Edit tour

Windows Analysis Report
WOa6j2H74T.exe

Overview

General Information

Sample name:	WOa6j2H74T.exe renamed because original name is a hash value
Original sample name:	Trojan.Autorun.ATA_virussign.com_51860ea17becba33c595476abe682eb2.exe
Analysis ID:	1507015
MD5:	51860ea17becba33c595476abe682eb2
SHA1:	fc01d590d36f9257ae07c4ab725cef1fc8263915
SHA256:	c0d5fa19da063ee5cb0b19609af266de36130222ae896eee0e26f44429c2dc26
Infos:

Detection

Urelas

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Urelas

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion NT Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

WOa6j2H74T.exe (PID: 6796 cmdline: "C:\Users\user\Desktop\WOa6j2H74T.exe" MD5: 51860EA17BECBA33C595476ABE682EB2)

biudfw.exe (PID: 7024 cmdline: "C:\Users\user\AppData\Local\Temp\biudfw.exe" MD5: AAA38936E9DF59C23E9D53A4C521892C)

cmd.exe (PID: 7092 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\sanfdr.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

Threatname: Urelas

{"C2 url": ["218.54.47.77", "218.54.47.74"], "Drop filename": ["houtue", "biudfw"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Urelas	Yara detected Urelas	Joe Security
00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Urelas	Yara detected Urelas	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.WOa6j2H74T.exe.3f0000.0.unpack	JoeSecurity_Urelas	Yara detected Urelas	Joe Security
1.2.biudfw.exe.270000.0.unpack	JoeSecurity_Urelas	Yara detected Urelas	Joe Security

Sigma Signatures

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\biudfw.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\WOa6j2H74T.exe, ProcessId: 6796, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run

Suricata Signatures

ETPRO MALWARE Rootkit.Win32.Bootkor.ha CnC Traffic

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-08T06:59:11.093180+0200	2804923	1	Malware Command and Control Activity Detected	192.168.2.4	49730	218.54.47.76	11120	TCP
2024-09-08T06:59:32.453428+0200	2804923	1	Malware Command and Control Activity Detected	192.168.2.4	49737	218.54.47.74	11150	TCP
2024-09-08T06:59:53.828468+0200	2804923	1	Malware Command and Control Activity Detected	192.168.2.4	49738	218.54.47.76	11170	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: WOa6j2H74T.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\biudfw.exe

Avira: detection malicious, Label: BDS/Backdoor.Gen7

Found malware configuration

Source: golfinfo.ini.0.dr

Malware Configuration Extractor: Urelas {"C2 url": ["218.54.47.77", "218.54.47.74"], "Drop filename": ["houtue", "biudfw"]}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\biudfw.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: WOa6j2H74T.exe

Joe Sandbox ML: detected

Source: WOa6j2H74T.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: WOa6j2H74T.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2804923 - Severity 1 - ETPRO MALWARE Rootkit.Win32.Bootkor.ha CnC Traffic : 192.168.2.4:49738 -> 218.54.47.76:11170
Source: Network traffic	Suricata IDS: 2804923 - Severity 1 - ETPRO MALWARE Rootkit.Win32.Bootkor.ha CnC Traffic : 192.168.2.4:49737 -> 218.54.47.74:11150
Source: Network traffic	Suricata IDS: 2804923 - Severity 1 - ETPRO MALWARE Rootkit.Win32.Bootkor.ha CnC Traffic : 192.168.2.4:49730 -> 218.54.47.76:11120

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 218.54.47.77
Source: Malware configuration extractor	IPs: 218.54.47.74

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 218.54.47.76:11120
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 218.54.47.74:11150

Source: Joe Sandbox View	IP Address: 218.54.47.74 218.54.47.74
Source: Joe Sandbox View	IP Address: 218.54.47.76 218.54.47.76
Source: Joe Sandbox View	IP Address: 218.54.47.77 218.54.47.77

Source: Joe Sandbox View	ASN Name: SKB-ASSKBroadbandCoLtdKR SKB-ASSKBroadbandCoLtdKR
Source: Joe Sandbox View	ASN Name: SKB-ASSKBroadbandCoLtdKR SKB-ASSKBroadbandCoLtdKR
Source: Joe Sandbox View	ASN Name: SKB-ASSKBroadbandCoLtdKR SKB-ASSKBroadbandCoLtdKR

Source: unknown	TCP traffic detected without corresponding DNS query: 218.54.47.76
Source: unknown	TCP traffic detected without corresponding DNS query: 218.54.47.76
Source: unknown	TCP traffic detected without corresponding DNS query: 218.54.47.76
Source: unknown	TCP traffic detected without corresponding DNS query: 218.54.47.76
Source: unknown	TCP traffic detected without corresponding DNS query: 218.54.47.76
Source: unknown	TCP traffic detected without corresponding DNS query: 218.54.47.74
Source: unknown	TCP traffic detected without corresponding DNS query: 218.54.47.74
Source: unknown	TCP traffic detected without corresponding DNS query: 218.54.47.74
Source: unknown	TCP traffic detected without corresponding DNS query: 218.54.47.74
Source: unknown	TCP traffic detected without corresponding DNS query: 218.54.47.74
Source: unknown	TCP traffic detected without corresponding DNS query: 218.54.47.76
Source: unknown	TCP traffic detected without corresponding DNS query: 218.54.47.76
Source: unknown	TCP traffic detected without corresponding DNS query: 218.54.47.76
Source: unknown	TCP traffic detected without corresponding DNS query: 218.54.47.76
Source: unknown	TCP traffic detected without corresponding DNS query: 218.54.47.76

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

Code function: 0_2_003F54C0 _memset,_memset,recv,recv,WSAGetLastError,_memcmp,_memmove,_memmove,

0_2_003F54C0

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

Code function: 0_2_003F3280: CreateFileW,DeviceIoControl,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindCloseChangeNotification,

0_2_003F3280

Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Code function: 0_2_003FAD16	0_2_003FAD16
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Code function: 0_2_003F25D0	0_2_003F25D0
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Code function: 0_2_004024D6	0_2_004024D6
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Code function: 0_2_003F7CA8	0_2_003F7CA8
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Code function: 0_2_00401C89	0_2_00401C89
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Code function: 0_2_004020A1	0_2_004020A1
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Code function: 0_2_0040290B	0_2_0040290B
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Code function: 0_2_00401795	0_2_00401795
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Code function: 1_2_002725D0	1_2_002725D0
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Code function: 1_2_002820A1	1_2_002820A1
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Code function: 1_2_00277CA8	1_2_00277CA8
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Code function: 1_2_00281C89	1_2_00281C89
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Code function: 1_2_002824D6	1_2_002824D6
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Code function: 1_2_0028290B	1_2_0028290B
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Code function: 1_2_0027AD16	1_2_0027AD16
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Code function: 1_2_00281795	1_2_00281795

Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Code function: String function: 003F94F0 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Code function: String function: 002794F0 appears 34 times

Source: WOa6j2H74T.exe, 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamebhydtfre.exe8 vs WOa6j2H74T.exe

Source: WOa6j2H74T.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/3@0/3

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

File created: C:\Users\user\AppData\Local\Temp\golfinfo.ini

Jump to behavior

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\sanfdr.bat" "

Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Command line argument: Hutdre	0_2_003F19F0
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Command line argument: Polkkhdfte	0_2_003F19F0
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Command line argument: Hutdre	0_2_003F19F0
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Command line argument: Polkkhdfte	0_2_003F19F0
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Command line argument: 218.54.31.226	0_2_003F19F0
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Command line argument: djfuhgdt.exe	0_2_003F19F0
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Command line argument: Hutdre	1_2_002719F0
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Command line argument: Polkkhdfte	1_2_002719F0
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Command line argument: Hutdre	1_2_002719F0
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Command line argument: Polkkhdfte	1_2_002719F0
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Command line argument: 218.54.47.74	1_2_002719F0
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Command line argument: djfuhgdt.exe	1_2_002719F0
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Command line argument: djfuhgdt.exe	1_2_002719F0
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Command line argument: djfuhgdt.exe	1_2_002719F0

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

File read: C:\Users\user\Desktop\WOa6j2H74T.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\WOa6j2H74T.exe "C:\Users\user\Desktop\WOa6j2H74T.exe"
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Process created: C:\Users\user\AppData\Local\Temp\biudfw.exe "C:\Users\user\AppData\Local\Temp\biudfw.exe"
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\sanfdr.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Process created: C:\Users\user\AppData\Local\Temp\biudfw.exe "C:\Users\user\AppData\Local\Temp\biudfw.exe"	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\sanfdr.bat" "	Jump to behavior

Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

File written: C:\Users\user\AppData\Local\Temp\golfinfo.ini

Jump to behavior

Source: WOa6j2H74T.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Unpacked PE file: 0.2.WOa6j2H74T.exe.3f0000.0.unpack HSUDHUHW:EW;HSUDHUHW:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Unpacked PE file: 1.2.biudfw.exe.270000.0.unpack HSUDHUHW:EW;HSUDHUHW:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

Code function: 0_2_00400829 RtlEncodePointer,RtlEncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_00400829

Source: initial sample

Static PE information: section where entry point is pointing to: HSUDHUHW

Source: WOa6j2H74T.exe	Static PE information: section name: HSUDHUHW
Source: WOa6j2H74T.exe	Static PE information: section name: HSUDHUHW
Source: biudfw.exe.0.dr	Static PE information: section name: HSUDHUHW
Source: biudfw.exe.0.dr	Static PE information: section name: HSUDHUHW

Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Code function: 0_2_003F9535 push ecx; ret	0_2_003F9548
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Code function: 0_2_003FE58D push edi; ret	0_2_003FE58F
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Code function: 0_2_003FE62B push edi; ret	0_2_003FE62D
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Code function: 0_2_003FE359 push esi; ret	0_2_003FE369
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Code function: 1_2_00279535 push ecx; ret	1_2_00279548
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Code function: 1_2_0027E58D push edi; ret	1_2_0027E58F
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Code function: 1_2_0027E62B push edi; ret	1_2_0027E62D
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Code function: 1_2_0027E359 push esi; ret	1_2_0027E369

Source: WOa6j2H74T.exe	Static PE information: section name: HSUDHUHW entropy: 7.889335703941072
Source: biudfw.exe.0.dr	Static PE information: section name: HSUDHUHW entropy: 7.889335703941072

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

File created: C:\Users\user\AppData\Local\Temp\biudfw.exe

Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Run

Jump to behavior

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

Code function: 0_2_003F7CA8 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_003F7CA8

Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\biudfw.exe

Window / User API: threadDelayed 706

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\biudfw.exe TID: 6176	Thread sleep count: 706 > 30			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe TID: 6176	Thread sleep time: -141200s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

File opened: PHYSICALDRIVE0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: biudfw.exe, 00000001.00000003.2408452676.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, biudfw.exe, 00000001.00000002.2408852624.00000000008C9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

0_2_00400829

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

0_2_00400829

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

0_2_00400829

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

Code function: 0_2_00403429 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00403429

Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Code function: 0_2_003F7EE7 SetUnhandledExceptionFilter,	0_2_003F7EE7
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Code function: 0_2_003F7F0A SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003F7F0A
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Code function: 1_2_00277EE7 SetUnhandledExceptionFilter,	1_2_00277EE7
Source: C:\Users\user\AppData\Local\Temp\biudfw.exe	Code function: 1_2_00277F0A SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00277F0A

Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Process created: C:\Users\user\AppData\Local\Temp\biudfw.exe "C:\Users\user\AppData\Local\Temp\biudfw.exe"			Jump to behavior
Source: C:\Users\user\Desktop\WOa6j2H74T.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\sanfdr.bat" "			Jump to behavior

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

Code function: 0_2_003FC755 cpuid

0_2_003FC755

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

Code function: 0_2_003FC5D3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_003FC5D3

Source: C:\Users\user\Desktop\WOa6j2H74T.exe

Code function: 0_2_003F2B50 _memset,GetVersionExW,

0_2_003F2B50

Stealing of Sensitive Information

Yara detected Urelas

Source: Yara match	File source: 0.2.WOa6j2H74T.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.biudfw.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Urelas

Source: Yara match	File source: 0.2.WOa6j2H74T.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.biudfw.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Command and Scripting Interpreter	1 Scripting	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	11 Process Injection	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WOa6j2H74T.exe	100%	Avira	BDS/Backdoor.Gen7
WOa6j2H74T.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\biudfw.exe	100%	Avira	BDS/Backdoor.Gen7
C:\Users\user\AppData\Local\Temp\biudfw.exe	100%	Joe Sandbox ML

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
218.54.47.74	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
218.54.47.76	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
218.54.47.77	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1507015
Start date and time:	2024-09-08 06:58:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WOa6j2H74T.exe renamed because original name is a hash value
Original Sample Name:	Trojan.Autorun.ATA_virussign.com_51860ea17becba33c595476abe682eb2.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/3@0/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 77 Number of non-executed functions: 63
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: WOa6j2H74T.exe

Simulations

Behavior and APIs

Time	Type	Description
00:59:40	API Interceptor	562x Sleep call for process: biudfw.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
218.54.47.74	sJM8debK7e.exe	Get hash	malicious	Urelas	Browse
	LisectAVT_2403002C_111.exe	Get hash	malicious	Urelas	Browse
	LisectAVT_2403002C_111.exe	Get hash	malicious	Urelas	Browse
	7Y18r(153).exe	Get hash	malicious	Unknown	Browse
	7Y18r(153).exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.MulDrop27.23534.8399.1150.exe	Get hash	malicious	Urelas	Browse
	NE4fwXuRau.exe	Get hash	malicious	Urelas	Browse
	NE4fwXuRau.exe	Get hash	malicious	Urelas	Browse
	7vbzmyVelq.exe	Get hash	malicious	Urelas	Browse
	7vbzmyVelq.exe	Get hash	malicious	Urelas	Browse
218.54.47.76	sJM8debK7e.exe	Get hash	malicious	Urelas	Browse
	LisectAVT_2403002C_111.exe	Get hash	malicious	Urelas	Browse
	LisectAVT_2403002C_111.exe	Get hash	malicious	Urelas	Browse
	7Y18r(153).exe	Get hash	malicious	Unknown	Browse
	7Y18r(153).exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.MulDrop27.23534.8399.1150.exe	Get hash	malicious	Urelas	Browse
	NE4fwXuRau.exe	Get hash	malicious	Urelas	Browse
	NE4fwXuRau.exe	Get hash	malicious	Urelas	Browse
	7vbzmyVelq.exe	Get hash	malicious	Urelas	Browse
	7vbzmyVelq.exe	Get hash	malicious	Urelas	Browse
218.54.47.77	sJM8debK7e.exe	Get hash	malicious	Urelas	Browse
	NE4fwXuRau.exe	Get hash	malicious	Urelas	Browse
	NE4fwXuRau.exe	Get hash	malicious	Urelas	Browse
	7vbzmyVelq.exe	Get hash	malicious	Urelas	Browse
	7vbzmyVelq.exe	Get hash	malicious	Urelas	Browse
	QNM3FstFZi.exe	Get hash	malicious	Unknown	Browse
	QNM3FstFZi.exe	Get hash	malicious	Unknown	Browse
	B6eW7WDNf1.exe	Get hash	malicious	Unknown	Browse
	B6eW7WDNf1.exe	Get hash	malicious	Unknown	Browse
	9eLEXkOKIf.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKB-ASSKBroadbandCoLtdKR	sJM8debK7e.exe	Get hash	malicious	Urelas	Browse	218.54.47.77
	jjq16IZYZT.exe	Get hash	malicious	Urelas	Browse	218.54.31.165
	KoAPjNznKV.exe	Get hash	malicious	RifDoor	Browse	175.117.144.67
	KoAPjNznKV.exe	Get hash	malicious	RifDoor	Browse	175.117.144.67
	JeFu7HwJRa.exe	Get hash	malicious	SmokeLoader	Browse	123.213.233.131
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	114.203.17.23
	arm5.elf	Get hash	malicious	Unknown	Browse	211.49.172.2
	arm6.elf	Get hash	malicious	Unknown	Browse	116.121.126.16
	m68k.elf	Get hash	malicious	Unknown	Browse	116.121.149.115
	sh4.elf	Get hash	malicious	Unknown	Browse	175.120.106.89
SKB-ASSKBroadbandCoLtdKR	sJM8debK7e.exe	Get hash	malicious	Urelas	Browse	218.54.47.77
	jjq16IZYZT.exe	Get hash	malicious	Urelas	Browse	218.54.31.165
	KoAPjNznKV.exe	Get hash	malicious	RifDoor	Browse	175.117.144.67
	KoAPjNznKV.exe	Get hash	malicious	RifDoor	Browse	175.117.144.67
	JeFu7HwJRa.exe	Get hash	malicious	SmokeLoader	Browse	123.213.233.131
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	114.203.17.23
	arm5.elf	Get hash	malicious	Unknown	Browse	211.49.172.2
	arm6.elf	Get hash	malicious	Unknown	Browse	116.121.126.16
	m68k.elf	Get hash	malicious	Unknown	Browse	116.121.149.115
	sh4.elf	Get hash	malicious	Unknown	Browse	175.120.106.89
SKB-ASSKBroadbandCoLtdKR	sJM8debK7e.exe	Get hash	malicious	Urelas	Browse	218.54.47.77
	jjq16IZYZT.exe	Get hash	malicious	Urelas	Browse	218.54.31.165
	KoAPjNznKV.exe	Get hash	malicious	RifDoor	Browse	175.117.144.67
	KoAPjNznKV.exe	Get hash	malicious	RifDoor	Browse	175.117.144.67
	JeFu7HwJRa.exe	Get hash	malicious	SmokeLoader	Browse	123.213.233.131
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	114.203.17.23
	arm5.elf	Get hash	malicious	Unknown	Browse	211.49.172.2
	arm6.elf	Get hash	malicious	Unknown	Browse	116.121.126.16
	m68k.elf	Get hash	malicious	Unknown	Browse	116.121.149.115
	sh4.elf	Get hash	malicious	Unknown	Browse	175.120.106.89

Process:	C:\Users\user\Desktop\WOa6j2H74T.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61414
Entropy (8bit):	7.836430081479301
Encrypted:	false
SSDEEP:	768:n5mhew0GpSyMe6hwUkdwJzh+qciaQRENEzxZbARtR06g2wqp4YPeznellmqGwxPB:nK0GjMeQG3iaQREuVZ6ro29p4YxbKd2
MD5:	AAA38936E9DF59C23E9D53A4C521892C
SHA1:	BE2B044DEFE5AF96A5332D4A2360CFACEAADFDE5
SHA-256:	48E7481AD23B454F2078D9490F460702EF9A6EABE2ABB6803D906B9173A11C9A
SHA-512:	0571D5FCF4948BFACD077C07A5EAD6BA4D42C276943AEA1398EE69BEF5F8880CA26FC0C337C413449AC7566B0B579A5AE1AAB37F08F7B933035391D50DF1C795
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...................................\|...........!..L.!This program cannot be run in DOS mode....$...PE..L.....T............................[E.......@....@..........................P............@.................................`d.......`..E....................f.......................................e..H...........................................HSUDHUHW.P..............................HSUDHUHW.....`..........................................................................................................H...............X.......................................................x...........................................................................................................................................................................................................m...0.......................H.......J...........................g...p...........................................................................................X...@...........................

C:\Users\user\AppData\Local\Temp\golfinfo.ini

Download File

Process:	C:\Users\user\Desktop\WOa6j2H74T.exe
File Type:	Non-ISO extended-ASCII text, with very long lines (512), with no line terminators
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.912697033216233
Encrypted:	false
SSDEEP:	3:0yafGaY+k8RMarpaNafPalrRRhkAvj8a2C+aZR0Aaz:0++kuP0IakKH2c92
MD5:	55E10A9AF74D3F3FA5AE3CB7FF5AD9D4
SHA1:	449221FD8D7196A54DE2BD583625D8D1B64DB56A
SHA-256:	A945A44CFE50423C01F26A16445ED177A347052E791364A9CB7DE6BCAA18F3C1
SHA-512:	4AF5BA74467B4C61302EA9571F19346C05F911843F2C6153FCD9A7340F9BC6E1F8867CDB72EC7BA0DC4930199AA5C302711AD5DA9FD35241839418F6E70A515A
Malicious:	false
Reputation:	low
Preview:	......................................................................................................................................................................................................................................................................................................q.....................................................................................................................................................................+...................................................

C:\Users\user\AppData\Local\Temp\sanfdr.bat

Download File

Process:	C:\Users\user\Desktop\WOa6j2H74T.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.81692577913247
Encrypted:	false
SSDEEP:	6:mRoiowvyFOwvyf0WIwRo2Fowkn23fvhLYH:mRoeSJKLrRlRfXdq
MD5:	E2E65CC3C9C10642257914C3477D9BF2
SHA1:	4143BF53CE902B5845663045239D9E6F90747FF3
SHA-256:	94AEB1CAB015796F09C07CC3E7158D1529E3A0FEBAD0C3AB073BE27ED00A01BF
SHA-512:	628F6ABBF0E3FDEF6A33315BFCD71D5B5FE7FC3F1B61A1D7F23CF0082D1782857CBD435F7CF9D0619E21351BD42A8DF863F11EA36F5BDD88B994FA901765ABB6
Malicious:	false
Reputation:	low
Preview:	:Repeat..del "C:\Users\user\Desktop\WOa6j2H74T.exe".if exist "C:\Users\user\Desktop\WOa6j2H74T.exe" goto Repeat..rmdir "C:\Users\user\Desktop"..del "C:\Users\user\AppData\Local\Temp\sanfdr.bat"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.836997409371848
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WOa6j2H74T.exe
File size:	61'390 bytes
MD5:	51860ea17becba33c595476abe682eb2
SHA1:	fc01d590d36f9257ae07c4ab725cef1fc8263915
SHA256:	c0d5fa19da063ee5cb0b19609af266de36130222ae896eee0e26f44429c2dc26
SHA512:	5c672bd185dd487c6065b0628e23f1d9ee9af77c6a21699f39b5b9f7fa3a0bd03c46a1120301248ba1f28ba01eee01d5872f85bde619c0b05eb71b2be3cfd5d9
SSDEEP:	768:n5mhew0GpSyMe6hwUkdwJzh+qciaQRENEzxZbARtR06g2wqp4YPeznellmqGwxPr:nK0GjMeQG3iaQREuVZ6ro29p4YxbKdg
TLSH:	3053F1734199085FC04E037F42E28E98B63BDF4613664D81867F68A899A4CE87F5FD0E
File Content Preview:	MZ......................@...................................\|...........!..L.!This program cannot be run in DOS mode....$...PE..L......T............................[E.......@....@..........................P............@.................................`d.

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x43455b
Entrypoint Section:	HSUDHUHW
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x549CE7C3 [Fri Dec 26 04:44:51 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	b892955ae494fe908bdf52e81e1dfa4c

Entrypoint Preview

Instruction
pushad
call 00007FCF38F76025h
pop ebx
lea ebx, dword ptr [ebx-3Ah]
add dword ptr [ebx], ebx
mov edx, dword ptr [ebx]
lea esi, dword ptr [ebx+14h]
push 00000008h
pop ecx
add dword ptr [esi], edx
lodsd
dec ecx
jne 00007FCF38F7601Ch
mov ebp, eax
mov byte ptr [esi], FFFFFFE9h
mov eax, dword ptr [ebx+0Ch]
mov dword ptr [esi+01h], eax
push 00000004h
push 00001000h
push dword ptr [ebx+08h]
push ecx
call dword ptr [ebp+08h]
mov edx, eax
mov esi, dword ptr [ebx+18h]
jmp 00007FCF38F7603Dh
mov edi, eax
add edi, dword ptr [ebx]
lodsd
mov ecx, eax
btr edi, 1Fh
jnc 00007FCF38F76026h
rep movsd
jmp 00007FCF38F7602Ch
pushad
push edx
push esi
push edi
call dword ptr [ebx+14h]
popad
add esi, ecx
lodsd
test eax, eax
jne 00007FCF38F76002h
push 00008000h
push eax
push edx
call dword ptr [ebp+0Ch]
lea eax, dword ptr [ebx+0Ch]
push eax
push 00000004h
push 00000001h
push dword ptr [ebx]
call dword ptr [ebp+10h]
mov eax, dword ptr [ebx+08h]
sub eax, dword ptr [ebx+04h]
push 00000004h
push 00001000h
push eax
push 00000000h
call dword ptr [ebp+08h]
pushad
push eax
push dword ptr [ebx+1Ch]
push dword ptr [ebx]
call dword ptr [ebx+14h]
popad
push 00008000h
push 00000000h
push eax
call dword ptr [ebp+0Ch]
lea eax, dword ptr [ebx+0Ch]
push eax
push dword ptr [ebx+0Ch]
push 00000001h
push dword ptr [ebx]
call dword ptr [ebp+10h]
mov esi, dword ptr [ebx+20h]
jmp 00007FCF38F76049h
add eax, dword ptr [ebx]
push eax
call dword ptr [ebp+00h]
mov edi, dword ptr [esi]
add edi, dword ptr [ebx]
jmp 00007FCF38F76034h
btr ecx, 1Fh
jc 00007FCF38F76026h
add ecx, dword ptr [ebx]
inc ecx
inc ecx
push eax
push ecx
push eax
call dword ptr [ebp+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x26460	0x8c	HSUDHUHW
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x445	HSUDHUHW
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26600	0x14	HSUDHUHW
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x265b8	0x48	HSUDHUHW
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
HSUDHUHW	0x1000	0x25000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
HSUDHUHW	0x26000	0xf000	0xe708	9f0e0d9e0403c0423cfe39666a344ec1	False	0.977546327607196	data	7.889335703941072	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1f310	0x2e8	empty	English	United States	0
RT_ICON	0x1f5f8	0x8a8	empty	English	United States	0
RT_ICON	0x1fec8	0x2e8	empty	English	United States	0
RT_ICON	0x201b0	0x8a8	empty	English	United States	0
RT_MENU	0x20a80	0x4a	empty	English	United States	0
RT_DIALOG	0x20ae0	0xc0	empty	English	United States	0
RT_STRING	0x20e58	0x40	empty	English	United States	0
RT_ACCELERATOR	0x20ad0	0x10	empty	English	United States	0
RT_GROUP_ICON	0x1fea0	0x22	empty	English	United States	0
RT_GROUP_ICON	0x20a58	0x22	empty	English	United States	0
RT_MANIFEST	0x262c8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.DLL	GetModuleHandleA, GetProcAddress, VirtualAlloc, VirtualFree, VirtualProtect
USER32.dll	EndPaint
ADVAPI32.dll	RegCloseKey
SHELL32.dll	ShellExecuteA
WS2_32.dll	WSAStartup
IPHLPAPI.DLL	GetAdaptersAddresses

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-08T06:59:11.093180+0200	2804923	ETPRO MALWARE Rootkit.Win32.Bootkor.ha CnC Traffic	1	192.168.2.4	49730	218.54.47.76	11120	TCP
2024-09-08T06:59:32.453428+0200	2804923	ETPRO MALWARE Rootkit.Win32.Bootkor.ha CnC Traffic	1	192.168.2.4	49737	218.54.47.74	11150	TCP
2024-09-08T06:59:53.828468+0200	2804923	ETPRO MALWARE Rootkit.Win32.Bootkor.ha CnC Traffic	1	192.168.2.4	49738	218.54.47.76	11170	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 8, 2024 06:59:11.088063002 CEST	49730	11120	192.168.2.4	218.54.47.76
Sep 8, 2024 06:59:11.093033075 CEST	11120	49730	218.54.47.76	192.168.2.4
Sep 8, 2024 06:59:11.093131065 CEST	49730	11120	192.168.2.4	218.54.47.76
Sep 8, 2024 06:59:11.093179941 CEST	49730	11120	192.168.2.4	218.54.47.76
Sep 8, 2024 06:59:11.097973108 CEST	11120	49730	218.54.47.76	192.168.2.4
Sep 8, 2024 06:59:32.445051908 CEST	11120	49730	218.54.47.76	192.168.2.4
Sep 8, 2024 06:59:32.445163965 CEST	49730	11120	192.168.2.4	218.54.47.76
Sep 8, 2024 06:59:32.447900057 CEST	49730	11120	192.168.2.4	218.54.47.76
Sep 8, 2024 06:59:32.448472023 CEST	49737	11150	192.168.2.4	218.54.47.74
Sep 8, 2024 06:59:32.452680111 CEST	11120	49730	218.54.47.76	192.168.2.4
Sep 8, 2024 06:59:32.453262091 CEST	11150	49737	218.54.47.74	192.168.2.4
Sep 8, 2024 06:59:32.453330040 CEST	49737	11150	192.168.2.4	218.54.47.74
Sep 8, 2024 06:59:32.453428030 CEST	49737	11150	192.168.2.4	218.54.47.74
Sep 8, 2024 06:59:32.458157063 CEST	11150	49737	218.54.47.74	192.168.2.4
Sep 8, 2024 06:59:53.819618940 CEST	11150	49737	218.54.47.74	192.168.2.4
Sep 8, 2024 06:59:53.819765091 CEST	49737	11150	192.168.2.4	218.54.47.74
Sep 8, 2024 06:59:53.823062897 CEST	49737	11150	192.168.2.4	218.54.47.74
Sep 8, 2024 06:59:53.823471069 CEST	49738	11170	192.168.2.4	218.54.47.76
Sep 8, 2024 06:59:53.827840090 CEST	11150	49737	218.54.47.74	192.168.2.4
Sep 8, 2024 06:59:53.828316927 CEST	11170	49738	218.54.47.76	192.168.2.4
Sep 8, 2024 06:59:53.828409910 CEST	49738	11170	192.168.2.4	218.54.47.76
Sep 8, 2024 06:59:53.828468084 CEST	49738	11170	192.168.2.4	218.54.47.76
Sep 8, 2024 06:59:53.833240986 CEST	11170	49738	218.54.47.76	192.168.2.4
Sep 8, 2024 07:00:15.198487043 CEST	11170	49738	218.54.47.76	192.168.2.4
Sep 8, 2024 07:00:15.198589087 CEST	49738	11170	192.168.2.4	218.54.47.76
Sep 8, 2024 07:00:15.199013948 CEST	49738	11170	192.168.2.4	218.54.47.76
Sep 8, 2024 07:00:15.203830957 CEST	11170	49738	218.54.47.76	192.168.2.4

Target ID:	0
Start time:	00:59:05
Start date:	08/09/2024
Path:	C:\Users\user\Desktop\WOa6j2H74T.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WOa6j2H74T.exe"
Imagebase:	0x3f0000
File size:	61'390 bytes
MD5 hash:	51860EA17BECBA33C595476ABE682EB2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Urelas, Description: Yara detected Urelas, Source: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:59:07
Start date:	08/09/2024
Path:	C:\Users\user\AppData\Local\Temp\biudfw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\biudfw.exe"
Imagebase:	0x270000
File size:	61'414 bytes
MD5 hash:	AAA38936E9DF59C23E9D53A4C521892C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Urelas, Description: Yara detected Urelas, Source: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:59:07
Start date:	08/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\sanfdr.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:59:07
Start date:	08/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 003F25D0 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 263sleepfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F25FC
_memset.LIBCMT ref: 003F261A
_memset.LIBCMT ref: 003F2631
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,74DF0F00), ref: 003F2646

Part of subcall function 003F1DA0: _memset.LIBCMT ref: 003F1DCC

GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,74DF0F00), ref: 003F266B
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,74DF0F00), ref: 003F26AC

Part of subcall function 003F2C40: _memset.LIBCMT ref: 003F2C6A
Part of subcall function 003F2C40: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 003F2C87
Part of subcall function 003F2C40: wsprintfW.USER32 ref: 003F2CCE

Part of subcall function 003F2CF0: _memset.LIBCMT ref: 003F2D24
Part of subcall function 003F2CF0: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 003F2D86

_memset.LIBCMT ref: 003F2714
_memset.LIBCMT ref: 003F272F
OpenEventW.KERNEL32(00020000,00000000,?), ref: 003F27B5
CloseHandle.KERNEL32(00000000), ref: 003F27C2
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 003F27D5
OpenEventW.KERNEL32(00020000,00000000,?), ref: 003F27E7
CloseHandle.KERNEL32(00000000), ref: 003F27F6
Sleep.KERNEL32(000001F4), ref: 003F2802
OpenEventW.KERNEL32(00020000,00000000,?), ref: 003F280F
Sleep.KERNEL32(000003E8), ref: 003F281A
DeleteFileW.KERNEL32(?), ref: 003F2823
_memset.LIBCMT ref: 003F28D2

Strings

_STOP, xrefs: 003F278D
.exe, xrefs: 003F2692

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset$EventFile$Open$CloseDeleteHandleModuleNameSleep$CreateDirectoryPathSystemTempwsprintf
String ID: .exe$_STOP
API String ID: 1186630344-2317897149
Opcode ID: 09c94d15824b0850de3329d7a845e2deff176e805826054c1054cb16c7dc45b7
Instruction ID: 75a56a8e5e1f8c2b855cf33e1a84cf320953a8de038797d2cc00f24cf417957e
Opcode Fuzzy Hash: 09c94d15824b0850de3329d7a845e2deff176e805826054c1054cb16c7dc45b7
Instruction Fuzzy Hash: 8AA1A3B590021DDADB11EBA0DC86BFA73B8EF04704F1001AAFB0DE7181EB759A55CB55

Function 003F19F0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 116sleepCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000067,Hutdre,00000064), ref: 003F1A1F
LoadStringW.USER32(?,0000006D,Polkkhdfte,00000064), ref: 003F1A2B

Part of subcall function 003F1B90: LoadIconW.USER32(?,0000006B), ref: 003F1BC9
Part of subcall function 003F1B90: LoadCursorW.USER32(00000000,00007F00), ref: 003F1BD9
Part of subcall function 003F1B90: LoadIconW.USER32(?,0000006C), ref: 003F1BFC
Part of subcall function 003F1B90: RegisterClassExW.USER32(00000030), ref: 003F1C09

CreateWindowExW.USER32(00000000,Polkkhdfte,Hutdre,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 003F1A60
LoadAcceleratorsW.USER32(?,0000006D), ref: 003F1A85
Sleep.KERNELBASE(000007D0), ref: 003F1A96
ExitProcess.KERNEL32 ref: 003F1AB5

Strings

Hutdre, xrefs: 003F1A17, 003F1A4E
Polkkhdfte, xrefs: 003F1A23, 003F1A53
218.54.31.226, xrefs: 003F1ADC

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Load$IconString$AcceleratorsClassCreateCursorExitProcessRegisterSleepWindow
String ID: 218.54.31.226$Hutdre$Polkkhdfte
API String ID: 1591761199-1006412384
Opcode ID: 645869f1c5869235e3e6a2ab46b1e9cb15c890221328186aee005d050da0d1a3
Instruction ID: 4cded816038eee36410249a08547a77c292495fe25218be246eb9c283d012279
Opcode Fuzzy Hash: 645869f1c5869235e3e6a2ab46b1e9cb15c890221328186aee005d050da0d1a3
Instruction Fuzzy Hash: AD319671784309E6E621BB60AD4BF7B36689F44B41F10012AFB44BE1D1EBF5A41487EE

Function 003FAD16 Relevance: 21.5, APIs: 14, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4132d93da7320108dd3783748a3d7780dac92a0d338165bcd42e85259dfcda29
Instruction ID: 9454f393dc910a327aace00ae09c4551afe4dadb50702cf5d35d3a9a1febf80c
Opcode Fuzzy Hash: 4132d93da7320108dd3783748a3d7780dac92a0d338165bcd42e85259dfcda29
Instruction Fuzzy Hash: DB326CB5A022298BCB26CF15DD916E9B7B5FB06310F0940E9E50AE7A91D7349E80CF52

Function 003F3280 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 97fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003F5D00: vswprintf.LIBCMT ref: 003F5D18

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 003F3332
DeviceIoControl.KERNELBASE(000000FF,00560000,00000000,00000000,?,00000400,?,00000000), ref: 003F3370
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003F3399
FindCloseChangeNotification.KERNELBASE(00000000), ref: 003F33CB

Strings

\\.\%s, xrefs: 003F330E
>0?, xrefs: 003F32F5, 003F330A, 003F330D
>0?, xrefs: 003F33AC

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: ChangeCloseControlCreateDeviceFileFindNotificationUnothrow_t@std@@@__ehfuncinfo$??2@vswprintf
String ID: >0?$>0?$\\.\%s
API String ID: 2740123200-1534651141
Opcode ID: 569ac4cdd73b5a5626cdc81144af59215da418e8b917990c4baa602cc3d947e9
Instruction ID: 480bc8a18bd9c437e68b43f51f1264f98e71aa15aac65b7ff70ec50f1a342e60
Opcode Fuzzy Hash: 569ac4cdd73b5a5626cdc81144af59215da418e8b917990c4baa602cc3d947e9
Instruction Fuzzy Hash: 9A414EB5E002089FDB24DF64D945BAEB7B5EF48700F5080A9E708FB281DA709B44CF59

Function 003FF20C Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMON

Download Yara Rule

APIs

___createFile.LIBCMT ref: 003FF457
___createFile.LIBCMT ref: 003FF498
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 003FF4C1
__dosmaperr.LIBCMT ref: 003FF4C8
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 003FF4DB
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 003FF4FE
__dosmaperr.LIBCMT ref: 003FF507
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 003FF510
__set_osfhnd.LIBCMT ref: 003FF540
__lseeki64_nolock.LIBCMT ref: 003FF5AA
__close_nolock.LIBCMT ref: 003FF5D0
__chsize_nolock.LIBCMT ref: 003FF600
__lseeki64_nolock.LIBCMT ref: 003FF612
__lseeki64_nolock.LIBCMT ref: 003FF70A
__lseeki64_nolock.LIBCMT ref: 003FF71F
__close_nolock.LIBCMT ref: 003FF77F

Part of subcall function 003FA382: FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,?,003FF5D5,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 003FA3D2
Part of subcall function 003FA382: GetLastError.KERNEL32(?,003FF5D5,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 003FA3DC
Part of subcall function 003FA382: __free_osfhnd.LIBCMT ref: 003FA3E9
Part of subcall function 003FA382: __dosmaperr.LIBCMT ref: 003FA40B

Part of subcall function 003F80EA: __getptd_noexit.LIBCMT ref: 003F80EA

__lseeki64_nolock.LIBCMT ref: 003FF7A1
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 003FF8D6
___createFile.LIBCMT ref: 003FF8F5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 003FF902
__dosmaperr.LIBCMT ref: 003FF909
__free_osfhnd.LIBCMT ref: 003FF929
__invoke_watson.LIBCMT ref: 003FF957
__wsopen_helper.LIBCMT ref: 003FF971

Strings

@, xrefs: 003FF52C

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$Close___create$Handle__close_nolock__free_osfhnd$ChangeFindNotificationType__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3388700018-2766056989
Opcode ID: f8c2e9ea42b8481220370d4a491fced7fbf6f00b299e884bbf67f43782edefd1
Instruction ID: 597846fc884ceaaceaa37bb2bb45ebc0b32873134a863c08492f127a4e99f963
Opcode Fuzzy Hash: f8c2e9ea42b8481220370d4a491fced7fbf6f00b299e884bbf67f43782edefd1
Instruction Fuzzy Hash: 6622D07590010EAFEB2B9F68D842BBE7B65EF05350F254239EF21AB2E1CB358D448751

Function 003F2110 Relevance: 35.3, APIs: 12, Strings: 8, Instructions: 323fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F213C
_memset.LIBCMT ref: 003F215A
_memset.LIBCMT ref: 003F2170
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,74DF0F00), ref: 003F2184
DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,74DF0F00), ref: 003F21AA

Part of subcall function 003F25D0: _memset.LIBCMT ref: 003F25FC
Part of subcall function 003F25D0: _memset.LIBCMT ref: 003F261A
Part of subcall function 003F25D0: _memset.LIBCMT ref: 003F2631
Part of subcall function 003F25D0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,74DF0F00), ref: 003F2646
Part of subcall function 003F25D0: GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,74DF0F00), ref: 003F266B
Part of subcall function 003F25D0: DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,74DF0F00), ref: 003F26AC

Strings

houtue, xrefs: 003F23CC
Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 003F252A
HGDraw.dll, xrefs: 003F218A
Run, xrefs: 003F2573
biudfw, xrefs: 003F23EC
MSMP, xrefs: 003F2457
218.54.47.74, xrefs: 003F22F2
MSMP, xrefs: 003F2473

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset$File$DeletePathTemp$ModuleName
String ID: 218.54.47.74$HGDraw.dll$MSMP$MSMP$Run$Software\Microsoft\Windows NT\CurrentVersion\Windows$biudfw$houtue
API String ID: 3389175124-4147073176
Opcode ID: af4c606a4df4b75c86989a942bd726589175cbccb00679218e6609dc27fa79de
Instruction ID: ef29f20083186a64fe8c39d21d84f696313e1ac172c766541007f45fd3f3679b
Opcode Fuzzy Hash: af4c606a4df4b75c86989a942bd726589175cbccb00679218e6609dc27fa79de
Instruction Fuzzy Hash: 8DC1E6B1A4021CD6DB21DF60CC46BFA7374AF54700F0540EAEB49EB181EBB59A85CF98

Function 003F3780 Relevance: 28.3, APIs: 6, Strings: 10, Instructions: 287COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F37AA
_memset.LIBCMT ref: 003F37C7
_memset.LIBCMT ref: 003F37E4
GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,?,?,?,74DF0F00), ref: 003F3827
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,?,?,74DF0F00), ref: 003F38DA

Part of subcall function 003F66F4: __lock_file.LIBCMT ref: 003F6733

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 003F3C02

Strings

" goto Repeat, xrefs: 003F3A95
sanfdr.bat, xrefs: 003F37EC
open, xrefs: 003F3BFB
del ", xrefs: 003F3979
:Repeat, xrefs: 003F3961
", xrefs: 003F3B2F
if exist ", xrefs: 003F3A13
rmdir ", xrefs: 003F3AAD
del ", xrefs: 003F3B47
", xrefs: 003F39FB

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset$ExecuteFileModuleNamePathShellTemp__lock_file
String ID: "$"$" goto Repeat$:Repeat$del "$del "$if exist "$open$rmdir "$sanfdr.bat
API String ID: 2882992250-1728629311
Opcode ID: f4ffb2991238722bf4d0dcdd285a15c0a1a8efde6e25bee5d4f05d90e4574618
Instruction ID: 675bad81a437131f47fd08005eb5c42558fbd1230ec7ce045ed57fc7c919acb1
Opcode Fuzzy Hash: f4ffb2991238722bf4d0dcdd285a15c0a1a8efde6e25bee5d4f05d90e4574618
Instruction Fuzzy Hash: C7D12C71D0032CABDB26DB54CC86BE9B7B9AB58700F4441D9E6087B281DA716FC4CF55

Function 003F9B29 Relevance: 26.2, APIs: 17, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 933970785839b385e77f9b591488edb1f5b9c89a83778ebf43ef067b0be1b390
Instruction ID: 15a0a9d153d4962b35379b3e8f2657cdf03b78d800a6bd3498767c8109e89a02
Opcode Fuzzy Hash: 933970785839b385e77f9b591488edb1f5b9c89a83778ebf43ef067b0be1b390
Instruction Fuzzy Hash: 5B3247B1A0424EDFDB23CF58D840BBD7BB5EF15304F26445AEA95AB292C7308845C7A6

Function 003F2339 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 174COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00020000,00000000,0040BFEC), ref: 003F23A2

Strings

houtue, xrefs: 003F23CC
Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 003F252A
Run, xrefs: 003F2573
biudfw, xrefs: 003F23EC
MSMP, xrefs: 003F2457
MSMP, xrefs: 003F2473

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: EventOpen
String ID: MSMP$MSMP$Run$Software\Microsoft\Windows NT\CurrentVersion\Windows$biudfw$houtue
API String ID: 3658969616-224884892
Opcode ID: c924b0b1293fdf8713697f6d6dcb1238e69f8046fa13f8ff30f367136f4483f1
Instruction ID: bdd75acc91e2b3712b1d4f4e59d0d3d3d7056a27c0fdfc6ff0925153d1f1e313
Opcode Fuzzy Hash: c924b0b1293fdf8713697f6d6dcb1238e69f8046fa13f8ff30f367136f4483f1
Instruction Fuzzy Hash: 7161E6B1A4020C9BDB25DF10CC56BFAB775AB44700F0540E9EB49BB181EBB56E85CF98

Function 003F2DD0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 003F2E0F
_memset.LIBCMT ref: 003F2E27
_free.LIBCMT ref: 003F2E5E

Strings

_GBP, xrefs: 003F2F23
_GBP, xrefs: 003F2E75

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _free_malloc_memset
String ID: _GBP$_GBP
API String ID: 2338540524-3430829148
Opcode ID: f2d56ed3f4a2df43cc23072fb77df519d23461a9fbfac859fb8effaafa699599
Instruction ID: 8e83aea77c13fecb08911a840cb7aff5cf86e6fa82f1420837fc92f29a071059
Opcode Fuzzy Hash: f2d56ed3f4a2df43cc23072fb77df519d23461a9fbfac859fb8effaafa699599
Instruction Fuzzy Hash: 955159B5D1020CEBDF10DFA8C842AFFB7B5AF54314F148169E615BB380E679AA40CB91

Function 003F1B90 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 36windowregistryCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(?,0000006B), ref: 003F1BC9
LoadCursorW.USER32(00000000,00007F00), ref: 003F1BD9
LoadIconW.USER32(?,0000006C), ref: 003F1BFC
RegisterClassExW.USER32(00000030), ref: 003F1C09

Strings

Polkkhdfte, xrefs: 003F1BF5
m, xrefs: 003F1BEE
0, xrefs: 003F1BA3

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Load$Icon$ClassCursorRegister
String ID: 0$Polkkhdfte$m
API String ID: 4202395251-997551336
Opcode ID: 53eeb19766fa829599ac07fec233cec1519a78f55e8224bf170674ba96667235
Instruction ID: f9e54ebb98f6d1ade5ef0a9b10df0d36e8d7967174e8a95fa1a9d5cd357def22
Opcode Fuzzy Hash: 53eeb19766fa829599ac07fec233cec1519a78f55e8224bf170674ba96667235
Instruction Fuzzy Hash: A3010CB0D0130CEBDB00DFE0D91D79EBBB5EB08304F504169E6017B280D77A06548F98

Function 003F35D0 Relevance: 10.6, APIs: 7, Instructions: 104COMMON

Download Yara Rule

APIs

__wfopen_s.LIBCMT ref: 003F35FB
_fseek.LIBCMT ref: 003F361D
_fseek.LIBCMT ref: 003F363C
_malloc.LIBCMT ref: 003F364B
__fread_nolock.LIBCMT ref: 003F3664
__wfopen_s.LIBCMT ref: 003F3698

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __wfopen_s_fseek$__fread_nolock_malloc
String ID:
API String ID: 3146148979-0
Opcode ID: 94bf324ed4701b69f3b5211ad84b13413e8a4897038f51742875c25c9b7e1d3f
Instruction ID: d045d9d483d5ad8ebe94b71dc5790e9806490574535463ce3da44885a18e9289
Opcode Fuzzy Hash: 94bf324ed4701b69f3b5211ad84b13413e8a4897038f51742875c25c9b7e1d3f
Instruction Fuzzy Hash: 49311EF6E0020CBBDB01EBA4DC82BBF7778AF54300F144558FA05AB246E675A654CB95

Function 003F1C20 Relevance: 10.6, APIs: 7, Instructions: 97windowCOMMON

Download Yara Rule

APIs

73A246C0.USER32(?,?,?,?), ref: 003F1C5E
73A246C0.USER32(?,00000111,?,?), ref: 003F1C8E
BeginPaint.USER32(?,?), ref: 003F1CF1
EndPaint.USER32(?,?), ref: 003F1CFD
PostQuitMessage.USER32(00000000), ref: 003F1D19

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: A246Paint$BeginMessagePostQuit
String ID:
API String ID: 1189651601-0
Opcode ID: 3df1429d36fa3c7630d5385c40e1715d7e8e7f8b9a666af046d0e292975b1518
Instruction ID: 35dd1f031885c9867443f5efadc2080536b7acb02aa6fcab649f76aa884618c1
Opcode Fuzzy Hash: 3df1429d36fa3c7630d5385c40e1715d7e8e7f8b9a666af046d0e292975b1518
Instruction Fuzzy Hash: 8E21C37221450C9FCA15EF68ED0EABB7BA8EF89310F40051AFB469E191DA719820D796

Function 00424521 Relevance: 9.2, APIs: 6, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000007,?,00001000,00000004), ref: 0042458B
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004245BC
VirtualProtect.KERNELBASE(?,00000001,00000004,?), ref: 004245C9
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004245DC
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004245F2
VirtualProtect.KERNELBASE(?,00000001,?,?), ref: 00424600

Memory Dump Source

Source File: 00000000.00000002.1741743563.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00416000, based on PE: false

Similarity

API ID: Virtual$AllocFreeProtect
String ID:
API String ID: 267585107-0
Opcode ID: 4a367001df8ef4e723b2e4cf8afa5cea097167e6aa5976151d48924d4a0711c6
Instruction ID: faa9504c2701ae60bdc969d52770988cdc8cf1a53ac9ba9592b8549f1a7dc72a
Opcode Fuzzy Hash: 4a367001df8ef4e723b2e4cf8afa5cea097167e6aa5976151d48924d4a0711c6
Instruction Fuzzy Hash: 3751D171208351AFDB168F24CC85B663FB5FF43310B19808AE986DF187D678E805CB66

Function 003F2020 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F2062
GetTempPathW.KERNEL32(00000104,?,?,?,MSMP), ref: 003F2084
__wfopen_s.LIBCMT ref: 003F20B3

Strings

golfinfo.ini, xrefs: 003F208A
MSMP, xrefs: 003F2033

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: PathTemp__wfopen_s_memset
String ID: MSMP$golfinfo.ini
API String ID: 1039979586-1742890095
Opcode ID: 33ea832fed1b653483d2111d8a79d46072af38ee9cce5ea5433a59060a23b53c
Instruction ID: 122766c6867dd19bf8307fd19e83a41c2149686e8bc48de5692d05649e7f9072
Opcode Fuzzy Hash: 33ea832fed1b653483d2111d8a79d46072af38ee9cce5ea5433a59060a23b53c
Instruction Fuzzy Hash: 92116A71A5021D9BDB11EB648D4AFFE737C9F54300F0404E6BA09AA181EEB49E948B55

Function 003F1E40 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F1E9B
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 003F1EBE
GetTempPathW.KERNEL32(00000104,?,?,0040CB20), ref: 003F1EEB
__wfopen_s.LIBCMT ref: 003F1F20
__fread_nolock.LIBCMT ref: 003F1F3B

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: DirectoryPathSystemTemp__fread_nolock__wfopen_s_memset
String ID:
API String ID: 3270528022-0
Opcode ID: 284be05446126f3439301754b687ef245ff90fbb580f527c13e8f5d9ee3bdbf4
Instruction ID: a657b4e4453829b6ccd70c502724af616d8f795c72fc41f3f9a7039e0a91b5b7
Opcode Fuzzy Hash: 284be05446126f3439301754b687ef245ff90fbb580f527c13e8f5d9ee3bdbf4
Instruction Fuzzy Hash: D431C5B2A0031CABCB11EB64DC4AFFA737C9F44700F0441EAFB19AB181E7B09A458B51

Function 003F29A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F29C9
_memset.LIBCMT ref: 003F29DF

Part of subcall function 003F1F80: _memset.LIBCMT ref: 003F1FAC

DeleteFileW.KERNEL32(?), ref: 003F2AB9

Strings

golfset.ini, xrefs: 003F2A9F

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset$DeleteFile
String ID: golfset.ini
API String ID: 503654765-3745977089
Opcode ID: ce095b89a893963f20f67eee4f42b9db4577ae575d0c241836f000e6fd0a9f29
Instruction ID: 435deb310d2a97bb8075f96033a45ca0659464c52009af7f86d662fe708de098
Opcode Fuzzy Hash: ce095b89a893963f20f67eee4f42b9db4577ae575d0c241836f000e6fd0a9f29
Instruction Fuzzy Hash: 4F31A47490020CD6CF25DFA0D946BFA7374AF14704F1005AEEE09AB1C1FB719AA4CB95

Function 003F624B Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F62A7
_memcpy_s.LIBCMT ref: 003F6319
__filbuf.LIBCMT ref: 003F639A
_memset.LIBCMT ref: 003F63DE

Part of subcall function 003F80EA: __getptd_noexit.LIBCMT ref: 003F80EA

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 6f58bde4591ef774052385129c276cc52ccbb9ade525ec3238369c7ece82400a
Instruction ID: 8783315da8df5f20f47cc17b883451d52d7b65c7e3ada40816cd37c635ea58bf
Opcode Fuzzy Hash: 6f58bde4591ef774052385129c276cc52ccbb9ade525ec3238369c7ece82400a
Instruction Fuzzy Hash: 9151E634A0020DEBCB268FA9C98267E77B5EF50320F24872AFA35962E1D7709D509B40

Function 003F33F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,?,00000000), ref: 003F3485

Strings

\\.\PHYSICALDRIVE, xrefs: 003F340E

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CreateFile
String ID: \\.\PHYSICALDRIVE
API String ID: 823142352-1766338221
Opcode ID: 308bf6799015db2e8f02bd21b7af5e9ff003f7f396b33a0c006751a0aeeb083a
Instruction ID: 977865ea0e065265e84c4d2ebfa2214ea1ebd1afe430d64514702bc1cd905df6
Opcode Fuzzy Hash: 308bf6799015db2e8f02bd21b7af5e9ff003f7f396b33a0c006751a0aeeb083a
Instruction Fuzzy Hash: C2212C71A0030CEADB25DFA5DD06BAEB7B8AF44700F108169B709BB2D0E7745B49CB95

Function 003FC8C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 003FC920
__lseek_nolock.LIBCMT ref: 003FC93F

Part of subcall function 003F80B6: __getptd_noexit.LIBCMT ref: 003F80B6

Part of subcall function 003F80EA: __getptd_noexit.LIBCMT ref: 003F80EA

Strings

"6?, xrefs: 003FC938

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __getptd_noexit$___lock_fhandle__lseek_nolock
String ID: "6?
API String ID: 2897372107-4227004372
Opcode ID: 72e14d0c782f219dede372b367810ca47d6f3c021edcdc279ed66f250c0c3faf
Instruction ID: f58e5f05a17e37125406802ff880f96319e7114c9f85dc124de0f0844ea88a89
Opcode Fuzzy Hash: 72e14d0c782f219dede372b367810ca47d6f3c021edcdc279ed66f250c0c3faf
Instruction Fuzzy Hash: 7B11043286060DAFC7036FA88E5237E7760AF51321F569250E7242F1E3CFF849008762

Function 003F1DA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F1DCC

Part of subcall function 003F1E40: _memset.LIBCMT ref: 003F1E9B
Part of subcall function 003F1E40: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 003F1EBE
Part of subcall function 003F1E40: __wfopen_s.LIBCMT ref: 003F1F20
Part of subcall function 003F1E40: __fread_nolock.LIBCMT ref: 003F1F3B

Strings

golfinfo.ini, xrefs: 003F1DD3
MSMP, xrefs: 003F1DC5

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset$DirectorySystem__fread_nolock__wfopen_s
String ID: MSMP$golfinfo.ini
API String ID: 2404306169-1742890095
Opcode ID: 608f2ffbd710b5189608417bc4764b42014c7f6a7b8a5978f08e3e4d4c0489ca
Instruction ID: c6418744a7789a750baff68ea8a8fd9bce3dbe3810e8f6fd34551160a97d7e95
Opcode Fuzzy Hash: 608f2ffbd710b5189608417bc4764b42014c7f6a7b8a5978f08e3e4d4c0489ca
Instruction Fuzzy Hash: 46110431A1020C9BCB54DA68E855BFE77B8DB44310F1001E9F919EB192DE70AE85CA40

Function 003F1F80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F1FAC

Part of subcall function 003F1E40: _memset.LIBCMT ref: 003F1E9B
Part of subcall function 003F1E40: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 003F1EBE
Part of subcall function 003F1E40: __wfopen_s.LIBCMT ref: 003F1F20
Part of subcall function 003F1E40: __fread_nolock.LIBCMT ref: 003F1F3B

Strings

MSMP, xrefs: 003F1FA5
golfset.ini, xrefs: 003F1FB3

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset$DirectorySystem__fread_nolock__wfopen_s
String ID: MSMP$golfset.ini
API String ID: 2404306169-72712972
Opcode ID: 99965d597cf8808f59511ce61fa3bcd5ddd7073899a9b70615ff015e7c9cfd1f
Instruction ID: 821933f7eb578d0cd294cd3cdcf0f64a7545829d6c89bfcfc13c3647b066fdae
Opcode Fuzzy Hash: 99965d597cf8808f59511ce61fa3bcd5ddd7073899a9b70615ff015e7c9cfd1f
Instruction Fuzzy Hash: 6411C431B1030C9ADB55DA68EC45BBE77B8DB44310F5001A9E959EB192DF74AE45CA40

Function 003F2FB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F2FF8
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 003F300C

Part of subcall function 003F3280: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 003F3332
Part of subcall function 003F3280: FindCloseChangeNotification.KERNELBASE(00000000), ref: 003F33CB

Strings

(?, xrefs: 003F3063, 003F3066

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: ChangeCloseCreateDirectoryFileFindNotificationSystem_memset
String ID: (?
API String ID: 232342606-252319499
Opcode ID: f272a195913b4ce58c29d46c076015a2960651cce9a7929aa0c078b484078898
Instruction ID: 5f5af557a4daf6e6352dfc722bedd4fba2939572647d5e4209d750df5af91ae7
Opcode Fuzzy Hash: f272a195913b4ce58c29d46c076015a2960651cce9a7929aa0c078b484078898
Instruction Fuzzy Hash: 181193B1D4031C9BCB10EF68DD897EA7774AB54300F0046E9E61DAB291EA705B848F91

Function 003F3090 Relevance: 4.6, APIs: 3, Instructions: 73sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000064), ref: 003F30A5
_memset.LIBCMT ref: 003F30DE
Sleep.KERNELBASE(00000064), ref: 003F31BC

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Sleep$_memset
String ID:
API String ID: 3984771188-0
Opcode ID: 795765a5a23d90d93d35e480f59d7c746e27ef04131ec55b06eb40888634c3d3
Instruction ID: 4a14759fe26b4c95498aa6b05bcebe8e100453133d5ec9249f7316283380d42d
Opcode Fuzzy Hash: 795765a5a23d90d93d35e480f59d7c746e27ef04131ec55b06eb40888634c3d3
Instruction Fuzzy Hash: 94310974D4421C9BDB24DF54D889BE9B7B4AB58300F2082E9EA19A7392D7705B84CF85

Function 003F749C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 003F74A7

Strings

?9?, xrefs: 003F74A1

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __fsopen
String ID: ?9?
API String ID: 3646066109-1754585912
Opcode ID: bf5cddf6cdcf292e93ea6723c994e088edc5db0ae513d1c80474abae1941b879
Instruction ID: 225ec5d08354bdfdd4f015b5f7812dc9698958673dfc5b5ceed513a4d60dc261
Opcode Fuzzy Hash: bf5cddf6cdcf292e93ea6723c994e088edc5db0ae513d1c80474abae1941b879
Instruction Fuzzy Hash: DAB092B644420C77DE022A82EC02A993B1A9B40660F008021FF0C1C261E6B3B670A6C9

Function 003F659D Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003F6631
__flush.LIBCMT ref: 003F6651

Part of subcall function 003F80EA: __getptd_noexit.LIBCMT ref: 003F80EA

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __flush__getptd_noexit_memmove
String ID:
API String ID: 3662107617-0
Opcode ID: 7aab428c3b702eb1d6cf3c836fe6f57eb2ac01c382f5f3611c05b874f5588bc6
Instruction ID: a2bf3ca00836f181215108a7a0068c352ecb2de4847c2e981d8aa50b09aa4af7
Opcode Fuzzy Hash: 7aab428c3b702eb1d6cf3c836fe6f57eb2ac01c382f5f3611c05b874f5588bc6
Instruction Fuzzy Hash: E741067070070EAFDB1A8FA8C8929BE7BB9EF45364B24813DE609DB240DB74DD458B00

Function 003FA2B8 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 003FA30F
__close_nolock.LIBCMT ref: 003FA328

Part of subcall function 003F80B6: __getptd_noexit.LIBCMT ref: 003F80B6

Part of subcall function 003F80EA: __getptd_noexit.LIBCMT ref: 003F80EA

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: bf0de8d791f3888d9d8e70191ca9a2478161019ac7d13f057f6d06fa827e9b96
Instruction ID: ef3a1b97f7afd5610ec2ecad3dbf9a6eda6adc00201f17b96e4c3d45d1c55230
Opcode Fuzzy Hash: bf0de8d791f3888d9d8e70191ca9a2478161019ac7d13f057f6d06fa827e9b96
Instruction Fuzzy Hash: 8F11C2B2404A4DDEC303AFA8885277C3760AF56325F564352E6386F2E3CFB849418A57

Function 003F6429 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F6458
__lock_file.LIBCMT ref: 003F6479

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 9fd19fdf1dd1a55aa80e55f17f2260aa0f9ae11baaafe4af1a22586c403047fa
Instruction ID: afdc086f86d82b3dc1d2837ab3e47507e94073e789724a8d991cff926f5a72d0
Opcode Fuzzy Hash: 9fd19fdf1dd1a55aa80e55f17f2260aa0f9ae11baaafe4af1a22586c403047fa
Instruction Fuzzy Hash: C101887180020DEBCF13BF658C02ABF7B71AF40710F158216FA285A151DB358A51DF91

Function 003F6526 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 003F80EA: __getptd_noexit.LIBCMT ref: 003F80EA

__lock_file.LIBCMT ref: 003F656B

Part of subcall function 003F905D: __lock.LIBCMT ref: 003F9080

__fclose_nolock.LIBCMT ref: 003F6576

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 691ce9204b88b504ead51cdba3f8e31cd40d2e17c808b99a3b30db49d27d7193
Instruction ID: 67f323ef32048defe17c76bdd57db75912e4773aff3227f5586b57d1d18458bb
Opcode Fuzzy Hash: 691ce9204b88b504ead51cdba3f8e31cd40d2e17c808b99a3b30db49d27d7193
Instruction Fuzzy Hash: 97F0907180060E9AD713BB798807B7E77A16F42338F21821AE62CAF1D5CF7C49029A55

Function 003F72E8 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 003F7318
__ftell_nolock.LIBCMT ref: 003F7323

Part of subcall function 003F80EA: __getptd_noexit.LIBCMT ref: 003F80EA

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: b79a73d7f6312ad494501980c9b5fa6efa23e493b75f5a688a6be60ee64fbee2
Instruction ID: 83536d401ae2749072a0e717b4f252c163d16f9271f852a36ee797fee0aaa28d
Opcode Fuzzy Hash: b79a73d7f6312ad494501980c9b5fa6efa23e493b75f5a688a6be60ee64fbee2
Instruction Fuzzy Hash: 2FE0653190520DA6D7177B7458037BE66905F45334F654257FA14AF1C2CF788902A695

Function 003F9A20 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: ffabf5577671d8eaa8da6c2c8631697e229067e549dec76139609a0d5edb6ac9
Instruction ID: 6a39cf3be7407c57069bb44febca6455bfc251c5a3f80e010de9e81812455a67
Opcode Fuzzy Hash: ffabf5577671d8eaa8da6c2c8631697e229067e549dec76139609a0d5edb6ac9
Instruction Fuzzy Hash: 30218E3280424DAFCB03AF689C427793660AF55325F564252E6245F1F3CFB84800CA66

Function 003FAC34 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 003FAC93

Part of subcall function 003F80B6: __getptd_noexit.LIBCMT ref: 003F80B6

Part of subcall function 003F80EA: __getptd_noexit.LIBCMT ref: 003F80EA

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: da4dab0ab5442f7dc8ef60b40bd9e38d8346bc9f9cadec15f5b3d408035fe84b
Instruction ID: a74538b49f4f06f4abe6f3b0fd18d4046fc265b81184c5d3304e79202c193ec5
Opcode Fuzzy Hash: da4dab0ab5442f7dc8ef60b40bd9e38d8346bc9f9cadec15f5b3d408035fe84b
Instruction Fuzzy Hash: 111190B2800A0D9FD7036F6889523783660AF55325F568250FB386F2E3CFB849008767

Function 003F31E0 Relevance: 1.6, APIs: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(000000FF,003F310A,000000FF,000000FF,00000000,?,?,00000200,00000000), ref: 003F3265

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b482799a2dfaddae079dc082b937b817a26ed8adb5dcff888c31955c438c1ed0
Instruction ID: 45c8e9cde74b463a6285908fadd1642de9dceb8460fbfbefacf27f5483889558
Opcode Fuzzy Hash: b482799a2dfaddae079dc082b937b817a26ed8adb5dcff888c31955c438c1ed0
Instruction Fuzzy Hash: 0C2183B1D0120DAFCB44CFA9C985AEEBBF5AF8C310F108669E519B7240D7749A44CFA4

Function 003F66F4 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 003F6733

Part of subcall function 003F80EA: __getptd_noexit.LIBCMT ref: 003F80EA

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 4eebd572eb605107075d69a37557bfbb0da52f8497f555d116ef13e21ffa1fde
Instruction ID: d51b05db9d17aa2208c198774ec53efccc741af07b8fcf767ee09fca53999318
Opcode Fuzzy Hash: 4eebd572eb605107075d69a37557bfbb0da52f8497f555d116ef13e21ffa1fde
Instruction Fuzzy Hash: EDF0CD3190020EEADF23BF748C037BE3AA1AF00328F118125F6289E191DF798A46DF41

Function 00400AD2 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00400B11

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a4d26f7c01abb203e8f2b78f498ae1422b547579a0d74fed4110ef6555a91faa
Instruction ID: 9a0b7ecb056f35cdca5b30492e48b097d9cfb186b09329bb03415f5cb165b103
Opcode Fuzzy Hash: a4d26f7c01abb203e8f2b78f498ae1422b547579a0d74fed4110ef6555a91faa
Instruction Fuzzy Hash: 87F0F87650010DFBDF029F94DD02DEE7F6AEF083A4F104154FA10A51A1E7B6CA20AB90

Function 003F30F1 Relevance: 1.3, APIs: 1, Instructions: 10sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000064), ref: 003F31BC

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a18becf081ac0e9c4e745ddcc0df846797b154bfa5ef55bdfba9100a77958ecc
Instruction ID: 374c1589f7a30dc8ce5d000a2c489257729c8fc6eeea31facccc0328440f27c8
Opcode Fuzzy Hash: a18becf081ac0e9c4e745ddcc0df846797b154bfa5ef55bdfba9100a77958ecc
Instruction Fuzzy Hash: 8EC08C34A8100C8BCA04EB90DA0A67DB335EF98311F1001CABF0B6B381C9310A148A20

Function 003F3116 Relevance: 1.3, APIs: 1, Instructions: 10sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000064), ref: 003F31BC

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ba760883662a6ca884b42029437bcb6e6623c03c87388cb9558e3194e7e9744a
Instruction ID: 374c1589f7a30dc8ce5d000a2c489257729c8fc6eeea31facccc0328440f27c8
Opcode Fuzzy Hash: ba760883662a6ca884b42029437bcb6e6623c03c87388cb9558e3194e7e9744a
Instruction Fuzzy Hash: 8EC08C34A8100C8BCA04EB90DA0A67DB335EF98311F1001CABF0B6B381C9310A148A20

Non-executed Functions

Function 003F54C0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F54EA

Strings

AS101, xrefs: 003F56C0

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset
String ID: AS101
API String ID: 2102423945-3510149062
Opcode ID: fac8424eea28952d24eed572c5a2ff219aee976ece4cd365745ebaf013a32d02
Instruction ID: e86f5738355fe186d1a6527385d60344b87e331850b215c0d62264e2878b1558
Opcode Fuzzy Hash: fac8424eea28952d24eed572c5a2ff219aee976ece4cd365745ebaf013a32d02
Instruction Fuzzy Hash: 569108B49002A9CBDB25DF24CD45BA9B7F5BB44304F04D2EAD68DAB280DB745A84CF91

Function 003F2B50 Relevance: 3.1, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F2B97
GetVersionExW.KERNEL32(0000011C), ref: 003F2BB0

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Version_memset
String ID:
API String ID: 963298953-0
Opcode ID: a28c9dd934384be886c28c7e777933fdecb2c47c50e01194968525c0ca78b420
Instruction ID: 6f4ffa906cc9715fd63506e6b1b23d19136e6019061f6dc79c7e1c0e8f32a86e
Opcode Fuzzy Hash: a28c9dd934384be886c28c7e777933fdecb2c47c50e01194968525c0ca78b420
Instruction Fuzzy Hash: E521E37490121CDBCF25CF10D945BEEB7B4AF49314F0140E9DA896B240DB709EA4CF89

Function 003F7F0A Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,003F5DD0,00404258,00000001,?,003F5EE7,00404258,00000017), ref: 003F7F0F
UnhandledExceptionFilter.KERNEL32(00404258,?,003F5DD0,00404258,00000001,?,003F5EE7,00404258,00000017), ref: 003F7F18

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 30a5d934e902fd98cef763316ecbabe58e062c386fe7eb35f409285ede7c4db8
Instruction ID: dbd2a3b3042d51ff146eb0c77901b628df0d85a60ec69fcbde72f6c116f9ce87
Opcode Fuzzy Hash: 30a5d934e902fd98cef763316ecbabe58e062c386fe7eb35f409285ede7c4db8
Instruction Fuzzy Hash: 7AB09276048208EBDA002BD2ED09B883F2CEB84662F00C020F70E650608B7256608AA9

Function 003F7EE7 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 003F7EED

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0f245788cec240febea4f4c09a34936fd89d8fa9d44238e541b37b0735ed1d8e
Instruction ID: 9e3bf87b4bc9c1e6206a16e529b9c3f7947efefed94d3e617351625c97770ead
Opcode Fuzzy Hash: 0f245788cec240febea4f4c09a34936fd89d8fa9d44238e541b37b0735ed1d8e
Instruction Fuzzy Hash: A6A0123000410CE7CA001B82EC044447F1CD6401507008020F60D10021873355204594

Function 004024D6 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: d3e91aae975a41330bad0d1c746019dd59f6c732cd7d2b0379c2e2bbcaba30e5
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: B2C1A47620516349DB2D863A863813FBBA15FA17B231A077FD4B3DB2C4EE78C524D624

Function 0040290B Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 421700b139ef2640069724f8602edc890c3048f5ee774052e27d47ca9d368f97
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: B2C1A77220516349DF6D863A963803FBBA15B927B231A077FD4B3EB2C4EE78C524D614

Function 004020A1 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 86a7e8e20042965c384c9a0791f3ad19222aaa58e51a1cad9d9b54f72db16fc5
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: E6C1C7722051634ADF2D867A863803FBBA15BA17B231A077FD9B3DB2C4EE78C524D514

Function 00401C89 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 67ec06d4d64f703a26fe2e2370826c0722ad47c25e780fdb8aa3dfd2eb12fbfa
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 4AC1A2722051A349DB2D863AC57803FBBA15BA27B231A077FD5B3DB2D0EE38C524D524

Function 003F1000 Relevance: 47.4, APIs: 15, Strings: 12, Instructions: 128COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F102E
_memset.LIBCMT ref: 003F1049
GetSystemWindowsDirectoryW.KERNEL32(?,00000104), ref: 003F105D
wsprintfW.USER32 ref: 003F108A
GetFileAttributesW.KERNEL32(?), ref: 003F109C
wsprintfW.USER32 ref: 003F10C1
GetFileAttributesW.KERNEL32(?), ref: 003F10CD
wsprintfW.USER32 ref: 003F10EF
GetFileAttributesW.KERNEL32(?), ref: 003F10FB
wsprintfW.USER32 ref: 003F111D
GetFileAttributesW.KERNEL32(?), ref: 003F1129
wsprintfW.USER32 ref: 003F114E
GetFileAttributesW.KERNEL32(?), ref: 003F115A
wsprintfW.USER32 ref: 003F117F
GetFileAttributesW.KERNEL32(?), ref: 003F118B

Strings

\Program Files\AhnLab\V3Lite30\V3Lite.exe, xrefs: 003F1105
%s%s, xrefs: 003F1084
%s%s, xrefs: 003F10B8
%s%s, xrefs: 003F1148
\Program Files\ESTsoft\ALYac\AYLaunch.exe, xrefs: 003F1136
%s%s, xrefs: 003F1179
%s%s, xrefs: 003F1117
%s%s, xrefs: 003F10E9
\Program Files\naver\NaverAgent\NaverAgent.exe, xrefs: 003F1167
\Hangame\KOREAN\HanUninstall.exe, xrefs: 003F1072
\Netmarble\Common\NetMarbleEndWeb.exe, xrefs: 003F10D7
\NEOWIZ\PMang\common\PMLauncher.exe, xrefs: 003F10A1

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AttributesFilewsprintf$_memset$DirectorySystemWindows
String ID: %s%s$%s%s$%s%s$%s%s$%s%s$%s%s$\Hangame\KOREAN\HanUninstall.exe$\NEOWIZ\PMang\common\PMLauncher.exe$\Netmarble\Common\NetMarbleEndWeb.exe$\Program Files\AhnLab\V3Lite30\V3Lite.exe$\Program Files\ESTsoft\ALYac\AYLaunch.exe$\Program Files\naver\NaverAgent\NaverAgent.exe
API String ID: 1182208999-444768472
Opcode ID: afefe631a1a2d1b9eabc3a72fd07be4fda1ee23a3d20cf7ce55a8dc014cce756
Instruction ID: a6318b6fcacc6d28321517a58ba3d8c750e71f8eaa8b1ed86aed075773f8de9f
Opcode Fuzzy Hash: afefe631a1a2d1b9eabc3a72fd07be4fda1ee23a3d20cf7ce55a8dc014cce756
Instruction Fuzzy Hash: 684166B5D0031C66DB10D7B4CD89FDAB37C9F44314F6146B6E628F30C2EA749A948B69

Function 003F1740 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 189registrysleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F1769
OpenEventW.KERNEL32(00020000,00000000,0040CCA8), ref: 003F17D5
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,000F003F,?), ref: 003F17F7
RegQueryValueExW.ADVAPI32(?,TrayKey,00000000,00000000,?,00000104), ref: 003F1820
OpenEventW.KERNEL32(00020000,00000000,?), ref: 003F1835
RegCloseKey.ADVAPI32(?), ref: 003F1845
GetTempPathW.KERNEL32(00000104,?), ref: 003F1857
Sleep.KERNEL32(00000064), ref: 003F191C
ShellExecuteW.SHELL32(00000000,00000000,?,004089E4,00000000,00000001), ref: 003F1936

Part of subcall function 003F1D80: vswprintf.LIBCMT ref: 003F1D93

_memset.LIBCMT ref: 003F195B
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000003,?), ref: 003F197A
RegSetValueExW.ADVAPI32(?,TrayKey,00000000,00000001,?,00000000), ref: 003F19BA
RegCloseKey.ADVAPI32(?), ref: 003F19CA

Strings

Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 003F1941
opert, xrefs: 003F1876
TrayKey, xrefs: 003F1815
Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 003F17ED
TrayKey, xrefs: 003F19AF
218.54.47.76, xrefs: 003F18FB
218.54.47.76, xrefs: 003F1907
%s.exe, xrefs: 003F18AB
%s.exe, xrefs: 003F187B

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Open$CloseEventValue_memset$ExecutePathQueryShellSleepTempvswprintf
String ID: %s.exe$%s.exe$218.54.47.76$218.54.47.76$Software\Microsoft\Windows NT\CurrentVersion\Windows$Software\Microsoft\Windows NT\CurrentVersion\Windows$TrayKey$TrayKey$opert
API String ID: 2200122674-3929848131
Opcode ID: ca8082027914a68eb3df7a15b1e9a4cff44651cc7a57fadf0fcdb41c45c0bac2
Instruction ID: 7570d34da0d7a8d0b18a70fef5a0face60399274bdd451fcd395efda1966926b
Opcode Fuzzy Hash: ca8082027914a68eb3df7a15b1e9a4cff44651cc7a57fadf0fcdb41c45c0bac2
Instruction Fuzzy Hash: F8611670A0030DDBDB159BA0DD56FFA3378AF44744F1041BAFB05BA0C0EBB55A418B59

Function 003F1470 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 109threadnetworkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F1490

Part of subcall function 003F3C20: _memset.LIBCMT ref: 003F3C4A
Part of subcall function 003F3C20: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 003F3C74

OpenEventW.KERNEL32(00020000,00000000,0040BF88), ref: 003F14D0
CloseHandle.KERNEL32(00000000), ref: 003F14DB
CreateEventW.KERNEL32(00000000,00000000,00000000,0040BF88), ref: 003F14FC
WSAStartup.WS2_32(00000101,?), ref: 003F1512
CreateThread.KERNEL32(00000000,00000000,Function_000013B0,00000000,00000000,00000000), ref: 003F15EB

Strings

GTDR, xrefs: 003F155A
218.54.47.74, xrefs: 003F156E
218.54.47.77, xrefs: 003F1546
218.54.47.74, xrefs: 003F15C5

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CreateEvent_memset$CloseFileHandleModuleNameOpenStartupThread
String ID: 218.54.47.74$218.54.47.74$218.54.47.77$GTDR
API String ID: 2299581682-1851579067
Opcode ID: 240a235f6a6bd235627f84d9269683c24ff4b515f8d8ee17f16de467013147d2
Instruction ID: 9cf091c7bdeb22668263288fdb165bb612f68e97a9d33505f23a222eb4cdfc9c
Opcode Fuzzy Hash: 240a235f6a6bd235627f84d9269683c24ff4b515f8d8ee17f16de467013147d2
Instruction Fuzzy Hash: BD31A371740308A6E711ABA0AD47BBA32649F50B40F64017AFB09BF1C2EEB69514875D

Function 003F2759 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108sleepfileCOMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00020000,00000000,?), ref: 003F27B5
CloseHandle.KERNEL32(00000000), ref: 003F27C2
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 003F27D5
OpenEventW.KERNEL32(00020000,00000000,?), ref: 003F27E7
CloseHandle.KERNEL32(00000000), ref: 003F27F6
Sleep.KERNEL32(000001F4), ref: 003F2802
OpenEventW.KERNEL32(00020000,00000000,?), ref: 003F280F
Sleep.KERNEL32(000003E8), ref: 003F281A
DeleteFileW.KERNEL32(?), ref: 003F2823

Strings

_STOP, xrefs: 003F278D

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Event$Open$CloseHandleSleep$CreateDeleteFile
String ID: _STOP
API String ID: 3344880316-3538324249
Opcode ID: aaade99b1de526a2fe8aba4e8480219fea1ad970be4f6c3b21d753befcbc16ff
Instruction ID: ea4f824069f97dd0155c6ae837cc961a0a9da39fb7fe0fdbb3a6ea4b4a2e8119
Opcode Fuzzy Hash: aaade99b1de526a2fe8aba4e8480219fea1ad970be4f6c3b21d753befcbc16ff
Instruction Fuzzy Hash: 6F41CF74500219CADB21DFA0DD81BFA73B4FF04704F2141AEEE49EB181EB329956CB68

Function 003FBFBD Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 003FBFCB

Part of subcall function 003FEF3B: __mtinitlocknum.LIBCMT ref: 003FEF4D
Part of subcall function 003FEF3B: RtlEnterCriticalSection.KERNEL32(003F74F4,?,003FB8F1,0000000D), ref: 003FEF66

__calloc_crt.LIBCMT ref: 003FBFDC

Part of subcall function 003FEDA0: __calloc_impl.LIBCMT ref: 003FEDAF
Part of subcall function 003FEDA0: Sleep.KERNEL32(00000000,?,003F74F4,003F4317,?,?,003F4317,00000020,?,003F12B1,?,0040C920,00000000,00000200,?,00000000), ref: 003FEDC6

@_EH4_CallFilterFunc@8.LIBCMT ref: 003FBFF7
GetStartupInfoW.KERNEL32(?,004091C8,00000064,003F6806,00408FE0,00000014), ref: 003FC050
__calloc_crt.LIBCMT ref: 003FC09B
GetFileType.KERNEL32(00000001), ref: 003FC0E2
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 003FC11B

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: dd5f0038eb45cd02412f35bf37b128073d24348cdc3e4fc153497ddf373d7231
Instruction ID: 5ae7bd195566e423d0c1ea92eb79691ff1f849a8ba7ac87c74f63bed30c61131
Opcode Fuzzy Hash: dd5f0038eb45cd02412f35bf37b128073d24348cdc3e4fc153497ddf373d7231
Instruction Fuzzy Hash: 6B81D37195424ECFCB16CFA8CA405B9BBF4EF09324B24566DD5A6AB3D1C7349803CB58

Function 003F4110 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 131memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00003A98), ref: 003F417A
RtlAllocateHeap.KERNEL32(00000000), ref: 003F4181
GetAdaptersAddresses.IPHLPAPI(00000002,00000010,00000000,00000000,00003A98), ref: 003F41B3
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003F41C8
HeapFree.KERNEL32(00000000), ref: 003F41CF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003F42D4
HeapFree.KERNEL32(00000000), ref: 003F42DB

Strings

o, xrefs: 003F41E5

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Heap$Process$Free$AdaptersAddressesAllocate
String ID: o
API String ID: 76810026-252678980
Opcode ID: d1fa90418dec5821ae57b2383f48489f28286b7be52dbc18f1a7ce88b7d2795e
Instruction ID: 51392e98c7827a62c3bb3cb86d47f312c18f2ed2296fc9f6c4d91660daece832
Opcode Fuzzy Hash: d1fa90418dec5821ae57b2383f48489f28286b7be52dbc18f1a7ce88b7d2795e
Instruction Fuzzy Hash: DE5107B4904209EFDB04CF94C498BAEFBB5FB48314F15C698EA156B391C3799A85CF90

Function 003F4B70 Relevance: 13.6, APIs: 9, Instructions: 109networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F4B9A
WSAStartup.WS2_32(00000101,?), ref: 003F4BFB
socket.WS2_32(00000002,00000001,00000006), ref: 003F4C1D
gethostbyname.WS2_32(00000000), ref: 003F4C3B
inet_addr.WS2_32(00000000), ref: 003F4C54
gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 003F4C6B
closesocket.WS2_32 ref: 003F4CFC

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Startup_memsetclosesocketgethostbyaddrgethostbynameinet_addrsocket
String ID:
API String ID: 2440521008-0
Opcode ID: f34f6295dd15d0e0cf9964b3fa37a9a9c596c114b2bb926efc08ba9690a3af8a
Instruction ID: 99e15731f0e0cea722f97619a57cd383d6baf22a24004d6045cb4745ed7e65f7
Opcode Fuzzy Hash: f34f6295dd15d0e0cf9964b3fa37a9a9c596c114b2bb926efc08ba9690a3af8a
Instruction Fuzzy Hash: 35413FB4A0121CDFEB24CF64DD49BAAB7B4BF48300F0081A9EA459B291DB749DC4CF91

Function 003FB9EE Relevance: 13.6, APIs: 9, Instructions: 74COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32(?,00000109,?,?,00400AE6,?,00000000,?,?,00400A7D,00000000,?,00000000,003F393F,?,00000040), ref: 003FBA21
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,?,00000109,?,?,00400AE6,?,00000000,?,?,00400A7D), ref: 003FBA3B
GetLastError.KERNEL32(?,?,00400AE6,?,00000000,?,?,00400A7D,00000000,?,00000000,003F393F,?,00000040,00000000,004093F0), ref: 003FBA48
__dosmaperr.LIBCMT ref: 003FBA4F

Part of subcall function 003F80EA: __getptd_noexit.LIBCMT ref: 003F80EA

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: ApisByteCharErrorFileLastMultiWide__dosmaperr__getptd_noexit
String ID:
API String ID: 370057422-0
Opcode ID: 45ff9c79152b601adf1957bb93ce8c875af6c2f313e37e12e0237d3a5bdc4446
Instruction ID: 8e1a74e2f0d6b0233ca94d6054ca789439527574ce09a047dbb1b1adcaa1947a
Opcode Fuzzy Hash: 45ff9c79152b601adf1957bb93ce8c875af6c2f313e37e12e0237d3a5bdc4446
Instruction Fuzzy Hash: 391190F660420ABFDF232FB0DD45A7BB6ACEF10350B204528FB51E9190EB34C9409660

Function 003FFF3E Relevance: 12.1, APIs: 8, Instructions: 118COMMON

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 003FFF56

Part of subcall function 003FEFC3: __FF_MSGBANNER.LIBCMT ref: 003FEFD8
Part of subcall function 003FEFC3: __NMSG_WRITE.LIBCMT ref: 003FEFDF
Part of subcall function 003FEFC3: __malloc_crt.LIBCMT ref: 003FEFFF

__lock.LIBCMT ref: 003FFF69
__lock.LIBCMT ref: 003FFFB5
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00409328,00000018,003FF40F,?,00000000,00000109), ref: 003FFFD1
RtlEnterCriticalSection.KERNEL32(8000000C,00409328,00000018,003FF40F,?,00000000,00000109), ref: 003FFFEE
RtlLeaveCriticalSection.KERNEL32(8000000C), ref: 003FFFFE

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 98d24bc4f0333fbcf00b897607cd36a6904ee7ba1b472f32122f6085d03f4879
Instruction ID: a4a0aef41da44cc5911f21cb484e1d18f415c816d02d0804cd01cab0c983d144
Opcode Fuzzy Hash: 98d24bc4f0333fbcf00b897607cd36a6904ee7ba1b472f32122f6085d03f4879
Instruction Fuzzy Hash: AE414BB191030ADFDB119F68E9447ADB7A4BF01725F10833AE625BB2E1C7789941CB8C

Function 003F5810 Relevance: 10.7, APIs: 7, Instructions: 202COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F5833
_malloc.LIBCMT ref: 003F591E
_memset.LIBCMT ref: 003F593A
_memset.LIBCMT ref: 003F596F
_memset.LIBCMT ref: 003F59B7
GetTempPathW.KERNEL32(00000104,?), ref: 003F59D1
_free.LIBCMT ref: 003F5B2C

Part of subcall function 003F5B60: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 003F5B81

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset$FileModuleNamePathTemp_free_malloc
String ID:
API String ID: 3718035101-0
Opcode ID: 1a4fbabf303aaa8e517f1dc2fbb3b1c94d4947ea3c212a88934d6a55eb8bdfbc
Instruction ID: df745645e966d141d28dd686e2583063416fc932e16fdd1abc6b49ec0d8b7f8d
Opcode Fuzzy Hash: 1a4fbabf303aaa8e517f1dc2fbb3b1c94d4947ea3c212a88934d6a55eb8bdfbc
Instruction Fuzzy Hash: 7C817EB590026C9BCB25DB10DC45BEAB3B9AF48300F1449E9E609B6281E7F45FD4CF95

Function 003F13B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F13DC
OpenEventW.KERNEL32(00020000,00000000,?), ref: 003F144E
Sleep.KERNEL32(000000C8), ref: 003F1457
CloseHandle.KERNEL32(00000000), ref: 003F145E
ExitProcess.KERNEL32 ref: 003F1466

Strings

_STOP, xrefs: 003F141C

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CloseEventExitHandleOpenProcessSleep_memset
String ID: _STOP
API String ID: 2427619054-3538324249
Opcode ID: 9ccda4260d6df996410846798bcc2a79065fb9600ab7e77645876c5ce6cbe265
Instruction ID: 6b84960aafedf80703c7606fd047c6a9f987477173598407f5a8a5945dee42a9
Opcode Fuzzy Hash: 9ccda4260d6df996410846798bcc2a79065fb9600ab7e77645876c5ce6cbe265
Instruction Fuzzy Hash: 5911C1B4500309DBC710EF64EE49BA673B8EF04754F1580A9EF18EB292E6319905CB58

Function 003F4860 Relevance: 9.2, APIs: 6, Instructions: 173COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 003F48A0

Part of subcall function 003F6DB7: __FF_MSGBANNER.LIBCMT ref: 003F6DCE
Part of subcall function 003F6DB7: __NMSG_WRITE.LIBCMT ref: 003F6DD5
Part of subcall function 003F6DB7: RtlAllocateHeap.KERNEL32(00C80000,00000000,00000001,?,?,?,?,003F74F4,003F4317,?,?,003F4317,00000020,?,003F12B1,?), ref: 003F6DFA

_memset.LIBCMT ref: 003F48BC
_memset.LIBCMT ref: 003F48F1

Part of subcall function 003F4B70: _memset.LIBCMT ref: 003F4B9A
Part of subcall function 003F4B70: WSAStartup.WS2_32(00000101,?), ref: 003F4BFB

_free.LIBCMT ref: 003F4B3E

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset$AllocateHeapStartup_free_malloc
String ID:
API String ID: 2284926136-0
Opcode ID: 8cd83c878efb25d33fae73f1e9b6f18462946eca2f4912f32bd4513b8486368a
Instruction ID: 185cd6628c76bf50822bbe54d9813cf5d66e77df5e8afe113774746948730013
Opcode Fuzzy Hash: 8cd83c878efb25d33fae73f1e9b6f18462946eca2f4912f32bd4513b8486368a
Instruction Fuzzy Hash: 667142B5D0012C96EB65DB15CD41FFAB3B5AF54300F0082E9E649AA282EF749AC4CF95

Function 003FB95B Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 003FB95B

Part of subcall function 003FBBC5: RtlEncodePointer.KERNEL32(00000000,?,003FB960,003F67EC,00408FE0,00000014), ref: 003FBBC8
Part of subcall function 003FBBC5: __initp_misc_winsig.LIBCMT ref: 003FBBE9

__mtinitlocks.LIBCMT ref: 003FB960

Part of subcall function 003FF06A: InitializeCriticalSectionAndSpinCount.KERNEL32(0040AD48,00000FA0,?,?,003FB965,003F67EC,00408FE0,00000014), ref: 003FF088

__mtterm.LIBCMT ref: 003FB969

Part of subcall function 003FB9D1: RtlDeleteCriticalSection.KERNEL32(00000000,00000000,?,?,003FB96E,003F67EC,00408FE0,00000014), ref: 003FEF86
Part of subcall function 003FB9D1: _free.LIBCMT ref: 003FEF8D
Part of subcall function 003FB9D1: RtlDeleteCriticalSection.KERNEL32(0040AD48,?,?,003FB96E,003F67EC,00408FE0,00000014), ref: 003FEFAF

__calloc_crt.LIBCMT ref: 003FB98E
GetCurrentThreadId.KERNEL32 ref: 003FB9B7

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CriticalSection$Delete$CountCurrentEncodeInitializePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 224067749-0
Opcode ID: 56ff225c3c24df10f07c39b02e4245543e45517c08cb568935d4e98710b567a8
Instruction ID: be9d30aa92c01781baa6fdd65fb87c8183aa0752b6b090700bd765b27d68bc57
Opcode Fuzzy Hash: 56ff225c3c24df10f07c39b02e4245543e45517c08cb568935d4e98710b567a8
Instruction Fuzzy Hash: 5AF090B214D72A2AE2267B75FC0767BAA84DF42771B21062AF760DD0E2FF6088414194

Function 003F2C40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F2C6A
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 003F2C87
GetTempPathW.KERNEL32(00000104,?), ref: 003F2CB4
wsprintfW.USER32 ref: 003F2CCE

Strings

%s%s.exe, xrefs: 003F2CC5

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: DirectoryPathSystemTemp_memsetwsprintf
String ID: %s%s.exe
API String ID: 1888207034-887668888
Opcode ID: a57ef0401736145ad2557f8d391bcb82f026f1038eaeae3d433b7775633a6292
Instruction ID: bbb4b62352b2fe5644182895391563dcf6d5392c35ec44d6596ed08204507ab9
Opcode Fuzzy Hash: a57ef0401736145ad2557f8d391bcb82f026f1038eaeae3d433b7775633a6292
Instruction Fuzzy Hash: B40156F594130CABD710DFA0DD4AFAA73789B44700F5081A9BB156B182E6709A54CB55

Function 003F74D7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 003F74EF

Part of subcall function 003F6DB7: __FF_MSGBANNER.LIBCMT ref: 003F6DCE
Part of subcall function 003F6DB7: __NMSG_WRITE.LIBCMT ref: 003F6DD5
Part of subcall function 003F6DB7: RtlAllocateHeap.KERNEL32(00C80000,00000000,00000001,?,?,?,?,003F74F4,003F4317,?,?,003F4317,00000020,?,003F12B1,?), ref: 003F6DFA

std::exception::exception.LIBCMT ref: 003F750B
__CxxThrowException@8.LIBCMT ref: 003F7520

Part of subcall function 003FCF3B: RaiseException.KERNEL32(?,?,?,0040905C,?,?,?,003F7525,?,0040905C,00000020,00000001), ref: 003FCF8C

Strings

lB@, xrefs: 003F74FD
bad allocation, xrefs: 003F7504

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation$lB@
API String ID: 3074076210-1028648849
Opcode ID: b87069ff11c6365481d71d9ac735f6a23dd1759ae18b57705efc39816aa16a3b
Instruction ID: 3bb85e1065050895c5fb44bd7ea7d5a17ac01485fa328268f39614055d449dc4
Opcode Fuzzy Hash: b87069ff11c6365481d71d9ac735f6a23dd1759ae18b57705efc39816aa16a3b
Instruction Fuzzy Hash: F4F0287150831D66CB07FBA9DD029FE7BAC9F02390F10407AFB44A61C1DBB08A40C2A5

Function 003F13E8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36sleepCOMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00020000,00000000,?), ref: 003F144E
Sleep.KERNEL32(000000C8), ref: 003F1457
CloseHandle.KERNEL32(00000000), ref: 003F145E
ExitProcess.KERNEL32 ref: 003F1466

Strings

_STOP, xrefs: 003F141C

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: CloseEventExitHandleOpenProcessSleep
String ID: _STOP
API String ID: 149034694-3538324249
Opcode ID: a289e7db86ac51e05f2fc9198d667fdce4ea4dc4b82b92865fa1ce70ef47edb6
Instruction ID: 0ea23d6ea99125a1c6be222c49d5f3ee4fcebdb283541c7c988b54c0cd5efd98
Opcode Fuzzy Hash: a289e7db86ac51e05f2fc9198d667fdce4ea4dc4b82b92865fa1ce70ef47edb6
Instruction Fuzzy Hash: 5C018F74100306CBC714EF64EE85BA573B0EF44754F1580A8EF58BB291E7319906CB18

Function 003F5140 Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F516A

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 15ae20d5c3d820ea022558f563b1c2dba9bf2c595ffea65612198821432a6403
Instruction ID: e29ed76122f120aae283a8e58e48103340e2a054c4114fa95d1dbc9d384fe5ae
Opcode Fuzzy Hash: 15ae20d5c3d820ea022558f563b1c2dba9bf2c595ffea65612198821432a6403
Instruction Fuzzy Hash: B3A1B2B590052C8BCB65DF18C881BAAB7F5BF48304F14C1E9E689A7241DB70AEC58FD1

Function 004032FB Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00403307

Part of subcall function 003F6DB7: __FF_MSGBANNER.LIBCMT ref: 003F6DCE
Part of subcall function 003F6DB7: __NMSG_WRITE.LIBCMT ref: 003F6DD5
Part of subcall function 003F6DB7: RtlAllocateHeap.KERNEL32(00C80000,00000000,00000001,?,?,?,?,003F74F4,003F4317,?,?,003F4317,00000020,?,003F12B1,?), ref: 003F6DFA

_free.LIBCMT ref: 0040331A

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 15c245f9dd1cd9928b55505ee2d35632b8b1ec17486af513ed8fa0a9974e5333
Instruction ID: 958661b36b86278114cba1b1c6355655f3cf2424d8c1d1a5f9267b731e455273
Opcode Fuzzy Hash: 15c245f9dd1cd9928b55505ee2d35632b8b1ec17486af513ed8fa0a9974e5333
Instruction Fuzzy Hash: 9711E732400219ABCB263F75AD45A6B3F9CDF04362F108137FE04BE2D1DF3889408698

Function 003F3E80 Relevance: 6.1, APIs: 4, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 003F74D7: _malloc.LIBCMT ref: 003F74EF

__wcstoi64.LIBCMT ref: 003F3F34

Part of subcall function 003F78A1: wcstoxq.LIBCMT ref: 003F78C1

__wcstoi64.LIBCMT ref: 003F3F52
__wcstoi64.LIBCMT ref: 003F3F6F
__wcstoi64.LIBCMT ref: 003F3F8D

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __wcstoi64$_mallocwcstoxq
String ID:
API String ID: 3166925466-0
Opcode ID: c14a10739d18201c24b0516ff5535d206a06196b95026be1a49e59548a0fd58c
Instruction ID: 3061944ca851869b9a962a032bf3334d55a7b9230bc157f87e31e745a82c49f1
Opcode Fuzzy Hash: c14a10739d18201c24b0516ff5535d206a06196b95026be1a49e59548a0fd58c
Instruction Fuzzy Hash: F551FAB1E0420D9FDB09DFA8D545BBEBBB4EB48300F50812DEA15AB341E7349A05CF95

Function 003F4680 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 003F4860: _malloc.LIBCMT ref: 003F48A0
Part of subcall function 003F4860: _memset.LIBCMT ref: 003F48BC
Part of subcall function 003F4860: _memset.LIBCMT ref: 003F48F1
Part of subcall function 003F4860: _free.LIBCMT ref: 003F4B3E

_memset.LIBCMT ref: 003F46DF
_memset.LIBCMT ref: 003F46FE
GetTempPathW.KERNEL32(00000104,?), ref: 003F4712
GetFileAttributesW.KERNEL32(?), ref: 003F482F

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset$AttributesFilePathTemp_free_malloc
String ID:
API String ID: 4167924629-0
Opcode ID: 93758cb86f76051a550aa1d18cb49ab8b2ba7153d90d48c9b8df7d6fb4620c5e
Instruction ID: 200a4f7b5e2b2f0976ae8f7c58110e4b3b059fe99ac449c8e19689b4ee6118d7
Opcode Fuzzy Hash: 93758cb86f76051a550aa1d18cb49ab8b2ba7153d90d48c9b8df7d6fb4620c5e
Instruction Fuzzy Hash: 5A4163F1A0021C9BDB14DB10DC85BFA73B8AB54704F40C1E9F719AA1C2E7745AC88F99

Function 003FEC95 Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003FECC9
__isleadbyte_l.LIBCMT ref: 003FECF7
MultiByteToWideChar.KERNEL32(00000080,00000009,003F606B,00000001,00000000,00000000,?,00000000,00000000,?,[5?,003F606B,00000000), ref: 003FED25
MultiByteToWideChar.KERNEL32(00000080,00000009,003F606B,00000001,00000000,00000000,?,00000000,00000000,?,[5?,003F606B,00000000), ref: 003FED5B

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 4961295c645f2ce832ee27553be4229d0ae003e7602d63a381635da6cea74482
Instruction ID: 1a166733b49cde58d5127e190d5e5c350827b987b9937f78dffae26b65f90435
Opcode Fuzzy Hash: 4961295c645f2ce832ee27553be4229d0ae003e7602d63a381635da6cea74482
Instruction Fuzzy Hash: 1C31AD3160024EAFDB229F65C845BBA7BAAFF41310F164428F6619B5B0E730E890DB90

Function 003F1610 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 003F4860: _malloc.LIBCMT ref: 003F48A0
Part of subcall function 003F4860: _memset.LIBCMT ref: 003F48BC
Part of subcall function 003F4860: _memset.LIBCMT ref: 003F48F1
Part of subcall function 003F4860: _free.LIBCMT ref: 003F4B3E

_memset.LIBCMT ref: 003F1656
_memset.LIBCMT ref: 003F1671
GetTempPathW.KERNEL32(00000104,?), ref: 003F1685
GetFileAttributesW.KERNEL32(?), ref: 003F1717

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memset$AttributesFilePathTemp_free_malloc
String ID:
API String ID: 4167924629-0
Opcode ID: ecf1c5688589bb24ce2396bc867adcb682131a662ca85dbb84eac54bf4123f1b
Instruction ID: 129ef14e51e9c7845f291e5ad8ce0841f1f1ccd32040bdb8fbc20dffe2c3c059
Opcode Fuzzy Hash: ecf1c5688589bb24ce2396bc867adcb682131a662ca85dbb84eac54bf4123f1b
Instruction Fuzzy Hash: 1B2189F2D0031C97DB21AB549C8AEEA736C9F44310F4045B6BB18F71C2E6748E848BA5

Function 003FD5CA Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 003FB821: __getptd_noexit.LIBCMT ref: 003FB822

__lock.LIBCMT ref: 003FD607
InterlockedDecrement.KERNEL32(?), ref: 003FD624
_free.LIBCMT ref: 003FD637
InterlockedIncrement.KERNEL32(00CA1338), ref: 003FD64F

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: b92bcb9b3b72a15eb7d43f6a65182b91530938f15a9d994b0ece5a55949741f3
Instruction ID: 9ada54b364fac94a082c1d1b8e1fe336021bab326a62420cf63ff2d594e148c6
Opcode Fuzzy Hash: b92bcb9b3b72a15eb7d43f6a65182b91530938f15a9d994b0ece5a55949741f3
Instruction Fuzzy Hash: 9B01C432901719ABC723AF95E94DB797361BF54710F420029E608BB690C7385D81CFC5

Function 003FB8A8 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 003FB8EC

Part of subcall function 003FEF3B: __mtinitlocknum.LIBCMT ref: 003FEF4D
Part of subcall function 003FEF3B: RtlEnterCriticalSection.KERNEL32(003F74F4,?,003FB8F1,0000000D), ref: 003FEF66

InterlockedIncrement.KERNEL32(0042C0E8), ref: 003FB8F9
__lock.LIBCMT ref: 003FB90D
___addlocaleref.LIBCMT ref: 003FB92B

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: e6a638cb0f8ecdca36fbb2e488b2ffaa3c2099a027ccf4d31e8ebb9775613a4b
Instruction ID: 02eccc0ef82d0434fc2f598fbea75fa47a4b02cd45c376de47123f42e1c51321
Opcode Fuzzy Hash: e6a638cb0f8ecdca36fbb2e488b2ffaa3c2099a027ccf4d31e8ebb9775613a4b
Instruction Fuzzy Hash: 1B01C4B1500704DFD721EF65D80575AF7E0EF50320F20881EE6D99B2E0CBB4AA44CB05

Function 003F813E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 003F80EA: __getptd_noexit.LIBCMT ref: 003F80EA

__getbuf.LIBCMT ref: 003F81D5
__lseeki64.LIBCMT ref: 003F8245

Strings

[5?, xrefs: 003F813E

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __getbuf__getptd_noexit__lseeki64
String ID: [5?
API String ID: 3311320906-2348808136
Opcode ID: f41a800ae987e232beaf8ee40ddd38d29bbd1f95a4d7fa60ded00bc5b90b5a76
Instruction ID: 47a9358c319b2f42a485582dc12d2db21d7a38699c466b5f3ebab79eb8867ad4
Opcode Fuzzy Hash: f41a800ae987e232beaf8ee40ddd38d29bbd1f95a4d7fa60ded00bc5b90b5a76
Instruction Fuzzy Hash: 86412771500F0DAFD72E8F69C85177A77A49F45330B15CB2EE6BA8A6D1DF38A8018B50

Function 003F4FF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003F50AD
send.WS2_32(00000200,00000000,00000200,00000000), ref: 003F50CE

Strings

AS101, xrefs: 003F5089

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: _memmovesend
String ID: AS101
API String ID: 135662524-3510149062
Opcode ID: 03f4e0bc0d553833ab1ab0595c34812a71470c94eb079159bebf4d0659bec0a0
Instruction ID: 3f25bdf532a5c25e8a7f6acaf2d713b72f88a9f9c5ade685d835d3b818ef121c
Opcode Fuzzy Hash: 03f4e0bc0d553833ab1ab0595c34812a71470c94eb079159bebf4d0659bec0a0
Instruction Fuzzy Hash: AF4137B090464DEBCF05CF98C894BAEBBB4FF48304F208198EA15AB340D775AA55CB91

Function 003F2CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F2D24
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 003F2D86

Part of subcall function 003F2B10: _wcsstr.LIBCMT ref: 003F2B1B

Strings

.exe, xrefs: 003F2D65

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: FileModuleName_memset_wcsstr
String ID: .exe
API String ID: 2776296755-4119554291
Opcode ID: a053d0bd0cf79625eb7574bd0b4db157a3b5f7f100b1c8f1657dc0334367a35c
Instruction ID: 999bb78aa19114f74dbbc0547f34e21e6f58892dea84e9b6d45ba22d1b081285
Opcode Fuzzy Hash: a053d0bd0cf79625eb7574bd0b4db157a3b5f7f100b1c8f1657dc0334367a35c
Instruction Fuzzy Hash: 7B21F1B1E1030C9EDB50EFA4D945BDEB7B4AF48700F0041A9E608FA291E7745748CB55

Function 003F8050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

RtlDecodePointer.KERNEL32(?,003F8087,00000000,00000000,00000000,00000000,00000000,003FC5CE,?,003FBD97,00000003,003FEFDD,004092C8,00000008,003FEF52,003F74F4), ref: 003F8059
__invoke_watson.LIBCMT ref: 003F8075

Strings

>n?, xrefs: 003F8069

Memory Dump Source

Source File: 00000000.00000002.1741743563.00000000003F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.1741728824.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.000000000040F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741743563.0000000000412000.00000040.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: DecodePointer__invoke_watson
String ID: >n?
API String ID: 4034010525-2628549276
Opcode ID: 17f38848e2b5f5324bed3a666ccd9829a568bba604b359df4098266f1770a253
Instruction ID: e5846cb274e3250f23a4b86a98d0f67e87d42f67c98aceba853b8c9e03cbc1ac
Opcode Fuzzy Hash: 17f38848e2b5f5324bed3a666ccd9829a568bba604b359df4098266f1770a253
Instruction Fuzzy Hash: 49E0EC7500010EBBCF062F61DD0997A3E65EB04640B844860FF1098431DF32C9749B94

Analysis Process: biudfw.exePID: 7024, Parent PID: 6796COMMON

Executed Functions

Function 002725D0 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 263sleepfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002725FC
_memset.LIBCMT ref: 0027261A
_memset.LIBCMT ref: 00272631
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,74DF0F00), ref: 00272646

Part of subcall function 00271DA0: _memset.LIBCMT ref: 00271DCC

GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,74DF0F00), ref: 0027266B
DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,74DF0F00), ref: 002726AC

Part of subcall function 00272C40: _memset.LIBCMT ref: 00272C6A
Part of subcall function 00272C40: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00272C87
Part of subcall function 00272C40: wsprintfW.USER32 ref: 00272CCE

Part of subcall function 00272CF0: _memset.LIBCMT ref: 00272D24
Part of subcall function 00272CF0: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00272D86

_memset.LIBCMT ref: 00272714
_memset.LIBCMT ref: 0027272F
OpenEventW.KERNEL32(00020000,00000000,?), ref: 002727B5
CloseHandle.KERNEL32(00000000), ref: 002727C2
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 002727D5
OpenEventW.KERNEL32(00020000,00000000,?), ref: 002727E7
CloseHandle.KERNEL32(00000000), ref: 002727F6
Sleep.KERNEL32(000001F4), ref: 00272802
OpenEventW.KERNEL32(00020000,00000000,?), ref: 0027280F
Sleep.KERNEL32(000003E8), ref: 0027281A
DeleteFileW.KERNEL32(?), ref: 00272823
_memset.LIBCMT ref: 002728D2

Strings

biudfw, xrefs: 002726BB, 0027295A
.exe, xrefs: 00272692
_STOP, xrefs: 0027278D

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _memset$EventFile$Open$CloseDeleteHandleModuleNameSleep$CreateDirectoryPathSystemTempwsprintf
String ID: .exe$_STOP$biudfw
API String ID: 1186630344-407398200
Opcode ID: efd88c4e129b90d68485149c4ad02b06f892f1e772bd321673e13408bc61e6e1
Instruction ID: cca0d278402642888715e95f9c752e26045fa96347288be5e905bbf4a813cf42
Opcode Fuzzy Hash: efd88c4e129b90d68485149c4ad02b06f892f1e772bd321673e13408bc61e6e1
Instruction Fuzzy Hash: 61A1B675910219DADB24EBA0DC46BEA7378FF04704F1440AAFA0CD6181FB715A69CF65

Function 002719F0 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 116sleepCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000067,Hutdre,00000064), ref: 00271A1F
LoadStringW.USER32(?,0000006D,Polkkhdfte,00000064), ref: 00271A2B

Part of subcall function 00271B90: LoadIconW.USER32(?,0000006B), ref: 00271BC9
Part of subcall function 00271B90: LoadCursorW.USER32(00000000,00007F00), ref: 00271BD9
Part of subcall function 00271B90: LoadIconW.USER32(?,0000006C), ref: 00271BFC
Part of subcall function 00271B90: RegisterClassExW.USER32(00000030), ref: 00271C09

CreateWindowExW.USER32(00000000,Polkkhdfte,Hutdre,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 00271A60
LoadAcceleratorsW.USER32(?,0000006D), ref: 00271A85
Sleep.KERNELBASE(000007D0), ref: 00271A96
ExitProcess.KERNEL32 ref: 00271AB5

Strings

Polkkhdfte, xrefs: 00271A23, 00271A53
Hutdre, xrefs: 00271A17, 00271A4E
218.54.47.74, xrefs: 00271ADC
djfuhgdt.exe, xrefs: 00271B07, 00271B45

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Load$IconString$AcceleratorsClassCreateCursorExitProcessRegisterSleepWindow
String ID: 218.54.47.74$Hutdre$Polkkhdfte$djfuhgdt.exe
API String ID: 1591761199-2373049902
Opcode ID: 79c2c0a44db8104de9d947a17f31b48ea9c274998981a2948b2d321e2b624f30
Instruction ID: c026aeaf38f6fe5e203a00bd0cc504291dc091e49b423c628db5b97e643821c0
Opcode Fuzzy Hash: 79c2c0a44db8104de9d947a17f31b48ea9c274998981a2948b2d321e2b624f30
Instruction Fuzzy Hash: 3031A9797A1305B7E220BB64AC4FF6B36689F45F41F10401AF708AA1D1EBF19430CBA6

Function 0027F20C Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMON

Download Yara Rule

APIs

___createFile.LIBCMT ref: 0027F457
___createFile.LIBCMT ref: 0027F498
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 0027F4C1
__dosmaperr.LIBCMT ref: 0027F4C8
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 0027F4DB
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 0027F4FE
__dosmaperr.LIBCMT ref: 0027F507
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 0027F510
__set_osfhnd.LIBCMT ref: 0027F540
__lseeki64_nolock.LIBCMT ref: 0027F5AA
__close_nolock.LIBCMT ref: 0027F5D0
__chsize_nolock.LIBCMT ref: 0027F600
__lseeki64_nolock.LIBCMT ref: 0027F612
__lseeki64_nolock.LIBCMT ref: 0027F70A
__lseeki64_nolock.LIBCMT ref: 0027F71F
__close_nolock.LIBCMT ref: 0027F77F

Part of subcall function 0027A382: FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,?,0027F5D5,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0027A3D2
Part of subcall function 0027A382: GetLastError.KERNEL32(?,0027F5D5,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0027A3DC
Part of subcall function 0027A382: __free_osfhnd.LIBCMT ref: 0027A3E9
Part of subcall function 0027A382: __dosmaperr.LIBCMT ref: 0027A40B

Part of subcall function 002780EA: __getptd_noexit.LIBCMT ref: 002780EA

__lseeki64_nolock.LIBCMT ref: 0027F7A1
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 0027F8D6
___createFile.LIBCMT ref: 0027F8F5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0027F902
__dosmaperr.LIBCMT ref: 0027F909
__free_osfhnd.LIBCMT ref: 0027F929
__invoke_watson.LIBCMT ref: 0027F957
__wsopen_helper.LIBCMT ref: 0027F971

Strings

@, xrefs: 0027F52C

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$Close___create$Handle__close_nolock__free_osfhnd$ChangeFindNotificationType__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3388700018-2766056989
Opcode ID: ed9ba0d65a39b01c34f52b2e3f8b31cef4678bff86e3a985a1cd7e6540fa2ba4
Instruction ID: 12a64f2556cbde7761e5d650420b0875f899d0811f2e984cbd24c660c1c6d3ce
Opcode Fuzzy Hash: ed9ba0d65a39b01c34f52b2e3f8b31cef4678bff86e3a985a1cd7e6540fa2ba4
Instruction Fuzzy Hash: 872245719381079BEB699F68DE567BE7B60EB00310F24C239E929A72E1C7358D70CB51

Function 00271000 Relevance: 47.4, APIs: 15, Strings: 12, Instructions: 128COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0027102E
_memset.LIBCMT ref: 00271049
GetSystemWindowsDirectoryW.KERNEL32(?,00000104), ref: 0027105D
wsprintfW.USER32 ref: 0027108A
GetFileAttributesW.KERNELBASE(?), ref: 0027109C
wsprintfW.USER32 ref: 002710C1
GetFileAttributesW.KERNELBASE(?), ref: 002710CD
wsprintfW.USER32 ref: 002710EF
GetFileAttributesW.KERNELBASE(?), ref: 002710FB
wsprintfW.USER32 ref: 0027111D
GetFileAttributesW.KERNELBASE(?), ref: 00271129
wsprintfW.USER32 ref: 0027114E
GetFileAttributesW.KERNELBASE(?), ref: 0027115A
wsprintfW.USER32 ref: 0027117F
GetFileAttributesW.KERNELBASE(?), ref: 0027118B

Strings

%s%s, xrefs: 00271084
%s%s, xrefs: 00271148
%s%s, xrefs: 00271179
\Program Files\ESTsoft\ALYac\AYLaunch.exe, xrefs: 00271136
\NEOWIZ\PMang\common\PMLauncher.exe, xrefs: 002710A1
%s%s, xrefs: 00271117
\Hangame\KOREAN\HanUninstall.exe, xrefs: 00271072
%s%s, xrefs: 002710E9
%s%s, xrefs: 002710B8
\Program Files\naver\NaverAgent\NaverAgent.exe, xrefs: 00271167
\Netmarble\Common\NetMarbleEndWeb.exe, xrefs: 002710D7
\Program Files\AhnLab\V3Lite30\V3Lite.exe, xrefs: 00271105

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: AttributesFilewsprintf$_memset$DirectorySystemWindows
String ID: %s%s$%s%s$%s%s$%s%s$%s%s$%s%s$\Hangame\KOREAN\HanUninstall.exe$\NEOWIZ\PMang\common\PMLauncher.exe$\Netmarble\Common\NetMarbleEndWeb.exe$\Program Files\AhnLab\V3Lite30\V3Lite.exe$\Program Files\ESTsoft\ALYac\AYLaunch.exe$\Program Files\naver\NaverAgent\NaverAgent.exe
API String ID: 1182208999-444768472
Opcode ID: 2c7cb00375b4556d08f7cdb57aa2e4f5df102ef725ba6de4971675734a8dd31a
Instruction ID: 3d6d6cc5d526a8b756ccfc51a34ea12a8843dad43991c66126dc7953977f7a83
Opcode Fuzzy Hash: 2c7cb00375b4556d08f7cdb57aa2e4f5df102ef725ba6de4971675734a8dd31a
Instruction Fuzzy Hash: 2A416AB9D1122C66D710EBB4CC89EDAB37C9F44714F5146A1E62CE30C2EA709AA44B65

Function 00271740 Relevance: 42.2, APIs: 13, Strings: 11, Instructions: 189registrysleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00271769
OpenEventW.KERNEL32(00020000,00000000,houtue), ref: 002717D5
RegOpenKeyExW.KERNELBASE(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,000F003F,?), ref: 002717F7
RegQueryValueExW.KERNELBASE(?,TrayKey,00000000,00000000,?,00000104), ref: 00271820
OpenEventW.KERNEL32(00020000,00000000,?), ref: 00271835
RegCloseKey.KERNELBASE(?), ref: 00271845
GetTempPathW.KERNEL32(00000104,?), ref: 00271857
Sleep.KERNEL32(00000064), ref: 0027191C
ShellExecuteW.SHELL32(00000000,00000000,?,002889E4,00000000,00000001), ref: 00271936

Part of subcall function 00271D80: vswprintf.LIBCMT ref: 00271D93

_memset.LIBCMT ref: 0027195B
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000003,?), ref: 0027197A
RegSetValueExW.ADVAPI32(?,TrayKey,00000000,00000001,?,00000000), ref: 002719BA
RegCloseKey.ADVAPI32(?), ref: 002719CA

Strings

%s.exe, xrefs: 0027187B
opert, xrefs: 00271876
TrayKey, xrefs: 002719AF
Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00271941
houtue, xrefs: 00271776, 002717C9, 0027185D, 002718A6, 002718C0
218.54.47.76, xrefs: 002718FB
Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 002717ED
%s.exe, xrefs: 002718AB
218.54.47.76, xrefs: 00271907
TrayKey, xrefs: 00271815
djfuhgdt.exe, xrefs: 00271880, 002718B0, 002718D4

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Open$CloseEventValue_memset$ExecutePathQueryShellSleepTempvswprintf
String ID: %s.exe$%s.exe$218.54.47.76$218.54.47.76$Software\Microsoft\Windows NT\CurrentVersion\Windows$Software\Microsoft\Windows NT\CurrentVersion\Windows$TrayKey$TrayKey$djfuhgdt.exe$houtue$opert
API String ID: 2200122674-3888653445
Opcode ID: 3680c91a814d34c6fe7867034876e836081f96c41dab69c7a1d904d1a53801bc
Instruction ID: 92e6e35f1953f5fe21ecf88a26377d5693e95de9bb6663b15db29114404e5779
Opcode Fuzzy Hash: 3680c91a814d34c6fe7867034876e836081f96c41dab69c7a1d904d1a53801bc
Instruction Fuzzy Hash: 21613E38A613069BDB24EFA4DC16FFA7378EF04740F1080A5FA09A61C1EB715A718B65

Function 00272110 Relevance: 37.1, APIs: 12, Strings: 9, Instructions: 323fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0027213C
_memset.LIBCMT ref: 0027215A
_memset.LIBCMT ref: 00272170
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,74DF0F00), ref: 00272184
DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,74DF0F00), ref: 002721AA

Part of subcall function 002725D0: _memset.LIBCMT ref: 002725FC
Part of subcall function 002725D0: _memset.LIBCMT ref: 0027261A
Part of subcall function 002725D0: _memset.LIBCMT ref: 00272631
Part of subcall function 002725D0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,74DF0F00), ref: 00272646
Part of subcall function 002725D0: GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,74DF0F00), ref: 0027266B
Part of subcall function 002725D0: DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,74DF0F00), ref: 002726AC

Strings

HGDraw.dll, xrefs: 0027218A
houtue, xrefs: 002723CC
biudfw, xrefs: 002723FF, 00272421
218.54.47.74, xrefs: 002722F2
biudfw, xrefs: 002723EC
Run, xrefs: 00272573
Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 0027252A
MSMP, xrefs: 00272457
MSMP, xrefs: 00272473

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _memset$File$DeletePathTemp$ModuleName
String ID: 218.54.47.74$HGDraw.dll$MSMP$MSMP$Run$Software\Microsoft\Windows NT\CurrentVersion\Windows$biudfw$biudfw$houtue
API String ID: 3389175124-3896806327
Opcode ID: 848e630a36ffd0c248e7232ccd10d1c18ae42fef55b8d80fe29b1b4e0aa43ba7
Instruction ID: 1b29d6e7adad43e75874a5f6c6103f790ad59720e6ab14406ae99f49c659c600
Opcode Fuzzy Hash: 848e630a36ffd0c248e7232ccd10d1c18ae42fef55b8d80fe29b1b4e0aa43ba7
Instruction Fuzzy Hash: 59C14B75920219D7DB24EF60DC46BEAB374AF54700F4480E9EA0CE7181EBB19EA9CF54

Function 00271470 Relevance: 28.1, APIs: 6, Strings: 10, Instructions: 109threadnetworkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00271490

Part of subcall function 00273C20: _memset.LIBCMT ref: 00273C4A
Part of subcall function 00273C20: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00273C74

OpenEventW.KERNEL32(00020000,00000000,biudfw), ref: 002714D0
CloseHandle.KERNEL32(00000000), ref: 002714DB
CreateEventW.KERNEL32(00000000,00000000,00000000,biudfw), ref: 002714FC
WSAStartup.WS2_32(00000101,?), ref: 00271512
CreateThread.KERNELBASE(00000000,00000000,Function_000013B0,00000000,00000000,00000000), ref: 002715EB

Strings

QAAAA, xrefs: 00271584
218.54.47.74, xrefs: 00271575
houtue, xrefs: 002715A7
MSMP2, xrefs: 00271518
GTDR, xrefs: 0027155A
biudfw, xrefs: 002714B5, 002714C4, 002714F1
biudfw, xrefs: 00271537
218.54.47.74, xrefs: 002715C5
218.54.47.77, xrefs: 00271546
218.54.47.74, xrefs: 0027156E

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CreateEvent_memset$CloseFileHandleModuleNameOpenStartupThread
String ID: 218.54.47.74$218.54.47.74$218.54.47.74$218.54.47.77$GTDR$MSMP2$QAAAA$biudfw$biudfw$houtue
API String ID: 2299581682-1964883170
Opcode ID: 86e4d6b2c2f7a06c7e57418a5f170622a22d9eddf5859862e356d032777479b5
Instruction ID: 9e6719fe464682e748251384b6eb793ad2daf4d7b54a367610e3d90bd70765ee
Opcode Fuzzy Hash: 86e4d6b2c2f7a06c7e57418a5f170622a22d9eddf5859862e356d032777479b5
Instruction Fuzzy Hash: 82310B7876130557DB14FFA4AC4BBAA33649F10B04F60405AFA0DAB1C1FFB155348719

Function 00279B29 Relevance: 26.2, APIs: 17, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: c01cf87f7bfcc8b660a3e23c0c5da6da524e783e37ac443550f5b685b68aa904
Instruction ID: b3f78e38c315275f4cdb6db3d435e9074e77671ca78a618ac960c95f3ac0aaaa
Opcode Fuzzy Hash: c01cf87f7bfcc8b660a3e23c0c5da6da524e783e37ac443550f5b685b68aa904
Instruction Fuzzy Hash: 05326934A25346DFDB31DF58D844BBD7BB5AF46310F24C04AE89D9B292C77088A1CB62

Function 002754C0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002754EA

Strings

AS101, xrefs: 002756C0

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _memset
String ID: AS101
API String ID: 2102423945-3510149062
Opcode ID: dc1c296ae2342ec0b16c464caae6061b5e89d7effc2091c32a8fd4b922e2be30
Instruction ID: 98c4e206bb79009ee65826b31acadc352474e42a88c71820c2179f45013c8492
Opcode Fuzzy Hash: dc1c296ae2342ec0b16c464caae6061b5e89d7effc2091c32a8fd4b922e2be30
Instruction Fuzzy Hash: DF91D5B49102A9CBDB24DF24DC45BA9B7F5BF44304F04C2DAE48DAA280DBB45E94CF91

Function 00274110 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 131memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00003A98), ref: 0027417A
RtlAllocateHeap.NTDLL(00000000), ref: 00274181
GetAdaptersAddresses.IPHLPAPI(00000002,00000010,00000000,00000000,00003A98), ref: 002741B3
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002741C8
HeapFree.KERNEL32(00000000), ref: 002741CF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002742D4
RtlFreeHeap.NTDLL(00000000), ref: 002742DB

Strings

o, xrefs: 002741E5

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Heap$Process$Free$AdaptersAddressesAllocate
String ID: o
API String ID: 76810026-252678980
Opcode ID: 05e29385e5403973117cb624856a254506727995c447866fcffb47aa7fc5cb2d
Instruction ID: 40023c9a30aaa91223119b6cbf1b5788c9020c20a040c864a43f17c0884d088e
Opcode Fuzzy Hash: 05e29385e5403973117cb624856a254506727995c447866fcffb47aa7fc5cb2d
Instruction Fuzzy Hash: 57512774A1020ADFDB04DF94C498BAEFBB1FB48304F14C699E8196B381C7759A45CF90

Function 00274B70 Relevance: 13.6, APIs: 9, Instructions: 109networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00274B9A
WSAStartup.WS2_32(00000101,?), ref: 00274BFB
socket.WS2_32(00000002,00000001,00000006), ref: 00274C1D
gethostbyname.WS2_32(00000000), ref: 00274C3B
inet_addr.WS2_32(00000000), ref: 00274C54
gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 00274C6B
closesocket.WS2_32 ref: 00274CFC

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Startup_memsetclosesocketgethostbyaddrgethostbynameinet_addrsocket
String ID:
API String ID: 2440521008-0
Opcode ID: 44185085ae167282d63d4e4bcf7772a678058c0b02b18ec522931f1151592a2c
Instruction ID: 7cfb402b1008865c093aa23624da79c0e27913373e2af463d9be534584979820
Opcode Fuzzy Hash: 44185085ae167282d63d4e4bcf7772a678058c0b02b18ec522931f1151592a2c
Instruction Fuzzy Hash: 3B417C74A11219DFEB24DF20DD49BAAB3B4FF48300F008199E9499B291DB709ED4CF91

Function 00271B90 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 36windowregistryCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(?,0000006B), ref: 00271BC9
LoadCursorW.USER32(00000000,00007F00), ref: 00271BD9
LoadIconW.USER32(?,0000006C), ref: 00271BFC
RegisterClassExW.USER32(00000030), ref: 00271C09

Strings

Polkkhdfte, xrefs: 00271BF5
0, xrefs: 00271BA3
m, xrefs: 00271BEE

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Load$Icon$ClassCursorRegister
String ID: 0$Polkkhdfte$m
API String ID: 4202395251-997551336
Opcode ID: 37317c24840a36126484bd93bb10eda50ed549b9230eb447a1fb9ecb6d30e986
Instruction ID: 8377312838ad2a00fe2bb4cc2a574f98914962514cd5b11d49d44ded42735237
Opcode Fuzzy Hash: 37317c24840a36126484bd93bb10eda50ed549b9230eb447a1fb9ecb6d30e986
Instruction Fuzzy Hash: 7D0108B4D01209ABEB00EFE0E95DB9EBBB4AB08304F50415AE505BB280D7BA06588F94

Function 00271C20 Relevance: 10.6, APIs: 7, Instructions: 97windowCOMMON

Download Yara Rule

APIs

73A246C0.USER32(?,?,?,?), ref: 00271C5E
73A246C0.USER32(?,00000111,?,?), ref: 00271C8E
BeginPaint.USER32(?,?), ref: 00271CF1
EndPaint.USER32(?,?), ref: 00271CFD
PostQuitMessage.USER32(00000000), ref: 00271D19

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: A246Paint$BeginMessagePostQuit
String ID:
API String ID: 1189651601-0
Opcode ID: f32cf32d9243225492d08d3e172ebea394505471dc653e1d8aab5bf74822c7e2
Instruction ID: 3d3dd11b5a52ec578364158115a9ed4a1893244735ae2148f36ead42721f31bb
Opcode Fuzzy Hash: f32cf32d9243225492d08d3e172ebea394505471dc653e1d8aab5bf74822c7e2
Instruction Fuzzy Hash: 3D21C8316251195FCB24EF68EC0EAAB7BA8EF49311F40450FF94A8A191DA719830DB96

Function 00271E40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00271E9B
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00271EBE
GetTempPathW.KERNEL32(00000104,?,?,MSMP2), ref: 00271EEB
__wfopen_s.LIBCMT ref: 00271F20
__fread_nolock.LIBCMT ref: 00271F3B

Strings

MSMP2, xrefs: 00271E57

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: DirectoryPathSystemTemp__fread_nolock__wfopen_s_memset
String ID: MSMP2
API String ID: 3270528022-3050822126
Opcode ID: 13a44ff6f0b75476195c5d13e6a6d087d705faab2f91fe1aaa77f1bf25416c1b
Instruction ID: ce8976957d3de44a55f3392f6627910ec084e2b05e00bc481773d0cce65b0e9d
Opcode Fuzzy Hash: 13a44ff6f0b75476195c5d13e6a6d087d705faab2f91fe1aaa77f1bf25416c1b
Instruction Fuzzy Hash: 2731E8B59112189BDB20EF68DC49BEA73789F44700F048195FD0DA7181EBB05E748F51

Function 002713B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002713DC
OpenEventW.KERNEL32(00020000,00000000,?), ref: 0027144E
Sleep.KERNELBASE(000000C8), ref: 00271457
CloseHandle.KERNEL32(00000000), ref: 0027145E
ExitProcess.KERNEL32 ref: 00271466

Strings

_STOP, xrefs: 0027141C

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CloseEventExitHandleOpenProcessSleep_memset
String ID: _STOP
API String ID: 2427619054-3538324249
Opcode ID: 9b05aa0f2287adca596295e0c2570f8c2d1304cc08705b02be460c65b410707d
Instruction ID: a0c8a4ad13b80ac666a016858b642babdddfd7cd55f17acee584e13aff078d61
Opcode Fuzzy Hash: 9b05aa0f2287adca596295e0c2570f8c2d1304cc08705b02be460c65b410707d
Instruction Fuzzy Hash: 0711A07851230AAFD714EF68EC4DFA673B8EF04744F248099EA18DB292F6309955CB54

Function 00274860 Relevance: 9.2, APIs: 6, Instructions: 173COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 002748A0

Part of subcall function 00276DB7: __FF_MSGBANNER.LIBCMT ref: 00276DCE
Part of subcall function 00276DB7: __NMSG_WRITE.LIBCMT ref: 00276DD5
Part of subcall function 00276DB7: RtlAllocateHeap.NTDLL(008A0000,00000000,00000001,?,?,?,?,002774F4,00274317,?,?,00274317,00000020,?,002712B1,?), ref: 00276DFA

_memset.LIBCMT ref: 002748BC
_memset.LIBCMT ref: 002748F1

Part of subcall function 00274B70: _memset.LIBCMT ref: 00274B9A
Part of subcall function 00274B70: WSAStartup.WS2_32(00000101,?), ref: 00274BFB

_free.LIBCMT ref: 00274B3E

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _memset$AllocateHeapStartup_free_malloc
String ID:
API String ID: 2284926136-0
Opcode ID: 57c13ae98b12a1fb6683a5fa80916d06fcd1eaf8c2c240fb920790c4582b658e
Instruction ID: 57bc71352cde380beb0cdaccd62199e2f7f64ea1b90677d4c13bb3597636608e
Opcode Fuzzy Hash: 57c13ae98b12a1fb6683a5fa80916d06fcd1eaf8c2c240fb920790c4582b658e
Instruction Fuzzy Hash: 09715FB5D1012C96EB68DB15DD41FEAB3B4AF58304F0082E9E50DA6182EF745ED4CF91

Function 002A4561 Relevance: 9.1, APIs: 6, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000007,?,00001000,00000004), ref: 002A458B
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 002A45BC
VirtualProtect.KERNELBASE(?,00000001,00000004,?), ref: 002A45C9
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 002A45DC
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 002A45F2
VirtualProtect.KERNELBASE(?,00000001,?,?), ref: 002A4600

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000296000.00000040.00000001.01000000.00000005.sdmp, Offset: 00296000, based on PE: false

Similarity

API ID: Virtual$AllocFreeProtect
String ID:
API String ID: 267585107-0
Opcode ID: 0f32917d514b474a3e93ec6ad6b0b84087001e06b61f4270065deb97bdcee493
Instruction ID: ce39358bce5d13c339339b58e616dd61391bd5131508a060ba141f6b30d75ba6
Opcode Fuzzy Hash: 0f32917d514b474a3e93ec6ad6b0b84087001e06b61f4270065deb97bdcee493
Instruction Fuzzy Hash: 1A41A272510201AFDF149F14CC88B6677A9FF97721F248154FA469F189DBB0E820CB51

Function 00274680 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00274860: _malloc.LIBCMT ref: 002748A0
Part of subcall function 00274860: _memset.LIBCMT ref: 002748BC
Part of subcall function 00274860: _memset.LIBCMT ref: 002748F1
Part of subcall function 00274860: _free.LIBCMT ref: 00274B3E

_memset.LIBCMT ref: 002746DF
_memset.LIBCMT ref: 002746FE
GetTempPathW.KERNEL32(00000104,?), ref: 00274712
GetFileAttributesW.KERNEL32(?), ref: 0027482F

Strings

djfuhgdt.exe, xrefs: 0027480F

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _memset$AttributesFilePathTemp_free_malloc
String ID: djfuhgdt.exe
API String ID: 4167924629-2194725056
Opcode ID: a1203a7835ed8b40be2a5a716bebfdeeefc0546f83e2f04672e2b2bebf8e63bb
Instruction ID: 64f5f05f8441eba7296c62de0fd2fa76d02e32ca71e02bd6142b44c2bec7b7b0
Opcode Fuzzy Hash: a1203a7835ed8b40be2a5a716bebfdeeefc0546f83e2f04672e2b2bebf8e63bb
Instruction Fuzzy Hash: 8F41A8F5A1022C9BDB18EB10DC85BE9B3B4AB44704F50C1E9F60D9A1C1E7B45AE4CF95

Function 00271610 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00274860: _malloc.LIBCMT ref: 002748A0
Part of subcall function 00274860: _memset.LIBCMT ref: 002748BC
Part of subcall function 00274860: _memset.LIBCMT ref: 002748F1
Part of subcall function 00274860: _free.LIBCMT ref: 00274B3E

_memset.LIBCMT ref: 00271656
_memset.LIBCMT ref: 00271671
GetTempPathW.KERNEL32(00000104,?), ref: 00271685
GetFileAttributesW.KERNEL32(?), ref: 00271717

Strings

djfuhgdt.exe, xrefs: 002716F7

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _memset$AttributesFilePathTemp_free_malloc
String ID: djfuhgdt.exe
API String ID: 4167924629-2194725056
Opcode ID: 93c03bd5a31a3e34c664d74c652a16cb5952af5e796681e814317854979aed2d
Instruction ID: c3903710e8d5f313d8a27161f239e933c94744b009875ccf34a0e0226bec6b28
Opcode Fuzzy Hash: 93c03bd5a31a3e34c664d74c652a16cb5952af5e796681e814317854979aed2d
Instruction Fuzzy Hash: 9621A9F6D1131857DB60AB549C4AEDAB37C9F44310F1085E5B61CE31C2E6748EA08BA6

Function 00271250 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0027128F
_memset.LIBCMT ref: 002712A0

Part of subcall function 00274300: _memset.LIBCMT ref: 0027433C

Part of subcall function 00271000: _memset.LIBCMT ref: 0027102E
Part of subcall function 00271000: _memset.LIBCMT ref: 00271049
Part of subcall function 00271000: GetSystemWindowsDirectoryW.KERNEL32(?,00000104), ref: 0027105D
Part of subcall function 00271000: wsprintfW.USER32 ref: 0027108A
Part of subcall function 00271000: GetFileAttributesW.KERNELBASE(?), ref: 0027109C
Part of subcall function 00271000: wsprintfW.USER32 ref: 002710C1
Part of subcall function 00271000: GetFileAttributesW.KERNELBASE(?), ref: 002710CD
Part of subcall function 00271000: wsprintfW.USER32 ref: 002710EF
Part of subcall function 00271000: GetFileAttributesW.KERNELBASE(?), ref: 002710FB
Part of subcall function 00271000: wsprintfW.USER32 ref: 0027111D
Part of subcall function 00271000: GetFileAttributesW.KERNELBASE(?), ref: 00271129
Part of subcall function 00271000: wsprintfW.USER32 ref: 0027114E
Part of subcall function 00271000: GetFileAttributesW.KERNELBASE(?), ref: 0027115A

Strings

AAAA, xrefs: 00271377
Jones-PC, xrefs: 00271335
UnKnown, xrefs: 00271344

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: AttributesFile_memsetwsprintf$DirectorySystemWindows
String ID: AAAA$user-PC$UnKnown
API String ID: 3855195234-1929542895
Opcode ID: 4930b1a23707213a60b120419f6b5a6c3a5458e3083c019774cb447efec8f158
Instruction ID: ce96bdcdc9a96c86cfeb51a5e9e6737b621237ff106e8691f0c3da72bc7104f8
Opcode Fuzzy Hash: 4930b1a23707213a60b120419f6b5a6c3a5458e3083c019774cb447efec8f158
Instruction Fuzzy Hash: 523190B89222098ADB14EFB8EC55BB977F4AF4C300F2481AEE44997251E7305654CB38

Function 002774D7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 002774EF

Part of subcall function 00276DB7: __FF_MSGBANNER.LIBCMT ref: 00276DCE
Part of subcall function 00276DB7: __NMSG_WRITE.LIBCMT ref: 00276DD5
Part of subcall function 00276DB7: RtlAllocateHeap.NTDLL(008A0000,00000000,00000001,?,?,?,?,002774F4,00274317,?,?,00274317,00000020,?,002712B1,?), ref: 00276DFA

std::exception::exception.LIBCMT ref: 0027750B
__CxxThrowException@8.LIBCMT ref: 00277520

Part of subcall function 0027CF3B: RaiseException.KERNEL32(?,?,?,0028905C,?,?,?,00277525,?,0028905C,00000020,00000001), ref: 0027CF8C

Strings

lB(, xrefs: 002774FD
bad allocation, xrefs: 00277504

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation$lB(
API String ID: 3074076210-2116421371
Opcode ID: dc8ea97f6488e961f8636d5bae0ab5f41dd3fa403016dddd8a63113a4f51edcb
Instruction ID: 15007d825cea2897909c337fccfc58c57a33ed1a05b2d8f0978e057b1e189706
Opcode Fuzzy Hash: dc8ea97f6488e961f8636d5bae0ab5f41dd3fa403016dddd8a63113a4f51edcb
Instruction Fuzzy Hash: 9DF0A97552921B67C715BBA8DC119DE7BA85F02354F10C069FD4C91182DBB08A609792

Function 002713E8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36sleepCOMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00020000,00000000,?), ref: 0027144E
Sleep.KERNELBASE(000000C8), ref: 00271457
CloseHandle.KERNEL32(00000000), ref: 0027145E
ExitProcess.KERNEL32 ref: 00271466

Strings

_STOP, xrefs: 0027141C

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CloseEventExitHandleOpenProcessSleep
String ID: _STOP
API String ID: 149034694-3538324249
Opcode ID: c9bee0abde1d8af77a7bd8969bae42949f815016031e9f8fa3b19c952bf96f08
Instruction ID: 8eeb2e53b19f7a7c8729e0cc50e37b0317f884229e4a4190eff18f9690350d7f
Opcode Fuzzy Hash: c9bee0abde1d8af77a7bd8969bae42949f815016031e9f8fa3b19c952bf96f08
Instruction Fuzzy Hash: 220162385023068BC724EF68EC8DBA673B4FF05704F658098EA1C9B291E7319916CB15

Function 00275140 Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0027516A

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: c1a9ee912a3a1d46ca4d495c6773f99304570d18fea59330e3a702d278fca38a
Instruction ID: 33b3f23ef34dec06d0ac892576682293af33e2a6524a72899d87b8c35d5eda9b
Opcode Fuzzy Hash: c1a9ee912a3a1d46ca4d495c6773f99304570d18fea59330e3a702d278fca38a
Instruction Fuzzy Hash: AFA1B1B59101298BCB64DF14D891BAAB7F5FF88304F14C1E8E48DA7241DAB0AED58FD1

Function 0027624B Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002762A7
_memcpy_s.LIBCMT ref: 00276319
__filbuf.LIBCMT ref: 0027639A
_memset.LIBCMT ref: 002763DE

Part of subcall function 002780EA: __getptd_noexit.LIBCMT ref: 002780EA

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 0d225e69f2ec64261b7013b1ac2747038d67961d1837a102cc7e749bb44f9ac3
Instruction ID: 5a75e6f0717d422c226e1251498287b8c75511c3097a82f5b1679c8300a8c651
Opcode Fuzzy Hash: 0d225e69f2ec64261b7013b1ac2747038d67961d1837a102cc7e749bb44f9ac3
Instruction Fuzzy Hash: 9151B570A20B07DFDB249EA9C8486AE77B5AF51720F14C669F83D962D1D7B09D70CB40

Function 00274FF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002750AD
send.WS2_32(00000200,00000000,00000200,00000000), ref: 002750CE

Strings

AS101, xrefs: 00275089

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _memmovesend
String ID: AS101
API String ID: 135662524-3510149062
Opcode ID: 9fe2fabd0d156bcf5e51e83e0b1231b7b79110a2fc74a280d601e96dde5a5ffa
Instruction ID: d72ffd031c75654accd7d6a92ad6e891a6c536dc965fc90cb03c2266e6f0c409
Opcode Fuzzy Hash: 9fe2fabd0d156bcf5e51e83e0b1231b7b79110a2fc74a280d601e96dde5a5ffa
Instruction Fuzzy Hash: AC4118B4D14249EBDF04CF98D854BAEBBB0BF48304F248199E8196B380D3B59A61DF91

Function 00271DA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00271DCC

Part of subcall function 00271E40: _memset.LIBCMT ref: 00271E9B
Part of subcall function 00271E40: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00271EBE
Part of subcall function 00271E40: __wfopen_s.LIBCMT ref: 00271F20
Part of subcall function 00271E40: __fread_nolock.LIBCMT ref: 00271F3B

Strings

MSMP, xrefs: 00271DC5
golfinfo.ini, xrefs: 00271DD3

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _memset$DirectorySystem__fread_nolock__wfopen_s
String ID: MSMP$golfinfo.ini
API String ID: 2404306169-1742890095
Opcode ID: a7782dde4d03f6ae11fcecd2f702360ef43f92be8d36c19d987dda27c1de5b2f
Instruction ID: a117bc18bd3321d902fb833d27439f380c37da97557d7924a4c93844a4137f9d
Opcode Fuzzy Hash: a7782dde4d03f6ae11fcecd2f702360ef43f92be8d36c19d987dda27c1de5b2f
Instruction Fuzzy Hash: CE112631A202089BDF64DE68DC49BEE77B8DF45310F5041E9E81DD7192DE70AEA5CB40

Function 00274D50 Relevance: 4.7, APIs: 3, Instructions: 158COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00274D7A

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 1e8dfb098dc5b0b757f7e79607f2a9df9b706bdc349a1980f12502787d765c48
Instruction ID: f9edf4292e6b013614794113a7764b5c8c799c7d8b35ec034f1d61e9814ca538
Opcode Fuzzy Hash: 1e8dfb098dc5b0b757f7e79607f2a9df9b706bdc349a1980f12502787d765c48
Instruction Fuzzy Hash: 8D61F5B49101199BDBA4EF14D841BA9B3F5BF48304F10C1A9E58DA7240DB749EE9CFD2

Function 00274300 Relevance: 4.6, APIs: 3, Instructions: 79networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002774D7: _malloc.LIBCMT ref: 002774EF

_memset.LIBCMT ref: 0027433C

Part of subcall function 00274110: GetProcessHeap.KERNEL32(00000000,00003A98), ref: 0027417A
Part of subcall function 00274110: RtlAllocateHeap.NTDLL(00000000), ref: 00274181
Part of subcall function 00274110: GetProcessHeap.KERNEL32(00000000,00000000), ref: 002742D4
Part of subcall function 00274110: RtlFreeHeap.NTDLL(00000000), ref: 002742DB

htonl.WS2_32(?), ref: 0027436C
gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 0027437D

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Heap$Process$AllocateFree_malloc_memsetgethostbyaddrhtonl
String ID:
API String ID: 3130101773-0
Opcode ID: 61abbe16e27252975634e5c707cea8941f5ce3a08501ea65757b93fe60cb89ff
Instruction ID: a2c18d6fa25fea93f8694ceab07ddabbb29ad6d96c2fd7bb96e7097906f51243
Opcode Fuzzy Hash: 61abbe16e27252975634e5c707cea8941f5ce3a08501ea65757b93fe60cb89ff
Instruction Fuzzy Hash: 6C3110B4D10209AFDB00EFA4D849BAEBBB4BF48304F108469E909AB381D7759A54CF95

Function 00274D20 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00274D31

Strings

RK', xrefs: 00274D23, 00274D2B, 00274D3F

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: closesocket
String ID: RK'
API String ID: 2781271927-654180457
Opcode ID: 98ca7e173269d9227f0621b7bf39a4925b8f6616b1bd8dc37c242f6c839112c8
Instruction ID: 4f00e79ac15d1db12ad019ac0b7b2068dc41471bc31ba63dd0514651d91254d0
Opcode Fuzzy Hash: 98ca7e173269d9227f0621b7bf39a4925b8f6616b1bd8dc37c242f6c839112c8
Instruction Fuzzy Hash: EDE0173422030ADFDB25AF68D884BA637A8AB46784F40C464F84D8F390D775ED90CBA0

Function 0027A2B8 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0027A30F
__close_nolock.LIBCMT ref: 0027A328

Part of subcall function 002780B6: __getptd_noexit.LIBCMT ref: 002780B6

Part of subcall function 002780EA: __getptd_noexit.LIBCMT ref: 002780EA

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 4e35b9803b4194e6090b2e07b9b3491aa22ce7de9da24087b433f94b336f07a1
Instruction ID: 38c91d21164c16c04aef02f8a33d0debe20f9c81f36b0bd3d457bd84b05e3ab5
Opcode Fuzzy Hash: 4e35b9803b4194e6090b2e07b9b3491aa22ce7de9da24087b433f94b336f07a1
Instruction Fuzzy Hash: E611C2324756518AD7017FA8985676C36606F92331F15C284E43C5B1E3CBB449718B62

Function 00276429 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00276458
__lock_file.LIBCMT ref: 00276479

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 7fc44ef0c6861b324395ebe993421bf21591ecd983cabfe4a8b3a0f5a910aeb4
Instruction ID: 74071718b32acb0ee225332574b440dfc742cdedaa3c2157d4b6b3d9e5c3dc89
Opcode Fuzzy Hash: 7fc44ef0c6861b324395ebe993421bf21591ecd983cabfe4a8b3a0f5a910aeb4
Instruction Fuzzy Hash: D4018F7182160AEBCF22AFA58C1999F7B71AF80720F14C215F82C561A1DB318A72DF91

Function 00276526 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 002780EA: __getptd_noexit.LIBCMT ref: 002780EA

__lock_file.LIBCMT ref: 0027656B

Part of subcall function 0027905D: __lock.LIBCMT ref: 00279080

__fclose_nolock.LIBCMT ref: 00276576

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 6ee85b69d227d52614e5ab93d8338c869629ad5dbef6bdd468ff5a7df0814c66
Instruction ID: 276d4d087cc864adf3f366ff20ceab9011ae03e0e710bd1ca6d12a5dd35e5a35
Opcode Fuzzy Hash: 6ee85b69d227d52614e5ab93d8338c869629ad5dbef6bdd468ff5a7df0814c66
Instruction Fuzzy Hash: 4DF0BB31831B119AD7117F75880D75E77A16F41334F54C205E42CAB1D5CB7C4972AF55

Function 0027419C Relevance: 3.0, APIs: 2, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 002742D4
RtlFreeHeap.NTDLL(00000000), ref: 002742DB

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 59f040411917248a68929b53fe32ef6de10bef92a1585450ea56fd1dd4fd93da
Instruction ID: 7955d821e9f2b44bf9003f6ee03fe2b8ef8f68bfb857f336f6bec4a6f637b815
Opcode Fuzzy Hash: 59f040411917248a68929b53fe32ef6de10bef92a1585450ea56fd1dd4fd93da
Instruction Fuzzy Hash: C2D01234A1111ADBCB18EBD0E80D77E7334EB44301F014648F90A56181CB741924CB51

Function 002742BF Relevance: 3.0, APIs: 2, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 002742D4
RtlFreeHeap.NTDLL(00000000), ref: 002742DB

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 9722f30434bc09acc95bb278dd5f485763638903045be2f7869540b442578d58
Instruction ID: 7955d821e9f2b44bf9003f6ee03fe2b8ef8f68bfb857f336f6bec4a6f637b815
Opcode Fuzzy Hash: 9722f30434bc09acc95bb278dd5f485763638903045be2f7869540b442578d58
Instruction Fuzzy Hash: C2D01234A1111ADBCB18EBD0E80D77E7334EB44301F014648F90A56181CB741924CB51

Function 00279A20 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 001d52d85711cc8e16f7cf1e73bfecbfbf9e70714a457135a959c17f8fa5b68f
Instruction ID: e805564d0cab23e034fade69df63e0588555566ec1e3cb9c769b9c08c40462b1
Opcode Fuzzy Hash: 001d52d85711cc8e16f7cf1e73bfecbfbf9e70714a457135a959c17f8fa5b68f
Instruction Fuzzy Hash: E1218E328713458BD701BF689C567693660AF12329F15C244E42C5B1E3DBB498B0CF62

Function 0027494A Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00274B3E

Part of subcall function 00276E49: RtlFreeHeap.NTDLL(00000000,00000000,?,0027B899,00000000,002780EF,00276E3E), ref: 00276E5D
Part of subcall function 00276E49: GetLastError.KERNEL32(00000000,?,0027B899,00000000,002780EF,00276E3E), ref: 00276E6F

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a029a982bdb5a37bc62cc427a5dc2d62a39010bce1aa974aa786f34c05607e8c
Instruction ID: a3ad14999c3e0f596102177929f7a1057b3a2932032ab89fc525b411b11b4517
Opcode Fuzzy Hash: a029a982bdb5a37bc62cc427a5dc2d62a39010bce1aa974aa786f34c05607e8c
Instruction Fuzzy Hash: 1BE04FB5D2001887DA24EB64E985FDAB3649B58205F0082E9F80E56141DA759EA4CF41

Function 002749A1 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00274B3E

Part of subcall function 00276E49: RtlFreeHeap.NTDLL(00000000,00000000,?,0027B899,00000000,002780EF,00276E3E), ref: 00276E5D
Part of subcall function 00276E49: GetLastError.KERNEL32(00000000,?,0027B899,00000000,002780EF,00276E3E), ref: 00276E6F

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 0d34aa33bdc9a40567672ce0c1c4444d1d2c7bd5c71e9eb499d0e8718d477da8
Instruction ID: a3ad14999c3e0f596102177929f7a1057b3a2932032ab89fc525b411b11b4517
Opcode Fuzzy Hash: 0d34aa33bdc9a40567672ce0c1c4444d1d2c7bd5c71e9eb499d0e8718d477da8
Instruction Fuzzy Hash: 1BE04FB5D2001887DA24EB64E985FDAB3649B58205F0082E9F80E56141DA759EA4CF41

Function 0027498E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00274B3E

Part of subcall function 00276E49: RtlFreeHeap.NTDLL(00000000,00000000,?,0027B899,00000000,002780EF,00276E3E), ref: 00276E5D
Part of subcall function 00276E49: GetLastError.KERNEL32(00000000,?,0027B899,00000000,002780EF,00276E3E), ref: 00276E6F

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: cf1aa5add83c462649ff2c444d79d1c98d72d666090808181f7616201bc928e4
Instruction ID: a3ad14999c3e0f596102177929f7a1057b3a2932032ab89fc525b411b11b4517
Opcode Fuzzy Hash: cf1aa5add83c462649ff2c444d79d1c98d72d666090808181f7616201bc928e4
Instruction Fuzzy Hash: 1BE04FB5D2001887DA24EB64E985FDAB3649B58205F0082E9F80E56141DA759EA4CF41

Function 002749E4 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00274B3E

Part of subcall function 00276E49: RtlFreeHeap.NTDLL(00000000,00000000,?,0027B899,00000000,002780EF,00276E3E), ref: 00276E5D
Part of subcall function 00276E49: GetLastError.KERNEL32(00000000,?,0027B899,00000000,002780EF,00276E3E), ref: 00276E6F

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: cd18f61d3b2584ea1841d4f63d82c90add8c51963ebfea4f0b3cfea724c86f8c
Instruction ID: a3ad14999c3e0f596102177929f7a1057b3a2932032ab89fc525b411b11b4517
Opcode Fuzzy Hash: cd18f61d3b2584ea1841d4f63d82c90add8c51963ebfea4f0b3cfea724c86f8c
Instruction Fuzzy Hash: 1BE04FB5D2001887DA24EB64E985FDAB3649B58205F0082E9F80E56141DA759EA4CF41

Function 00274A13 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00274B3E

Part of subcall function 00276E49: RtlFreeHeap.NTDLL(00000000,00000000,?,0027B899,00000000,002780EF,00276E3E), ref: 00276E5D
Part of subcall function 00276E49: GetLastError.KERNEL32(00000000,?,0027B899,00000000,002780EF,00276E3E), ref: 00276E6F

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 3d81abf6e3b6b4b72183a6be7a18e4ffcdaadd3429573816c622b47edc5c4e19
Instruction ID: a3ad14999c3e0f596102177929f7a1057b3a2932032ab89fc525b411b11b4517
Opcode Fuzzy Hash: 3d81abf6e3b6b4b72183a6be7a18e4ffcdaadd3429573816c622b47edc5c4e19
Instruction Fuzzy Hash: 1BE04FB5D2001887DA24EB64E985FDAB3649B58205F0082E9F80E56141DA759EA4CF41

Non-executed Functions

Function 00273780 Relevance: 28.3, APIs: 6, Strings: 10, Instructions: 287COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002737AA
_memset.LIBCMT ref: 002737C7
_memset.LIBCMT ref: 002737E4
GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,?,?,?,74DF0F00), ref: 00273827
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,?,?,74DF0F00), ref: 002738DA

Part of subcall function 002766F4: __lock_file.LIBCMT ref: 00276733

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00273C02

Strings

del ", xrefs: 00273979
open, xrefs: 00273BFB
sanfdr.bat, xrefs: 002737EC
del ", xrefs: 00273B47
rmdir ", xrefs: 00273AAD
" goto Repeat, xrefs: 00273A95
", xrefs: 00273B2F
if exist ", xrefs: 00273A13
:Repeat, xrefs: 00273961
", xrefs: 002739FB

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _memset$ExecuteFileModuleNamePathShellTemp__lock_file
String ID: "$"$" goto Repeat$:Repeat$del "$del "$if exist "$open$rmdir "$sanfdr.bat
API String ID: 2882992250-1728629311
Opcode ID: a3f1a9d272c4322e1790e3d3e29d083e8d7d742eed2a1f6999a86fd80960d6e4
Instruction ID: 99c869d2ba52be5dfdf78eb46a15fb6cb633b17f524439604d708a286291f805
Opcode Fuzzy Hash: a3f1a9d272c4322e1790e3d3e29d083e8d7d742eed2a1f6999a86fd80960d6e4
Instruction Fuzzy Hash: 50D16C71D113289FDB26DB64CC86BE9B7B8AB59700F4080D9E60C67281DA716FD4CF51

Function 00272339 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 174COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00020000,00000000,0028BFEC), ref: 002723A2

Strings

houtue, xrefs: 002723CC
biudfw, xrefs: 002723FF, 00272421
biudfw, xrefs: 002723EC
Run, xrefs: 00272573
Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 0027252A
MSMP, xrefs: 00272457
MSMP, xrefs: 00272473

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: EventOpen
String ID: MSMP$MSMP$Run$Software\Microsoft\Windows NT\CurrentVersion\Windows$biudfw$biudfw$houtue
API String ID: 3658969616-1991036340
Opcode ID: fe5f7587d184b87a9da065f9c625292b60dd5be63c0c847dc4c4f522d41a7c58
Instruction ID: 49d7a8dd93823128a893936d1edf356fb346c19d7788686a94873fab82bab0d6
Opcode Fuzzy Hash: fe5f7587d184b87a9da065f9c625292b60dd5be63c0c847dc4c4f522d41a7c58
Instruction Fuzzy Hash: 9A613674A102198BDB24EF10DC56BE9B375AF44300F4480E8EA4DAB181EBB16EE9CF54

Function 00272DD0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00272E0F
_memset.LIBCMT ref: 00272E27
_free.LIBCMT ref: 00272E5E

Strings

_GBP, xrefs: 00272E75
_GBP, xrefs: 00272F23

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _free_malloc_memset
String ID: _GBP$_GBP
API String ID: 2338540524-3430829148
Opcode ID: 491d929b61f2114a7170c554d451fb8e9df9b4ef69328772a0e22fd3238e4926
Instruction ID: 3d5c1801f78a2bcc9cfec1375a81c0b34b52160a5d6d5ac1ebd8a016a5ebc304
Opcode Fuzzy Hash: 491d929b61f2114a7170c554d451fb8e9df9b4ef69328772a0e22fd3238e4926
Instruction Fuzzy Hash: 1F5180B5D20209EBDF10DFA8C845EEEB7B5EF48314F108168E509BB380E775AA54CB91

Function 00272759 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108sleepfileCOMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00020000,00000000,?), ref: 002727B5
CloseHandle.KERNEL32(00000000), ref: 002727C2
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 002727D5
OpenEventW.KERNEL32(00020000,00000000,?), ref: 002727E7
CloseHandle.KERNEL32(00000000), ref: 002727F6
Sleep.KERNEL32(000001F4), ref: 00272802
OpenEventW.KERNEL32(00020000,00000000,?), ref: 0027280F
Sleep.KERNEL32(000003E8), ref: 0027281A
DeleteFileW.KERNEL32(?), ref: 00272823

Strings

_STOP, xrefs: 0027278D

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Event$Open$CloseHandleSleep$CreateDeleteFile
String ID: _STOP
API String ID: 3344880316-3538324249
Opcode ID: 95a63f25b9f6cd44178765edb3f4d20588ccfc0855a55351ef6105723e8b08c0
Instruction ID: e33c62c0bb4d6992be37fcea464dfa2e8cd2c9d88dcffab7e9692c9c4ce4d223
Opcode Fuzzy Hash: 95a63f25b9f6cd44178765edb3f4d20588ccfc0855a55351ef6105723e8b08c0
Instruction Fuzzy Hash: 7E41903851021ACACB24DFA4EC85BFA73B4FF04705F24419AE90DD7181EB32995ACB65

Function 0027BFBD Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0027BFCB

Part of subcall function 0027EF3B: __mtinitlocknum.LIBCMT ref: 0027EF4D
Part of subcall function 0027EF3B: RtlEnterCriticalSection.KERNEL32(002774F4,?,0027B8F1,0000000D), ref: 0027EF66

__calloc_crt.LIBCMT ref: 0027BFDC

Part of subcall function 0027EDA0: __calloc_impl.LIBCMT ref: 0027EDAF
Part of subcall function 0027EDA0: Sleep.KERNEL32(00000000,?,002774F4,00274317,?,?,00274317,00000020,?,002712B1,?,0028C920,00000000,00000200,?,00000000), ref: 0027EDC6

@_EH4_CallFilterFunc@8.LIBCMT ref: 0027BFF7
GetStartupInfoW.KERNEL32(?,002891C8,00000064,00276806,00288FE0,00000014), ref: 0027C050
__calloc_crt.LIBCMT ref: 0027C09B
GetFileType.KERNEL32(00000001), ref: 0027C0E2
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0027C11B

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 90f18483e69688751690c3f883226e160e3dd28358fa40b5d43f13f7a0c595fc
Instruction ID: 782bd5a05fd5a7df42e005408f133765722193e83803b81ea9c75d7fd64cc920
Opcode Fuzzy Hash: 90f18483e69688751690c3f883226e160e3dd28358fa40b5d43f13f7a0c595fc
Instruction Fuzzy Hash: 0C81D4719253468FDB14CFB8D8445ADBBF0AF0A324B34826DD4AEAB3D2D7349812CB54

Function 00275810 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00275833
_malloc.LIBCMT ref: 0027591E
_memset.LIBCMT ref: 0027593A
_memset.LIBCMT ref: 0027596F
_memset.LIBCMT ref: 002759B7
GetTempPathW.KERNEL32(00000104,?), ref: 002759D1
_free.LIBCMT ref: 00275B2C

Part of subcall function 00275B60: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00275B81

Strings

djfuhgdt.exe, xrefs: 00275AE3

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _memset$FileModuleNamePathTemp_free_malloc
String ID: djfuhgdt.exe
API String ID: 3718035101-2194725056
Opcode ID: 9e812bd826d57d5713b14d6b5fd6bb38f586204d73c8f1a436e8ece2e614d8a8
Instruction ID: 2a4b17278a81322e285b6e03810412d6f06261dea79788d77714ba57624a7d05
Opcode Fuzzy Hash: 9e812bd826d57d5713b14d6b5fd6bb38f586204d73c8f1a436e8ece2e614d8a8
Instruction Fuzzy Hash: F0816EB5D102689BCB24EB14DC45BEAB3B9AB48300F1489E9E50D76281E7F05FE4CF95

Function 0027B9EE Relevance: 13.6, APIs: 9, Instructions: 74COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32(?,00000109,?,?,00280AE6,?,00000000,?,?,00280A7D,00000000,?,00000000,0027393F,?,00000040), ref: 0027BA21
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,?,00000109,?,?,00280AE6,?,00000000,?,?,00280A7D), ref: 0027BA3B
GetLastError.KERNEL32(?,?,00280AE6,?,00000000,?,?,00280A7D,00000000,?,00000000,0027393F,?,00000040,00000000,002893F0), ref: 0027BA48
__dosmaperr.LIBCMT ref: 0027BA4F

Part of subcall function 002780EA: __getptd_noexit.LIBCMT ref: 002780EA

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ApisByteCharErrorFileLastMultiWide__dosmaperr__getptd_noexit
String ID:
API String ID: 370057422-0
Opcode ID: b61c8da39051531d1cb248aaf67bf9830fab80d090730ee600e0160b79924f08
Instruction ID: 020721fe5cfcccf3d437624cf3368597cbdeb310f938666fa2a11cac6f8f4294
Opcode Fuzzy Hash: b61c8da39051531d1cb248aaf67bf9830fab80d090730ee600e0160b79924f08
Instruction Fuzzy Hash: 8811C476634213AFDB223FB09C49BBB779CEF14350B20C529FA59D5190EB70C8649B60

Function 00273280 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 97fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00275D00: vswprintf.LIBCMT ref: 00275D18

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00273332
DeviceIoControl.KERNEL32(000000FF,00560000,00000000,00000000,?,00000400,?,00000000), ref: 00273370
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00273399
CloseHandle.KERNEL32(00000000), ref: 002733CB

Strings

>0', xrefs: 002733AC
\\.\%s, xrefs: 0027330E
>0', xrefs: 002732F5, 0027330A, 0027330D

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CloseControlCreateDeviceFileHandleUnothrow_t@std@@@__ehfuncinfo$??2@vswprintf
String ID: >0'$>0'$\\.\%s
API String ID: 3510280372-4264712857
Opcode ID: 0fb63215688e58a98d43dcb32eae22fd70ad1e9c1c3d3b8587a5897112f9a7d4
Instruction ID: f44308aa93178d9529e86ed79051f35cf2d4d0230f95b91ac886d1cb7908b809
Opcode Fuzzy Hash: 0fb63215688e58a98d43dcb32eae22fd70ad1e9c1c3d3b8587a5897112f9a7d4
Instruction Fuzzy Hash: 83414EB4E112189FDB24DF64DD45B9EB7B5EF48700F4080A9E60CAB280DA709B44CF99

Function 0027FF3E Relevance: 12.1, APIs: 8, Instructions: 118COMMON

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0027FF56

Part of subcall function 0027EFC3: __FF_MSGBANNER.LIBCMT ref: 0027EFD8
Part of subcall function 0027EFC3: __NMSG_WRITE.LIBCMT ref: 0027EFDF
Part of subcall function 0027EFC3: __malloc_crt.LIBCMT ref: 0027EFFF

__lock.LIBCMT ref: 0027FF69
__lock.LIBCMT ref: 0027FFB5
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00289328,00000018,0027F40F,?,00000000,00000109), ref: 0027FFD1
RtlEnterCriticalSection.KERNEL32(8000000C,00289328,00000018,0027F40F,?,00000000,00000109), ref: 0027FFEE
RtlLeaveCriticalSection.KERNEL32(8000000C), ref: 0027FFFE

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 973383f5a78d65649830d00a289e4fece989f408e8e963ac4c0286376a17898c
Instruction ID: d3c848a9f6c85b43b2bc85fc3ae63ad5f2992a0af37544571f50ed035b7554bd
Opcode Fuzzy Hash: 973383f5a78d65649830d00a289e4fece989f408e8e963ac4c0286376a17898c
Instruction Fuzzy Hash: F0418B759233068BEB50EF68E88876CB7A4BF01325F10832CE528A76D1C7B49964CF94

Function 002735D0 Relevance: 10.6, APIs: 7, Instructions: 104COMMON

Download Yara Rule

APIs

__wfopen_s.LIBCMT ref: 002735FB
_fseek.LIBCMT ref: 0027361D
_fseek.LIBCMT ref: 0027363C
_malloc.LIBCMT ref: 0027364B
__fread_nolock.LIBCMT ref: 00273664
__wfopen_s.LIBCMT ref: 00273698

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: __wfopen_s_fseek$__fread_nolock_malloc
String ID:
API String ID: 3146148979-0
Opcode ID: ba6e8fd3a7e51fcc78788b516c28d83acfafa84c090a1430feea472231b4ec3a
Instruction ID: 3778081ff11445be0965ecdbb08617fcd1f3a4549a2be07b268e7ccd3b276b57
Opcode Fuzzy Hash: ba6e8fd3a7e51fcc78788b516c28d83acfafa84c090a1430feea472231b4ec3a
Instruction Fuzzy Hash: 323150F6E20209BBDB04EFA4DC46FAF77B8AF44300F148558F90967241E675EA24CB95

Function 0027B95B Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 0027B95B

Part of subcall function 0027BBC5: RtlEncodePointer.KERNEL32(00000000,?,0027B960,002767EC,00288FE0,00000014), ref: 0027BBC8
Part of subcall function 0027BBC5: __initp_misc_winsig.LIBCMT ref: 0027BBE9

__mtinitlocks.LIBCMT ref: 0027B960

Part of subcall function 0027F06A: InitializeCriticalSectionAndSpinCount.KERNEL32(0028AD48,00000FA0,?,?,0027B965,002767EC,00288FE0,00000014), ref: 0027F088

__mtterm.LIBCMT ref: 0027B969

Part of subcall function 0027B9D1: RtlDeleteCriticalSection.KERNEL32(00000000,00000000,?,?,0027B96E,002767EC,00288FE0,00000014), ref: 0027EF86
Part of subcall function 0027B9D1: _free.LIBCMT ref: 0027EF8D
Part of subcall function 0027B9D1: RtlDeleteCriticalSection.KERNEL32(0028AD48,?,?,0027B96E,002767EC,00288FE0,00000014), ref: 0027EFAF

__calloc_crt.LIBCMT ref: 0027B98E
GetCurrentThreadId.KERNEL32 ref: 0027B9B7

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CriticalSection$Delete$CountCurrentEncodeInitializePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 224067749-0
Opcode ID: 4075101f781663d9de9601602a08d21241dbd59a84be7973f91097639e23126e
Instruction ID: 78b2997d04ec18cd83f49f1b94b4b276f6af081cf45870380209def41a56b51a
Opcode Fuzzy Hash: 4075101f781663d9de9601602a08d21241dbd59a84be7973f91097639e23126e
Instruction Fuzzy Hash: 1AF0F63217E2229AE2267B357C0B75A2684CF01732F20C61AF77CD50D2FF3488610E50

Function 00273E80 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 002774D7: _malloc.LIBCMT ref: 002774EF

__wcstoi64.LIBCMT ref: 00273F34

Part of subcall function 002778A1: wcstoxq.LIBCMT ref: 002778C1

__wcstoi64.LIBCMT ref: 00273F52
__wcstoi64.LIBCMT ref: 00273F6F
__wcstoi64.LIBCMT ref: 00273F8D

Strings

z=', xrefs: 00273F05, 00273F08

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: __wcstoi64$_mallocwcstoxq
String ID: z='
API String ID: 3166925466-1774569793
Opcode ID: cd1751c621506bbfc2c657caede234d81c5cda5ca4f2af07773cc666d39305d5
Instruction ID: 92a5ce29d529faf64365a31ff1180c3a48cd1ce49537753bade637415766f39b
Opcode Fuzzy Hash: cd1751c621506bbfc2c657caede234d81c5cda5ca4f2af07773cc666d39305d5
Instruction Fuzzy Hash: F35118B1E142099FDB08DFA8D585BFEBBF4AB48300F50802DE919A7340E7749A15DF96

Function 00272020 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00272062
GetTempPathW.KERNEL32(00000104,?,?,?,MSMP), ref: 00272084
__wfopen_s.LIBCMT ref: 002720B3

Strings

MSMP, xrefs: 00272033
golfinfo.ini, xrefs: 0027208A

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: PathTemp__wfopen_s_memset
String ID: MSMP$golfinfo.ini
API String ID: 1039979586-1742890095
Opcode ID: c17d1cd84e99db35c4e9020fb5fce3f3d580546856e76f6ec240a7f8d51bdbfe
Instruction ID: 0b7af7c2cabfd0b9665ef0463f1f99f8ffbfd182d6514ec0a3e3d2ce43f67ab1
Opcode Fuzzy Hash: c17d1cd84e99db35c4e9020fb5fce3f3d580546856e76f6ec240a7f8d51bdbfe
Instruction Fuzzy Hash: B611EC71D6021C9BDF24FB648D4EBEEB37CAF15300F4440D5F90DA6181DAB45EA48B65

Function 00272C40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00272C6A
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00272C87
GetTempPathW.KERNEL32(00000104,?), ref: 00272CB4
wsprintfW.USER32 ref: 00272CCE

Strings

%s%s.exe, xrefs: 00272CC5

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: DirectoryPathSystemTemp_memsetwsprintf
String ID: %s%s.exe
API String ID: 1888207034-887668888
Opcode ID: 49f76ef37dbee873dda4ae4788a461572921dfe296d1ec1d4e0c48164aaee6a2
Instruction ID: e87c4cca26a16d0d73b1fb5f0b8e64619af30cd52bc55f5831da508f53af76c7
Opcode Fuzzy Hash: 49f76ef37dbee873dda4ae4788a461572921dfe296d1ec1d4e0c48164aaee6a2
Instruction Fuzzy Hash: E50196B9911308ABD714EBA0EC4EEA973749B54700F50819AFA1956182EA705A58CF51

Function 002832FB Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00283307

Part of subcall function 00276DB7: __FF_MSGBANNER.LIBCMT ref: 00276DCE
Part of subcall function 00276DB7: __NMSG_WRITE.LIBCMT ref: 00276DD5
Part of subcall function 00276DB7: RtlAllocateHeap.NTDLL(008A0000,00000000,00000001,?,?,?,?,002774F4,00274317,?,?,00274317,00000020,?,002712B1,?), ref: 00276DFA

_free.LIBCMT ref: 0028331A

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 8300dfc2b55c3dd663424e78cbb0d1231d40bde7fa7f5bb539003a504a17c395
Instruction ID: 9fe8ea04e19ca4484e746f09616b7bc3c62919875c13ea87cf5ef6ba83e44791
Opcode Fuzzy Hash: 8300dfc2b55c3dd663424e78cbb0d1231d40bde7fa7f5bb539003a504a17c395
Instruction Fuzzy Hash: F711063A436212AFCB227F75AC0DA5A3B84EF04761F10C16AF9089A1D1DF34C9708BD0

Function 002729A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002729C9
_memset.LIBCMT ref: 002729DF

Part of subcall function 00271F80: _memset.LIBCMT ref: 00271FAC

DeleteFileW.KERNEL32(?), ref: 00272AB9

Strings

golfset.ini, xrefs: 00272A9F

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _memset$DeleteFile
String ID: golfset.ini
API String ID: 503654765-3745977089
Opcode ID: c503f1f4b08eb931e9aa0f96069448e17adc0a8b52da3eb7de79447a26442d1c
Instruction ID: 03c23aa1f6c5a1485f048c6edf55d81b99b06775a5d0494f1ac5e1b5c8fef2cf
Opcode Fuzzy Hash: c503f1f4b08eb931e9aa0f96069448e17adc0a8b52da3eb7de79447a26442d1c
Instruction Fuzzy Hash: B131C778920208D6CB24DF60EC4ABF973B4AF14704F2044AFED0D97181FB715AA8CB96

Function 0027EC95 Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0027ECC9
__isleadbyte_l.LIBCMT ref: 0027ECF7
MultiByteToWideChar.KERNEL32(00000080,00000009,0027606B,00000001,00000000,00000000,?,00000000,00000000,?,[5',0027606B,00000000), ref: 0027ED25
MultiByteToWideChar.KERNEL32(00000080,00000009,0027606B,00000001,00000000,00000000,?,00000000,00000000,?,[5',0027606B,00000000), ref: 0027ED5B

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3431d16ba2b696a0775df45aa5edf51ae737b4a5c12767fb32af7550745c2b24
Instruction ID: 75f2abc3350a4db88bc58ef05eeb0c80a4c4e0c1b36d3ace23628cd307f0dd09
Opcode Fuzzy Hash: 3431d16ba2b696a0775df45aa5edf51ae737b4a5c12767fb32af7550745c2b24
Instruction Fuzzy Hash: BA31C631620247AFDF229F64C845BAB7BA9FF49310F1684A9E46997190D770D860DBA0

Function 0027D5CA Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0027B821: __getptd_noexit.LIBCMT ref: 0027B822

__lock.LIBCMT ref: 0027D607
InterlockedDecrement.KERNEL32(?), ref: 0027D624
_free.LIBCMT ref: 0027D637
InterlockedIncrement.KERNEL32(008C03E0), ref: 0027D64F

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: e7a2fef01dc150dbd9b01e3b8a37aeb50efeb85019a0f91de2ca8392c9c25d19
Instruction ID: ae28799d5bf97349bada97a331f70c0e4edfea83fb1367493a75e8f43fd95e54
Opcode Fuzzy Hash: e7a2fef01dc150dbd9b01e3b8a37aeb50efeb85019a0f91de2ca8392c9c25d19
Instruction Fuzzy Hash: 2F01C439D22612ABD721AF54B44AB597774AF04710F458009E81C67680CB346DF1CFD2

Function 0027B8A8 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0027B8EC

Part of subcall function 0027EF3B: __mtinitlocknum.LIBCMT ref: 0027EF4D
Part of subcall function 0027EF3B: RtlEnterCriticalSection.KERNEL32(002774F4,?,0027B8F1,0000000D), ref: 0027EF66

InterlockedIncrement.KERNEL32(0042C0E8), ref: 0027B8F9
__lock.LIBCMT ref: 0027B90D
___addlocaleref.LIBCMT ref: 0027B92B

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: e1f2b86962a34a96bcbcfefca683b3e083d73c1a2303faadd497f7e6630c3d47
Instruction ID: 5f0356cabdcf61625422d9db679806a0bf21358310c467838ccdbd2b5e7a7a8d
Opcode Fuzzy Hash: e1f2b86962a34a96bcbcfefca683b3e083d73c1a2303faadd497f7e6630c3d47
Instruction Fuzzy Hash: A001AD75421B01DFD720AF65D80974AB7E0EF40324F20880EE5AE976E0CB70AA90CF11

Function 0027813E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 002780EA: __getptd_noexit.LIBCMT ref: 002780EA

__getbuf.LIBCMT ref: 002781D5
__lseeki64.LIBCMT ref: 00278245

Strings

[5', xrefs: 0027813E

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: __getbuf__getptd_noexit__lseeki64
String ID: [5'
API String ID: 3311320906-2559799198
Opcode ID: 93c19c2b9136ebe00675b809c0b3efd5504bc6e3497f4b2f76999966cd74b245
Instruction ID: 32eaa98110ee7f3dea0df8216f059d39f1913ba918361c250266ba969f4912f9
Opcode Fuzzy Hash: 93c19c2b9136ebe00675b809c0b3efd5504bc6e3497f4b2f76999966cd74b245
Instruction Fuzzy Hash: 54416372170B429FD7249F29C86AA7A77E49F44331B14C61DE8BE862D2DA3498618F10

Function 002733F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,?,00000000), ref: 00273485

Strings

\\.\PHYSICALDRIVE, xrefs: 0027340E

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CreateFile
String ID: \\.\PHYSICALDRIVE
API String ID: 823142352-1766338221
Opcode ID: 0ee68ecc2849a221838280be063303897f40eac933138dfdc3b946bb54970bdc
Instruction ID: 0f54c00499b9dd2cfa11691e6698f0700d412b3b432467fc561a590e4d02824c
Opcode Fuzzy Hash: 0ee68ecc2849a221838280be063303897f40eac933138dfdc3b946bb54970bdc
Instruction Fuzzy Hash: D0217175E11308EBDB28DF94DC16BEEB7B4AF44700F108029E609A71D0D7B45B15DB91

Function 00272CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00272D24
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00272D86

Part of subcall function 00272B10: _wcsstr.LIBCMT ref: 00272B1B

Strings

.exe, xrefs: 00272D65

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: FileModuleName_memset_wcsstr
String ID: .exe
API String ID: 2776296755-4119554291
Opcode ID: 2cf7a8fc5627bba58af5b38b0ff9f2999b322aa629d4804be41ff49dcf064036
Instruction ID: 531a5c82e2b305ac776a3211441aaecd493c204f80be0423cf0f14d618ef0bd5
Opcode Fuzzy Hash: 2cf7a8fc5627bba58af5b38b0ff9f2999b322aa629d4804be41ff49dcf064036
Instruction Fuzzy Hash: 9821FFB5E103089FDB90EFA4D84ABDEB7B4AF48700F0081A9E50CE6291EB745758CB65

Function 0027C8C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0027C920
__lseek_nolock.LIBCMT ref: 0027C93F

Part of subcall function 002780B6: __getptd_noexit.LIBCMT ref: 002780B6

Part of subcall function 002780EA: __getptd_noexit.LIBCMT ref: 002780EA

Strings

"6', xrefs: 0027C938

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: __getptd_noexit$___lock_fhandle__lseek_nolock
String ID: "6'
API String ID: 2897372107-3902697346
Opcode ID: 84fbc9512b60a1773b625ef3874d144e72dc4550a329b7b0eb9a1d0df3897647
Instruction ID: b988d3a045392f83cb0ad03742b10758ce8d51061ae8713cc4ed3c797028384f
Opcode Fuzzy Hash: 84fbc9512b60a1773b625ef3874d144e72dc4550a329b7b0eb9a1d0df3897647
Instruction Fuzzy Hash: 8D11B272835600DBD7427FB48C5A36D7B60AF52321F29C248E56C1B1E3CBB449318F62

Function 00271F80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00271FAC

Part of subcall function 00271E40: _memset.LIBCMT ref: 00271E9B
Part of subcall function 00271E40: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00271EBE
Part of subcall function 00271E40: __wfopen_s.LIBCMT ref: 00271F20
Part of subcall function 00271E40: __fread_nolock.LIBCMT ref: 00271F3B

Strings

MSMP, xrefs: 00271FA5
golfset.ini, xrefs: 00271FB3

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: _memset$DirectorySystem__fread_nolock__wfopen_s
String ID: MSMP$golfset.ini
API String ID: 2404306169-72712972
Opcode ID: 190187e4ba843e7b44791e1cc0e3213cb73ca0aa0251147c25ec3a8d0da57f51
Instruction ID: 88aec2b0f818497d18794f8911402ecb3cc7aba4b4a2d5efaf57ec90e2117d30
Opcode Fuzzy Hash: 190187e4ba843e7b44791e1cc0e3213cb73ca0aa0251147c25ec3a8d0da57f51
Instruction Fuzzy Hash: 36110431A203089BDB54DE68DC49BAEB3B4DF44310F5040A9E80DD7182DF70AEA5CB41

Function 00272FB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00272FF8
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0027300C

Part of subcall function 00273280: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00273332
Part of subcall function 00273280: CloseHandle.KERNEL32(00000000), ref: 002733CB

Strings

(', xrefs: 00273063, 00273066

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CloseCreateDirectoryFileHandleSystem_memset
String ID: ('
API String ID: 2178358837-476483421
Opcode ID: 45a418c6a26fadad161009688fd1c077727777da1980ffb81ea354fe9ea7c2f7
Instruction ID: 7d3a4ffcd6daffa8a58c206279c31a55be1162965b47eb3882c8525d85d80063
Opcode Fuzzy Hash: 45a418c6a26fadad161009688fd1c077727777da1980ffb81ea354fe9ea7c2f7
Instruction Fuzzy Hash: F311D0B0D5031C9BCB20EF68DC8DBDAB7B4AB14300F0086D8E51DAB281EA704B948F91

Function 00278050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

RtlDecodePointer.KERNEL32(?,00278087,00000000,00000000,00000000,00000000,00000000,0027C5CE,?,0027BD97,00000003,0027EFDD,002892C8,00000008,0027EF52,002774F4), ref: 00278059
__invoke_watson.LIBCMT ref: 00278075

Strings

>n', xrefs: 00278069

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: DecodePointer__invoke_watson
String ID: >n'
API String ID: 4034010525-2411782858
Opcode ID: a0fd881ff6936f33f24ee2906cc77920d58be5a19e065c1fa161ef39ccd96e10
Instruction ID: b726b32688c9f75311eea83db313ace4f7a55ec73b1aeefb06b1716101fa1a4f
Opcode Fuzzy Hash: a0fd881ff6936f33f24ee2906cc77920d58be5a19e065c1fa161ef39ccd96e10
Instruction Fuzzy Hash: 35E0EC79150109ABCF026F61EC0D96A3E65FB04640B448410FE1884031EB32C9749B90

Function 002714A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00020000,00000000,biudfw), ref: 002714D0
CloseHandle.KERNEL32(00000000), ref: 002714DB

Strings

biudfw, xrefs: 002714B5, 002714C4

Memory Dump Source

Source File: 00000001.00000002.2408594836.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000001.00000002.2408577308.0000000000270000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.000000000028F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2408594836.0000000000292000.00000040.00000001.01000000.00000005.sdmpDownload File

Yara matches

Similarity

API ID: CloseEventHandleOpen
String ID: biudfw
API String ID: 2077840173-2384789794
Opcode ID: cdd71e1aed8ace8cf8a6ad6cc3f20a3bb8c1984bebec05b2afa57a8bedc0ccad
Instruction ID: 2e505d5dc614270dc3880d89bdd0d3dbb34fb2159997d2e437833d16b0f4ecc8
Opcode Fuzzy Hash: cdd71e1aed8ace8cf8a6ad6cc3f20a3bb8c1984bebec05b2afa57a8bedc0ccad
Instruction Fuzzy Hash: 83E0DF382102028ACF24AF60AC4AB6A3374AF24B42F20804CBD0D9B0C1EB314830CB05

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WOa6j2H74T.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Urelas

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\biudfw.exe

C:\Users\user\AppData\Local\Temp\golfinfo.ini

C:\Users\user\AppData\Local\Temp\sanfdr.bat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
WOa6j2H74T.exe