Play interactive tour

Edit tour

Windows Analysis Report T3AtsGGHEL.exe

Overview

General Information

Sample Name:	T3AtsGGHEL.exe
Analysis ID:	534006
MD5:	89611c7a85fb5ccd4dd7edc076bc4ee8
SHA1:	a29812244684e248d7fe4f9e65e180bb4cd3098a
SHA256:	a5cf8668fc9624b386bbdad3a3dba28c029945048a7d15a0b0ee41dfe9e0a2df
Tags:	exeSmokeLoader
Infos:
Most interesting Screenshot:
Errors Sigma runtime error: Invalid condition: all of selection* Rule: Conti Backup Database Sigma runtime error: Invalid condition: all of selection* Rule: Stop Or Remove Antivirus Service Sigma runtime error: Invalid condition: all of selection* Rule: Conti Volume Shadow Listing Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With 7-ZIP Sigma runtime error: Invalid condition: all of selection* Rule: Disable or Delete Windows Eventlog Sigma runtime error: Invalid condition: all of selection* Rule: PowerShell SAM Copy Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With WINZIP

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for domain / URL

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

T3AtsGGHEL.exe (PID: 6980 cmdline: "C:\Users\user\Desktop\T3AtsGGHEL.exe" MD5: 89611C7A85FB5CCD4DD7EDC076BC4EE8)

conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: T3AtsGGHEL.exe	Virustotal: Detection: 60%			Perma Link
Source: T3AtsGGHEL.exe	ReversingLabs: Detection: 48%

Multi AV Scanner detection for domain / URL

Show sources

Source: wfsdragon.ru	Virustotal: Detection: 5%			Perma Link
Source: http://wfsdragon.ru/api/setStats.php	Virustotal: Detection: 6%			Perma Link

Machine Learning detection for sample

Show sources

Source: T3AtsGGHEL.exe

Joe Sandbox ML: detected

Source: T3AtsGGHEL.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: T3AtsGGHEL.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00ECA061 FindFirstFileExW,

1_2_00ECA061

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2010595 ET MALWARE User-Agent (???) 192.168.2.3:49741 -> 212.193.30.45:80
Source: Traffic	Snort IDS: 2010595 ET MALWARE User-Agent (???) 192.168.2.3:49742 -> 172.67.133.215:80

Source: Joe Sandbox View	ASN Name: SPD-NETTR SPD-NETTR
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	IP Address: 212.193.30.45 212.193.30.45
Source: Joe Sandbox View	IP Address: 172.67.133.215 172.67.133.215
Source: Joe Sandbox View	IP Address: 172.67.133.215 172.67.133.215

Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.30.45
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.30.45
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.30.45
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.30.45
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.30.45
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.30.45

Source: T3AtsGGHEL.exe, 00000001.00000002.275117847.000000000114A000.00000004.00000020.sdmp	String found in binary or memory: http://212.193.30.45/
Source: T3AtsGGHEL.exe, 00000001.00000002.275106056.0000000001138000.00000004.00000020.sdmp, T3AtsGGHEL.exe, 00000001.00000002.275124847.0000000001159000.00000004.00000020.sdmp, T3AtsGGHEL.exe, 00000001.00000002.275094413.000000000111A000.00000004.00000020.sdmp	String found in binary or memory: http://212.193.30.45/proxies.txt
Source: T3AtsGGHEL.exe, 00000001.00000002.275094413.000000000111A000.00000004.00000020.sdmp	String found in binary or memory: http://212.193.30.45/proxies.txtOP-
Source: T3AtsGGHEL.exe, 00000001.00000002.275117847.000000000114A000.00000004.00000020.sdmp	String found in binary or memory: http://wfsdragon.ru/(
Source: T3AtsGGHEL.exe, 00000001.00000002.275106056.0000000001138000.00000004.00000020.sdmp	String found in binary or memory: http://wfsdragon.ru/api/setStats.php
Source: T3AtsGGHEL.exe, 00000001.00000002.275106056.0000000001138000.00000004.00000020.sdmp	String found in binary or memory: http://wfsdragon.ru/api/setStats.php3t
Source: T3AtsGGHEL.exe, 00000001.00000002.275140606.0000000001185000.00000004.00000020.sdmp	String found in binary or memory: http://wfsdragon.ru/api/setStats.phpAX

Source: unknown

DNS traffic detected: queries for: wfsdragon.ru

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00EC1820 InternetOpenA,InternetOpenA,InternetOpenUrlA,InternetReadFile,__aulldiv,InternetReadFile,InternetReadFile,__aulldiv,InternetReadFile,CreateFileA,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_00EC1820

Source: global traffic	HTTP traffic detected: GET /proxies.txt HTTP/1.1Connection: Keep-AliveUser-Agent: ????Host: 212.193.30.45
Source: global traffic	HTTP traffic detected: GET /api/setStats.php HTTP/1.1Connection: Keep-AliveUser-Agent: ????llHost: wfsdragon.ru

Source: T3AtsGGHEL.exe, 00000001.00000002.275094413.000000000111A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: T3AtsGGHEL.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: T3AtsGGHEL.exe	Binary or memory string: OriginalFilename vs T3AtsGGHEL.exe
Source: T3AtsGGHEL.exe, 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSetToken.exe< vs T3AtsGGHEL.exe
Source: T3AtsGGHEL.exe, 00000001.00000000.270223923.0000000000ED5000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSetToken.exe< vs T3AtsGGHEL.exe
Source: T3AtsGGHEL.exe	Binary or memory string: OriginalFilenameSetToken.exe< vs T3AtsGGHEL.exe

Source: T3AtsGGHEL.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC2040	1_2_00EC2040
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC1820	1_2_00EC1820
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBC830	1_2_00EBC830
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBD500	1_2_00EBD500
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EB7630	1_2_00EB7630
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EB8600	1_2_00EB8600
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EB98FC	1_2_00EB98FC
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EB98F4	1_2_00EB98F4
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EB592D	1_2_00EB592D
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBC280	1_2_00EBC280
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC24F0	1_2_00EC24F0
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBEED0	1_2_00EBEED0
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00ED0E50	1_2_00ED0E50
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EB6E30	1_2_00EB6E30
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00ECFF12	1_2_00ECFF12

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: String function: 00EC3DA0 appears 33 times

Source: T3AtsGGHEL.exe	Virustotal: Detection: 60%
Source: T3AtsGGHEL.exe	ReversingLabs: Detection: 48%

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\T3AtsGGHEL.exe "C:\Users\user\Desktop\T3AtsGGHEL.exe"
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_01

Source: classification engine

Classification label: mal68.winEXE@2/0@1/2

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: T3AtsGGHEL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: T3AtsGGHEL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: T3AtsGGHEL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: T3AtsGGHEL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: T3AtsGGHEL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: T3AtsGGHEL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: T3AtsGGHEL.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: T3AtsGGHEL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00EC3DE6 push ecx; ret

1_2_00EC3DF9

Source: T3AtsGGHEL.exe

Static PE information: section name: .code

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00EC3002 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00EC3002

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00ECA061 FindFirstFileExW,

1_2_00ECA061

Source: T3AtsGGHEL.exe, 00000001.00000002.275133735.0000000001175000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW{
Source: T3AtsGGHEL.exe, 00000001.00000002.275133735.0000000001175000.00000004.00000020.sdmp, T3AtsGGHEL.exe, 00000001.00000002.275094413.000000000111A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00EC73C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00EC73C4

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBC830 mov eax, dword ptr fs:[00000030h]	1_2_00EBC830
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBD500 mov eax, dword ptr fs:[00000030h]	1_2_00EBD500
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBD500 mov ecx, dword ptr fs:[00000030h]	1_2_00EBD500
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBD500 mov ecx, dword ptr fs:[00000030h]	1_2_00EBD500
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EBD500 mov ecx, dword ptr fs:[00000030h]	1_2_00EBD500
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC6DF1 mov eax, dword ptr fs:[00000030h]	1_2_00EC6DF1
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC8752 mov eax, dword ptr fs:[00000030h]	1_2_00EC8752

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00EC2040 __aulldiv,HeapFree,GetProcessHeap,HeapFree,

1_2_00EC2040

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC3D29 SetUnhandledExceptionFilter,	1_2_00EC3D29
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC38A6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00EC38A6
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC73C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00EC73C4
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe	Code function: 1_2_00EC3BC4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00EC3BC4

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00EC39E4 cpuid

1_2_00EC39E4

Source: C:\Users\user\Desktop\T3AtsGGHEL.exe

Code function: 1_2_00EC703C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

1_2_00EC703C

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Application Shimming1	Process Injection1	Process Injection1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Application Shimming1	Deobfuscate/Decode Files or Information1	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Remote System Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery12	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
T3AtsGGHEL.exe	61%	Virustotal		Browse
T3AtsGGHEL.exe	48%	ReversingLabs	Win32.Backdoor.Zapchast
T3AtsGGHEL.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
wfsdragon.ru	6%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://212.193.30.45/proxies.txtOP-	0%	Avira URL Cloud	safe
http://wfsdragon.ru/api/setStats.php	7%	Virustotal		Browse
http://wfsdragon.ru/api/setStats.php	0%	Avira URL Cloud	safe
http://wfsdragon.ru/(	0%	Avira URL Cloud	safe
http://wfsdragon.ru/api/setStats.phpAX	0%	Avira URL Cloud	safe
http://wfsdragon.ru/api/setStats.php3t	0%	Avira URL Cloud	safe
http://212.193.30.45/proxies.txt	0%	Avira URL Cloud	safe
http://212.193.30.45/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wfsdragon.ru	172.67.133.215	true	true	6%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://wfsdragon.ru/api/setStats.php	true	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://212.193.30.45/proxies.txt	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://212.193.30.45/proxies.txtOP-	T3AtsGGHEL.exe, 00000001.00000002.275094413.000000000111A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://wfsdragon.ru/(	T3AtsGGHEL.exe, 00000001.00000002.275117847.000000000114A000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://wfsdragon.ru/api/setStats.phpAX	T3AtsGGHEL.exe, 00000001.00000002.275140606.0000000001185000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://wfsdragon.ru/api/setStats.php3t	T3AtsGGHEL.exe, 00000001.00000002.275106056.0000000001138000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://212.193.30.45/	T3AtsGGHEL.exe, 00000001.00000002.275117847.000000000114A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.193.30.45	unknown	Russian Federation		57844	SPD-NETTR	true
172.67.133.215	wfsdragon.ru	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	534006
Start date:	04.12.2021
Start time:	23:47:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	T3AtsGGHEL.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.winEXE@2/0@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 100% Quality standard deviation: 0%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.35.236.56 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtQueryValueKey calls found.
Errors:	Sigma runtime error: Invalid condition: all of selection* Rule: Conti Backup Database Sigma runtime error: Invalid condition: all of selection* Rule: Stop Or Remove Antivirus Service Sigma runtime error: Invalid condition: all of selection* Rule: Conti Volume Shadow Listing Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With 7-ZIP Sigma runtime error: Invalid condition: all of selection* Rule: Disable or Delete Windows Eventlog Sigma runtime error: Invalid condition: all of selection* Rule: PowerShell SAM Copy Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With WINZIP

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
212.193.30.45	fXlJhe5OGb.exe	Get hash	malicious	Browse	212.193.30.45/proxies.txt
	Whg8jgqeOs.exe	Get hash	malicious	Browse	212.193.30.45/proxies.txt
	ikeokicy4x.exe	Get hash	malicious	Browse	212.193.30.45/proxies.txt
172.67.133.215	33CBD9E39DD39A84D0426897605B17000046E0FB14399.exe	Get hash	malicious	Browse	wfsdragon.ru/api/setStats.php
	FC2E04D392AB5E508FDF6C90CE456BFD0AF6DEF1F10A2.exe	Get hash	malicious	Browse	wfsdragon.ru/api/setStats.php
	74BAFD56C1FB3CDEBF0A63DE4FFB6F16DC1D5CEE38E11.exe	Get hash	malicious	Browse	wfsdragon.ru/api/setStats.php
	2B97860AFD98DFF5BED238E2A2CE25977B50BA5356333.exe	Get hash	malicious	Browse	wfsdragon.ru/api/setStats.php
	D2864E311EFFCEF848301945DA620B92D1A982DBE2A70.exe	Get hash	malicious	Browse	wfsdragon.ru/api/setStats.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wfsdragon.ru	2A9E7BC07BD4EC39C2BEAA42FF35352BBE6400F899F70.exe	Get hash	malicious	Browse	104.21.5.208
	0A7D966E66CBD260C909DE1D79038C86A071F2F10A810.exe	Get hash	malicious	Browse	172.67.133.215
	B10274561191CEDB0B16D2A69FDCD4E5062EDFE262184.exe	Get hash	malicious	Browse	104.21.5.208
	3BADEBCEFB9E7153384CAE83BAAA119F6317C9381E850.exe	Get hash	malicious	Browse	172.67.133.215
	8F9CDF75C272FDA7DF367232756EA065600077804B165.exe	Get hash	malicious	Browse	172.67.133.215
	33CBD9E39DD39A84D0426897605B17000046E0FB14399.exe	Get hash	malicious	Browse	172.67.133.215
	0A223AA68AF0C2AF0BAABDA61D82748629078720A017E.exe	Get hash	malicious	Browse	104.21.5.208
	71A117DE440384FDC4B8FB690FC73674E9E2A9A75E689.exe	Get hash	malicious	Browse	104.21.5.208
	FC2E04D392AB5E508FDF6C90CE456BFD0AF6DEF1F10A2.exe	Get hash	malicious	Browse	172.67.133.215
	365F984ABE68DDD398D7B749FB0E69B0F29DAF86F0E3E.exe	Get hash	malicious	Browse	104.21.5.208
	4051EB7216E002CC6D827D781527D7556F4EB0F47BF09.exe	Get hash	malicious	Browse	172.67.133.215
	74BAFD56C1FB3CDEBF0A63DE4FFB6F16DC1D5CEE38E11.exe	Get hash	malicious	Browse	172.67.133.215
	BC2CCE5055F9411C04EDEEE699D7161C257574B4C5540.exe	Get hash	malicious	Browse	104.21.5.208
	F0627549D39AD1D85BCAAE5CF0B5A90B885658E348480.exe	Get hash	malicious	Browse	172.67.133.215
	D44D77232A9E6E684F1ECE4C9C05B3DCB63D4296CFD29.exe	Get hash	malicious	Browse	104.21.5.208
	2D100CC76F229AC10A7589E1AEA0BFB47B5692840D8F2.exe	Get hash	malicious	Browse	104.21.5.208
	4F1F6C55849D794E71B3F37EB1C700348E31A080EAA14.exe	Get hash	malicious	Browse	104.21.5.208
	AC8CF25A55659954E3C2BDF2A3B53115F139BE50F049A.exe	Get hash	malicious	Browse	104.21.5.208
	BAF599ABAB1D6969E1BA455F83375CBC9643BBE504918.exe	Get hash	malicious	Browse	104.21.5.208
	pDHqdUDL46.exe	Get hash	malicious	Browse	104.21.5.208

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe	Get hash	malicious	Browse	162.159.133.233
	780426DE24AE46F300FDAF9CBF597C8F2164F7B6C525C.exe	Get hash	malicious	Browse	104.21.19.200
	W88QoyCyC7.exe	Get hash	malicious	Browse	162.159.130.233
	e8cvIYg1a3	Get hash	malicious	Browse	1.4.15.184
	24E7ED53A8DCE89A4D8F054712A5D77693049EC726F67.exe	Get hash	malicious	Browse	104.23.98.190
	SetUp(5).exe	Get hash	malicious	Browse	162.159.137.232
	C7304FF0966068D305DA031F9DA60C5B0EBE32AC43533.exe	Get hash	malicious	Browse	104.21.49.105
	I6l10z8wKV.exe	Get hash	malicious	Browse	162.159.134.233
	PurchaseOrder2xls.exe	Get hash	malicious	Browse	162.159.134.233
	qwEMaieh4k.exe	Get hash	malicious	Browse	162.159.135.233
	FKdsgnUjpn.exe	Get hash	malicious	Browse	162.159.133.233
	y8xn6l2hY0.exe	Get hash	malicious	Browse	162.159.134.233
	eufive_20211204-002445(1).exe	Get hash	malicious	Browse	162.159.130.233
	jA0D6OjNRa.exe	Get hash	malicious	Browse	104.21.96.57
	xajsmKqcFk.exe	Get hash	malicious	Browse	162.159.130.233
	4L2BCPJRuk.exe	Get hash	malicious	Browse	162.159.130.233
	XPCIJGAZa6.exe	Get hash	malicious	Browse	172.67.173.151
	MPEtLYdhdk.msi	Get hash	malicious	Browse	104.21.22.210
	cC6A9znVtH.exe	Get hash	malicious	Browse	172.67.173.151
	f2Y03RRaRe.exe	Get hash	malicious	Browse	162.159.134.233
SPD-NETTR	912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe	Get hash	malicious	Browse	212.193.30.29
	780426DE24AE46F300FDAF9CBF597C8F2164F7B6C525C.exe	Get hash	malicious	Browse	212.193.30.29
	W88QoyCyC7.exe	Get hash	malicious	Browse	195.133.47.114
	C7304FF0966068D305DA031F9DA60C5B0EBE32AC43533.exe	Get hash	malicious	Browse	212.193.30.29
	I6l10z8wKV.exe	Get hash	malicious	Browse	195.133.47.114
	qwEMaieh4k.exe	Get hash	malicious	Browse	195.133.47.114
	xajsmKqcFk.exe	Get hash	malicious	Browse	195.133.47.114
	4L2BCPJRuk.exe	Get hash	malicious	Browse	195.133.47.114
	cC6A9znVtH.exe	Get hash	malicious	Browse	212.193.30.45
	21ABA879CA90E3D4B3B58F61316B6B42C97D31F62DEA2.exe	Get hash	malicious	Browse	212.193.30.29
	0D054D4B3068EA7F877963A9BE8A71581CB0396A309F6.exe	Get hash	malicious	Browse	212.193.30.29
	rfmEYZiTI4.exe	Get hash	malicious	Browse	212.193.30.29
	sk4e7kDlkb.exe	Get hash	malicious	Browse	212.193.30.45
	Nh3xqMPynb.exe	Get hash	malicious	Browse	212.193.30.196
	7AF33E5528AB8A8F45EE7B8C4DD24B4014FEAA6E1D310.exe	Get hash	malicious	Browse	212.193.30.29
	f7Kudio57m.exe	Get hash	malicious	Browse	212.193.30.196
	CYw9gmWr8C.exe	Get hash	malicious	Browse	212.193.30.196
	ajTlXKBm6k.exe	Get hash	malicious	Browse	212.193.30.196
	991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe	Get hash	malicious	Browse	212.193.30.29
	vjdcYcI4Y2.exe	Get hash	malicious	Browse	212.193.30.196

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.162371325795308
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	T3AtsGGHEL.exe
File size:	436224
MD5:	89611c7a85fb5ccd4dd7edc076bc4ee8
SHA1:	a29812244684e248d7fe4f9e65e180bb4cd3098a
SHA256:	a5cf8668fc9624b386bbdad3a3dba28c029945048a7d15a0b0ee41dfe9e0a2df
SHA512:	5bb8da1fc7efe568d7279c39c0c8cee8e55f858e2b101db5d48a933d95e4e87040f944428dd930a12a8766e7da37c5e332a0b16211955ef867172822d878eed3
SSDEEP:	12288:1imaXG6cgudGbpR8W6szcwG67S+9Gf1NyKZ4:Mm7C8W3zLG6G+4f9Z
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.cG........................................................*...............Y...................................Rich...........

File Icon


Icon Hash:	f89e67662636decc

Static PE Info

General
Entrypoint:	0x4137fa
Entrypoint Section:	.code
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61A8861D [Thu Dec 2 08:38:53 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	503fd9eea05c6f717892aae512299b17

Entrypoint Preview

Instruction
call 00007FD98CD00443h
jmp 00007FD98CCFFC69h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push esi
mov eax, dword ptr [esp+14h]
or eax, eax
jne 00007FD98CCFFE1Ah
mov ecx, dword ptr [esp+10h]
mov eax, dword ptr [esp+0Ch]
xor edx, edx
div ecx
mov ebx, eax
mov eax, dword ptr [esp+08h]
div ecx
mov esi, eax
mov eax, ebx
mul dword ptr [esp+10h]
mov ecx, eax
mov eax, esi
mul dword ptr [esp+10h]
add edx, ecx
jmp 00007FD98CCFFE39h
mov ecx, eax
mov ebx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
mov eax, dword ptr [esp+08h]
shr ecx, 1
rcr ebx, 1
shr edx, 1
rcr eax, 1
or ecx, ecx
jne 00007FD98CCFFDE6h
div ebx
mov esi, eax
mul dword ptr [esp+14h]
mov ecx, eax
mov eax, dword ptr [esp+10h]
mul esi
add edx, ecx
jc 00007FD98CCFFE00h
cmp edx, dword ptr [esp+0Ch]
jnbe 00007FD98CCFFDFAh
jc 00007FD98CCFFE01h
cmp eax, dword ptr [esp+08h]
jbe 00007FD98CCFFDFBh
dec esi
sub eax, dword ptr [esp+10h]
sbb edx, dword ptr [esp+14h]
xor ebx, ebx
sub eax, dword ptr [esp+08h]
sbb edx, dword ptr [esp+0Ch]
neg edx
neg eax
sbb edx, 00000000h
mov ecx, edx
mov edx, ebx
mov ebx, ecx
mov ecx, eax
mov eax, esi
pop esi
retn 0010h
ret
push ebp
mov ebp, esp
push 00000000h
call dword ptr [00425068h]
push dword ptr [ebp+08h]
call dword ptr [00425064h]
push C0000409h
call dword ptr [0000006Ch]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x25140	0x3c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x45c18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6c000	0x1650	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x602c	0x1c	.code
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6048	0x40	.code
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x13c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.code	0x1000	0x218a0	0x21a00	False	0.50054455158	data	6.46692412072	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x23000	0x1590	0xa00	False	0.178125	DOS executable (block device driver @\273\)	2.44015014816	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x25000	0x83a	0xa00	False	0.39140625	COM executable for DOS	4.75468144198	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x26000	0x45c18	0x45e00	False	0.816409743962	data	7.34383108574	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6c000	0x1650	0x1800	False	0.733072916667	data	6.40608727267	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x26578	0x1dccb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x44248	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 570425344, next used block 352321536
RT_ICON	0x54a70	0x94a8	data
RT_ICON	0x5df18	0x5488	data
RT_ICON	0x633a0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0
RT_ICON	0x675c8	0x25a8	data
RT_ICON	0x69b70	0x10a8	data
RT_ICON	0x6ac18	0x988	data
RT_ICON	0x6b5a0	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x6ba08	0x84	data
RT_VERSION	0x262b0	0x2c4	data
RT_MANIFEST	0x6ba90	0x188	XML 1.0 document text	English	United States

Imports

DLL

Import

KERNEL32.dll

ReadFile, lstrcatA, GetModuleHandleA, CreateFileA, lstrcpyA, CloseHandle, CreateThread, GetProcAddress, GetFileSize, GetConsoleWindow, GetLastError, lstrlenA, lstrcpynA, WriteConsoleW, CreateFileW, HeapSize, QueryPerformanceCounter, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, RtlUnwind, RaiseException, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, HeapReAlloc, SetFilePointerEx, GetFileType, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, SetStdHandle, GetStringTypeW, GetConsoleMode, FlushFileBuffers, GetConsoleOutputCP, DecodePointer

USER32.dll

ShowWindow

Version Infos

Description	Data
LegalCopyright	Tokenizer
InternalName	UpdateToken.exe
FileVersion	7272.5.13.1
CompanyName	FreshTokenizer
ProductName	Token Updater
ProductVersion	2.1.4.1
FileDescription	Token Updater
OriginalFilename	SetToken.exe
Translation	0x041f 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/04/21-23:48:26.150465	TCP	2010595	ET MALWARE User-Agent (???)	49741	80	192.168.2.3	212.193.30.45
12/04/21-23:48:26.277728	TCP	2010595	ET MALWARE User-Agent (???)	49742	80	192.168.2.3	172.67.133.215

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2021 23:48:26.122400045 CET	49741	80	192.168.2.3	212.193.30.45
Dec 4, 2021 23:48:26.149882078 CET	80	49741	212.193.30.45	192.168.2.3
Dec 4, 2021 23:48:26.149980068 CET	49741	80	192.168.2.3	212.193.30.45
Dec 4, 2021 23:48:26.150465012 CET	49741	80	192.168.2.3	212.193.30.45
Dec 4, 2021 23:48:26.177802086 CET	80	49741	212.193.30.45	192.168.2.3
Dec 4, 2021 23:48:26.177956104 CET	80	49741	212.193.30.45	192.168.2.3
Dec 4, 2021 23:48:26.177988052 CET	80	49741	212.193.30.45	192.168.2.3
Dec 4, 2021 23:48:26.178047895 CET	49741	80	192.168.2.3	212.193.30.45
Dec 4, 2021 23:48:26.178165913 CET	49741	80	192.168.2.3	212.193.30.45
Dec 4, 2021 23:48:26.249811888 CET	49742	80	192.168.2.3	172.67.133.215
Dec 4, 2021 23:48:26.277226925 CET	80	49742	172.67.133.215	192.168.2.3
Dec 4, 2021 23:48:26.277327061 CET	49742	80	192.168.2.3	172.67.133.215
Dec 4, 2021 23:48:26.277728081 CET	49742	80	192.168.2.3	172.67.133.215
Dec 4, 2021 23:48:26.305057049 CET	80	49742	172.67.133.215	192.168.2.3
Dec 4, 2021 23:48:26.396331072 CET	80	49742	172.67.133.215	192.168.2.3
Dec 4, 2021 23:48:26.396368980 CET	80	49742	172.67.133.215	192.168.2.3
Dec 4, 2021 23:48:26.396445990 CET	49742	80	192.168.2.3	172.67.133.215
Dec 4, 2021 23:48:26.483290911 CET	49741	80	192.168.2.3	212.193.30.45
Dec 4, 2021 23:48:26.510665894 CET	80	49741	212.193.30.45	192.168.2.3
Dec 4, 2021 23:48:26.759848118 CET	49742	80	192.168.2.3	172.67.133.215

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2021 23:48:26.221666098 CET	57459	53	192.168.2.3	8.8.8.8
Dec 4, 2021 23:48:26.244530916 CET	53	57459	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 4, 2021 23:48:26.221666098 CET	192.168.2.3	8.8.8.8	0xa3a3	Standard query (0)	wfsdragon.ru	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 4, 2021 23:48:26.244530916 CET	8.8.8.8	192.168.2.3	0xa3a3	No error (0)	wfsdragon.ru		172.67.133.215	A (IP address)	IN (0x0001)
Dec 4, 2021 23:48:26.244530916 CET	8.8.8.8	192.168.2.3	0xa3a3	No error (0)	wfsdragon.ru		104.21.5.208	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

212.193.30.45

wfsdragon.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49741	212.193.30.45	80	C:\Users\user\Desktop\T3AtsGGHEL.exe

Timestamp	kBytes transferred	Direction	Data
Dec 4, 2021 23:48:26.150465012 CET	1094	OUT	GET /proxies.txt HTTP/1.1 Connection: Keep-Alive User-Agent: ???? Host: 212.193.30.45
Dec 4, 2021 23:48:26.177956104 CET	1095	IN	HTTP/1.1 400 Bad Request Date: Sat, 04 Dec 2021 22:48:26 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 301 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 20 72 65 71 75 65 73 74 20 74 68 61 74 20 74 68 69 73 20 73 65 72 76 65 72 20 63 6f 75 6c 64 20 6e 6f 74 20 75 6e 64 65 72 73 74 61 6e 64 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 32 37 2e 30 2e 30 2e 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>400 Bad Request</title></head><body><h1>Bad Request</h1><p>Your browser sent a request that this server could not understand.<br /></p><hr><address>Apache/2.4.41 (Ubuntu) Server at 127.0.0.1 Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49742	172.67.133.215	80	C:\Users\user\Desktop\T3AtsGGHEL.exe

Timestamp	kBytes transferred	Direction	Data
Dec 4, 2021 23:48:26.277728081 CET	1096	OUT	GET /api/setStats.php HTTP/1.1 Connection: Keep-Alive User-Agent: ????ll Host: wfsdragon.ru
Dec 4, 2021 23:48:26.396331072 CET	1096	IN	HTTP/1.1 200 OK Date: Sat, 04 Dec 2021 22:48:26 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kvZt4oAmzp5KHLuJ9wjcV9P2UE0ZZknV7%2Fe0lsgFYZ1XJlNEm%2FNyqZqm6chv8PtPe0FqKT4HybdXJfglt%2BjNFn6Cp5NxYIhbZutSL17VvgRXAanLFqoNvcwsJLIK3hY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6b88950c5d7a0676-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 66 0d 0a 25 22 3e 39 57 5f 43 58 5b 43 58 54 43 59 5f 0d 0a Data Ascii: f%">9W_CX[CXTCY_
Dec 4, 2021 23:48:26.396368980 CET	1096	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: T3AtsGGHEL.exe PID: 6980 Parent PID: 4484

General

Start time:	23:48:23
Start date:	04/12/2021
Path:	C:\Users\user\Desktop\T3AtsGGHEL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\T3AtsGGHEL.exe"
Imagebase:	0xeb0000
File size:	436224 bytes
MD5 hash:	89611C7A85FB5CCD4DD7EDC076BC4EE8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 7044 Parent PID: 6980

General

Start time:	23:48:24
Start date:	04/12/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: T3AtsGGHEL.exe PID: 6980 Parent PID: 4484 T3AtsGGHEL.exeCOMMON

Executed Functions

Function 00EB8600, Relevance: 45.1, APIs: 19, Strings: 5, Instructions: 3077COMMON

Download Yara Rule

APIs

Part of subcall function 00EBEED0: GetModuleHandleA.KERNEL32(?,3F0B4357,00ED1576,00000000), ref: 00EBEFA4
Part of subcall function 00EBEED0: GetProcAddress.KERNEL32(00000000,26382BB1), ref: 00EBF012

Part of subcall function 00EB6D70: __aulldiv.LIBCMT ref: 00EB6E10

__aulldiv.LIBCMT ref: 00EB89BA

Strings

+\e[, xrefs: 00EBB934
+\e[, xrefs: 00EBB96A
+\e[, xrefs: 00EBBCEA
Content-Type: application/x-www-form-urlencoded, xrefs: 00EB86F8, 00EBB3BA, 00EBB85E, 00EBBBE1
+\e[, xrefs: 00EB8801

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv$AddressHandleModuleProc
String ID: +\e[$+\e[$+\e[$+\e[$Content-Type: application/x-www-form-urlencoded
API String ID: 3748425447-430921838
Opcode ID: afce47c14292e6c1ca9474345c60e9414128c810f1be93e628bd68e01ec9efc5
Instruction ID: 581b32c9d3e7101798b3fb20c135d6f346652695589da5f16b177c30d356a66d
Opcode Fuzzy Hash: afce47c14292e6c1ca9474345c60e9414128c810f1be93e628bd68e01ec9efc5
Instruction Fuzzy Hash: DA7322B0D052288BDB25CF28CD95BEEBBB5AF59304F1481D9D509BB281DB716E85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00EBD500, Relevance: 21.5, APIs: 11, Strings: 1, Instructions: 501sleepthreadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE(00000000,?,00000000), ref: 00EBD50D
ShowWindow.USER32(00000000,?,00000000), ref: 00EBD514
SetPriorityClass.KERNELBASE(B2A8C9C0,?), ref: 00EBD7C1
__aulldiv.LIBCMT ref: 00EBD896
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EBD959
Sleep.KERNELBASE(0000EE56,00000000,?,00002710,00000000,936223CE,00000000,0F8DFE7B,00000000,0000EE56,00000000,00000013,00000000), ref: 00EBD984
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EBD9B1

Part of subcall function 00EB6D70: __aulldiv.LIBCMT ref: 00EB6E10

__aulldiv.LIBCMT ref: 00EBD9EB

Part of subcall function 00EC703C: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,00EBDA87,00000000,936223C8,00000000,936223CE,00000000,936223C8,00000000,00000013,00000000,00000000), ref: 00EC704F
Part of subcall function 00EC703C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EC7080

CreateThread.KERNELBASE(00000000,00000000,00EBC830,00000000,00000000,00000000), ref: 00EBDACE
FindCloseChangeNotification.KERNELBASE(00000000,?,00000000), ref: 00EBDAD5
Sleep.KERNELBASE(?,93622992,00000000,?,00000000), ref: 00EBDB8E

Strings

V, xrefs: 00EBD824

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__aulldiv__ehfuncinfo$??2@$SleepTimeWindow$ChangeClassCloseConsoleCreateFileFindNotificationPriorityShowSystemThread
String ID: V
API String ID: 3225941876-3138479545
Opcode ID: 35e1788b1ac598485064c6f7cd0d681fd6a4fb67617efb37917c5661a35e1528
Instruction ID: 13985a037918ea43de4e94901fc97dd44486d2642dc3b6f2f728bc74a430bc07
Opcode Fuzzy Hash: 35e1788b1ac598485064c6f7cd0d681fd6a4fb67617efb37917c5661a35e1528
Instruction Fuzzy Hash: 1F12E3B16093518FC714CF28E880B6ABBE1FF99758F05595EE884BB391E730E845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00EB7630, Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 253libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00EB6E30: __aulldiv.LIBCMT ref: 00EB703C
Part of subcall function 00EB6E30: __aulldiv.LIBCMT ref: 00EB7234

GetProcAddress.KERNEL32(3DB0B2D8,?), ref: 00EB7822
GetProcAddress.KERNEL32(39B0ACC8), ref: 00EB7878
GetProcAddress.KERNEL32(38B4AFD7), ref: 00EB78CE
GetProcAddress.KERNEL32(0CA1A5C8), ref: 00EB7969
GetProcAddress.KERNEL32(28A7A9CD), ref: 00EB79BA

Part of subcall function 00EB6E30: _strstr.LIBCMT ref: 00EB73D3
Part of subcall function 00EB6E30: lstrcpyA.KERNEL32(?,00000000,?,?,?,00000000,00ED1576,?), ref: 00EB73E9
Part of subcall function 00EB6E30: lstrcatA.KERNEL32(?,30B9A4B5,?,?,?,00000000,00ED1576,?), ref: 00EB7463
Part of subcall function 00EB6E30: GetModuleHandleA.KERNEL32(?,?,?,?,00000000,00ED1576,?), ref: 00EB7470

Part of subcall function 00EB6E30: _strstr.LIBCMT ref: 00EB750C

LoadLibraryA.KERNELBASE(39B9A5DF), ref: 00EB7AFF

Strings

+\e[, xrefs: 00EB7B80
+\e[, xrefs: 00EB7B37

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$__aulldiv_strstr$HandleLibraryLoadModulelstrcatlstrcpy
String ID: +\e[$+\e[
API String ID: 3700343077-2567181470
Opcode ID: 58a300c6303e25ebc01544655d9ea8ccb847a3fc58d537eaabe8eb18122a8c64
Instruction ID: e1d6283defa0a6e80f7ead9f95eebf732763d0e1f7d32b04eb8e7e72583d1e44
Opcode Fuzzy Hash: 58a300c6303e25ebc01544655d9ea8ccb847a3fc58d537eaabe8eb18122a8c64
Instruction Fuzzy Hash: 3BF1F0B4C0575D9ACF11DF98E9826EEFB71FF18314F009689D9A03B224D775068A9F84

Uniqueness

Uniqueness Score: -1.00%

Function 00EC1820, Relevance: 12.4, APIs: 8, Instructions: 375networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC1650: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00EC1691

InternetOpenA.WININET(?,00000000,00000000,00000000,00000000,?,?,00000000,?,3F0B4357,?,00000000), ref: 00EC18EA
InternetCloseHandle.WININET(?), ref: 00EC1D81

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$Open$CloseHandle
String ID:
API String ID: 3289985339-0
Opcode ID: 5fa52061266be2f6bc8a51cf89851b0bc290de184579225be2eece6ecb988d1e
Instruction ID: dde5f5d02a24b6810ad71ddcc4bab97bd218a8ae4da041f96dc5f08375fdfde1
Opcode Fuzzy Hash: 5fa52061266be2f6bc8a51cf89851b0bc290de184579225be2eece6ecb988d1e
Instruction Fuzzy Hash: 26F1F6719002289BDB24CF29DD84BA9B7F5FB49304F14C1EAE489A7281DE759E85CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 00EC2040, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 00EC1E10: KiUserExceptionDispatcher.NTDLL(-00000002,0506DEAA,00000000,0000000F,00000000), ref: 00EC1E92

__aulldiv.LIBCMT ref: 00EC213A

Strings

Nf-, xrefs: 00EC21C0
JE$, xrefs: 00EC23FA

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: DispatcherExceptionUser__aulldiv
String ID: JE$$Nf-
API String ID: 665433891-3881794669
Opcode ID: e0f7b03cf2568063621a6e90b06972dc66a392aa3b7ea9eb8fea0aaef788fc10
Instruction ID: d4a102348dad51e04f41b38da5ff10b3bc0df2c9646ab56e941aa44e75b9cb23
Opcode Fuzzy Hash: e0f7b03cf2568063621a6e90b06972dc66a392aa3b7ea9eb8fea0aaef788fc10
Instruction Fuzzy Hash: 3BB1ECB440D7848BD2218F29C541B9BFBF1BFD9304F009A0DEAD82B261DB75954ACF92

Uniqueness

Uniqueness Score: -1.00%

Function 00EBC830, Relevance: 8.3, APIs: 5, Instructions: 805sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00EB7BB0: SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?,936223D4,00000000,936223B6,00000000,3F0B4357), ref: 00EB7C23

__aulldiv.LIBCMT ref: 00EBC963
SetCurrentDirectoryA.KERNELBASE(00000000,0000EE56,00000000,00000013,00000000,3F0B4357), ref: 00EBCAA4

Part of subcall function 00EC24F0: GetProcAddress.KERNEL32(00000000,9FAD2374), ref: 00EC25A9
Part of subcall function 00EC24F0: GetProcAddress.KERNEL32(00000000,8AAD3975), ref: 00EC2656
Part of subcall function 00EC24F0: GetProcAddress.KERNEL32(00000000,9FAD2374), ref: 00EC2703

_strstr.LIBCMT ref: 00EBCCA6
__aulldiv.LIBCMT ref: 00EBD1BC
Sleep.KERNEL32(00000000,1B123C7B,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00EBD303

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$__aulldiv$CurrentDirectoryFolderPathSleep_strstr
String ID:
API String ID: 3874404764-0
Opcode ID: 037f4111db3de372e5934178581dc84d6282c28b5f82c0c1f7411cbec1bf0274
Instruction ID: 5947c26c7cebb8740054dbc380af33450f4333aa156a95ac22d1d7f1a221a65b
Opcode Fuzzy Hash: 037f4111db3de372e5934178581dc84d6282c28b5f82c0c1f7411cbec1bf0274
Instruction Fuzzy Hash: 5772ADB0A042588FDB24CF68DD80BDEBBB1EF59304F2482DAC459B7292D7719A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00EC6DF1, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00EC6DF0,00000000,00000000,?,00000000,?,00000000), ref: 00EC6E13
TerminateProcess.KERNEL32(00000000,?,00EC6DF0,00000000,00000000,?,00000000,?,00000000), ref: 00EC6E1A
ExitProcess.KERNEL32 ref: 00EC6E2C

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: b557013761262f0fc6e40fa7163c56f4aabf2b4a7f4d5ca5a3c6366da4ef6715
Instruction ID: 521cc6a0bf1e0f6287b42fe88e75af9a8a12504ce48c21f03b9d42a2e5cc4cc9
Opcode Fuzzy Hash: b557013761262f0fc6e40fa7163c56f4aabf2b4a7f4d5ca5a3c6366da4ef6715
Instruction Fuzzy Hash: 48E0B636001948AFCF116B65EE09F5E3F6AFB44341B14542AF905AA171CB36EE46DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00EC3D29, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00013D35,00EC366B), ref: 00EC3D2E

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ac80909c32b3525138e628dba563de352b9d0111611992a3d1bab2a671228a94
Instruction ID: 11a51d0ea7f823158dd6706904697c1f26fd7139f8c69694d981dc68b84de490
Opcode Fuzzy Hash: ac80909c32b3525138e628dba563de352b9d0111611992a3d1bab2a671228a94
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00EC1650, Relevance: 12.2, APIs: 8, Instructions: 155networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00EC1691
InternetSetOptionA.WININET(00000000,00000006,?,00000004), ref: 00EC16AC
GetLastError.KERNEL32(848AC91A,00000000), ref: 00EC176E
InternetQueryOptionA.WININET(00000000,0000001F,80000000,?), ref: 00EC1799
InternetSetOptionA.WININET(00000000,0000001F,00000100,00000004), ref: 00EC17AF

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$Option$ErrorLastOpenQuery
String ID:
API String ID: 3355351495-0
Opcode ID: 69bfedfce0482575c5fe015578e3e777f85be303bb87e353363c6f49a4a239ee
Instruction ID: 52e568fc7813af1fdc798c3c01363877bc395ba31e3832a91f8bb8ea579979ed
Opcode Fuzzy Hash: 69bfedfce0482575c5fe015578e3e777f85be303bb87e353363c6f49a4a239ee
Instruction Fuzzy Hash: 8951AFB5A40208AFEB20CFA5DC86FAEBBB4EF49700F144159FA10BB2C1D7715A458B64

Uniqueness

Uniqueness Score: -1.00%

Function 00EC1E10, Relevance: 7.7, APIs: 5, Instructions: 188memorystringCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(-00000002,0506DEAA,00000000,0000000F,00000000), ref: 00EC1E92
__aulldiv.LIBCMT ref: 00EC1F34
__aulldiv.LIBCMT ref: 00EC1FEF
GetProcessHeap.KERNEL32(?,?,0002B51B,00000000,00000000), ref: 00EC2000
lstrcpynA.KERNEL32(00000000,-00000002,00000000), ref: 00EC2013

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv$DispatcherExceptionHeapProcessUserlstrcpyn
String ID:
API String ID: 2210394293-0
Opcode ID: 4083156287942c2f8faac71e55d5060e8ac0079ebacba63b24e939631693a2ed
Instruction ID: 250d37193678cfb9b0f92cf7cf9ae5e170b695ca2caddb62340bb8ee398e16c4
Opcode Fuzzy Hash: 4083156287942c2f8faac71e55d5060e8ac0079ebacba63b24e939631693a2ed
Instruction Fuzzy Hash: C871E0B5E012189FDB04CFA9E984BEEBBF5AF89304F14905AE814B7301CB755D068FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00ECB051, Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00ECB05A
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00ECB0C8

Part of subcall function 00ECAF63: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,00ECDDC0,?,00000000,00000000), ref: 00ECB00F

Part of subcall function 00EC949E: RtlAllocateHeap.NTDLL(00000000,00EC2FAC,75501BB0,?,00EC4332,75501BB2,75501BB0,?,?,?,00EC2EC5,00EC2FAC,75501BB4,75501BB0,75501BB0,75501BB0), ref: 00EC94D0

_free.LIBCMT ref: 00ECB0B9

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: 3f99254d676db6e92c11209426535ff00ad2c2fa0e0563733a8bfaf6db502768
Instruction ID: 84958e1708fbeaf4ad6a3c5c6388dbff7b07f6cec42906d7039d9941907d41a7
Opcode Fuzzy Hash: 3f99254d676db6e92c11209426535ff00ad2c2fa0e0563733a8bfaf6db502768
Instruction Fuzzy Hash: A501D8A3601615BB273116661ECBE7F59ADDEC2B54714112DB910F3201EF628C0381B2

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9324, Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00EC9370
GetFileType.KERNELBASE(00000000), ref: 00EC9382

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 8627da4e4d5f86995e88753ae8120428a279c140b2343a46e8e33bab15095d6f
Instruction ID: a7968d8704c481b2d208c2f4d058875ceb8e13696402318455ab100e3d91f9d0
Opcode Fuzzy Hash: 8627da4e4d5f86995e88753ae8120428a279c140b2343a46e8e33bab15095d6f
Instruction Fuzzy Hash: 8211A561104B814AC7304A3E8E8CB267A95A796374B38271ED0B6E61F3C736D9879540

Uniqueness

Uniqueness Score: -1.00%

Function 00EB7570, Relevance: 3.0, APIs: 2, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(149B89CC), ref: 00EB75D2
LoadLibraryA.KERNELBASE(35BBA9EC), ref: 00EB7621

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d869fe68eacea3084cb5a377ba3dc039d7df101f62365ec9a81df3655a5b9b76
Instruction ID: d352134b66650e40fd285c4cb02460fca3ecc030be009a70240ede1dab61770c
Opcode Fuzzy Hash: d869fe68eacea3084cb5a377ba3dc039d7df101f62365ec9a81df3655a5b9b76
Instruction Fuzzy Hash: 2C1114B8C0435C9ACF10DF99D9466EEFBB4FF18215F048699CDA03A221E771564A8F91

Uniqueness

Uniqueness Score: -1.00%

Function 00EC7AFC, Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EC7B44

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f8bc4f55bafe5ece6fa62d6f3a5240d7ced0cda2fe9d108d6aceeebfaf03af79
Instruction ID: df03cd27d8fd3a7782384784e4ce93436d9cc879ff5967e4a1ecc5bb2df29ae8
Opcode Fuzzy Hash: f8bc4f55bafe5ece6fa62d6f3a5240d7ced0cda2fe9d108d6aceeebfaf03af79
Instruction Fuzzy Hash: 6CE0E572A0A5114D9221273A7E0AFAE12A7DB81334F15632EF874B60D2DF324D478862

Uniqueness

Uniqueness Score: -1.00%

Function 00EB7BB0, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?,936223D4,00000000,936223B6,00000000,3F0B4357), ref: 00EB7C23

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: fa444a3951529ee8b0e8be71d5db1d92c1ad1542d62ac31564ca0da6216754e7
Instruction ID: 762fd41b4802e4dce508cd38e50a1979c150c2a4ec4338cb5fa7c7d792985869
Opcode Fuzzy Hash: fa444a3951529ee8b0e8be71d5db1d92c1ad1542d62ac31564ca0da6216754e7
Instruction Fuzzy Hash: AD219571604218AFEB28DF55CC42FEABBF8EB45714F0041ADE545AB2C1D7755A448F90

Uniqueness

Uniqueness Score: -1.00%

Function 00ECB864, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00EC9C5F: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00EC8C63,00000001,00000364,00000005,000000FF,?,00EC4332,75501BB2,75501BB0,?,?), ref: 00EC9CA0

_free.LIBCMT ref: 00ECB8D3

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 59c7593efcd4d496789c29f71b39f57d0d225eb482a7eb24154304122a00a697
Instruction ID: 0306d7d60f149a1acc18643d5bf56ad706724631a8e2f716471abd9fe0109f81
Opcode Fuzzy Hash: 59c7593efcd4d496789c29f71b39f57d0d225eb482a7eb24154304122a00a697
Instruction Fuzzy Hash: 1E0104B3A003166BC7258F68C886E89FBDCEB043B0F14462DE555B76C1D371A812C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9C5F, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00EC8C63,00000001,00000364,00000005,000000FF,?,00EC4332,75501BB2,75501BB0,?,?), ref: 00EC9CA0

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d7e596a624aff6cb5a6937469266a64af15d39f9d21f2a85ec24034a55c21c78
Instruction ID: eff38c81ebb60b97d25d0248017b69cac75762e355d5372ff4b12c1bc498f9a6
Opcode Fuzzy Hash: d7e596a624aff6cb5a6937469266a64af15d39f9d21f2a85ec24034a55c21c78
Instruction Fuzzy Hash: F9F0E9315415246BDF216F22AF0DF5BBBC8DF41B64B19A11AAC14BA093CE33DC1386E0

Uniqueness

Uniqueness Score: -1.00%

Function 00EC949E, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00EC2FAC,75501BB0,?,00EC4332,75501BB2,75501BB0,?,?,?,00EC2EC5,00EC2FAC,75501BB4,75501BB0,75501BB0,75501BB0), ref: 00EC94D0

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c21f4f55623738270b2dac6526a267a6e2eb8ad40dc17b9b6dd8c95c198ef1ff
Instruction ID: 49a68138fbf7a94440f9b3bd9898f389057771cea0a99e0aa7b03d708dc7fa7d
Opcode Fuzzy Hash: c21f4f55623738270b2dac6526a267a6e2eb8ad40dc17b9b6dd8c95c198ef1ff
Instruction Fuzzy Hash: 63E0E5361025115FDB2536669F48F9B3A88FF017A5F196119AC68B34C3CF26CC0381E0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00EC3002, Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EC3002() {
				struct HINSTANCE__* _t43;

				_t43 = GetModuleHandleW(L"kernel32.dll");
				 *0xed39c8 = GetProcAddress(_t43, "FlsAlloc");
				 *0xed39cc = GetProcAddress(_t43, "FlsFree");
				 *0xed39d0 = GetProcAddress(_t43, "FlsGetValue");
				 *0xed39d4 = GetProcAddress(_t43, "FlsSetValue");
				 *0xed39d8 = GetProcAddress(_t43, "InitializeCriticalSectionEx");
				 *0xed39dc = GetProcAddress(_t43, "InitOnceExecuteOnce");
				 *0xed39e0 = GetProcAddress(_t43, "CreateEventExW");
				 *0xed39e4 = GetProcAddress(_t43, "CreateSemaphoreW");
				 *0xed39e8 = GetProcAddress(_t43, "CreateSemaphoreExW");
				 *0xed39ec = GetProcAddress(_t43, "CreateThreadpoolTimer");
				 *0xed39f0 = GetProcAddress(_t43, "SetThreadpoolTimer");
				 *0xed39f4 = GetProcAddress(_t43, "WaitForThreadpoolTimerCallbacks");
				 *0xed39f8 = GetProcAddress(_t43, "CloseThreadpoolTimer");
				 *0xed39fc = GetProcAddress(_t43, "CreateThreadpoolWait");
				 *0xed3a00 = GetProcAddress(_t43, "SetThreadpoolWait");
				 *0xed3a04 = GetProcAddress(_t43, "CloseThreadpoolWait");
				 *0xed3a08 = GetProcAddress(_t43, "FlushProcessWriteBuffers");
				 *0xed3a0c = GetProcAddress(_t43, "FreeLibraryWhenCallbackReturns");
				 *0xed3a10 = GetProcAddress(_t43, "GetCurrentProcessorNumber");
				 *0xed3a14 = GetProcAddress(_t43, "CreateSymbolicLinkW");
				 *0xed3a18 = GetProcAddress(_t43, "GetCurrentPackageId");
				 *0xed3a1c = GetProcAddress(_t43, "GetTickCount64");
				 *0xed3a20 = GetProcAddress(_t43, "GetFileInformationByHandleEx");
				 *0xed3a24 = GetProcAddress(_t43, "SetFileInformationByHandle");
				 *0xed3a28 = GetProcAddress(_t43, "GetSystemTimePreciseAsFileTime");
				 *0xed3a2c = GetProcAddress(_t43, "InitializeConditionVariable");
				 *0xed3a30 = GetProcAddress(_t43, "WakeConditionVariable");
				 *0xed3a34 = GetProcAddress(_t43, "WakeAllConditionVariable");
				 *0xed3a38 = GetProcAddress(_t43, "SleepConditionVariableCS");
				 *0xed3a3c = GetProcAddress(_t43, "InitializeSRWLock");
				 *0xed3a40 = GetProcAddress(_t43, "AcquireSRWLockExclusive");
				 *0xed3a44 = GetProcAddress(_t43, "TryAcquireSRWLockExclusive");
				 *0xed3a48 = GetProcAddress(_t43, "ReleaseSRWLockExclusive");
				 *0xed3a4c = GetProcAddress(_t43, "SleepConditionVariableSRW");
				 *0xed3a50 = GetProcAddress(_t43, "CreateThreadpoolWork");
				 *0xed3a54 = GetProcAddress(_t43, "SubmitThreadpoolWork");
				 *0xed3a58 = GetProcAddress(_t43, "CloseThreadpoolWork");
				 *0xed3a5c = GetProcAddress(_t43, "CompareStringEx");
				 *0xed3a60 = GetProcAddress(_t43, "GetLocaleInfoEx");
				 *0xed3a64 = GetProcAddress(_t43, "LCMapStringEx");
				return 0;
			}

0x00ec300e
0x00ec3022
0x00ec3033
0x00ec3044
0x00ec3055
0x00ec3066
0x00ec3077
0x00ec3088
0x00ec3099
0x00ec30aa
0x00ec30bb
0x00ec30cc
0x00ec30dd
0x00ec30ee
0x00ec30ff
0x00ec3110
0x00ec3121
0x00ec3132
0x00ec3143
0x00ec314e
0x00ec3165
0x00ec3176
0x00ec3187
0x00ec3198
0x00ec31a9
0x00ec31ba
0x00ec31cb
0x00ec31dc
0x00ec31ed
0x00ec31fe
0x00ec320f
0x00ec3220
0x00ec3231
0x00ec3242
0x00ec3253
0x00ec3264
0x00ec3275
0x00ec3286
0x00ec3297
0x00ec32a7
0x00ec32b3
0x00ec32bb

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00EC3008
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00EC3016
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00EC3027
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00EC3038
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00EC3049
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00EC305A
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 00EC306B
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00EC307C
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 00EC308D
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00EC309E
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00EC30AF
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00EC30C0
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00EC30D1
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00EC30E2
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00EC30F3
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00EC3104
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00EC3115
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00EC3126
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 00EC3137
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 00EC3148
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 00EC3159
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00EC316A
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 00EC317B
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 00EC318C
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 00EC319D
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00EC31AE
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00EC31BF
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 00EC31D0
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00EC31E1
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00EC31F2
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 00EC3203
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00EC3214
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 00EC3225
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00EC3236
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 00EC3247
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 00EC3258
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 00EC3269
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 00EC327A
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 00EC328B
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00EC329C
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 00EC32AD

Strings

GetFileInformationByHandleEx, xrefs: 00EC3181
CreateThreadpoolWork, xrefs: 00EC324D
GetLocaleInfoEx, xrefs: 00EC3291
FlsAlloc, xrefs: 00EC3010
GetTickCount64, xrefs: 00EC3170
CloseThreadpoolWait, xrefs: 00EC310A
FlsFree, xrefs: 00EC301C
ReleaseSRWLockExclusive, xrefs: 00EC322B
GetCurrentPackageId, xrefs: 00EC315F
InitializeCriticalSectionEx, xrefs: 00EC304F
AcquireSRWLockExclusive, xrefs: 00EC3209
FreeLibraryWhenCallbackReturns, xrefs: 00EC312C
WaitForThreadpoolTimerCallbacks, xrefs: 00EC30C6
CreateThreadpoolWait, xrefs: 00EC30E8
TryAcquireSRWLockExclusive, xrefs: 00EC321A
SubmitThreadpoolWork, xrefs: 00EC325E
CompareStringEx, xrefs: 00EC3280
SetThreadpoolWait, xrefs: 00EC30F9
InitializeSRWLock, xrefs: 00EC31F8
GetSystemTimePreciseAsFileTime, xrefs: 00EC31A3
CreateSemaphoreW, xrefs: 00EC3082
WakeAllConditionVariable, xrefs: 00EC31D6
InitializeConditionVariable, xrefs: 00EC31B4
FlsSetValue, xrefs: 00EC303E
WakeConditionVariable, xrefs: 00EC31C5
SetFileInformationByHandle, xrefs: 00EC3192
CloseThreadpoolTimer, xrefs: 00EC30D7
GetCurrentProcessorNumber, xrefs: 00EC313D
kernel32.dll, xrefs: 00EC3003
SleepConditionVariableCS, xrefs: 00EC31E7
CreateThreadpoolTimer, xrefs: 00EC30A4
CreateEventExW, xrefs: 00EC3071
CreateSymbolicLinkW, xrefs: 00EC3153
InitOnceExecuteOnce, xrefs: 00EC3060
SetThreadpoolTimer, xrefs: 00EC30B5
FlushProcessWriteBuffers, xrefs: 00EC311B
LCMapStringEx, xrefs: 00EC32A2
FlsGetValue, xrefs: 00EC302D
SleepConditionVariableSRW, xrefs: 00EC323C
CreateSemaphoreExW, xrefs: 00EC3093
CloseThreadpoolWork, xrefs: 00EC326F

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 4919f2a3efcd6c27337be645d758315aecd8872d5beac0d81f04046b108768df
Instruction ID: 6477b02758f6b9305442aae1dc0a61022a2689ff9577e9f749d7aa00f1afff65
Opcode Fuzzy Hash: 4919f2a3efcd6c27337be645d758315aecd8872d5beac0d81f04046b108768df
Instruction Fuzzy Hash: FE616876A63710EFC710AFB6BC1DC8A3BA8FB097123509557F141F25A4D7B481099FA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EC24F0, Relevance: 27.4, APIs: 18, Instructions: 403libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,9FAD2374), ref: 00EC25A9
GetProcAddress.KERNEL32(00000000,8AAD3975), ref: 00EC2656
GetProcAddress.KERNEL32(00000000,9FAD2374), ref: 00EC2703
GetProcAddress.KERNEL32(00000000,9FAD2374), ref: 00EC27B0
GetProcAddress.KERNEL32(00000000,?), ref: 00EC280D
GetProcAddress.KERNEL32(00000000,9FAD2374), ref: 00EC286A
GetProcAddress.KERNEL32(00000000,9FAD2374), ref: 00EC2917
GetProcAddress.KERNEL32(00000000,8AAD3975), ref: 00EC29C4
GetProcAddress.KERNEL32(00000000,9FAD2374), ref: 00EC2A71
GetProcAddress.KERNEL32(00000000,9FAD2374), ref: 00EC2B1E
GetModuleHandleA.KERNEL32(94AB2876), ref: 00EC2B80
GetProcAddress.KERNEL32(00000000,8AB82875), ref: 00EC2BDA
GetProcAddress.KERNEL32(00000000,8AB82875), ref: 00EC2C3B
GetProcAddress.KERNEL32(00000000,8AB82875), ref: 00EC2C9C
GetModuleHandleA.KERNEL32(FAD94D3D), ref: 00EC2D4C
GetProcAddress.KERNEL32(00000000,88B8257E), ref: 00EC2DBA
GetProcAddress.KERNEL32(00000000,B6AD287A), ref: 00EC2E17
GetProcAddress.KERNEL32(00000000,9BBC3F7E), ref: 00EC2E74

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID:
API String ID: 667068680-0
Opcode ID: f71c96a56cbea8199e0caaff4e6143896cc922839f2fe6b6ba642477bfeda32d
Instruction ID: 82a58f605892dbce5097744ac037b71592cb16f2029f8b7d35d83ae96583e993
Opcode Fuzzy Hash: f71c96a56cbea8199e0caaff4e6143896cc922839f2fe6b6ba642477bfeda32d
Instruction Fuzzy Hash: 183212B800D7889AD3018F6AD54159BFBF4FFC5744F40AA0DF6D06A221EBB58249DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00EBEED0, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 283libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,3F0B4357,00ED1576,00000000), ref: 00EBEFA4
GetProcAddress.KERNEL32(00000000,26382BB1), ref: 00EBF012
GetProcAddress.KERNEL32(?,6E5642E6), ref: 00EBF0AA
GetProcAddress.KERNEL32(?,6E5642E6), ref: 00EBF142
GetProcAddress.KERNEL32(?,6E5642E6), ref: 00EBF1DA
GetProcAddress.KERNEL32(?,6E5642E6), ref: 00EBF272
GetProcAddress.KERNEL32(?,6E5642E6), ref: 00EBF30A
GetProcAddress.KERNEL32(?,6E5642E6), ref: 00EBF35D
GetProcAddress.KERNEL32(?,6E5642E6), ref: 00EBF3B0
GetProcAddress.KERNEL32(?,6E5642E6), ref: 00EBF448

Strings

BVN, xrefs: 00EBEF5E
vT", xrefs: 00EBF290
BVn, xrefs: 00EBF3B2
BVn, xrefs: 00EBF367

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: vT"$BVN$BVn$BVn
API String ID: 667068680-1494709618
Opcode ID: dedbeb0041d76babac7f6c8935140fa48adbc735f57a535f9928e4e0b60d6fc3
Instruction ID: e4a335fdfc2e7135b65e48e77006dbe8c83e0d5c6ac2a308b4dd8b85d5fcbe2a
Opcode Fuzzy Hash: dedbeb0041d76babac7f6c8935140fa48adbc735f57a535f9928e4e0b60d6fc3
Instruction Fuzzy Hash: 00F1DDB8C0579CDADB11CFE8E9866DCBBB0FF15304F20921AD9583B265E7700A4ADB44

Uniqueness

Uniqueness Score: -1.00%

Function 00EB98F4, Relevance: 19.5, APIs: 12, Instructions: 1484COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00EB9998

Part of subcall function 00EB6D70: __aulldiv.LIBCMT ref: 00EB6E10

__aulldiv.LIBCMT ref: 00EB9E92
__aulldiv.LIBCMT ref: 00EB9FA1
__aulldiv.LIBCMT ref: 00EBA1DC
__aulldiv.LIBCMT ref: 00EBA418
__aulldiv.LIBCMT ref: 00EBA8EA
__aulldiv.LIBCMT ref: 00EBA9FD
__aulldiv.LIBCMT ref: 00EBAB13
__aulldiv.LIBCMT ref: 00EBAC26
__aulldiv.LIBCMT ref: 00EBAF15
__aulldiv.LIBCMT ref: 00EBB024
__aulldiv.LIBCMT ref: 00EBB28D

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: 6417c9244d20b649b969e731f2c6b3472d4e709c1416813c9274ba71d7cc6001
Instruction ID: b90a2cf68e2fdf98f7bcc800595d10cc6455d4b1d08cd0df69d8beb762d8c0c4
Opcode Fuzzy Hash: 6417c9244d20b649b969e731f2c6b3472d4e709c1416813c9274ba71d7cc6001
Instruction Fuzzy Hash: A6F2FFB0E052289FDB64CF24CD95BEEBBB5AB49304F1481E9D509B7291DB716E84CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00EB98FC, Relevance: 19.4, APIs: 12, Instructions: 1370COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00EB9998

Part of subcall function 00EB6D70: __aulldiv.LIBCMT ref: 00EB6E10

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: 5e14bd2b2dbc02a0b0e6ac804ca3204ea1992c412a817b75e75c431255ccb08f
Instruction ID: 637db7a085a64d53687ece8b483c1194d81974da6522f918d5d40cb1a9cdeb9c
Opcode Fuzzy Hash: 5e14bd2b2dbc02a0b0e6ac804ca3204ea1992c412a817b75e75c431255ccb08f
Instruction Fuzzy Hash: E3E2FFB0E052289FDB64CF24CD95BEEBBB5AB49304F1481E9D509B7281DB716E85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00EB592D, Relevance: 18.0, APIs: 11, Instructions: 1536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bead5da382d072ffecf93f64b6423bb5c78cb7c01b615197cee4e7823d5c7699
Instruction ID: 48ead8541b780eb2e5d30a5afd8c98eae6474ea419fd5a8108222ac1f639bf84
Opcode Fuzzy Hash: bead5da382d072ffecf93f64b6423bb5c78cb7c01b615197cee4e7823d5c7699
Instruction Fuzzy Hash: F6F257709093A88FDB66CF24CD647DABBB1AF06304F0481DAD448BB292DB755E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EB6E30, Relevance: 10.9, APIs: 7, Instructions: 425stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EB6D70: __aulldiv.LIBCMT ref: 00EB6E10

__aulldiv.LIBCMT ref: 00EB703C
__aulldiv.LIBCMT ref: 00EB7234
_strstr.LIBCMT ref: 00EB73D3
lstrcpyA.KERNEL32(?,00000000,?,?,?,00000000,00ED1576,?), ref: 00EB73E9
lstrcatA.KERNEL32(?,30B9A4B5,?,?,?,00000000,00ED1576,?), ref: 00EB7463
GetModuleHandleA.KERNEL32(?,?,?,?,00000000,00ED1576,?), ref: 00EB7470
_strstr.LIBCMT ref: 00EB750C

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv$_strstr$HandleModulelstrcatlstrcpy
String ID:
API String ID: 1585005572-0
Opcode ID: 9123875c31312b38dd5e9ace2dc8a184f172acb58616c5fdd94b40b0db6aab8e
Instruction ID: 2cc7ff6908aab06d67cb321ac2db993969a1adcd378092e71186588cdb760018
Opcode Fuzzy Hash: 9123875c31312b38dd5e9ace2dc8a184f172acb58616c5fdd94b40b0db6aab8e
Instruction Fuzzy Hash: 97124BB1E052288FDB24DF29DD51BEAB7B1AF99304F1441DAD888B7351DB319E858F80

Uniqueness

Uniqueness Score: -1.00%

Function 00EBC280, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 372COMMON

Download Yara Rule

APIs

Part of subcall function 00EBEED0: GetModuleHandleA.KERNEL32(?,3F0B4357,00ED1576,00000000), ref: 00EBEFA4
Part of subcall function 00EBEED0: GetProcAddress.KERNEL32(00000000,26382BB1), ref: 00EBF012

Part of subcall function 00EB6D70: __aulldiv.LIBCMT ref: 00EB6E10

__aulldiv.LIBCMT ref: 00EBC635

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 00EBC368
+\e[, xrefs: 00EBC448
+\e[, xrefs: 00EBC41E

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv$AddressHandleModuleProc
String ID: +\e[$+\e[$Content-Type: application/x-www-form-urlencoded
API String ID: 3748425447-1123434338
Opcode ID: e15529dfdf39923bc85d82d859f1e1252871658f652b601ea5b32335f4a1e296
Instruction ID: ca7a9b48af0d3fe11aba7fd0d677f3ae69ffcb0f5411732cd26c55cd505c414d
Opcode Fuzzy Hash: e15529dfdf39923bc85d82d859f1e1252871658f652b601ea5b32335f4a1e296
Instruction Fuzzy Hash: BEF197B0D04348CBDB24DFA8C9457EEBBB1EF44304F208299D845BB286DB755A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EC73C4, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00EC2FAC), ref: 00EC74BC
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00EC2FAC), ref: 00EC74C6
UnhandledExceptionFilter.KERNEL32(75501888,?,?,?,?,?,00EC2FAC), ref: 00EC74D3

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7b2f1e9afb2d716f2ba2512b9b2314cfde936a54d4fb3ededdeee815013dbbba
Instruction ID: f33a1050286784278866f725e63e979a220d6fd7f1d8be7041f7f344e6640dca
Opcode Fuzzy Hash: 7b2f1e9afb2d716f2ba2512b9b2314cfde936a54d4fb3ededdeee815013dbbba
Instruction Fuzzy Hash: 3C31D4759013189BCB21DF25D989B8CBBF8BF08311F5051EAE41DA62A0E7319B86CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00EC703C, Relevance: 3.0, APIs: 2, Instructions: 34timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,00EBDA87,00000000,936223C8,00000000,936223CE,00000000,936223C8,00000000,00000013,00000000,00000000), ref: 00EC704F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EC7080

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1518329722-0
Opcode ID: c5dfa4b354885f613f94067a42bc01d5c1d69078a1a156e6885293f837ae699f
Instruction ID: 16e2e89bb1029dfe4596d12418eb3b110680db5cc4161b4867fc05877cff78bb
Opcode Fuzzy Hash: c5dfa4b354885f613f94067a42bc01d5c1d69078a1a156e6885293f837ae699f
Instruction Fuzzy Hash: 39F0F071900304BBEB148FA8C946FAD7BE8FB4031AF24965CA402F2280D6B2EA058B50

Uniqueness

Uniqueness Score: -1.00%

Function 00ECFF12, Relevance: 1.8, APIs: 1, Instructions: 274COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00ECFF0D,?,?,00000008,?,?,00ECFBA5,00000000), ref: 00ED013F

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 36ce36c54788f00d8d65e93fb43f688622e1c46708698076c95c8953aec8f316
Instruction ID: 595fd0c5e11edf2040fdf16a65b2c17e785f5b1b3a67fd098954c1fe8f848018
Opcode Fuzzy Hash: 36ce36c54788f00d8d65e93fb43f688622e1c46708698076c95c8953aec8f316
Instruction Fuzzy Hash: 56B14B31210609DFD715CF28C48ABA57BA1FF45368F29965DE899DF3A1C336E982CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00EC39E4, Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00EC39FA

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: a29a72b362b150cb6995910838a417000b24a357dd1b178fda06ea8a56c11b4b
Instruction ID: 4212ba175c314261dac9ed32ed110e60c2bfe2076255a8ae79e51d2af3dca8aa
Opcode Fuzzy Hash: a29a72b362b150cb6995910838a417000b24a357dd1b178fda06ea8a56c11b4b
Instruction Fuzzy Hash: 545168B19012058FDB24CF66E985BAABBF0FB48314F24802AC405FB251D3759F59CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA061, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10ddeeffbb7442fb834d8c52eccf0b392d6d50f7665531b0bd94e8ac36e91cd
Instruction ID: e6a33138a9e095d853e339d3ee6103fc071b3626f7b2c5b18cfa2f30ccba6439
Opcode Fuzzy Hash: c10ddeeffbb7442fb834d8c52eccf0b392d6d50f7665531b0bd94e8ac36e91cd
Instruction Fuzzy Hash: 5F41C7B180421CAEDB24DF69CD89FAEB7B9AF45308F1842EDE41DE3211D6359E858F10

Uniqueness

Uniqueness Score: -1.00%

Function 00ED0E50, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 7bf6133b9f3bdd6ae19dea92242b380d8caf19b8194dcc69f7b517d97f7a7da6
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: A6115B7720014183DE24C62DD4B47BBA795EBD9328F2C6F7BD882AB754C122D8479600

Uniqueness

Uniqueness Score: -1.00%

Function 00EC8752, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988ac5a2d0849f66e6d670c51f8fa58b81c7bdb3be24b47c7bd239cdbdcfcaac
Instruction ID: bddde75f49f0aed0b3a8a1403636c599e58f45c97dc9ca7f99656385d0b0204b
Opcode Fuzzy Hash: 988ac5a2d0849f66e6d670c51f8fa58b81c7bdb3be24b47c7bd239cdbdcfcaac
Instruction Fuzzy Hash: 89E08C32911238EBCB15DBC8CB08E8AF3ECEB49F40B21009AB501E3111D671DE01C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00ECBF2C, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00ECBF70

Part of subcall function 00ECBB09: _free.LIBCMT ref: 00ECBB26
Part of subcall function 00ECBB09: _free.LIBCMT ref: 00ECBB38
Part of subcall function 00ECBB09: _free.LIBCMT ref: 00ECBB4A
Part of subcall function 00ECBB09: _free.LIBCMT ref: 00ECBB5C
Part of subcall function 00ECBB09: _free.LIBCMT ref: 00ECBB6E
Part of subcall function 00ECBB09: _free.LIBCMT ref: 00ECBB80
Part of subcall function 00ECBB09: _free.LIBCMT ref: 00ECBB92
Part of subcall function 00ECBB09: _free.LIBCMT ref: 00ECBBA4
Part of subcall function 00ECBB09: _free.LIBCMT ref: 00ECBBB6
Part of subcall function 00ECBB09: _free.LIBCMT ref: 00ECBBC8
Part of subcall function 00ECBB09: _free.LIBCMT ref: 00ECBBDA
Part of subcall function 00ECBB09: _free.LIBCMT ref: 00ECBBEC
Part of subcall function 00ECBB09: _free.LIBCMT ref: 00ECBBFE

_free.LIBCMT ref: 00ECBF65

Part of subcall function 00EC9464: HeapFree.KERNEL32(00000000,00000000,?,00ECBC9A,?,00000000,?,75501BB2,?,00ECBCC1,?,00000007,?,?,00ECC0C3,?), ref: 00EC947A
Part of subcall function 00EC9464: GetLastError.KERNEL32(?,?,00ECBC9A,?,00000000,?,75501BB2,?,00ECBCC1,?,00000007,?,?,00ECC0C3,?,?), ref: 00EC948C

_free.LIBCMT ref: 00ECBF87
_free.LIBCMT ref: 00ECBF9C
_free.LIBCMT ref: 00ECBFA7
_free.LIBCMT ref: 00ECBFC9
_free.LIBCMT ref: 00ECBFDC
_free.LIBCMT ref: 00ECBFEA
_free.LIBCMT ref: 00ECBFF5
_free.LIBCMT ref: 00ECC02D
_free.LIBCMT ref: 00ECC034
_free.LIBCMT ref: 00ECC051
_free.LIBCMT ref: 00ECC069

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 15b94aa375ceb8286d7a39a668e93911266cf74edd7d8aab4378224c1afe451a
Instruction ID: c33b3d2004c4747f30bae8df0dd056b533fa4da965fb2c60a3da1123aa406303
Opcode Fuzzy Hash: 15b94aa375ceb8286d7a39a668e93911266cf74edd7d8aab4378224c1afe451a
Instruction Fuzzy Hash: 00311AB16007409FDB25AB39DE4AF5A77E9BF00354F24A41DE069E6252DB32E943CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4EF7, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308COMMON

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00EC4FF2
type_info::operator==.LIBVCRUNTIME ref: 00EC5019
___TypeMatch.LIBVCRUNTIME ref: 00EC5125
IsInExceptionSpec.LIBVCRUNTIME ref: 00EC5200
_UnwindNestedFrames.LIBCMT ref: 00EC5287
CallUnexpected.LIBVCRUNTIME ref: 00EC52A2

Strings

csm, xrefs: 00EC4F9F
csm, xrefs: 00EC4F32
csm, xrefs: 00EC5050

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 95ee76f57aa10b1d5e4d00296207e84e3542242c021779c71f9f9f4fdfffb1aa
Instruction ID: 8ae6f3912d2666629966bf46494094b655a7fb4bee69a6f52c9a6c3d5ac402c2
Opcode Fuzzy Hash: 95ee76f57aa10b1d5e4d00296207e84e3542242c021779c71f9f9f4fdfffb1aa
Instruction Fuzzy Hash: F5C15972800A09AFCF19DF94CA85FAEB7B5EF14314B04615DE8507B252D732EA92CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EC89A9, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EC89BF

Part of subcall function 00EC9464: HeapFree.KERNEL32(00000000,00000000,?,00ECBC9A,?,00000000,?,75501BB2,?,00ECBCC1,?,00000007,?,?,00ECC0C3,?), ref: 00EC947A
Part of subcall function 00EC9464: GetLastError.KERNEL32(?,?,00ECBC9A,?,00000000,?,75501BB2,?,00ECBCC1,?,00000007,?,?,00ECC0C3,?,?), ref: 00EC948C

_free.LIBCMT ref: 00EC89CB
_free.LIBCMT ref: 00EC89D6
_free.LIBCMT ref: 00EC89E1
_free.LIBCMT ref: 00EC89EC
_free.LIBCMT ref: 00EC89F7
_free.LIBCMT ref: 00EC8A02
_free.LIBCMT ref: 00EC8A0D
_free.LIBCMT ref: 00EC8A18
_free.LIBCMT ref: 00EC8A26

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6578deb37d2edec13151495ad02185ab4b32a893d4ab78e6d9646ef930b4116a
Instruction ID: 822518d327a6d91ed7edfdc993860207753737a08ccea3e72dc4583db8f82aa6
Opcode Fuzzy Hash: 6578deb37d2edec13151495ad02185ab4b32a893d4ab78e6d9646ef930b4116a
Instruction Fuzzy Hash: D92189B6900108EFCF45EF94C985EDE7BB9BF08750F40916AB515AB122DB32DA46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EC46E0, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00EC4717
___except_validate_context_record.LIBVCRUNTIME ref: 00EC471F
_ValidateLocalCookies.LIBCMT ref: 00EC47A8
__IsNonwritableInCurrentImage.LIBCMT ref: 00EC47D3
_ValidateLocalCookies.LIBCMT ref: 00EC4828

Strings

csm, xrefs: 00EC47BD
>H, xrefs: 00EC47C5, 00EC47CE, 00EC47DF

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: >H$csm
API String ID: 1170836740-1075740280
Opcode ID: 8b0db7d819a3e060b7d0d2e6ddb67decf2bd615fe4a2f9d83fff2fb05b2e9b74
Instruction ID: 5b626194de5c250a5cfbf32baa64d3a32aedfef7528073775cbe8602206d6f70
Opcode Fuzzy Hash: 8b0db7d819a3e060b7d0d2e6ddb67decf2bd615fe4a2f9d83fff2fb05b2e9b74
Instruction Fuzzy Hash: 7041D7749002089FCF10DF68C994F9E7BF5EF45318F14915AE815BB392D732AA16CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ECB0D5, Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00ECB0FF
_free.LIBCMT ref: 00ECB1D8
_free.LIBCMT ref: 00ECB205

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: e911a1341abd31a15c87b416c46fa3aceb75619413b8d5a73e599739fab572fe
Instruction ID: b460b756ff8d2eeddbd42e5fb89a265f0751eb35f3dbf03d532f4a933cae9bd8
Opcode Fuzzy Hash: e911a1341abd31a15c87b416c46fa3aceb75619413b8d5a73e599739fab572fe
Instruction Fuzzy Hash: E551F570904345AFDB18AFB99A87FAD7BF8EF06314F04516EE510B7292DB3389038651

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9731, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

api-ms-, xrefs: 00EC9788
ext-ms-, xrefs: 00EC979C

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: f64d588c314194c8540db10855e195b74db2975079f79c273c2b08007eabd9e8
Instruction ID: 368e787b23b3c34d480515730519a34ae5a6fc31e72a6b5c7de4b07390e6ce53
Opcode Fuzzy Hash: f64d588c314194c8540db10855e195b74db2975079f79c273c2b08007eabd9e8
Instruction Fuzzy Hash: 0E21D272A13620AFCB218F359E8DF9A37589F01764F21251AED06B7292D732ED06C5E0

Uniqueness

Uniqueness Score: -1.00%

Function 00ECBCA8, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00ECBC70: _free.LIBCMT ref: 00ECBC95

_free.LIBCMT ref: 00ECBCF6

Part of subcall function 00EC9464: HeapFree.KERNEL32(00000000,00000000,?,00ECBC9A,?,00000000,?,75501BB2,?,00ECBCC1,?,00000007,?,?,00ECC0C3,?), ref: 00EC947A
Part of subcall function 00EC9464: GetLastError.KERNEL32(?,?,00ECBC9A,?,00000000,?,75501BB2,?,00ECBCC1,?,00000007,?,?,00ECC0C3,?,?), ref: 00EC948C

_free.LIBCMT ref: 00ECBD01
_free.LIBCMT ref: 00ECBD0C
_free.LIBCMT ref: 00ECBD60
_free.LIBCMT ref: 00ECBD6B
_free.LIBCMT ref: 00ECBD76
_free.LIBCMT ref: 00ECBD81

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1740a53dd6a171bbcdb34c46e1fff11799b71a0769f26df8f93cd01df8ba4f74
Instruction ID: 6cee79e417df5e5173a5f29f3555e035796dc26769f63f6b01831431745f4716
Opcode Fuzzy Hash: 1740a53dd6a171bbcdb34c46e1fff11799b71a0769f26df8f93cd01df8ba4f74
Instruction Fuzzy Hash: 0C11EF71550B08EADB20B7B0CE4BFCBB7ECAF05700F40581DB2A976153DB66B5468790

Uniqueness

Uniqueness Score: -1.00%

Function 00ECC899, Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 00ECC8E1
__fassign.LIBCMT ref: 00ECCAC6
__fassign.LIBCMT ref: 00ECCAE3
WriteFile.KERNEL32(?,00EC90E1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00ECCB2B
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00ECCB6B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00ECCC13

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 4271f6a678a53da8f461d1676766b5ed397a08f5e469961b48e72d6dd54db94e
Instruction ID: 50b1738ec324cb5bac9b9989da7739eb0e67af5b30cb2cdd4c8699408f79e945
Opcode Fuzzy Hash: 4271f6a678a53da8f461d1676766b5ed397a08f5e469961b48e72d6dd54db94e
Instruction Fuzzy Hash: 1BC19CB5D012589FCB10CFE9C980EEDBBB5EF48314F28516EE85AB7241D6329D46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EBE8F0, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 356COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00EBEA43
std::_Xinvalid_argument.LIBCPMT ref: 00EBEA55

Strings

string too long, xrefs: 00EBEA50

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_
String ID: string too long
API String ID: 3646673767-2556327735
Opcode ID: aedbce7fb73f22a50f99f0c3fbe58a01843e0327c1867cb4783c4fbecafaa4ac
Instruction ID: f59860894558584ad06f060144b5e92dede5f4a8a85308f5053b2b63c73b6d94
Opcode Fuzzy Hash: aedbce7fb73f22a50f99f0c3fbe58a01843e0327c1867cb4783c4fbecafaa4ac
Instruction Fuzzy Hash: FEB1F472A002049FCB28DF78D981AEFBBE9EF44310B14567DE416E7351E731EA158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4BC0, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EC4BB7,00EC49EA,00EC3D79), ref: 00EC4BCE
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EC4BDC
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EC4BF5
SetLastError.KERNEL32(00000000,00EC4BB7,00EC49EA,00EC3D79), ref: 00EC4C47

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2477e731fbf142502caa73281ed4580e583edc740b58891fc7b51ea0a44daa05
Instruction ID: 7bb81ab07cc3d090dee0833fd0141fc29e774d270e96113b2eff1fdeeb472e48
Opcode Fuzzy Hash: 2477e731fbf142502caa73281ed4580e583edc740b58891fc7b51ea0a44daa05
Instruction Fuzzy Hash: 560128B321B7125DB62827767F95F66A794EB007B9720232EF920710F0EF134C079140

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA4EE, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\T3AtsGGHEL.exe, xrefs: 00ECA4F3

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Users\user\Desktop\T3AtsGGHEL.exe
API String ID: 0-3341910482
Opcode ID: 9ef7dbed37845af50b54e9d1f8b8be662f6a0834d34ebb237882817ea0bd6d04
Instruction ID: 013e79de778f01fb5ec35b9ba7a525ce1fda95b675eb53fa85b17fcc9d80b5da
Opcode Fuzzy Hash: 9ef7dbed37845af50b54e9d1f8b8be662f6a0834d34ebb237882817ea0bd6d04
Instruction Fuzzy Hash: 6421927160020DAF9B20AF659F80F6A77ADEF0036D718963DF915B7150EB32DD4287A2

Uniqueness

Uniqueness Score: -1.00%

Function 00EC5D97, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00EC5E58,?,?,00ED3DF4,00000000,?,00EC5F83,00000004,InitializeCriticalSectionEx,00EB1EF0,mscoree.dll,00000000), ref: 00EC5E27

Strings

api-ms-, xrefs: 00EC5DE7

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: e0afc7a5241ea569a82ec426a52e7daf827d914dcb555e12dc09f60bf23f8935
Instruction ID: 33bee97a4063591228681f3dda41694d2d9881314acca013612427de11fe21b5
Opcode Fuzzy Hash: e0afc7a5241ea569a82ec426a52e7daf827d914dcb555e12dc09f60bf23f8935
Instruction Fuzzy Hash: 5211C133A01B20AFDB224B69AE44F9A37A4DF01774F101115F911FB280D761FE4686D1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC6E33, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00EC6E28,?,?,00EC6DF0,00000000,00000000,?), ref: 00EC6E48
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EC6E5B
FreeLibrary.KERNEL32(00000000,?,?,00EC6E28,?,?,00EC6DF0,00000000,00000000,?), ref: 00EC6E7E

Strings

mscoree.dll, xrefs: 00EC6E41
CorExitProcess, xrefs: 00EC6E53

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 70fb5dd53a389b5007e1ce7fb8dfd46f5bdbfd8776f06a873b1c4adaef0919ac
Instruction ID: de96307ae8c58f695570ff64268d6050042b476ba1760662b054d435ba0e6fb7
Opcode Fuzzy Hash: 70fb5dd53a389b5007e1ce7fb8dfd46f5bdbfd8776f06a873b1c4adaef0919ac
Instruction Fuzzy Hash: 87F08C36602A18FFDB119B61ED1AF9FBB79EF0075AF104066E800B60A0CB718F05DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00ECE7DF, Relevance: 7.7, APIs: 5, Instructions: 244COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0111E658,0111E658,?,7FFFFFFF,?,?,00ECEA9B,0111E658,0111E658,?,0111E658,?,?,?,?,0111E658), ref: 00ECE882
__alloca_probe_16.LIBCMT ref: 00ECE938
__alloca_probe_16.LIBCMT ref: 00ECE9CE
__freea.LIBCMT ref: 00ECEA39
__freea.LIBCMT ref: 00ECEA45

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: 7feba8394ff7430c91be56dc9a58232b2e8532ebfeb56b377188d9c33d017764
Instruction ID: f1ea8a163d91d35d89aa8e3cfda55ae0d275c863f0fd30b2d9a1db7e9490ae80
Opcode Fuzzy Hash: 7feba8394ff7430c91be56dc9a58232b2e8532ebfeb56b377188d9c33d017764
Instruction Fuzzy Hash: FA81CD32D0025A9EDF249E65CA82FEE7BB9EF49318F18215DE904B7341D637CC4287A1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC12D0, Relevance: 7.7, APIs: 5, Instructions: 216stringCOMMON

Download Yara Rule

APIs

_strstr.LIBCMT ref: 00EC14D7
lstrcpyA.KERNEL32(?,00000000,?,?,?,?,00000000,74E04DE0), ref: 00EC14ED
lstrcatA.KERNEL32(?,96B52913,?,?,?,?,00000000,74E04DE0), ref: 00EC1567
GetModuleHandleA.KERNEL32(?,?,?,?,?,00000000,74E04DE0), ref: 00EC1574
_strstr.LIBCMT ref: 00EC1610

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: _strstr$HandleModulelstrcatlstrcpy
String ID:
API String ID: 4190046329-0
Opcode ID: f90bd0f86ec845e45117a38b87e0e59db97730a0d93b8a2fb995907772c3e518
Instruction ID: ba948584f69ecdc2a6e7fcf45bf73366b075b5208ae6b0720cdd5b22b8708a32
Opcode Fuzzy Hash: f90bd0f86ec845e45117a38b87e0e59db97730a0d93b8a2fb995907772c3e518
Instruction Fuzzy Hash: 96919CB59042688BDB258F29CD41BE9B7F5AF59304F0541E9D889B7312EB319E82CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00ECDC14, Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00ECDC98
__alloca_probe_16.LIBCMT ref: 00ECDD5E
__freea.LIBCMT ref: 00ECDDCA

Part of subcall function 00EC949E: RtlAllocateHeap.NTDLL(00000000,00EC2FAC,75501BB0,?,00EC4332,75501BB2,75501BB0,?,?,?,00EC2EC5,00EC2FAC,75501BB4,75501BB0,75501BB0,75501BB0), ref: 00EC94D0

__freea.LIBCMT ref: 00ECDDD3
__freea.LIBCMT ref: 00ECDDF6

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 8bb3bd7ee6648fb70e0db04111c34bf869772addb116cf334696f8aae7112e04
Instruction ID: 4f0d7d5e586ab24d1a65295f272cb23738d1aa4f0df434a0de04c36f65c85798
Opcode Fuzzy Hash: 8bb3bd7ee6648fb70e0db04111c34bf869772addb116cf334696f8aae7112e04
Instruction Fuzzy Hash: 0751B17290420AABEF219E64CE41FFB7BA9DB80754F19163DFD05B6140E773DC1296A0

Uniqueness

Uniqueness Score: -1.00%

Function 00ECBC07, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00ECBC1F

Part of subcall function 00EC9464: HeapFree.KERNEL32(00000000,00000000,?,00ECBC9A,?,00000000,?,75501BB2,?,00ECBCC1,?,00000007,?,?,00ECC0C3,?), ref: 00EC947A
Part of subcall function 00EC9464: GetLastError.KERNEL32(?,?,00ECBC9A,?,00000000,?,75501BB2,?,00ECBCC1,?,00000007,?,?,00ECC0C3,?,?), ref: 00EC948C

_free.LIBCMT ref: 00ECBC31
_free.LIBCMT ref: 00ECBC43
_free.LIBCMT ref: 00ECBC55
_free.LIBCMT ref: 00ECBC67

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 01be46ce9e57c7fe4241ab6adb4c094e4502821a2172b07fc04026dd5409b36d
Instruction ID: d287e6250337103d1300fad19963db831a42a06a7c55519372220e296e69003b
Opcode Fuzzy Hash: 01be46ce9e57c7fe4241ab6adb4c094e4502821a2172b07fc04026dd5409b36d
Instruction Fuzzy Hash: F4F044F2501610AB8614DB65F7C7D1BB7EDFB00710B58680EF054F7512CB22FD828A54

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9E72, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00ECA00C

Strings

*?, xrefs: 00EC9EB5

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: eb78099a05444889c7f0422f48bb418c702d0d5193556a31802557e59872eb29
Instruction ID: 4a77aadc4c55f101ee702781c2ae95f54067322f60fbc120138e423dfd636ce3
Opcode Fuzzy Hash: eb78099a05444889c7f0422f48bb418c702d0d5193556a31802557e59872eb29
Instruction Fuzzy Hash: 07613D75E002199FCB14CFA8C981AEDFBF5EF48354B18916EE855F7301D6369E428B90

Uniqueness

Uniqueness Score: -1.00%

Function 00EBEA50, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00EBEA55

Part of subcall function 00EC2F9B: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00EC2FA7

Concurrency::cancel_current_task.LIBCPMT ref: 00EBEAB0

Strings

string too long, xrefs: 00EBEA50

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: string too long
API String ID: 3990507346-2556327735
Opcode ID: a2769d051d900ef1d5fc21d71fd8aa0f3ab250967a9e1e452c948e7299ae2c12
Instruction ID: 8dd2d498f8d175bb04f589a52f0d44c81f659cd58c8c8520c2c35ee860e6724d
Opcode Fuzzy Hash: a2769d051d900ef1d5fc21d71fd8aa0f3ab250967a9e1e452c948e7299ae2c12
Instruction Fuzzy Hash: 56411371A002045BDB28DB28D982AEFFBF9EF84310B24562DE417E7352E731AA458A54

Uniqueness

Uniqueness Score: -1.00%

Function 00EC8E08, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EC8E36
_free.LIBCMT ref: 00EC8E5C

Strings

x,, xrefs: 00EC8EC3
p0, xrefs: 00EC8E75

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: p0$x,
API String ID: 269201875-2649084677
Opcode ID: d047c3ab3822ae925efb7142756387786ded454795aa52785f38d6c5c1c3d03b
Instruction ID: f64f6f0d1971ad247c3ab6b1760615281f0e445eaf40d8f1ea3674d199b83f21
Opcode Fuzzy Hash: d047c3ab3822ae925efb7142756387786ded454795aa52785f38d6c5c1c3d03b
Instruction Fuzzy Hash: C91193B1A022119FD7205B3ABF45F553794E761724F14222FF525FB2E1EB71C8874641

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4CA0, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00EC4D67
___AdjustPointer.LIBCMT ref: 00EC4D8A
___AdjustPointer.LIBCMT ref: 00EC4E26

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 01bd07553223d761dee7a4ee403d9fafe290e9d2b8e8999fe1155ecef5d5164d
Instruction ID: 7e3975ccde1d818fafbd1e796e1435110f0a9ebab2e84977f27ee73faa76e7a6
Opcode Fuzzy Hash: 01bd07553223d761dee7a4ee403d9fafe290e9d2b8e8999fe1155ecef5d5164d
Instruction Fuzzy Hash: 1F5101B26012029FEB29AF10DA61FAABBA0FF40715F10552DE917772D0E733AC92C750

Uniqueness

Uniqueness Score: -1.00%

Function 00EB7D90, Relevance: 6.1, APIs: 4, Instructions: 108fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00EBCF6D,80000000,00000000,00000000,00000003,00000000,00000000,00EB5EE5,00000000,3F0B4357), ref: 00EB7E17
GetFileSize.KERNEL32(00000000,00000000), ref: 00EB7E26
ReadFile.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 00EB7E51
CloseHandle.KERNEL32(00000000), ref: 00EB7E58

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: eff808406b1f3ae66d8d058553723309d1edb228cf00be36d799d66ead5367a0
Instruction ID: 53e6f5ce180b05562a129aa009ea2a6bffa43f573135dadd4934e57df9fffb4d
Opcode Fuzzy Hash: eff808406b1f3ae66d8d058553723309d1edb228cf00be36d799d66ead5367a0
Instruction Fuzzy Hash: 9431AF71610208AFEB24DF68DD45BAFBBB8EB45B00F20451EF505AB2C1D7B59A44CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9D86, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00ECA3A8: _free.LIBCMT ref: 00ECA3B6

Part of subcall function 00ECAF63: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,00ECDDC0,?,00000000,00000000), ref: 00ECB00F

GetLastError.KERNEL32 ref: 00EC9DEE
__dosmaperr.LIBCMT ref: 00EC9DF5
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00EC9E34
__dosmaperr.LIBCMT ref: 00EC9E3B

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 52791fdb4ec5474ce7ab554155cd41b471cb6cd9e5c4af739f00871386847637
Instruction ID: 49061a070eb564f44a9a7dc6cade0d7d4e4cd6f558edbcd92c09d10b987e8efb
Opcode Fuzzy Hash: 52791fdb4ec5474ce7ab554155cd41b471cb6cd9e5c4af739f00871386847637
Instruction Fuzzy Hash: 8B21D871600219AF9B10AF658F85FAB77ECEF1036C714552DF91AB7141DB32EC4287A1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC8AC1, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00EC6FD7,?,00000000,00000002,?,00000000,00000000,00000000,00000000,00000000), ref: 00EC8AC6
_free.LIBCMT ref: 00EC8B23
_free.LIBCMT ref: 00EC8B59
SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,?,00EC6FD7,?,00000000,00000002,?,00000000,00000000,00000000,00000000,00000000), ref: 00EC8B64

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 66cab8ff6326dcec1c60855cf76336960a60929618797fec6e3291b87076ff7d
Instruction ID: c1113c316258a45e19c345253d45a07f22a627d94ea2511b31e8780b98611f27
Opcode Fuzzy Hash: 66cab8ff6326dcec1c60855cf76336960a60929618797fec6e3291b87076ff7d
Instruction Fuzzy Hash: F511A3762056052FC7146779AF8AF3B2399DBC5778724232EF124B21D2DE738C075215

Uniqueness

Uniqueness Score: -1.00%

Function 00EC8C18, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00EC2FAC,00EC2FAC,75501BB2,00EC8DFA,00EC94E1,75501BB0,?,00EC4332,75501BB2,75501BB0,?,?,?,00EC2EC5,00EC2FAC,75501BB4), ref: 00EC8C1D
_free.LIBCMT ref: 00EC8C7A
_free.LIBCMT ref: 00EC8CB0
SetLastError.KERNEL32(00000000,00000005,000000FF,?,00EC4332,75501BB2,75501BB0,?,?,?,00EC2EC5,00EC2FAC,75501BB4,75501BB0,75501BB0,75501BB0), ref: 00EC8CBB

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: efddd4c73f44743cc5ff93153f802c74e0155418cd9b86a3df3c628d70af1b71
Instruction ID: 22a0371b7c8df00e34b557a239c16cc49d25f62256ba02ec1f3aa588c8c31592
Opcode Fuzzy Hash: efddd4c73f44743cc5ff93153f802c74e0155418cd9b86a3df3c628d70af1b71
Instruction Fuzzy Hash: 1311A3722466006ED71527796F89F3A6299DBC1779734222DF524B21D2DD338C075222

Uniqueness

Uniqueness Score: -1.00%

Function 00ECECF5, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00ECE29B,?,00000001,?,00000001,?,00ECCC70,?,?,00000001), ref: 00ECED0C
GetLastError.KERNEL32(?,00ECE29B,?,00000001,?,00000001,?,00ECCC70,?,?,00000001,?,00000001,?,00ECD1BF,00EC90E1), ref: 00ECED18

Part of subcall function 00ECECDE: CloseHandle.KERNEL32(FFFFFFFE,00ECED28,?,00ECE29B,?,00000001,?,00000001,?,00ECCC70,?,?,00000001,?,00000001), ref: 00ECECEE

___initconout.LIBCMT ref: 00ECED28

Part of subcall function 00ECECA0: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00ECECCF,00ECE288,00000001,?,00ECCC70,?,?,00000001,?), ref: 00ECECB3

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00ECE29B,?,00000001,?,00000001,?,00ECCC70,?,?,00000001,?), ref: 00ECED3D

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 557456bd5487c31a0678548d16c37afa705596ad97ac828cbfe544d38585c671
Instruction ID: 96598b15d47b5905ed8d3fc0f56209cd5f3ce4ad9d061feac07f49468c83742e
Opcode Fuzzy Hash: 557456bd5487c31a0678548d16c37afa705596ad97ac828cbfe544d38585c671
Instruction Fuzzy Hash: 58F01237402158BFCF122FA2ED09E897F66EB083A0B045015FA19B9220C63389259B91

Uniqueness

Uniqueness Score: -1.00%

Function 00EC815A, Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EC8163

Part of subcall function 00EC9464: HeapFree.KERNEL32(00000000,00000000,?,00ECBC9A,?,00000000,?,75501BB2,?,00ECBCC1,?,00000007,?,?,00ECC0C3,?), ref: 00EC947A
Part of subcall function 00EC9464: GetLastError.KERNEL32(?,?,00ECBC9A,?,00000000,?,75501BB2,?,00ECBCC1,?,00000007,?,?,00ECC0C3,?,?), ref: 00EC948C

_free.LIBCMT ref: 00EC8176
_free.LIBCMT ref: 00EC8187
_free.LIBCMT ref: 00EC8198

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a3cbb510fa78bced5193185a3acfc49e4911010f2acceb9841e0aece9cc043fb
Instruction ID: 0159c43e3fccc5f2e63084b69e119247c62cd51c5b118ab089e2a189344d8566
Opcode Fuzzy Hash: a3cbb510fa78bced5193185a3acfc49e4911010f2acceb9841e0aece9cc043fb
Instruction Fuzzy Hash: 17E0BFF19422649F8B096F2ABD8599D3B75F764B14345500BF420322B3C737065BDB82

Uniqueness

Uniqueness Score: -1.00%

Function 00EC77CC, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\T3AtsGGHEL.exe, xrefs: 00EC780F, 00EC7816, 00EC784C

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Users\user\Desktop\T3AtsGGHEL.exe
API String ID: 0-3341910482
Opcode ID: 0da71a971876ea2d349e7a5c611c2a6a523a5950821bea60fd59ca8ecadc9b3b
Instruction ID: a26c0e68d06c89fc9f067a2f0858318f8f8d4fcb148efff13b94bcc469acf5a4
Opcode Fuzzy Hash: 0da71a971876ea2d349e7a5c611c2a6a523a5950821bea60fd59ca8ecadc9b3b
Instruction Fuzzy Hash: D141E772E04218AFCB15DF99DE85E9EBBF8EB85300B14106EE544B7251D6728E42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00EC52AD, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00EC52D2

Strings

MOC, xrefs: 00EC52E4
RCC, xrefs: 00EC52EC

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 96c64c3535e59500d48695bf00b47166245760e4bbaae752615197a2248e4ffc
Instruction ID: f751f1afa82513f2f67dc673f8eb6cbd58cbae2ff879219acfed67fdd9cad576
Opcode Fuzzy Hash: 96c64c3535e59500d48695bf00b47166245760e4bbaae752615197a2248e4ffc
Instruction Fuzzy Hash: 04416672900648EFCF15CF98CA81FEEBBB1BF08344F185098F9047A255D276A992DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA9F5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00ECA79F: GetOEMCP.KERNEL32(00000000,00ECAA10,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ECA7CA

_free.LIBCMT ref: 00ECAA6D

Strings

1, xrefs: 00ECAA95

Memory Dump Source

Source File: 00000001.00000002.275028533.0000000000EB1000.00000020.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000001.00000002.275025538.0000000000EB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.275040737.0000000000ED3000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: 1
API String ID: 269201875-1475023258
Opcode ID: d1211672d5e2cb3a637d7d8bee10319d1c8d1a2162d5580ebf1e2aff649746cb
Instruction ID: ff92caa9b68f6274f9f4e0d950a4b1f36df52a763372dc4b85c240b8b83b6dfb
Opcode Fuzzy Hash: d1211672d5e2cb3a637d7d8bee10319d1c8d1a2162d5580ebf1e2aff649746cb
Instruction Fuzzy Hash: 41318A72900209AFCB11DF68DA80F9E77F5EF44318F19516EF814AB291EB329D12CB52

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report T3AtsGGHEL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Function 00EC3002, Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167
libraryloaderCOMMON